Bug 24081

Summary: buffer over-read Problem in elf32_xlatetom function in libelf
Product: elfutils Reporter: wcventure <wcventure>
Component: libelfAssignee: Not yet assigned to anyone <unassigned>
Status: RESOLVED DUPLICATE    
Severity: normal CC: elfutils-devel, mark
Priority: P2    
Version: unspecified   
Target Milestone: ---   
Host: Target:
Build: Last reconfirmed:
Attachments: POC1
POC2

Description wcventure 2019-01-10 13:21:47 UTC
Created attachment 11527 [details]
POC1

Hi there,

Our fuzzer caught Use-after-free problem in eu-readelf of the latest elfutils-0.174 code base when calling memmove in elf32_xlatetom function in libelf, this inputs will cause the segment faults and I have confirmed them with address sanitizer too. 

Please use the "./eu-readelf -a $POC"to reproduce the bug. If you have any questions, please let me know.

git log

> commit 1dabad36ee28aa76b8cf14b6426b379cabee6def
> Author: Jim Wilson <jimw@sifive.com>
> Date:   Thu Dec 27 15:25:49 2018 -0800
> 
>     RISC-V: Improve riscv64 core file support.
> 
>     This fixes two problems.  The offset for x1 is changed from 1 to 8 because
>     this is a byte offset not a register skip count.  Support for reading the
>     PC value is added.  This requires changing the testsuite to match the new
>     readelf output for coredumps.
> 
>     Signed-off-by: Jim Wilson <jimw@sifive.com>


The ASAN dumps the stack trace as follows:

> ==7822==ERROR: AddressSanitizer: unknown-crash on address 0x7f773670a000 at pc 0x7f7735694e2b bp 0x7ffcba3c16a0 sp 0x7ffcba3c0e48
> READ of size 8 at 0x7f773670a000 thread T0
>     #0 0x7f7735694e2a in memmove (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x7ae2a)
>     #1 0x7f7734d5a9bb in memmove /usr/include/x86_64-linux-gnu/bits/string3.h:59
>     #2 0x7f7734d5a9bb in elf32_xlatetom /elfutils/libelf/elf32_xlatetom.c:100
>     #3 0x56d6b8 in ebl_object_note /elfutils/libebl/eblobjnote.c:342
>     #4 0x4a06f3 in handle_notes_data /elfutils/src/readelf.c:12251
>     #5 0x4c5b47 in handle_notes /elfutils/src/readelf.c:12315
>     #6 0x4c5b47 in process_elf_file /elfutils/src/readelf.c:1000
>     #7 0x4c5b47 in process_dwflmod /elfutils/src/readelf.c:760
>     #8 0x7f7735265e9c in dwfl_getmodules /elfutils/libdwfl/dwfl_getmodules.c:86
>     #9 0x41399c in process_file /elfutils/src/readelf.c:868
>     #10 0x405df6 in main /elfutils/src/readelf.c:350
>     #11 0x7f773477b82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
>     #12 0x406ef8 in _start (/elfutils/build/bin/eu-readelf+0x406ef8)
> 
> Address 0x7f773670a000 is a wild pointer.
> SUMMARY: AddressSanitizer: unknown-crash (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x7ae2a) in memmove
> Shadow bytes around the buggy address:
>   0x0fef66cd93b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0fef66cd93c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0fef66cd93d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0fef66cd93e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0fef66cd93f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> =>0x0fef66cd9400:[fe]fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
>   0x0fef66cd9410: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
>   0x0fef66cd9420: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
>   0x0fef66cd9430: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
>   0x0fef66cd9440: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
>   0x0fef66cd9450: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07
>   Heap left redzone:       fa
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Container overflow:      fc
>   Array cookie:            ac
>   Intra object redzone:    bb
>   ASan internal:           fe
>   Left alloca redzone:     ca
>   Right alloca redzone:    cb
> ==7822==ABORTING
Comment 1 wcventure 2019-01-10 13:26:05 UTC
Created attachment 11528 [details]
POC2
Comment 2 Mark Wielaard 2019-01-15 13:16:58 UTC
This is really just the same as https://sourceware.org/bugzilla/show_bug.cgi?id=24075 we should check the pr_datasz.

*** This bug has been marked as a duplicate of bug 24075 ***