Created attachment 9802 [details] Crashing input Dear all, This bug was found with AFLGo, a directed version of AFL/AFLFast. Thanks also to Marcel Böhme. We found several inputs causing readelf to crash. we will report all of them one by one. This bug was found on Ubuntu 14.04 64-bit & binutils was checkout from main repository at git://sourceware.org/git/binutils-gdb.git. Its commit is 53f7e8ea7fad1fcff1b58f4cbd74e192e0bcbc1d (Fri Feb 10 00:00:16 2017) To reproduce: Download the attached file - bug_1 readelf -zR3 bug_1 Valgrind says: ==54145== Command: /home/ubuntu/thesis/subjects/binutils-newest/build-normal/binutils/readelf -zR3 bug_1 ==54145== readelf: Warning: Section 1 has an out of range sh_info value of 61440 readelf: Warning: Section 3 has an out of range sh_link value of 1179648 readelf: Warning: Section 4 has an out of range sh_link value of 4278190955 readelf: Warning: Section 5 has an out of range sh_link value of 1310720 readelf: Warning: Section 6 has an out of range sh_link value of 1953068403 readelf: Warning: Section 7 has an out of range sh_link value of 117442048 readelf: Error: Reading 0x180064 bytes extends past end of file for string table readelf: Error: Section 3 has invalid sh_entsize of 0600000000000000 readelf: Error: (Using the expected size of 24 for the rest of this dump) Hex dump of section '<no-name>': ==54145== Invalid read of size 1 ==54145== at 0x40E9A0: dump_section_as_bytes (readelf.c:12786) ==54145== by 0x42334D: process_section_contents (readelf.c:13085) ==54145== by 0x42334D: process_object (readelf.c:16780) ==54145== by 0x402111: process_file (readelf.c:17154) ==54145== by 0x402111: main (readelf.c:17225) ==54145== Address 0x0 is not stack'd, malloc'd or (recently) free'd ==54145== ==54145== ==54145== Process terminating with default action of signal 11 (SIGSEGV) ==54145== Access not within mapped region at address 0x0 ==54145== at 0x40E9A0: dump_section_as_bytes (readelf.c:12786) ==54145== by 0x42334D: process_section_contents (readelf.c:13085) ==54145== by 0x42334D: process_object (readelf.c:16780) ==54145== by 0x402111: process_file (readelf.c:17154) ==54145== by 0x402111: main (readelf.c:17225) ASAN says: ==57956==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000055efcf sp 0x7fff2de971a0 bp 0x7fff2de97af0 T0) #0 0x55efce in dump_section_as_bytes /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:12786 #1 0x4e1531 in process_section_contents /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:13085 #2 0x48d610 in process_object /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:16780 #3 0x488365 in process_file /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:17154 #4 0x4855c3 in main /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:17225 #5 0x7f62892d3f44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44) #6 0x47ddfc in _start (/home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/readelf+0x47ddfc)
binutils was built with ASAN using gcc-6.2 and clang-3.4. The configure command was: CC=clang CFLAGS="-DFORTIFY_SOURCE=2 -fstack-protector-all -fsanitize=undefined,address -fno-omit-frame-pointer -g -Wno-error" ../configure --disable-shared --disable-gdb --disable-libdecnumber --disable-readline --disable-sim
The master branch has been updated by Nick Clifton <nickc@sourceware.org>: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f055032e4e922f1e1a5e11026c7c2669fa2a7d19 commit f055032e4e922f1e1a5e11026c7c2669fa2a7d19 Author: Nick Clifton <nickc@redhat.com> Date: Mon Feb 13 15:04:37 2017 +0000 Fix invalid read of section contents whilst processing a corrupt binary. PR binutils/21135 * readelf.c (dump_section_as_bytes): Handle the case where uncompress_section_contents returns false.
Hi Thuan, Thanks for reporting this bug. I have checked in a patch to fix the problem. The bug here was the uncompress_section_contents function was detecting a malformed compressed section, but the dump_section_as_bytes function was not checking to see if the decompression had actually worked. Cheers Nick
The master branch has been updated by Nick Clifton <nickc@sourceware.org>: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=1835f746a7c7fff70a2cc03a051b14fdc6b3f73f commit 1835f746a7c7fff70a2cc03a051b14fdc6b3f73f Author: Nick Clifton <nickc@redhat.com> Date: Mon Feb 13 15:19:48 2017 +0000 Extend previous patch to cover uncompress_section_contents returning FALSE to other callers. PR binutils/21135 (dump_section_as_bytes, load_specific_debug_section): Likewise.
This is CVE-2017-7209