Created attachment 11534 [details] POC1 Hi, A Heap-buffer-overflow problem was discovered in the function elf32_xlatetom in elf32_xlatetom.c in libelf, as distributed in ELFutils 0.147. A crafted ELF input can cause segment faults and I have confirmed them with address sanitizer too. Here are the POC files. Please use "./eu-readelf -a $POC" to reproduce the error. $ git log > commit 1dabad36ee28aa76b8cf14b6426b379cabee6def > Author: Jim Wilson <jimw@sifive.com> > Date: Thu Dec 27 15:25:49 2018 -0800 > > RISC-V: Improve riscv64 core file support. > > This fixes two problems. The offset for x1 is changed from 1 to 8 because > this is a byte offset not a register skip count. Support for reading the > PC value is added. This requires changing the testsuite to match the new > readelf output for coredumps. > > Signed-off-by: Jim Wilson <jimw@sifive.com> The ASAN dumps the stack trace as follows: > ================================================================= > ==26819==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6030000000b4 at pc 0x7f07b3e4ee2b bp 0x7ffe3ddce530 sp 0x7ffe3ddcdcd8 > READ of size 1 at 0x6030000000b4 thread T0 > #0 0x7f07b3e4ee2a in memmove (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x7ae2a) > #1 0x7f07b351469c in elf32_xlatetom /home/wencheng/Experiment/elfutils/libelf/elf32_xlatetom.c:116 > #2 0x410e3c in convert /home/wencheng/Experiment/elfutils/src/readelf.c:11305 > #3 0x436e64 in handle_core_item /home/wencheng/Experiment/elfutils/src/readelf.c:11359 > #4 0x4447d4 in handle_core_items /home/wencheng/Experiment/elfutils/src/readelf.c:11641 > #5 0x4447d4 in handle_core_note /home/wencheng/Experiment/elfutils/src/readelf.c:12164 > #6 0x4a006c in handle_notes_data /home/wencheng/Experiment/elfutils/src/readelf.c:12248 > #7 0x4c5b47 in handle_notes /home/wencheng/Experiment/elfutils/src/readelf.c:12315 > #8 0x4c5b47 in process_elf_file /home/wencheng/Experiment/elfutils/src/readelf.c:1000 > #9 0x4c5b47 in process_dwflmod /home/wencheng/Experiment/elfutils/src/readelf.c:760 > #10 0x7f07b3a1fe9c in dwfl_getmodules /home/wencheng/Experiment/elfutils/libdwfl/dwfl_getmodules.c:86 > #11 0x41399c in process_file /home/wencheng/Experiment/elfutils/src/readelf.c:868 > #12 0x405df6 in main /home/wencheng/Experiment/elfutils/src/readelf.c:350 > #13 0x7f07b2f3582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) > #14 0x406ef8 in _start (/home/wencheng/Experiment/elfutils/build/bin/eu-readelf+0x406ef8) > > 0x6030000000b4 is located 0 bytes to the right of 20-byte region [0x6030000000a0,0x6030000000b4) > allocated by thread T0 here: > #0 0x7f07b3eb2b90 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb90) > #1 0x7f07b3597080 in elf_getdata_rawchunk /home/wencheng/Experiment/elfutils/libelf/elf_getdata_rawchunk.c:88 > > SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x7ae2a) in memmove > Shadow bytes around the buggy address: > 0x0c067fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > 0x0c067fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > 0x0c067fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > 0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > 0x0c067fff8000: fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00 > =>0x0c067fff8010: 00 fa fa fa 00 00[04]fa fa fa fa fa fa fa fa fa > 0x0c067fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa > 0x0c067fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa > 0x0c067fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa > 0x0c067fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa > 0x0c067fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa > Shadow byte legend (one shadow byte represents 8 application bytes): > Addressable: 00 > Partially addressable: 01 02 03 04 05 06 07 > Heap left redzone: fa > Freed heap region: fd > Stack left redzone: f1 > Stack mid redzone: f2 > Stack right redzone: f3 > Stack after return: f5 > Stack use after scope: f8 > Global redzone: f9 > Global init order: f6 > Poisoned by user: f7 > Container overflow: fc > Array cookie: ac > Intra object redzone: bb > ASan internal: fe > Left alloca redzone: ca > Right alloca redzone: cb > ==26819==ABORTING
Created attachment 11535 [details] POC2
(In reply to wcventure from comment #0) > A Heap-buffer-overflow problem was discovered in the function elf32_xlatetom > in elf32_xlatetom.c in libelf, as distributed in ELFutils 0.147. A crafted > ELF input can cause segment faults and I have confirmed them with address > sanitizer too. Interesting. The same can be found running the reproducer under valgrind. The issue is that when eu-readelf -n tries to print the values of a core file ELF note and sees a NT_PLATFORM type, it doesn't check that the value is a properly zero terminated string. The simplest solution is to just not recognize such corrupt core file notes in ebl_core_note: https://sourceware.org/ml/elfutils-devel/2019-q1/msg00049.html
commit de01cc6f9446187d69b9748bb3636361c79e77a4 Author: Mark Wielaard <mark@klomp.org> Date: Wed Jan 16 15:41:31 2019 +0100 libebl: Check NT_PLATFORM core notes contain a zero terminated string. Most strings in core notes are fixed size. But NT_PLATFORM contains just a variable length string. Check that it is actually zero terminated before passing to readelf to print. https://sourceware.org/bugzilla/show_bug.cgi?id=24089 Signed-off-by: Mark Wielaard <mark@klomp.org> Pushed to master.
CVE-2019-7665 Note the CVE description is somewhat misleading, this is not a bug in libelf.