[Bug libelf/25077] AddressSanitizer: heap-buffer-overflow at libelf/elf32_updatefile.c:772
mark at klomp dot org
sourceware-bugzilla@sourceware.org
Sat Oct 19 12:43:00 GMT 2019
https://sourceware.org/bugzilla/show_bug.cgi?id=25077
Mark Wielaard <mark at klomp dot org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|UNCONFIRMED |ASSIGNED
Last reconfirmed| |2019-10-19
CC| |mark at klomp dot org
Ever confirmed|0 |1
--- Comment #1 from Mark Wielaard <mark at klomp dot org> ---
Replicated under valgrind:
$ valgrind -q eu-unstrip hbo_libelf/hbo__elf32_updatefile.c:772_1
hbo_libelf/stripped -o /tmp/foobar
==25850== Syscall param pwrite64(buf) points to unaddressable byte(s)
==25850== at 0x57A80D3: __pwrite_nocancel (syscall-template.S:81)
==25850== by 0x4E45E37: UnknownInlinedFun (system.h:95)
==25850== by 0x4E45E37: __elf64_updatefile (elf32_updatefile.c:795)
==25850== by 0x4E42250: write_file (elf_update.c:132)
==25850== by 0x4E42250: elf_update (elf_update.c:231)
==25850== by 0x406840: copy_elided_sections (unstrip.c:2070)
==25850== by 0x4078B3: handle_file (unstrip.c:2158)
==25850== by 0x407B8B: handle_explicit_files (unstrip.c:2223)
==25850== by 0x4029DD: main (unstrip.c:2558)
==25850== Address 0x632b8c6 is 0 bytes after a block of size 470 alloc'd
==25850== at 0x4C2BF79: calloc (vg_replace_malloc.c:762)
==25850== by 0x408028: xcalloc (xmalloc.c:63)
==25850== by 0x403FD6: adjust_relocs.isra.14 (unstrip.c:565)
==25850== by 0x406CC6: copy_elided_sections (unstrip.c:1956)
==25850== by 0x4078B3: handle_file (unstrip.c:2158)
==25850== by 0x407B8B: handle_explicit_files (unstrip.c:2223)
==25850== by 0x4029DD: main (unstrip.c:2558)
==25850==
eu-unstrip: cannot write output file: cannot write data to file
The issue is simply that if the sh_entsize of the symver section was bogus
(bigger than necessary) then some bogus data would be written out (except that
then fails as can be seen by the error message).
The solution is simply to use the actual symver data size:
diff --git a/src/unstrip.c b/src/unstrip.c
index fc878325..5531a02d 100644
--- a/src/unstrip.c
+++ b/src/unstrip.c
@@ -572,7 +572,7 @@ adjust_relocs (Elf_Scn *outscn, Elf_Scn *inscn, const
GElf_Shdr *shdr,
record_new_data (versym);
data->d_buf = versym;
- data->d_size = nent * shdr->sh_entsize;
+ data->d_size = nent * sizeof versym[0];
elf_flagdata (data, ELF_C_SET, ELF_F_DIRTY);
update_sh_size (outscn, data);
}
--
You are receiving this mail because:
You are on the CC list for the bug.
More information about the Elfutils-devel
mailing list