Created attachment 10899 [details] poc On latest version (elfutils-0.170) and master branch of elfutils: there is a global-buffer-overflow in ebl_dynamic_tag_name function of (libebl/ebldynamictagname.c), which can be triggered by the POC below. To reproduce the issue, compile elfutils with asan and run: ./bin/eu-readelf -a $POC ==13884==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000006c18d0 at pc 0x00000048e6b4 bp 0x7fffffffc5c0 sp 0x7fffffffc5b8 READ of size 8 at 0x0000006c18d0 thread T0 #0 0x48e6b3 in ebl_dynamic_tag_name /u/xw48/GreedyFuzzing/product/elfutils/master-test/src/libebl/ebldynamictagname.c:59 #1 0x47602b in handle_dynamic /u/xw48/GreedyFuzzing/product/elfutils/master-test/src/src/readelf.c:1708 #2 0x47602b in print_dynamic /u/xw48/GreedyFuzzing/product/elfutils/master-test/src/src/readelf.c:1813 #3 0x47602b in process_elf_file /u/xw48/GreedyFuzzing/product/elfutils/master-test/src/src/readelf.c:911 #4 0x479fde in process_dwflmod /u/xw48/GreedyFuzzing/product/elfutils/master-test/src/src/readelf.c:707 #5 0x7fe8230dc22c in dwfl_getmodules /u/xw48/GreedyFuzzing/product/elfutils/master-test/src/libdwfl/dwfl_getmodules.c:86 #6 0x412568 in process_file /u/xw48/GreedyFuzzing/product/elfutils/master-test/src/src/readelf.c:806 #7 0x4059f3 in main /u/xw48/GreedyFuzzing/product/elfutils/master-test/src/src/readelf.c:322 #8 0x7fe8229b5c04 in __libc_start_main (/lib64/libc.so.6+0x21c04) #9 0x406493 (/home/xw48/GreedyFuzzing/product/elfutils/master-test/exe_asan/bin/eu-readelf+0x406493)
Thanks. The issue is that there is a new standard SYMTAB_SHNDX which we got through the new elf.h, but didn't handle in ebldynamictagname.c. To fix this, and to prevent this from happening in the future I proposed the following patch: commit 92581d7eb483cb039e60112b0a03a04c2ffa4df4 Author: Mark Wielaard <mark@klomp.org> Date: Fri Mar 16 19:42:17 2018 +0100 libebl: Handle SYMTAB_SHNDX in ebl_dynamic_tag_name. SYMTAB_SHNDX was introduced when elf.h was imported, but not yet handled in ebl_dynamic_tag_name. Handle it and add an eu_static_assert to make sure stdtags always contains DT_NUM entries. https://sourceware.org/bugzilla/show_bug.cgi?id=22976 Signed-off-by: Mark Wielaard <mark@klomp.org> https://sourceware.org/ml/elfutils-devel/2018-q1/msg00078.html
Pushed to master
I noticed there is a CVE linked to this bug report: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8769 Note that this bug was NOT in a released version of elfutils. It was introduced by the import of elf.h by: commit 88f3d2daa107b09fdba376a82bce7ed534c93645 Author: Mark Wielaard <mark@klomp.org> Date: Sat Feb 17 00:23:19 2018 +0100 libelf: Sync elf.h from glibc. Signed-off-by: Mark Wielaard <mark@klomp.org> This was done after 0.170 was released. But that commit was backported into the Fedora elfutils package as part of the elfutils-0.170-elf_sync.patch to add some other non-related PowerPC improvements.