Bug 23782 - Negative-size-param in call to memchr from readelf print_debug_frame_section
Summary: Negative-size-param in call to memchr from readelf print_debug_frame_section
Status: RESOLVED FIXED
Alias: None
Product: elfutils
Classification: Unclassified
Component: libdw
Version: unspecified
Importance: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-10-16 07:18 UTC by wcventure
Modified: 2021-03-20 16:36 UTC

See Also:
Host:
Target:
Build:
Last reconfirmed: 2018-10-16 00:00:00


Attachments
POC1 (5.11 KB, application/octet-stream), 2018-10-16 07:18 UTC, wcventure
POC2 (3.01 KB, application/x-executable), 2018-10-16 07:18 UTC, wcventure
POC3 (3.01 KB, application/x-executable), 2018-10-16 07:18 UTC, wcventure

Description wcventure 2018-10-16 07:18:11 UTC
Created attachment 11331
POC1

Hi,

We are doing research on fuzz testing and our fuzzer caught a Negative-size-param problem in the latest elfutils (v0.174) code base. The function dwfl_getmodules in the dwfl_getmodules.c library does not ensure a non-negative size. Those inputs will cause the Negative-size-param problem and a segmentation fault. I have confirmed them with AddressSanitizer.

Please use "./eu-readelf $POC -w" to reproduce the bug. If you have any questions, please let me know. Thank you.

ASan dumps the stack trace as follows:

==31028==ERROR: AddressSanitizer: negative-size-param: (size=-4)
    #0 0x7ff2abbf4866  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x41866)
    #1 0x4973ad in print_debug_frame_section /media/hjwang/01D3344861A8D2E0/wcventure/Project/elfutils/src/readelf.c:6626
    #2 0x4598f3 in print_debug /media/hjwang/01D3344861A8D2E0/wcventure/Project/elfutils/src/readelf.c:11160
    #3 0x45e00a in process_elf_file /media/hjwang/01D3344861A8D2E0/wcventure/Project/elfutils/src/readelf.c:996
    #4 0x45e00a in process_dwflmod /media/hjwang/01D3344861A8D2E0/wcventure/Project/elfutils/src/readelf.c:760
    #5 0x7ff2ab8be2f4 in dwfl_getmodules /media/hjwang/01D3344861A8D2E0/wcventure/Project/elfutils/libdwfl/dwfl_getmodules.c:86
    #6 0x40d055 in process_file /media/hjwang/01D3344861A8D2E0/wcventure/Project/elfutils/src/readelf.c:868
    #7 0x4058f1 in main /media/hjwang/01D3344861A8D2E0/wcventure/Project/elfutils/src/readelf.c:350
    #8 0x7ff2aaf4682f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #9 0x4064d8 in _start (/media/hjwang/01D3344861A8D2E0/wcventure/Project/elfutils/build/bin/eu-readelf+0x4064d8)

Address 0x7ff2acca407d is a wild pointer.
SUMMARY: AddressSanitizer: negative-size-param (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x41866)
==31028==ABORTING
Aborted
Comment 1 wcventure 2018-10-16 07:18:33 UTC
Created attachment 11332
POC2
Comment 2 wcventure 2018-10-16 07:18:55 UTC
Created attachment 11333
POC3
Comment 3 Mark Wielaard 2018-10-16 12:26:43 UTC
Thanks for the report. I retitled the bug to better show where the issue shows up. I posted a fix: https://sourceware.org/ml/elfutils-devel/2018-q4/msg00042.html
Comment 4 Mark Wielaard 2018-10-19 22:56:56 UTC
commit 72d023b35f3639864b61bd1c11aaadc4957e6286
Author: Mark Wielaard <mark@klomp.org>
Date:   Tue Oct 16 14:22:33 2018 +0200

    readelf: Make sure readp is smaller than cieend in print_debug_frame_section.
    
    We could end up with a negative length in a call to memchr.
    
    https://sourceware.org/bugzilla/show_bug.cgi?id=23782
    
    Signed-off-by: Mark Wielaard <mark@klomp.org>
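The commit above adds a readp-versus-cieend check before the memchr call. The C model below is an added example, not elfutils code, showing why: a CIE whose length field is shorter than the id and version fields already consumed makes cieend - readp negative, and memchr's size_t parameter receives that difference as a huge value. The byte layout, sample buffers and function names are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed sample CIE prefixes, not the attached POCs: 4-byte length,
   4-byte CIE id, 1-byte version, NUL-terminated augmentation string. */
const unsigned char GOOD_CIE[16] = {
    12, 0, 0, 0, 0xff, 0xff, 0xff, 0xff, 1,   /* length = 12, CIE id, version */
    'z', 'R', 0, 1, 0x78, 0x10, 0x0c };       /* augmentation "zR", later fields */
const unsigned char BAD_CIE[16] = {
    1, 0, 0, 0,                               /* length = 1: shorter than id + version */
    0xff, 0xff, 0xff, 0xff, 1, 'z', 'R', 0, 1, 0x78, 0x10, 0x0c };

static uint32_t read_u32le(const unsigned char *p)
{
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Place the cursor after length, id and version, and derive cieend from
   the untrusted length field. Returns -1 if the length exceeds the buffer. */
static int cie_cursor(const unsigned char *buf, size_t buflen,
                      const unsigned char **readp, const unsigned char **cieend)
{
    if (buflen < 9) return -1;
    uint32_t length = read_u32le(buf);
    if (length > buflen - 4) return -1;       /* cieend must stay inside the buffer */
    *cieend = buf + 4 + length;
    *readp = buf + 4 + 4 + 1;
    return 0;
}

/* cieend - readp as the parser computes it: negative when the length
   field is shorter than the fields already consumed (-4 for BAD_CIE). */
ptrdiff_t cie_remaining(const unsigned char *buf, size_t buflen)
{
    const unsigned char *readp, *cieend;
    return cie_cursor(buf, buflen, &readp, &cieend) == 0 ? cieend - readp : 0;
}

/* Augmentation string length, or -1 for malformed input. */
long cie_augmentation_len(const unsigned char *buf, size_t buflen)
{
    const unsigned char *readp, *cieend;
    if (cie_cursor(buf, buflen, &readp, &cieend) != 0) return -1;
    /* The guard from the fix: readp must stay strictly below cieend, else
       memchr receives a negative difference converted to size_t. */
    if (readp >= cieend) return -1;
    const unsigned char *nul = memchr(readp, '\0', (size_t)(cieend - readp));
    return nul ? (long)(nul - readp) : -1;
}
```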