Bug 29732 - A heap buffer overflow was found in find_section_in_set() of binutils-2.39 (commit 49c843e6)
Summary: A heap buffer overflow was found in find_section_in_set() of binutils-2.39 (commit 49c843e6)
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils
Version: 2.39
Importance: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
Reported: 2022-10-30 12:19 UTC by 15664243668
Modified: 2022-10-30 13:05 UTC (History)



Attachments
readelf poc file (357 bytes, application/x-executable)
2022-10-30 12:19 UTC, 15664243668

Description 15664243668 2022-10-30 12:19:29 UTC
Created attachment 14421
readelf poc file

Hi

There is a heap buffer overflow bug in binutils-2.39 (commit 49c843e6).

The bug is triggered in find_section_in_set() at binutils/readelf.c:970 when parsing the debug sections of a malformed ELF file.

The bug is caused in the code stashing pool section entries.  With random nonsensical values in the index entries (rather than each index pointing to its own set distinct from other sets), it's possible to overflow the space allocated, losing the NULL terminator.  Without a terminator, find_section_in_set can run off the end of the shndx_pool buffer.

To reproduce this bug, use:

1. compile binutils-2.39 with clang-6.0 and address sanitizer:
```sh
./configure --disable-shared --disable-gdb --disable-werror
make
```

2. use readelf to process the PoC file (see attachment):
```sh
readelf -w ./PoC
```

The address sanitizer reports are as follows.
```
readelf: Error: Internal error: out of space in the shndx pool.
readelf: Error: Internal error: out of space in the shndx pool.
readelf: Error: Internal error: out of space in the shndx pool.
readelf: Error: Internal error: out of space in the shndx pool.
readelf: Error: Internal error: out of space in the shndx pool.
readelf: Error: Internal error: out of space in the shndx pool.
Contents of the .debug_names section:

readelf: Warning: Debug info is corrupted, .debug_names header at 0 has length 0x4c457f
Contents of the .debug_names section:

=================================================================
==29074==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61a000000bd8 at pc 0x0000005143de bp 0x7fffffffd6c0 sp 0x7fffffffd6b8
READ of size 4 at 0x61a000000bd8 thread T0
    #0 0x5143dd in find_section_in_set /binutils-gdb/obj-asan/binutils/../../binutils/readelf.c:970:19
    #1 0x5130b6 in load_debug_section /binutils-gdb/obj-asan/binutils/../../binutils/readelf.c:16160:9
    #2 0x612472 in load_debug_section_with_follow /binutils-gdb/obj-asan/binutils/../../binutils/dwarf.c:3453:7
    #3 0x606ce0 in display_debug_names /binutils-gdb/obj-asan/binutils/../../binutils/dwarf.c:10002:3
    #4 0x558c9b in display_debug_section /binutils-gdb/obj-asan/binutils/../../binutils/readelf.c:16258:18
    #5 0x558c9b in process_section_contents /binutils-gdb/obj-asan/binutils/../../binutils/readelf.c:16354
    #6 0x52ae91 in process_object /binutils-gdb/obj-asan/binutils/../../binutils/readelf.c:22372:9
    #7 0x517f9e in process_file /binutils-gdb/obj-asan/binutils/../../binutils/readelf.c:22795:13
    #8 0x517f9e in main /binutils-gdb/obj-asan/binutils/../../binutils/readelf.c:22866
    #9 0x7ffff6e22c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    #10 0x41a909 in _start (/binutils-gdb/obj-asan/binutils/readelf+0x41a909)

0x61a000000bd8 is located 0 bytes to the right of 1368-byte region [0x61a000000680,0x61a000000bd8)
allocated by thread T0 here:
    #0 0x4dac40 in realloc (/binutils-gdb/obj-asan/binutils/readelf+0x4dac40)
    #1 0x74eeed in xrealloc /binutils-gdb/obj-asan/libiberty/../../libiberty/xmalloc.c:181:14

SUMMARY: AddressSanitizer: heap-buffer-overflow /binutils-gdb/obj-asan/binutils/../../binutils/readelf.c:970:19 in find_section_in_set
Shadow bytes around the buggy address:
  0x0c347fff8120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff8130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff8140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff8150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff8160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c347fff8170: 00 00 00 00 00 00 00 00 00 00 00[fa]fa fa fa fa
  0x0c347fff8180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fff8190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fff81a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fff81b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fff81c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
```

Found by SyntaxAFL.

(This bug has been reported via mail list. This report is for tracking this bug in bugzilla.)
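The defect class the report describes, a scan that relies on a zero terminator in a heap pool that an overfilled "stash" step can silently drop, is illustrated below in C. This is an added example, not code from the bug report or from binutils: `struct shndx_pool`, `pool_append_set`, the constructed `section_names` table and this `find_section_in_set` are a hypothetical model, not readelf's data structures. It shows the two checks a defender wants at this point: the stash refuses to write a set unless the set and its terminator both fit, and the lookup is bounded by the pool's used length as well as by the sentinel, so a pool that has lost its terminator cannot carry the read past the allocation.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of a section-index pool, written for this example and
   not taken from readelf.  Each "set" is a run of non-zero section indices
   followed by a zero terminator: the sentinel the report says gets lost. */
struct shndx_pool {
    unsigned int *entries;
    size_t used;   /* entries written so far, terminators included */
    size_t size;   /* capacity, in entries */
};

/* Constructed section table standing in for the ELF section headers. */
static const char *const section_names[] = {
    "", ".text", ".debug_info", ".debug_abbrev", ".debug_names", ".debug_str"
};
#define NUM_SECTIONS (sizeof section_names / sizeof section_names[0])

static int pool_init(struct shndx_pool *p, size_t size) {
    p->entries = calloc(size, sizeof *p->entries);
    p->used = 0;
    p->size = size;
    return p->entries != NULL;
}

/* Append one raw entry; returns 0 instead of writing past the end. */
static int pool_append(struct shndx_pool *p, unsigned int v) {
    if (p->used >= p->size)
        return 0;
    p->entries[p->used++] = v;
    return 1;
}

/* Stash a whole set, indices plus terminator, or nothing at all.  Checking
   the total up front means no set is ever left without its zero. */
static int pool_append_set(struct shndx_pool *p, const unsigned int *idx, size_t n) {
    if (n + 1 > p->size - p->used)
        return 0;
    for (size_t i = 0; i < n; i++)
        p->entries[p->used++] = idx[i];
    p->entries[p->used++] = 0;
    return 1;
}

/* Look a section name up in the set that starts at entries[set_start].
   The scan stops at the zero terminator OR at the end of the used region,
   whichever comes first, so a set that lost its terminator cannot carry the
   read past the allocation.  Out-of-table indices are skipped, not used. */
static unsigned int find_section_in_set(const struct shndx_pool *p,
                                        size_t set_start, const char *name) {
    for (size_t i = set_start; i < p->used && p->entries[i] != 0; i++) {
        unsigned int shndx = p->entries[i];
        if (shndx < NUM_SECTIONS && strcmp(section_names[shndx], name) == 0)
            return shndx;
    }
    return 0;   /* not found */
}

/* Well-formed pool: two sets; a lookup in the second must not see the first. */
static unsigned int demo_well_formed(void) {
    struct shndx_pool p;
    unsigned int set_a[] = { 1, 2 }, set_b[] = { 3, 4 };
    if (!pool_init(&p, 8))
        return 0;
    pool_append_set(&p, set_a, 2);          /* entries 0..2 */
    pool_append_set(&p, set_b, 2);          /* entries 3..5 */
    unsigned int found = find_section_in_set(&p, 3, ".debug_names");  /* 4 */
    if (find_section_in_set(&p, 3, ".text") != 0)   /* .text lives only in set_a */
        found = 0;
    free(p.entries);
    return found;
}

/* Damaged pool modelled on the report: filled to capacity with non-zero,
   partly nonsensical indices, so no terminator exists.  Returns 1 if the
   bounded lookup still behaves. */
static int demo_lost_terminator(void) {
    struct shndx_pool p;
    unsigned int garbage[] = { 4, 99, 1 };  /* 99 is beyond the section table */
    int ok = 1;
    if (!pool_init(&p, 3))
        return 0;
    ok &= pool_append_set(&p, garbage, 3) == 0;   /* refused: no room for the zero */
    for (size_t i = 0; i < 3; i++)                /* force the damaged state anyway */
        pool_append(&p, garbage[i]);
    ok &= p.used == p.size;
    ok &= find_section_in_set(&p, 0, ".debug_names") == 4;
    ok &= find_section_in_set(&p, 0, ".text") == 1;
    ok &= find_section_in_set(&p, 0, ".debug_str") == 0;   /* stops at used */
    free(p.entries);
    return ok;
}

int main(void) {
    printf("well-formed lookup -> section %u\n", demo_well_formed());
    printf("lost-terminator pool handled safely: %s\n",
           demo_lost_terminator() ? "yes" : "no");
    return 0;
}
```

Compiled with `-fsanitize=address`, as the reporter built readelf, the damaged-pool case stays silent because the loop condition `i < p->used` is evaluated before `p->entries[i]` is read; dropping that bound is exactly what lets a terminator-less set walk into the redzone ASan flagged at readelf.c:970.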
Comment 1 15664243668 2022-10-30 12:19:58 UTC
Fixed for 2.40 with commit 28750e3b967d.