Bug 21149 - readelf - several invalid read
Summary: readelf - several invalid read
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils (show other bugs)
Version: 2.29
: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-02-13 10:09 UTC by Thuan Pham
Modified: 2017-02-15 14:29 UTC (History)
1 user (show)

See Also:
Host:
Target:
Build:
Last reconfirmed:


Attachments
Bug triggering input (1.33 KB, application/x-object)
2017-02-13 10:09 UTC, Thuan Pham
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Thuan Pham 2017-02-13 10:09:04 UTC
Created attachment 9816 [details]
Bug triggering input

Dear all,

This bug was found with AFLGo, a directed version of AFL/AFLFast. Thanks also to Marcel Böhme. 

This bug was found on Ubuntu 14.04 64-bit & binutils was checkout from main repository at git://sourceware.org/git/binutils-gdb.git. Its commit is 53f7e8ea7fad1fcff1b58f4cbd74e192e0bcbc1d (Fri Feb 10 00:00:16 2017) 

binutils was built with ASAN using gcc-6.2 and clang-3.4. The configure command was:

CC=clang CFLAGS="-DFORTIFY_SOURCE=2 -fstack-protector-all -fsanitize=undefined,address -fno-omit-frame-pointer -g -Wno-error" ../configure --disable-shared --disable-gdb --disable-libdecnumber --disable-readline --disable-sim

To reproduce:
Download the attached file - bug_15
readelf -zxt bug_15


Valgrind says:
==81060== Invalid read of size 1
==81060==    at 0x438D7C: byte_get_little_endian (elfcomm.c:211)
==81060==    by 0x408707: get_compression_header (readelf.c:5735)
==81060==    by 0x40EADA: dump_section_as_bytes (readelf.c:12700)
==81060==    by 0x42332E: process_section_contents (readelf.c:13082)
==81060==    by 0x42332E: process_object (readelf.c:16780)
==81060==    by 0x402111: process_file (readelf.c:17154)
==81060==    by 0x402111: main (readelf.c:17225)
==81060==  Address 0x5203c62 is 0 bytes after a block of size 18 alloc'd
==81060==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==81060==    by 0x40566E: get_data (readelf.c:393)
==81060==    by 0x40E7EB: dump_section_as_bytes (readelf.c:12685)
==81060==    by 0x42332E: process_section_contents (readelf.c:13082)
==81060==    by 0x42332E: process_object (readelf.c:16780)
==81060==    by 0x402111: process_file (readelf.c:17154)
==81060==    by 0x402111: main (readelf.c:17225)
==81060== 
==81060== Invalid read of size 1
==81060==    at 0x438D92: byte_get_little_endian (elfcomm.c:212)
==81060==    by 0x408707: get_compression_header (readelf.c:5735)
==81060==    by 0x40EADA: dump_section_as_bytes (readelf.c:12700)
==81060==    by 0x42332E: process_section_contents (readelf.c:13082)
==81060==    by 0x42332E: process_object (readelf.c:16780)
==81060==    by 0x402111: process_file (readelf.c:17154)
==81060==    by 0x402111: main (readelf.c:17225)
==81060==  Address 0x5203c63 is 1 bytes after a block of size 18 alloc'd
==81060==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==81060==    by 0x40566E: get_data (readelf.c:393)
==81060==    by 0x40E7EB: dump_section_as_bytes (readelf.c:12685)
==81060==    by 0x42332E: process_section_contents (readelf.c:13082)
==81060==    by 0x42332E: process_object (readelf.c:16780)
==81060==    by 0x402111: process_file (readelf.c:17154)
==81060==    by 0x402111: main (readelf.c:17225)
==81060== 
==81060== Invalid read of size 1
==81060==    at 0x438D9D: byte_get_little_endian (elfcomm.c:213)
==81060==    by 0x408707: get_compression_header (readelf.c:5735)
==81060==    by 0x40EADA: dump_section_as_bytes (readelf.c:12700)
==81060==    by 0x42332E: process_section_contents (readelf.c:13082)
==81060==    by 0x42332E: process_object (readelf.c:16780)
==81060==    by 0x402111: process_file (readelf.c:17154)
==81060==    by 0x402111: main (readelf.c:17225)
==81060==  Address 0x5203c64 is 2 bytes after a block of size 18 alloc'd
==81060==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==81060==    by 0x40566E: get_data (readelf.c:393)
==81060==    by 0x40E7EB: dump_section_as_bytes (readelf.c:12685)
==81060==    by 0x42332E: process_section_contents (readelf.c:13082)
==81060==    by 0x42332E: process_object (readelf.c:16780)
==81060==    by 0x402111: process_file (readelf.c:17154)
==81060==    by 0x402111: main (readelf.c:17225)
==81060== 
==81060== Invalid read of size 1
==81060==    at 0x438DA8: byte_get_little_endian (elfcomm.c:214)
==81060==    by 0x408707: get_compression_header (readelf.c:5735)
==81060==    by 0x40EADA: dump_section_as_bytes (readelf.c:12700)
==81060==    by 0x42332E: process_section_contents (readelf.c:13082)
==81060==    by 0x42332E: process_object (readelf.c:16780)
==81060==    by 0x402111: process_file (readelf.c:17154)
==81060==    by 0x402111: main (readelf.c:17225)
==81060==  Address 0x5203c65 is 3 bytes after a block of size 18 alloc'd
==81060==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==81060==    by 0x40566E: get_data (readelf.c:393)
==81060==    by 0x40E7EB: dump_section_as_bytes (readelf.c:12685)
==81060==    by 0x42332E: process_section_contents (readelf.c:13082)
==81060==    by 0x42332E: process_object (readelf.c:16780)
==81060==    by 0x402111: process_file (readelf.c:17154)
==81060==    by 0x402111: main (readelf.c:17225)
==81060== 
==81060== Invalid read of size 1
==81060==    at 0x438DB3: byte_get_little_endian (elfcomm.c:215)
==81060==    by 0x408707: get_compression_header (readelf.c:5735)
==81060==    by 0x40EADA: dump_section_as_bytes (readelf.c:12700)
==81060==    by 0x42332E: process_section_contents (readelf.c:13082)
==81060==    by 0x42332E: process_object (readelf.c:16780)
==81060==    by 0x402111: process_file (readelf.c:17154)
==81060==    by 0x402111: main (readelf.c:17225)
==81060==  Address 0x5203c66 is 4 bytes after a block of size 18 alloc'd
==81060==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==81060==    by 0x40566E: get_data (readelf.c:393)
==81060==    by 0x40E7EB: dump_section_as_bytes (readelf.c:12685)
==81060==    by 0x42332E: process_section_contents (readelf.c:13082)
==81060==    by 0x42332E: process_object (readelf.c:16780)
==81060==    by 0x402111: process_file (readelf.c:17154)
==81060==    by 0x402111: main (readelf.c:17225)
==81060== 
==81060== Invalid read of size 1
==81060==    at 0x438DBE: byte_get_little_endian (elfcomm.c:216)
==81060==    by 0x408707: get_compression_header (readelf.c:5735)
==81060==    by 0x40EADA: dump_section_as_bytes (readelf.c:12700)
==81060==    by 0x42332E: process_section_contents (readelf.c:13082)
==81060==    by 0x42332E: process_object (readelf.c:16780)
==81060==    by 0x402111: process_file (readelf.c:17154)
==81060==    by 0x402111: main (readelf.c:17225)
==81060==  Address 0x5203c67 is 5 bytes after a block of size 18 alloc'd
==81060==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==81060==    by 0x40566E: get_data (readelf.c:393)
==81060==    by 0x40E7EB: dump_section_as_bytes (readelf.c:12685)
==81060==    by 0x42332E: process_section_contents (readelf.c:13082)
==81060==    by 0x42332E: process_object (readelf.c:16780)
==81060==    by 0x402111: process_file (readelf.c:17154)
==81060==    by 0x402111: main (readelf.c:17225)


ASAN says:
==71214==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000ef92 at pc 0x7269ba bp 0x7fff700914d0 sp 0x7fff700914c8
READ of size 1 at 0x60300000ef92 thread T0
    #0 0x7269b9 in byte_get_little_endian /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/elfcomm.c:209
    #1 0x5662f4 in get_compression_header /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:5735
    #2 0x55c685 in dump_section_as_bytes /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:12701
    #3 0x4e1320 in process_section_contents /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:13082
    #4 0x48d610 in process_object /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:16780
    #5 0x488365 in process_file /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:17154
    #6 0x4855c3 in main /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:17225
    #7 0x7f838215af44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #8 0x47ddfc in _start (/home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/readelf+0x47ddfc)
Comment 1 cvs-commit@gcc.gnu.org 2017-02-13 14:54:04 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ebdf1ebfa551fd4624c3cd05401aa3c01ea2ebbe

commit ebdf1ebfa551fd4624c3cd05401aa3c01ea2ebbe
Author: Nick Clifton <nickc@redhat.com>
Date:   Mon Feb 13 14:52:48 2017 +0000

    Fix invalid memory access attempting to read the compression header of a too-small compressed section.
    
    	PR binutils/21149
    	* readelf.c (get_compression_header): Add size parameter.  Check
    	size against sizeof compression header before attempting to
    	extract the header.
    	(process_section_headers): Pass size to get_compression_header.
    	(dump_section_as_strings): Likewise.
    	(dump_section_as_bytes): Likewise.
    	(load_specific_debug_section): Likewise.
Comment 2 Nick Clifton 2017-02-13 14:55:39 UTC
Hi Thuan,

  Thanks for reporting this bug.  I have checked in a patch to fix it.

  The problem here was that the code to read the compression header at
  the start of a compressed section was assuming that enough bytes were
  available in the section for the header.  I added code to check this
  assumption before attempting to extract the header.

Cheers
  Nick
Comment 3 Thuan Pham 2017-02-15 14:29:31 UTC
Thanks Nick. The bug has been resolved.