Bug 24243 - readelf: heap buffer overflow in process_mips_specific
Summary: readelf: heap buffer overflow in process_mips_specific
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils
Version: 2.33 (HEAD)
Importance: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-02-20 08:12 UTC by spinpx
Modified: 2019-03-01 07:17 UTC (History)

See Also:
Host:
Target:
Build:
Last reconfirmed:


Attachments
Heap buffer overflow input (183 bytes, application/x-executable)
2019-02-20 08:12 UTC, spinpx

Description spinpx 2019-02-20 08:12:12 UTC
Created attachment 11623 [details]
Heap buffer overflow input

- Intel Xeon Gold 5118 processors and 256 GB memory
- Linux n18-065-139 4.19.0-1-amd64 #1 SMP Debian 4.19.12-1 (2018-12-22) x86_64 GNU/Linux
- clang version 4.0.0 (tags/RELEASE_400/final)
- version: commit c72e75a64030b0f6535a80481f37968ad55c333a (Feb 19 2019)
- run: readelf -a input_file

- asan_report:
ELF Header:
  Magic:   7f 45 4c 46 01 01 01 00 00 2d 00 00 00 00 00 00 
  Class:                             ELF32
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           MIPS R3000
  Version:                           0x1
  Entry point address:               0x70000029
  Start of program headers:          52 (bytes into file)
  Start of section headers:          164 (bytes into file)
  Flags:                             0x0
  Size of this header:               52 (bytes)
  Size of program headers:           32 (bytes)
  Number of program headers:         2
  Size of section headers:           40 (bytes)
  Number of section headers:         4
  Section header string table index: 3
readelf: Warning: Section 1 has an out of range sh_link value of 127

Section Headers:
  [Nr] Name              Type            Addr     Off    Size   ES Flg Lk Inf Al
  [ 0]                   NULL            00001000 000000 000000 00      0   0  0
  [ 1] .text             MIPS_OPTIONS    08048074 000074 000001 00  AX 127   0  4
readelf: Warning: section 1: sh_link value of 127 is larger than the number of sections
  [ 2] .data             LOUSER+0x5dff00 08000000 000080 00000d 00 WADop  0 57087  4
  [ 3] .shstrtab         STRTAB          00000000 00008c 000017 00      0   0  1
Key to Flags:
  W (write), A (alloc), X (execute), M (merge), S (strings), I (info),
  L (link order), O (extra OS processing required), G (group), T (TLS),
  C (compressed), x (unknown), o (OS specific), E (exclude),
  p (processor specific)

There are no section groups in this file.

Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
  DYNAMIC        0x000000 0x08048000 0x08048000 0x00090 0x00080 R E 0x1000
readelf: Error: no .dynamic section in the dynamic segment
  LOAD           0x17000080 0x08049080 0x08049080 0x0000c 0x0000c RW  0x1000

 Section to Segment mapping:
  Segment Sections...
   00     .text 
   01     
  Tag        Type                         Name/Value
 0x464c457f (<unknown>: 464c457f)        0x10101
 0x00002d00 (<unknown>: 2d00)            0x0
 0x00080002 (<unknown>: 80002)           0x1
 0x70000029 (MIPS_OPTIONS)               0x34
 0x000000a4 (<unknown>: a4)              0x0
 0x00200034 (<unknown>: 200034)          0x280002
 0x00030004 (<unknown>: 30004)           0x2
 0x00000000 (NULL)                       0x8048000

There are no relocations in this file.

The decoding of unwind sections for machine type MIPS R3000 is not currently supported.

No version information found in this file.
readelf: Warning: Virtual address 0x34 not located in any PT_LOAD segment.
=================================================================
==395575==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000f1 at pc 0x00000057a23d bp 0x7fff14a78db0 sp 0x7fff14a78da8
WRITE of size 1 at 0x6020000000f1 thread T0
    #0 0x57a23c in process_mips_specific /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/readelf.c:16211:21
    #1 0x5255f7 in process_arch_specific /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/readelf.c:18994:14
    #2 0x505ccf in process_object /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/readelf.c:19309:9
    #3 0x4f547d in process_file /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/readelf.c:19715:13
    #4 0x4f3ec8 in main /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/readelf.c:19774:11
    #5 0x7f8ee3f4709a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    #6 0x41d4b9 in _start (/mnt/raid/user/chenpeng/FuzzingBench/build/asan/install/bin/readelf+0x41d4b9)

0x6020000000f1 is located 0 bytes to the right of 1-byte region [0x6020000000f0,0x6020000000f1)
allocated by thread T0 here:
    #0 0x4c41ac in malloc /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66:3
    #1 0x5eacf7 in xmalloc /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/xmalloc.c:147:12
    #2 0x5890e9 in cmalloc /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/dwarf.c:9576:10
    #3 0x57a01a in process_mips_specific /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/readelf.c:16194:15
    #4 0x5255f7 in process_arch_specific /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/readelf.c:18994:14
    #5 0x505ccf in process_object /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/readelf.c:19309:9
    #6 0x4f547d in process_file /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/readelf.c:19715:13
    #7 0x4f3ec8 in main /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/readelf.c:19774:11
    #8 0x7f8ee3f4709a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)

SUMMARY: AddressSanitizer: heap-buffer-overflow /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/readelf.c:16211:21 in process_mips_specific
Shadow bytes around the buggy address:
  0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff8000: fa fa fd fa fa fa 00 04 fa fa 00 04 fa fa 00 04
=>0x0c047fff8010: fa fa 00 01 fa fa fd fa fa fa 02 fa fa fa[01]fa
  0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==395575==ABORTING
Comment 1 cvs-commit@gcc.gnu.org 2019-02-20 17:05:00 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7fc0c668f2aceb8582d74db1ad2528e2bba8a921

commit 7fc0c668f2aceb8582d74db1ad2528e2bba8a921
Author: Nick Clifton <nickc@redhat.com>
Date:   Wed Feb 20 17:03:47 2019 +0000

    Fix an illegal memory access fault when parsing a corrupt MIPS option section using readelf.
    
    	PR 24243
    	* readelf.c (process_mips_specific): Check for an options section
    	that is too small to even contain a single option.
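The check the commit describes, worked through in an added example that is not readelf's code nor the patch itself. It uses the 8-byte entry header of a MIPS `.MIPS.options` section (kind, size, section, info, as laid out in the MIPS ELF ABI); the function names `naive_loop_bound` and `parse_mips_options`, and the sample byte arrays, are constructed for this illustration. `naive_loop_bound` shows how the bound `sh_size - sizeof(header)` wraps in unsigned arithmetic for a 1-byte section like the one in the report (sh_size 000001), which is why an unguarded loop runs off the end of the buffer; `parse_mips_options` refuses such a section up front and also rejects entries whose own size field would stall or overrun the walk.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* One entry header in a MIPS .MIPS.options section (Elf_Options in the MIPS
   ELF ABI supplement): kind, size, section, info.  "size" is the total length
   of the entry including this 8-byte header, so a well-formed entry is never
   shorter than MIPS_OPT_HDR_SIZE bytes. */
#define MIPS_OPT_HDR_SIZE 8u

typedef struct {
    uint8_t  kind;
    uint8_t  size;
    uint16_t section;
    uint32_t info;
} mips_option;

/* Little-endian field reads (the report's input is ELF32, little endian). */
static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The loop bound an unguarded parser computes before reading any entry.
   Unsigned subtraction wraps when sh_size < MIPS_OPT_HDR_SIZE, so a 1-byte
   section yields a bound near SIZE_MAX and "offset <= bound" stays true far
   past the end of the buffer.  Shown only to make the failure mode concrete;
   parse_mips_options below never evaluates it. */
size_t naive_loop_bound(size_t sh_size)
{
    return sh_size - MIPS_OPT_HDR_SIZE;
}

/* Parse an options section of sh_size bytes, storing up to max_out entries.
   Returns the entry count, or -1 if the section is malformed: too small to
   hold one header (the check the fix adds), an entry with size < 8 (which
   would never advance the cursor), or an entry running past sh_size. */
long parse_mips_options(const uint8_t *buf, size_t sh_size, mips_option *out, size_t max_out)
{
    if (sh_size < MIPS_OPT_HDR_SIZE)          /* cannot contain a single option */
        return -1;

    size_t offset = 0;
    long count = 0;
    /* offset <= sh_size is an invariant here, so this subtraction cannot wrap. */
    while (sh_size - offset >= MIPS_OPT_HDR_SIZE) {
        const uint8_t *p = buf + offset;
        mips_option opt;
        opt.kind    = p[0];
        opt.size    = p[1];
        opt.section = rd16le(p + 2);
        opt.info    = rd32le(p + 4);

        if (opt.size < MIPS_OPT_HDR_SIZE)     /* entry shorter than its own header */
            return -1;
        if (opt.size > sh_size - offset)      /* entry body runs off the section */
            return -1;
        if ((size_t)count < max_out)
            out[count] = opt;
        count++;
        offset += opt.size;
    }
    /* Fewer than 8 trailing bytes cannot form a header; treated as padding. */
    return count;
}

/* Constructed sample sections (not bytes from the attachment). */
const uint8_t sample_valid[] = {
    0x01, 0x08, 0x00, 0x00, 0x78, 0x56, 0x34, 0x12,                         /* kind 1, size 8 */
    0x03, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xaa, 0xbb, 0xcc, 0xdd, /* kind 3, size 12 */
};
const uint8_t sample_tiny[1]      = { 0x00 };                               /* sh_size 1, as in the report */
const uint8_t sample_zero_size[8] = { 0x01, 0x00, 0, 0, 0, 0, 0, 0 };       /* entry size 0 */
const uint8_t sample_overrun[8]   = { 0x01, 0x10, 0, 0, 0, 0, 0, 0 };       /* claims 16 bytes, has 8 */
mips_option parsed[4];

int main(void)
{
    printf("naive bound for sh_size=1: %zu\n", naive_loop_bound(1));
    printf("valid:     %ld\n", parse_mips_options(sample_valid, sizeof sample_valid, parsed, 4));
    printf("tiny:      %ld\n", parse_mips_options(sample_tiny, sizeof sample_tiny, parsed, 4));
    printf("zero size: %ld\n", parse_mips_options(sample_zero_size, sizeof sample_zero_size, parsed, 4));
    printf("overrun:   %ld\n", parse_mips_options(sample_overrun, sizeof sample_overrun, parsed, 4));
    return 0;
}
```

The size-field checks beyond the one the commit names are the natural companions for any walk over self-sized records: a zero size would spin forever and an oversized entry would read past the section even when the section itself is large enough to hold one header.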
Comment 2 Nick Clifton 2019-02-20 17:06:56 UTC
Hi Spinpx,

  Thanks for reporting this bug.  I have checked in a patch to add an extra
  check when processing MIPS option sections, which will stop this kind of
  illegal memory access.

Cheers
  Nick
Comment 3 spinpx 2019-03-01 07:17:43 UTC
CVE-2019-9077