This is the mail archive of the
elfutils-devel@sourceware.org
mailing list for the elfutils project.
[Bug libelf/25077] New: AddressSanitizer: heap-buffer-overflow at libelf/elf32_updatefile.c:772
- From: "leftcopy.chx at gmail dot com" <sourceware-bugzilla at sourceware dot org>
- To: elfutils-devel at sourceware dot org
- Date: Tue, 08 Oct 2019 03:19:11 +0000
- Subject: [Bug libelf/25077] New: AddressSanitizer: heap-buffer-overflow at libelf/elf32_updatefile.c:772
- Auto-submitted: auto-generated
https://sourceware.org/bugzilla/show_bug.cgi?id=25077
Bug ID: 25077
Summary: AddressSanitizer: heap-buffer-overflow at
libelf/elf32_updatefile.c:772
Product: elfutils
Version: unspecified
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: libelf
Assignee: unassigned at sourceware dot org
Reporter: leftcopy.chx at gmail dot com
CC: elfutils-devel at sourceware dot org
Target Milestone: ---
Created attachment 12030
--> https://sourceware.org/bugzilla/attachment.cgi?id=12030&action=edit
pocs and error message
As of 47780c9e, libelf may suffer from a heap-buffer-overflow vulnerability
when executing `./eu-unstrip $FILE ./stripped -o /dev/null`, where elfutils is
built with ASAN. The attachment contains the required files for reproduction.
The error message is like:
==32515==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x6150000009d6 at pc 0x7ffff6e670ae bp 0x7fffffff1290 sp 0x7fffffff0a38
READ of size 60432 at 0x6150000009d6 thread T0
#0 0x7ffff6e670ad (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x4d0ad)
#1 0x7ffff6c10de4 in pwrite_retry ../lib/system.h:95
#2 0x7ffff6c10de4 in __elf64_updatefile
/home/hongxu/FOT/Targets/elfutils/eu-orig/libelf/elf32_updatefile.c:772
#3 0x7ffff6c0ce98 in write_file
/home/hongxu/FOT/Targets/elfutils/eu-orig/libelf/elf_update.c:132
#4 0x7ffff6c0ce98 in elf_update
/home/hongxu/FOT/Targets/elfutils/eu-orig/libelf/elf_update.c:231
#5 0x55555556b4ec in copy_elided_sections
/home/hongxu/FOT/Targets/elfutils/eu-asan/src/unstrip.c:2074
#6 0x55555556bea1 in handle_file
/home/hongxu/FOT/Targets/elfutils/eu-asan/src/unstrip.c:2162
#7 0x55555556c760 in handle_explicit_files
/home/hongxu/FOT/Targets/elfutils/eu-asan/src/unstrip.c:2227
#8 0x55555556f1f6 in main
/home/hongxu/FOT/Targets/elfutils/eu-asan/src/unstrip.c:2562
#9 0x7ffff6596b96 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
#10 0x555555559a89 in _start
(/home/hongxu/FOT/Targets/elfutils/eu-asan/install/bin/eu-unstrip+0x5a89)
0x6150000009d6 is located 0 bytes to the right of 470-byte region
[0x615000000800,0x6150000009d6)
allocated by thread T0 here:
#0 0x7ffff6ef8d38 in __interceptor_calloc
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded38)
#1 0x55555556f4aa in xcalloc
/home/hongxu/FOT/Targets/elfutils/eu-asan/lib/xmalloc.c:63
#2 0x55555555db16 in adjust_relocs
/home/hongxu/FOT/Targets/elfutils/eu-asan/src/unstrip.c:565
#3 0x55555556a62a in copy_elided_sections
/home/hongxu/FOT/Targets/elfutils/eu-asan/src/unstrip.c:1960
#4 0x55555556bea1 in handle_file
/home/hongxu/FOT/Targets/elfutils/eu-asan/src/unstrip.c:2162
#5 0x55555556c760 in handle_explicit_files
/home/hongxu/FOT/Targets/elfutils/eu-asan/src/unstrip.c:2227
#6 0x55555556f1f6 in main
/home/hongxu/FOT/Targets/elfutils/eu-asan/src/unstrip.c:2562
#7 0x7ffff6596b96 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
SUMMARY: AddressSanitizer: heap-buffer-overflow
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0x4d0ad)
Shadow bytes around the buggy address:
0x0c2a7fff80e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
0x0c2a7fff80f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2a7fff8100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2a7fff8110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2a7fff8120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2a7fff8130: 00 00 00 00 00 00 00 00 00 00[06]fa fa fa fa fa
0x0c2a7fff8140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2a7fff8150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2a7fff8160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2a7fff8170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2a7fff8180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==32515==ABORTING
--
You are receiving this mail because:
You are on the CC list for the bug.