Bug 21148 - readelf - multiple invalid read
Summary: readelf - multiple invalid read
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils (show other bugs)
Version: 2.29
: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-02-13 10:05 UTC by Thuan Pham
Modified: 2017-02-13 14:39 UTC (History)
1 user (show)

See Also:
Host:
Target:
Build:
Last reconfirmed:


Attachments
Bug triggering input (791 bytes, application/octet-stream)
2017-02-13 10:05 UTC, Thuan Pham
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Thuan Pham 2017-02-13 10:05:03 UTC
Created attachment 9815 [details]
Bug triggering input

Dear all,

This bug was found with AFLGo, a directed version of AFL/AFLFast. Thanks also to Marcel Böhme. 

This bug was found on Ubuntu 14.04 64-bit & binutils was checkout from main repository at git://sourceware.org/git/binutils-gdb.git. Its commit is 53f7e8ea7fad1fcff1b58f4cbd74e192e0bcbc1d (Fri Feb 10 00:00:16 2017) 

binutils was built with ASAN using gcc-6.2 and clang-3.4. The configure command was:

CC=clang CFLAGS="-DFORTIFY_SOURCE=2 -fstack-protector-all -fsanitize=undefined,address -fno-omit-frame-pointer -g -Wno-error" ../configure --disable-shared --disable-gdb --disable-libdecnumber --disable-readline --disable-sim

To reproduce:
Download the attached file - bug_14
readelf -a bug_14


Valgrind says:
==46771== Invalid read of size 1
==46771==    at 0x438E2A: byte_get_little_endian (elfcomm.c:151)
==46771==    by 0x41127E: process_version_sections (readelf.c:10029)
==46771==    by 0x422E63: process_object (readelf.c:16778)
==46771==    by 0x402111: process_file (readelf.c:17154)
==46771==    by 0x402111: main (readelf.c:17225)
==46771==  Address 0x52086b8 is 0 bytes after a block of size 248 alloc'd
==46771==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==46771==    by 0x40566E: get_data (readelf.c:393)
==46771==    by 0x411112: process_version_sections (readelf.c:9980)
==46771==    by 0x422E63: process_object (readelf.c:16778)
==46771==    by 0x402111: process_file (readelf.c:17154)
==46771==    by 0x402111: main (readelf.c:17225)
==46771== 
==46771== Invalid read of size 1
==46771==    at 0x438E10: byte_get_little_endian (elfcomm.c:149)
==46771==    by 0x411291: process_version_sections (readelf.c:10030)
==46771==    by 0x422E63: process_object (readelf.c:16778)
==46771==    by 0x402111: process_file (readelf.c:17154)
==46771==    by 0x402111: main (readelf.c:17225)
==46771==  Address 0x52086ba is 2 bytes after a block of size 248 alloc'd
==46771==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==46771==    by 0x40566E: get_data (readelf.c:393)
==46771==    by 0x411112: process_version_sections (readelf.c:9980)
==46771==    by 0x422E63: process_object (readelf.c:16778)
==46771==    by 0x402111: process_file (readelf.c:17154)
==46771==    by 0x402111: main (readelf.c:17225)
==46771== 
==46771== Invalid read of size 1
==46771==    at 0x438E14: byte_get_little_endian (elfcomm.c:150)
==46771==    by 0x411291: process_version_sections (readelf.c:10030)
==46771==    by 0x422E63: process_object (readelf.c:16778)
==46771==    by 0x402111: process_file (readelf.c:17154)
==46771==    by 0x402111: main (readelf.c:17225)
==46771==  Address 0x52086bb is 3 bytes after a block of size 248 alloc'd
==46771==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==46771==    by 0x40566E: get_data (readelf.c:393)
==46771==    by 0x411112: process_version_sections (readelf.c:9980)
==46771==    by 0x422E63: process_object (readelf.c:16778)
==46771==    by 0x402111: process_file (readelf.c:17154)
==46771==    by 0x402111: main (readelf.c:17225)
==46771== 
==46771== Invalid read of size 1
==46771==    at 0x438E24: byte_get_little_endian (elfcomm.c:148)
==46771==    by 0x411291: process_version_sections (readelf.c:10030)
==46771==    by 0x422E63: process_object (readelf.c:16778)
==46771==    by 0x402111: process_file (readelf.c:17154)
==46771==    by 0x402111: main (readelf.c:17225)
==46771==  Address 0x52086b9 is 1 bytes after a block of size 248 alloc'd
==46771==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==46771==    by 0x40566E: get_data (readelf.c:393)
==46771==    by 0x411112: process_version_sections (readelf.c:9980)
==46771==    by 0x422E63: process_object (readelf.c:16778)
==46771==    by 0x402111: process_file (readelf.c:17154)
==46771==    by 0x402111: main (readelf.c:17225)
==46771== 
==46771== Invalid read of size 1
==46771==    at 0x438E2A: byte_get_little_endian (elfcomm.c:151)
==46771==    by 0x411291: process_version_sections (readelf.c:10030)
==46771==    by 0x422E63: process_object (readelf.c:16778)
==46771==    by 0x402111: process_file (readelf.c:17154)
==46771==    by 0x402111: main (readelf.c:17225)
==46771==  Address 0x52086bc is 4 bytes after a block of size 248 alloc'd
==46771==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==46771==    by 0x40566E: get_data (readelf.c:393)
==46771==    by 0x411112: process_version_sections (readelf.c:9980)
==46771==    by 0x422E63: process_object (readelf.c:16778)
==46771==    by 0x402111: process_file (readelf.c:17154)
==46771==    by 0x402111: main (readelf.c:17225)


ASAN says:
==38490==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000009eb8 at pc 0x724f22 bp 0x7ffc974cbe90 sp 0x7ffc974cbe88
READ of size 1 at 0x611000009eb8 thread T0
    #0 0x724f21 in byte_get_little_endian /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/elfcomm.c:148
    #1 0x4d4740 in process_version_sections /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:10029
    #2 0x48d5d6 in process_object /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:16778
    #3 0x488365 in process_file /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:17154
    #4 0x4855c3 in main /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:17225
    #5 0x7f47bbed2f44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #6 0x47ddfc in _start (/home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/readelf+0x47ddfc)
Comment 1 Nick Clifton 2017-02-13 14:38:33 UTC
Hi Thuan,

  Thanks for reporting this bug.  I have checked in a patch to fix the problem.

  At issue was the code in readelf which was checking for a possible buffer
  overflow.  The code worked, but it forgot to allow for a very small overflow
  that just exceeded the buffer size.

Cheers
  Nick
Comment 2 cvs-commit@gcc.gnu.org 2017-02-13 14:39:24 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=4aeb00ad3cc6a29b32f0a4e42c2f64d55e25b76d

commit 4aeb00ad3cc6a29b32f0a4e42c2f64d55e25b76d
Author: Nick Clifton <nickc@redhat.com>
Date:   Mon Feb 13 14:35:24 2017 +0000

    Fix check for buffer overflow when processing version information.
    
    	PR binutils/21148
    	* readelf.c (process_version_sections): Include size of auxillary
    	version information when checking for buffer overflow.