Summary: | readelf - heap buffer overflow, invalid read | ||
---|---|---|---|
Product: | binutils | Reporter: | Thuan Pham <thuanpv> |
Component: | binutils | Assignee: | Not yet assigned to anyone <unassigned> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | nickc |
Priority: | P2 | ||
Version: | 2.29 | ||
Target Milestone: | --- | ||
Host: | Target: | ||
Build: | Last reconfirmed: | ||
Attachments: | Bug triggering input |
The master branch has been updated by Nick Clifton <nickc@sourceware.org>: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=0ee3043f58aae078a1ecc54b7be2810cae39a718 commit 0ee3043f58aae078a1ecc54b7be2810cae39a718 Author: Nick Clifton <nickc@redhat.com> Date: Mon Feb 13 14:17:07 2017 +0000 Fix access violation when reporting sections that could not be dumped. PR binutils/21147 * readelf.c (process_section_contents): Fix off by one error reporting un-dumped sections. Hi Thuan, Thanks for reporting this bug. I have checked in a small patch to fix it. The problem was an off-by-one error when reporting sections which could not be dumped. Cheers Nick |
Created attachment 9814 [details] Bug triggering input Dear all, This bug was found with AFLGo, a directed version of AFL/AFLFast. Thanks also to Marcel Böhme. This bug was found on Ubuntu 14.04 64-bit & binutils was checkout from main repository at git://sourceware.org/git/binutils-gdb.git. Its commit is 53f7e8ea7fad1fcff1b58f4cbd74e192e0bcbc1d (Fri Feb 10 00:00:16 2017) binutils was built with ASAN using gcc-6.2 and clang-3.4. The configure command was: CC=clang CFLAGS="-DFORTIFY_SOURCE=2 -fstack-protector-all -fsanitize=undefined,address -fno-omit-frame-pointer -g -Wno-error" ../configure --disable-shared --disable-gdb --disable-libdecnumber --disable-readline --disable-sim To reproduce: Download the attached file - bug_13 readelf -p 7 bug_13 Valgrind says: ==12826== Invalid read of size 1 ==12826== at 0x423674: process_section_contents (readelf.c:13097) ==12826== by 0x423674: process_object (readelf.c:16780) ==12826== by 0x402111: process_file (readelf.c:17154) ==12826== by 0x402111: main (readelf.c:17225) ==12826== Address 0x51fd5a8 is 0 bytes after a block of size 8 alloc'd ==12826== at 0x4C2CC70: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==12826== by 0x406B10: request_dump_bynumber (readelf.c:4298) ==12826== by 0x406BFA: request_dump (readelf.c:4356) ==12826== by 0x401D47: parse_args (readelf.c:4449) ==12826== by 0x401D47: main (readelf.c:17198) ASAN says: ==3009==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ef58 at pc 0x4e1b6d bp 0x7ffca5290210 sp 0x7ffca5290208 READ of size 1 at 0x60200000ef58 thread T0 #0 0x4e1b6c in process_section_contents /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:13097 #1 0x48d610 in process_object /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:16780 #2 0x488365 in process_file /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:17154 #3 0x4855c3 in main /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:17225 #4 0x7f6ce7ee1f44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44) #5 0x47ddfc in _start (/home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/readelf+0x47ddfc)