Bug 21137

Summary: readelf - heap buffer overflow in elfcomm
Product: binutils Reporter: Thuan Pham <thuanpv>
Component: binutilsAssignee: Not yet assigned to anyone <unassigned>
Status: RESOLVED FIXED    
Severity: normal CC: nickc
Priority: P2    
Version: 2.29   
Target Milestone: ---   
Host: Target:
Build: Last reconfirmed:
Attachments: Bug triggering input

Description Thuan Pham 2017-02-13 09:13:16 UTC
Created attachment 9804 [details]
Bug triggering input

Dear all,

This bug was found with AFLGo, a directed version of AFL/AFLFast. Thanks also to Marcel Böhme. 

This bug was found on Ubuntu 14.04 64-bit & binutils was checkout from main repository at git://sourceware.org/git/binutils-gdb.git. Its commit is 53f7e8ea7fad1fcff1b58f4cbd74e192e0bcbc1d (Fri Feb 10 00:00:16 2017) 

To reproduce:
Download the attached file - bug_3
readelf -w bug_3

binutils was built with ASAN using gcc-6.2 and clang-3.4. The configure command was:

CC=clang CFLAGS="-DFORTIFY_SOURCE=2 -fstack-protector-all -fsanitize=undefined,address -fno-omit-frame-pointer -g -Wno-error" ../configure --disable-shared --disable-gdb --disable-libdecnumber --disable-readline --disable-sim

==81550==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60e00000e00c at pc 0x722a9d bp 0x7ffd132dc8b0 sp 0x7ffd132dc8a8
WRITE of size 1 at 0x60e00000e00c thread T0
    #0 0x722a9c in byte_put_little_endian /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/elfcomm.c:75
    #1 0x54acfa in target_specific_reloc_handling /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:11640
    #2 0x52e6dc in apply_relocations /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:12343
    #3 0x4846b5 in load_specific_debug_section /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:12905
    #4 0x564b4c in display_debug_section /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:13009
    #5 0x4e194f in process_section_contents /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:13091
    #6 0x48d610 in process_object /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:16780
    #7 0x488365 in process_file /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:17154
    #8 0x4855c3 in main /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:17225
    #9 0x7efe28957f44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #10 0x47ddfc in _start (/home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/readelf+0x47ddfc)

0x60e00000e00c is located 15 bytes to the right of 157-byte region [0x60e00000df60,0x60e00000dffd)
allocated by thread T0 here:
    #0 0x467d19 in __interceptor_malloc (/home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/readelf+0x467d19)
    #1 0x503114 in get_data /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:393
    #2 0x48180a in load_specific_debug_section /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:12829
    #3 0x564b4c in display_debug_section /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:13009
    #4 0x4e194f in process_section_contents /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:13091
    #5 0x48d610 in process_object /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:16780
    #6 0x488365 in process_file /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:17154
    #7 0x4855c3 in main /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:17225
Comment 1 Sourceware Commits 2017-02-13 13:10:20 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=03f7786e2f440b9892b1c34a58fb26222ce1b493

commit 03f7786e2f440b9892b1c34a58fb26222ce1b493
Author: Nick Clifton <nickc@redhat.com>
Date:   Mon Feb 13 13:08:32 2017 +0000

    Fix readelf writing to illegal addresses whilst processing corrupt input files containing symbol-difference relocations.
    
    	PR binutils/21137
    	* readelf.c (target_specific_reloc_handling): Add end parameter.
    	Check for buffer overflow before writing relocated values.
    	(apply_relocations): Pass end to target_specific_reloc_handling.
Comment 2 Nick Clifton 2017-02-13 13:10:58 UTC
*** Bug 21138 has been marked as a duplicate of this bug. ***
Comment 3 Nick Clifton 2017-02-13 13:12:19 UTC
Hi Thuan,

  Thanks for reporting this bug.  I have applied a patch to fix the problem.

  The issue was the code in readelf that processes target specific relocations
  was not checking for possible buffer overflow.  So I have added these checks.

Cheers
  Nick
Comment 4 Nick Clifton 2017-02-13 14:05:05 UTC
*** Bug 21141 has been marked as a duplicate of this bug. ***
Comment 5 Nick Clifton 2017-02-13 14:05:32 UTC
*** Bug 21140 has been marked as a duplicate of this bug. ***
Comment 6 Nick Clifton 2017-02-13 14:12:16 UTC
*** Bug 21146 has been marked as a duplicate of this bug. ***
Comment 7 Nick Clifton 2017-02-13 15:21:55 UTC
*** Bug 21136 has been marked as a duplicate of this bug. ***
Comment 8 Thuan Pham 2017-04-13 06:05:14 UTC
This is CVE-2017-6965