23542 – heap-buffer-overflow in /elfutils/src/elflint.c:2055 check_sysv_hash

Bug 23542 - heap-buffer-overflow in /elfutils/src/elflint.c:2055 check_sysv_hash

Summary: heap-buffer-overflow in /elfutils/src/elflint.c:2055 check_sysv_hash

Status:	RESOLVED FIXED

Alias:	None

Product:	elfutils
Classification:	Unclassified
Component:	general (show other bugs)
Version:	unspecified

Importance:	P2 normal
Target Milestone:	---
Assignee:	Not yet assigned to anyone

URL:
Keywords:

Depends on:
Blocks:

Reported:	2018-08-17 04:11 UTC by wcventure
Modified:	2018-08-18 20:50 UTC (History)
CC List:	2 users (show)

See Also:
Host:
Target:
Build:
Last reconfirmed:

Attachments
./eu-elflint --strict @@ (1.11 KB, application/octet-stream) 2018-08-17 04:11 UTC, wcventure	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description wcventure 2018-08-17 04:11:10 UTC

Created attachment 11190 [details]
./eu-elflint --strict @@

==123497==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61300000dfd4 at pc 0x000000432311 bp 0x7ffc0e4d29c0 sp 0x7ffc0e4d29b0
READ of size 4 at 0x61300000dfd4 thread T0
    #0 0x432310 in check_sysv_hash /home/wcventure/Documents/Cproject/elfutils/src/elflint.c:2055
    #1 0x432310 in check_hash /home/wcventure/Documents/Cproject/elfutils/src/elflint.c:2355
    #2 0x439613 in check_sections /home/wcventure/Documents/Cproject/elfutils/src/elflint.c:4161
    #3 0x440395 in process_elf_file /home/wcventure/Documents/Cproject/elfutils/src/elflint.c:4739
    #4 0x440395 in process_file /home/wcventure/Documents/Cproject/elfutils/src/elflint.c:242
    #5 0x402e55 in main /home/wcventure/Documents/Cproject/elfutils/src/elflint.c:175
    #6 0x7f81b5bba82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #7 0x403b08 in _start (/home/wcventure/Documents/Cproject/elfutils/build/bin/eu-elflint+0x403b08)

0x61300000dfd5 is located 0 bytes to the right of 341-byte region [0x61300000de80,0x61300000dfd5)
allocated by thread T0 here:
    #0 0x7f81b64a4602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x7f81b61babff in convert_data /home/wcventure/Documents/Cproject/elfutils/libelf/elf_getdata.c:164
    #2 0x7f81b61babff in __libelf_set_data_list_rdlock /home/wcventure/Documents/Cproject/elfutils/libelf/elf_getdata.c:431

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/wcventure/Documents/Cproject/elfutils/src/elflint.c:2055 check_sysv_hash
Shadow bytes around the buggy address:
  0x0c267fff9ba0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c267fff9bb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c267fff9bc0: fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff9bd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c267fff9be0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c267fff9bf0: 00 00 00 00 00 00 00 00 00 00[05]fa fa fa fa fa
  0x0c267fff9c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff9c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff9c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff9c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff9c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==123497==ABORTING

Comment 1 Mark Wielaard 2018-08-17 20:19:18 UTC

Replicated under valgrind:

==12265== Conditional jump or move depends on uninitialised value(s)
==12265==    at 0x1111E9: check_sysv_hash (elflint.c:2056)
==12265==    by 0x1111E9: check_hash.isra.14 (elflint.c:2356)
==12265==    by 0x117B80: check_sections (elflint.c:4162)
==12265==    by 0x119364: process_elf_file (elflint.c:4740)
==12265==    by 0x119364: process_file (elflint.c:242)
==12265==    by 0x10C57C: main (elflint.c:175)


The issue is that the sanity check at the start of the function overflows because it does 32bit unsigned arithmetic. Changing it to do unsigned long long arithmetic makes the check catch the issue:

diff --git a/src/elflint.c b/src/elflint.c
index eec799b2..9d49c47f 100644
--- a/src/elflint.c
+++ b/src/elflint.c
@@ -2023,7 +2023,7 @@ check_sysv_hash (Ebl *ebl, GElf_Shdr *shdr, Elf_Data *data, int idx,
   Elf32_Word nbucket = ((Elf32_Word *) data->d_buf)[0];
   Elf32_Word nchain = ((Elf32_Word *) data->d_buf)[1];
 
-  if (shdr->sh_size < (2 + nbucket + nchain) * sizeof (Elf32_Word))
+  if (shdr->sh_size  < (2ULL + nbucket + nchain) * sizeof (Elf32_Word))
     {
       ERROR (gettext ("\
 section [%2d] '%s': hash table section is too small (is %ld, expected %ld)\n"),

Comment 2 Mark Wielaard 2018-08-18 20:50:02 UTC

commit c9f90a70900e753dde15cc9348dcf7de08b031eb
Author: Mark Wielaard <mark@klomp.org>
Date:   Sat Aug 18 13:17:45 2018 +0200

    elflint: Fix check_sysv_hash[64] sanity checks to not overflow.
    
    The sanity checks for how many words were needed in the section could
    overflow causing errors. Fix the checks.
    
    https://sourceware.org/bugzilla/show_bug.cgi?id=23542
    
    Signed-off-by: Mark Wielaard <mark@klomp.org>