Bug 21135 - readelf segfault - invalid read
Summary: readelf segfault - invalid read
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils (show other bugs)
Version: 2.29
: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-02-13 08:52 UTC by Thuan Pham
Modified: 2017-04-13 06:08 UTC (History)
1 user (show)

See Also:
Host:
Target:
Build:
Last reconfirmed:


Attachments
Crashing input (386 bytes, application/x-object)
2017-02-13 08:52 UTC, Thuan Pham
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Thuan Pham 2017-02-13 08:52:34 UTC
Created attachment 9802 [details]
Crashing input

Dear all,

This bug was found with AFLGo, a directed version of AFL/AFLFast. Thanks also to Marcel Böhme. We found several inputs causing readelf to crash. we will report all of them one by one.

This bug was found on Ubuntu 14.04 64-bit & binutils was checkout from main repository at git://sourceware.org/git/binutils-gdb.git. Its commit is 53f7e8ea7fad1fcff1b58f4cbd74e192e0bcbc1d (Fri Feb 10 00:00:16 2017) 

To reproduce:
Download the attached file - bug_1
readelf -zR3 bug_1

Valgrind says:
==54145== Command: /home/ubuntu/thesis/subjects/binutils-newest/build-normal/binutils/readelf -zR3 bug_1
==54145== 
readelf: Warning: Section 1 has an out of range sh_info value of 61440
readelf: Warning: Section 3 has an out of range sh_link value of 1179648
readelf: Warning: Section 4 has an out of range sh_link value of 4278190955
readelf: Warning: Section 5 has an out of range sh_link value of 1310720
readelf: Warning: Section 6 has an out of range sh_link value of 1953068403
readelf: Warning: Section 7 has an out of range sh_link value of 117442048
readelf: Error: Reading 0x180064 bytes extends past end of file for string table
readelf: Error: Section 3 has invalid sh_entsize of 0600000000000000
readelf: Error: (Using the expected size of 24 for the rest of this dump)

Hex dump of section '<no-name>':
==54145== Invalid read of size 1
==54145==    at 0x40E9A0: dump_section_as_bytes (readelf.c:12786)
==54145==    by 0x42334D: process_section_contents (readelf.c:13085)
==54145==    by 0x42334D: process_object (readelf.c:16780)
==54145==    by 0x402111: process_file (readelf.c:17154)
==54145==    by 0x402111: main (readelf.c:17225)
==54145==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==54145== 
==54145== 
==54145== Process terminating with default action of signal 11 (SIGSEGV)
==54145==  Access not within mapped region at address 0x0
==54145==    at 0x40E9A0: dump_section_as_bytes (readelf.c:12786)
==54145==    by 0x42334D: process_section_contents (readelf.c:13085)
==54145==    by 0x42334D: process_object (readelf.c:16780)
==54145==    by 0x402111: process_file (readelf.c:17154)
==54145==    by 0x402111: main (readelf.c:17225)

ASAN says:
==57956==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000055efcf sp 0x7fff2de971a0 bp 0x7fff2de97af0 T0)
    #0 0x55efce in dump_section_as_bytes /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:12786
    #1 0x4e1531 in process_section_contents /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:13085
    #2 0x48d610 in process_object /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:16780
    #3 0x488365 in process_file /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:17154
    #4 0x4855c3 in main /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:17225
    #5 0x7f62892d3f44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #6 0x47ddfc in _start (/home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/readelf+0x47ddfc)
Comment 1 Thuan Pham 2017-02-13 10:14:19 UTC
binutils was built with ASAN using gcc-6.2 and clang-3.4. The configure command was:

CC=clang CFLAGS="-DFORTIFY_SOURCE=2 -fstack-protector-all -fsanitize=undefined,address -fno-omit-frame-pointer -g -Wno-error" ../configure --disable-shared --disable-gdb --disable-libdecnumber --disable-readline --disable-sim
Comment 2 cvs-commit@gcc.gnu.org 2017-02-13 15:05:59 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f055032e4e922f1e1a5e11026c7c2669fa2a7d19

commit f055032e4e922f1e1a5e11026c7c2669fa2a7d19
Author: Nick Clifton <nickc@redhat.com>
Date:   Mon Feb 13 15:04:37 2017 +0000

    Fix invalid read of section contents whilst processing a corrupt binary.
    
    	PR binutils/21135
    	* readelf.c (dump_section_as_bytes): Handle the case where
    	uncompress_section_contents returns false.
Comment 3 Nick Clifton 2017-02-13 15:07:44 UTC
Hi Thuan,

  Thanks for reporting this bug.  I have checked in a patch to fix the problem.

  The bug here was the uncompress_section_contents function was detecting
  a malformed compressed section, but the dump_section_as_bytes function
  was not checking to see if the decompression had actually worked.

Cheers
  Nick
Comment 4 cvs-commit@gcc.gnu.org 2017-02-13 15:21:16 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=1835f746a7c7fff70a2cc03a051b14fdc6b3f73f

commit 1835f746a7c7fff70a2cc03a051b14fdc6b3f73f
Author: Nick Clifton <nickc@redhat.com>
Date:   Mon Feb 13 15:19:48 2017 +0000

    Extend previous patch to cover uncompress_section_contents returning FALSE to other callers.
    
    	PR binutils/21135
    	(dump_section_as_bytes, load_specific_debug_section): Likewise.
Comment 5 Thuan Pham 2017-04-13 06:08:39 UTC
This is CVE-2017-7209