Bug 23064

Summary: Buffer overflow (read of size 8) in Dwarf
Product: binutils
Component: binutils
Version: 2.31
Status: RESOLVED FIXED
Severity: normal
Priority: P2
Target Milestone: ---
Reporter: Thuan Pham <thuanpv>
Assignee: Not yet assigned to anyone <unassigned>
CC: nickc
Attachments: Bug-revealing sample input

Description Thuan Pham 2018-04-14 01:43:43 UTC
Created attachment 10951: Bug-revealing sample input

Dear all,

This bug was found with AFLSmart, an extension of AFL. Thanks also to Marcel Böhme, Andrew Santosa and Alexandru Razvan Caciulescu. 

This bug was found on Ubuntu 16.04 64-bit, and binutils was checked out from the main repository at git://sourceware.org/git/binutils-gdb.git. Its commit is 68e91e42492551e165b103d819c021c4953da10b (April 14 2018).

To reproduce:

Compile binutils with ASAN enabled

CC=gcc-6 CXX=g++-6 CFLAGS="-D_FORTIFY_SOURCE=2 -fstack-protector-all -fsanitize=undefined,address -fno-omit-frame-pointer -g -Wno-error" CXXFLAGS="$CFLAGS" ./configure --disable-shared --disable-gdb --disable-libdecnumber --disable-readline --disable-sim

Download the attached file - bug3
readelf -w bug3

ASAN says:

readelf: Warning: Section 0 has an out of range sh_link value of 4160749568
readelf: Warning: Section 1 has an out of range sh_link value of 16769792
readelf: Warning: Section 2 has an out of range sh_link value of 33554432
readelf: Warning: Section 6 has an out of range sh_link value of 247
readelf: Warning: Section 7 has an out of range sh_link value of 2130706432
readelf: Warning: Section 11 has an out of range sh_link value of 774778414
readelf: Warning: Section 12 has an out of range sh_link value of 774778414
readelf: Warning: possibly corrupt ELF header - it has a non-zero program header offset, but no program headers
readelf: Warning: could not find separate debug file ''
readelf: Warning: tried: /lib/debug/
readelf: Warning: tried: /usr/lib/debug/usr/
readelf: Warning: tried: /usr/lib/debug/
readelf: Warning: tried: /home/thuan/experiments/binutils-gdb-asan-newest/binutils/.debug/
readelf: Warning: tried: /home/thuan/experiments/binutils-gdb-asan-newest/binutils/
readelf: Warning: tried: .debug/
readelf: Warning: tried: 
=================================================================
==24671==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60700000dd58 at pc 0x0000004c0942 bp 0x7ffe992edb10 sp 0x7ffe992edb00
READ of size 8 at 0x60700000dd58 thread T0
    #0 0x4c0941 in process_cu_tu_index /home/thuan/experiments/binutils-gdb-asan-newest/binutils/dwarf.c:9290
    #1 0x4c189f in load_cu_tu_indexes /home/thuan/experiments/binutils-gdb-asan-newest/binutils/dwarf.c:9411
    #2 0x4c1926 in find_cu_tu_set /home/thuan/experiments/binutils-gdb-asan-newest/binutils/dwarf.c:9429
    #3 0x461fe2 in display_debug_section /home/thuan/experiments/binutils-gdb-asan-newest/binutils/readelf.c:13703
    #4 0x4628ab in process_section_contents /home/thuan/experiments/binutils-gdb-asan-newest/binutils/readelf.c:13796
    #5 0x47c7ba in process_object /home/thuan/experiments/binutils-gdb-asan-newest/binutils/readelf.c:18684
    #6 0x47e9d0 in process_file /home/thuan/experiments/binutils-gdb-asan-newest/binutils/readelf.c:19104
    #7 0x47ed55 in main /home/thuan/experiments/binutils-gdb-asan-newest/binutils/readelf.c:19163
    #8 0x7f863ba9c82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #9 0x4025d8 in _start (/home/thuan/experiments/binutils-gdb-asan-newest/binutils/readelf+0x4025d8)

0x60700000dd5f is located 0 bytes to the right of 79-byte region [0x60700000dd10,0x60700000dd5f)
allocated by thread T0 here:
    #0 0x7f863cc2bf70 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc6f70)
    #1 0x40b573 in get_data /home/thuan/experiments/binutils-gdb-asan-newest/binutils/readelf.c:421
    #2 0x4600d1 in load_specific_debug_section /home/thuan/experiments/binutils-gdb-asan-newest/binutils/readelf.c:13477
    #3 0x461605 in load_debug_section /home/thuan/experiments/binutils-gdb-asan-newest/binutils/readelf.c:13630
    #4 0x48e235 in load_debug_section_with_follow /home/thuan/experiments/binutils-gdb-asan-newest/binutils/dwarf.c:2705
    #5 0x4c188c in load_cu_tu_indexes /home/thuan/experiments/binutils-gdb-asan-newest/binutils/dwarf.c:9410
    #6 0x4c1926 in find_cu_tu_set /home/thuan/experiments/binutils-gdb-asan-newest/binutils/dwarf.c:9429
    #7 0x461fe2 in display_debug_section /home/thuan/experiments/binutils-gdb-asan-newest/binutils/readelf.c:13703
    #8 0x4628ab in process_section_contents /home/thuan/experiments/binutils-gdb-asan-newest/binutils/readelf.c:13796
    #9 0x47c7ba in process_object /home/thuan/experiments/binutils-gdb-asan-newest/binutils/readelf.c:18684
    #10 0x47e9d0 in process_file /home/thuan/experiments/binutils-gdb-asan-newest/binutils/readelf.c:19104
    #11 0x47ed55 in main /home/thuan/experiments/binutils-gdb-asan-newest/binutils/readelf.c:19163
    #12 0x7f863ba9c82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/thuan/experiments/binutils-gdb-asan-newest/binutils/dwarf.c:9290 in process_cu_tu_index

Thanks,

Thuan
Comment 1 Sourceware Commits 2018-04-17 11:37:08 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=6aea08d9f3e3d6475a65454da488a0c51f5dc97d

commit 6aea08d9f3e3d6475a65454da488a0c51f5dc97d
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Apr 17 12:35:55 2018 +0100

    Fix illegal memory access when parsing corrupt DWARF information.
    
    	PR 23064
    	* dwarf.c (process_cu_tu_index): Test for a potential buffer
    	overrun before copying signature pointer.
Comment 2 Nick Clifton 2018-04-17 11:41:57 UTC
Hi Thuan,

  Thanks for reporting this bug.  I have checked in a small patch to fix
  the problem, so I hope that the issue is now resolved.

Cheers
  Nick