Bug 24242 - readelf: heap buffer overflow in byte_get_little_endian
Summary: readelf: heap buffer overflow in byte_get_little_endian
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils (show other bugs)
Version: 2.33
: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
: 24245 (view as bug list)
Depends on:
Blocks:
 
Reported: 2019-02-20 07:48 UTC by spinpx
Modified: 2019-02-20 17:28 UTC (History)
1 user (show)

See Also:
Host:
Target:
Build:
Last reconfirmed:

Attachments
Heap buffer overflow input (132 bytes, application/x-executable)
2019-02-20 07:48 UTC, spinpx 		Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description spinpx 2019-02-20 07:48:02 UTC 
Created attachment 11622 [details]
Heap buffer overflow input

- Intel Xeon Gold 5118 processors and 256 GB memory
- Linux n18-065-139 4.19.0-1-amd64 #1 SMP Debian 4.19.12-1 (2018-12-22) x86_64 GNU/Linux
- clang version 4.0.0 (tags/RELEASE_400/final)
- version: commit c72e75a64030b0f6535a80481f37968ad55c333a (Feb 19 2019)
- run: readelf -a input_file

- asan_report:
ELF Header:
  Magic:   7f 45 4c 46 01 01 01 00 00 00 00 00 34 00 20 e9 
  Class:                             ELF32
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           Intel IA-64
  Version:                           0xee000001
  Entry point address:               0x8048074
  Start of program headers:          52 (bytes into file)
  Start of section headers:          164 (bytes into file)
  Flags:                             0xde000000, 32-bit
  Size of this header:               51 (bytes)
  Size of program headers:           32 (bytes)
  Number of program headers:         2
  Size of section headers:           40 (bytes)
  Number of section headers:         4
  Section header string table index: 3
readelf: Error: Reading 160 bytes extends past end of file for section headers
readelf: Error: Section headers are not available!
=================================================================
==328304==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60d0000000c1 at pc 0x0000005dd1d6 bp 0x7ffc427f3900 sp 0x7ffc427f38f8
READ of size 1 at 0x60d0000000c1 thread T0
    #0 0x5dd1d5 in byte_get_little_endian /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/elfcomm.c:210:22
    #1 0x56f778 in print_ia64_vms_note /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/readelf.c:17982:24
    #2 0x56c09f in process_note /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/readelf.c:18579:12
    #3 0x56a944 in process_notes_at /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/readelf.c:18769:13
    #4 0x5693a9 in process_corefile_note_segments /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/readelf.c:18799:8
    #5 0x5691c6 in process_note_sections /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/readelf.c:18927:12
    #6 0x524199 in process_notes /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/readelf.c:18940:12
    #7 0x505c9d in process_object /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/readelf.c:19303:9
    #8 0x4f547d in process_file /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/readelf.c:19715:13
    #9 0x4f3ec8 in main /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/readelf.c:19774:11
    #10 0x7fe5604f009a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    #11 0x41d4b9 in _start (/mnt/raid/user/chenpeng/FuzzingBench/build/asan/install/bin/readelf+0x41d4b9)

0x60d0000000c1 is located 0 bytes to the right of 129-byte region [0x60d000000040,0x60d0000000c1)
allocated by thread T0 here:
    #0 0x4c41ac in malloc /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66:3
    #1 0x4f179f in get_data /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/readelf.c:426:9
    #2 0x56965e in process_notes_at /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/readelf.c:18635:36
    #3 0x5693a9 in process_corefile_note_segments /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/readelf.c:18799:8
    #4 0x5691c6 in process_note_sections /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/readelf.c:18927:12
    #5 0x524199 in process_notes /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/readelf.c:18940:12
    #6 0x505c9d in process_object /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/readelf.c:19303:9
    #7 0x4f547d in process_file /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/readelf.c:19715:13
    #8 0x4f3ec8 in main /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/readelf.c:19774:11
    #9 0x7fe5604f009a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)

SUMMARY: AddressSanitizer: heap-buffer-overflow /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/elfcomm.c:210:22 in byte_get_little_endian
Shadow bytes around the buggy address:
  0x0c1a7fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1a7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1a7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1a7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1a7fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
=>0x0c1a7fff8010: 00 00 00 00 00 00 00 00[01]fa fa fa fa fa fa fa
  0x0c1a7fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==328304==ABORTING
Comment 1 Sourceware Commits 2019-02-20 15:36:21 UTC 
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=8d18bf796bf70d71eb23f4247e29a1fab5f3c5c7

commit 8d18bf796bf70d71eb23f4247e29a1fab5f3c5c7
Author: Nick Clifton <nickc@redhat.com>
Date:   Wed Feb 20 15:35:06 2019 +0000

    Harden readelf's IA64 note display function so that it can handle corrupt notes.
    
    	PR 24242
    	* readelf.c (print_ia64_vms_note): Harden against corrupt notes.
Comment 2 Nick Clifton 2019-02-20 15:38:16 UTC 
Hi Spinpx,

  Thanks for reporting this bug.  I have checked in a patch to harden the
  IA64 note display function in readelf, so this particular problem should
  no longer occur.

Cheers
  Nick
Comment 3 Nick Clifton 2019-02-20 17:28:29 UTC 
*** Bug 24245 has been marked as a duplicate of this bug. ***