[Bug libelf/25069] AddressSanitizer: heap-buffer-overflow at libdwelf/dwelf_strtab.c:284

mark at klomp dot org sourceware-bugzilla@sourceware.org
Sat Oct 26 20:07:00 GMT 2019


https://sourceware.org/bugzilla/show_bug.cgi?id=25069

Mark Wielaard <mark at klomp dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |NEW
   Last reconfirmed|                            |2019-10-26
     Ever confirmed|0                           |1

--- Comment #4 from Mark Wielaard <mark at klomp dot org> ---
Thanks, replicated with that reproducer (and the stripped file from the first)
with valgrind:

mark@librem:~/build/elfutils-obj$ LD_LIBRARY_PATH=backends:libelf:libdw:libasm
valgrind -q src/unstrip poc2/hbo__dwelf_strtab.c\:284_2 poc2/stripped -o
/dev/null
==22429== Invalid read of size 1
==22429==    at 0x4838C74: strlen (vg_replace_strmem.c:460)
==22429==    by 0x49B3EE3: dwelf_strtab_add (dwelf_strtab.c:284)
==22429==    by 0x11A8BE: copy_elided_sections (unstrip.c:1882)
==22429==    by 0x11CDA2: handle_file (unstrip.c:2203)
==22429==    by 0x11D10D: handle_explicit_files (unstrip.c:2268)
==22429==    by 0x1121CF: main (unstrip.c:2603)
==22429==  Address 0x5d8c3b5 is 0 bytes after a block of size 3,829 alloc'd
==22429==    at 0x483577F: malloc (vg_replace_malloc.c:299)
==22429==    by 0x4878E2D: __libelf_set_rawdata_wrlock (elf_getdata.c:332)
==22429==    by 0x4879B5C: __elf_getdata_rdlock (elf_getdata.c:535)
==22429==    by 0x4879B5C: __elf_getdata_rdlock (elf_getdata.c:458)
==22429==    by 0x4879C73: elf_getdata (elf_getdata.c:562)
==22429==    by 0x112B29: collect_symbols (unstrip.c:843)
==22429==    by 0x119B7D: copy_elided_sections (unstrip.c:1820)
==22429==    by 0x11CDA2: handle_file (unstrip.c:2203)
==22429==    by 0x11D10D: handle_explicit_files (unstrip.c:2268)
==22429==    by 0x1121CF: main (unstrip.c:2603)
==22429== 
==22429== Invalid read of size 1
==22429==    at 0x483D4E0: mempcpy (vg_replace_strmem.c:1536)
==22429==    by 0x49B3BD2: mempcpy (string_fortified.h:48)
==22429==    by 0x49B3BD2: copystrings (dwelf_strtab.c:301)
==22429==    by 0x49B400C: dwelf_strtab_finalize (dwelf_strtab.c:342)
==22429==    by 0x11AC4C: copy_elided_sections (unstrip.c:1929)
==22429==    by 0x11CDA2: handle_file (unstrip.c:2203)
==22429==    by 0x11D10D: handle_explicit_files (unstrip.c:2268)
==22429==    by 0x1121CF: main (unstrip.c:2603)
==22429==  Address 0x5d8c3b5 is 0 bytes after a block of size 3,829 alloc'd
==22429==    at 0x483577F: malloc (vg_replace_malloc.c:299)
==22429==    by 0x4878E2D: __libelf_set_rawdata_wrlock (elf_getdata.c:332)
==22429==    by 0x4879B5C: __elf_getdata_rdlock (elf_getdata.c:535)
==22429==    by 0x4879B5C: __elf_getdata_rdlock (elf_getdata.c:458)
==22429==    by 0x4879C73: elf_getdata (elf_getdata.c:562)
==22429==    by 0x112B29: collect_symbols (unstrip.c:843)
==22429==    by 0x119B7D: copy_elided_sections (unstrip.c:1820)
==22429==    by 0x11CDA2: handle_file (unstrip.c:2203)
==22429==    by 0x11D10D: handle_explicit_files (unstrip.c:2268)
==22429==    by 0x1121CF: main (unstrip.c:2603)
==22429== 
src/unstrip: cannot write output file: section `sh_size' too small for data

-- 
You are receiving this mail because:
You are on the CC list for the bug.


More information about the Elfutils-devel mailing list