Created attachment 10851 [details] poc On latest version (0.170) and master branch of elfutils: there is a heap-buffer-buffer overflow in check_group function of src/elflint.c file, which could be triggered by the poc below. This issue is caused by a invalid access in elflint.c:2719. Note that this issue is different from Bug 21320, which is already fixed in version 0.169. To reproduce the issue, run: ./eu-elflint -d $POC ==128199==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x612000000140 at pc 0x000000420193 bp 0x7ffe6213d5a0 sp 0x7ffe6213d598 READ of size 4 at 0x612000000140 thread T0 #0 0x420192 in check_group /u/tmp/folder/product/elfutils/master/src/src/elflint.c:2719 #1 0x4359f1 in check_sections /u/tmp/folder/product/elfutils/master/src/src/elflint.c:4176 #2 0x43e086 in process_elf_file /u/tmp/folder/product/elfutils/master/src/src/elflint.c:4740 #3 0x43e086 in process_file /u/tmp/folder/product/elfutils/master/src/src/elflint.c:243 #4 0x403241 in main /u/tmp/folder/product/elfutils/master/src/src/elflint.c:176 #5 0x7f5f40d47c04 in __libc_start_main (/lib64/libc.so.6+0x21c04) #6 0x404263 (/home/tmp/folder/product/elfutils/master/exe_asan/bin/eu-elflint+0x404263) 0x612000000141 is located 0 bytes to the right of 257-byte region [0x612000000040,0x612000000141) allocated by thread T0 here: #0 0x7f5f416773b0 in __interceptor_malloc ../../../../gcc5-src/libsanitizer/asan/asan_malloc_linux.cc:86 #1 0x7f5f4113bedc in convert_data /u/tmp/folder/product/elfutils/master/src/libelf/elf_getdata.c:166 #2 0x7f5f4113bedc in __libelf_set_data_list_rdlock /u/tmp/folder/product/elfutils/master/src/libelf/elf_getdata.c:434 SUMMARY: AddressSanitizer: heap-buffer-overflow /u/tmp/folder/product/elfutils/master/src/src/elflint.c:2719 in check_group Shadow bytes around the buggy address: 0x0c247fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c247fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c247fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c247fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 0x0c247fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0c247fff8020: 00 00 00 00 00 00 00 00[01]fa fa fa fa fa fa fa 0x0c247fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c247fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c247fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c247fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c247fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==128199==ABORTING
Proposed patch: https://sourceware.org/ml/elfutils-devel/2018-q1/msg00055.html
commit 22e282071021fc5ada2b9294bfa7e25fbd62a9d6 Author: Mark Wielaard <mark@klomp.org> Date: Mon Feb 26 22:53:10 2018 +0100 elflint: Make sure we can read a whole element when iterating over group. Change the for loop so that we can always read a full element. https://sourceware.org/bugzilla/show_bug.cgi?id=22892 Signed-off-by: Mark Wielaard <mark@klomp.org>