This is the mail archive of the elfutils-devel@sourceware.org mailing list for the elfutils project.
[Bug backends/24075] Program Crash due to buffer over-read in ebl_object_note function in eblobjnote.c in libebl.
- From: "wcventure at 126 dot com" <sourceware-bugzilla at sourceware dot org>
- To: elfutils-devel at sourceware dot org
- Date: Sat, 26 Jan 2019 08:04:34 +0000
- Subject: [Bug backends/24075] Program Crash due to buffer over-read in ebl_object_note function in eblobjnote.c in libebl.
- Auto-submitted: auto-generated
- References: <bug-24075-10460@http.sourceware.org/bugzilla/>
https://sourceware.org/bugzilla/show_bug.cgi?id=24075
wcventure <wcventure at 126 dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |UNCONFIRMED
Resolution|FIXED |---
--- Comment #4 from wcventure <wcventure at 126 dot com> ---
Regression Testing:
I have done regression testing.
This problem can be broken again!
Here is the POC file.
The Commit ID I used:
> commit a17c2c0917901ffa542ac4d3e327d46742219e04
> Author: Mark Wielaard <mark@klomp.org>
> Date: Tue Jan 22 15:55:18 2019 +0100
>
> readelf: Don't go past end of line data reading unknown opcode parameters.
>
> https://sourceware.org/bugzilla/show_bug.cgi?id=24116
>
> Signed-off-by: Mark Wielaard <mark@klomp.org>
ASAN trace:
> ==22829==ERROR: AddressSanitizer: unknown-crash on address 0x7f07d1c81000 at pc 0x0000004c0857 bp 0x7ffc6580df50 sp 0x7ffc6580df40
> READ of size 1 at 0x7f07d1c81000 thread T0
> #0 0x4c0856 in ebl_object_note /home/wencheng/Experiment/elfutils/libebl/eblobjnote.c:495
> #1 0x452e0f in handle_notes_data /home/wencheng/Experiment/elfutils/src/readelf.c:12256
> #2 0x465ec3 in handle_notes /home/wencheng/Experiment/elfutils/src/readelf.c:12320
> #3 0x465ec3 in process_elf_file /home/wencheng/Experiment/elfutils/src/readelf.c:1000
> #4 0x465ec3 in process_dwflmod /home/wencheng/Experiment/elfutils/src/readelf.c:760
> #5 0x7f07d0893961 in dwfl_getmodules /home/wencheng/Experiment/elfutils/libdwfl/dwfl_getmodules.c:86
> #6 0x40d035 in process_file /home/wencheng/Experiment/elfutils/src/readelf.c:868
> #7 0x40579e in main /home/wencheng/Experiment/elfutils/src/readelf.c:350
> #8 0x7f07cff1882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
> #9 0x406428 in _start (/home/wencheng/Experiment/elfutils/build/bin/eu-readelf+0x406428)
>
> Address 0x7f07d1c81000 is a wild pointer.
> SUMMARY: AddressSanitizer: unknown-crash /home/wencheng/Experiment/elfutils/libebl/eblobjnote.c:495 in ebl_object_note
> Shadow bytes around the buggy address:
> ==22829==ABORTING