Created attachment 11623
Heap buffer overflow input

- Intel Xeon Gold 5118 processors and 256 GB memory
- Linux n18-065-139 4.19.0-1-amd64 #1 SMP Debian 4.19.12-1 (2018-12-22) x86_64 GNU/Linux
- clang version 4.0.0 (tags/RELEASE_400/final)
- version: commit c72e75a64030b0f6535a80481f37968ad55c333a (Feb 19 2019)
- run: readelf -a input_file
- asan_report:

ELF Header:
  Magic:   7f 45 4c 46 01 01 01 00 00 2d 00 00 00 00 00 00
  Class:                             ELF32
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           MIPS R3000
  Version:                           0x1
  Entry point address:               0x70000029
  Start of program headers:          52 (bytes into file)
  Start of section headers:          164 (bytes into file)
  Flags:                             0x0
  Size of this header:               52 (bytes)
  Size of program headers:           32 (bytes)
  Number of program headers:         2
  Size of section headers:           40 (bytes)
  Number of section headers:         4
  Section header string table index: 3
readelf: Warning: Section 1 has an out of range sh_link value of 127

Section Headers:
  [Nr] Name       Type             Addr     Off    Size   ES Flg   Lk  Inf   Al
  [ 0]            NULL             00001000 000000 000000 00         0    0   0
  [ 1] .text      MIPS_OPTIONS     08048074 000074 000001 00 AX    127    0   4
readelf: Warning: section 1: sh_link value of 127 is larger than the number of sections
  [ 2] .data      LOUSER+0x5dff00  08000000 000080 00000d 00 WADop   0 57087  4
  [ 3] .shstrtab  STRTAB           00000000 00008c 000017 00         0    0   1
Key to Flags:
  W (write), A (alloc), X (execute), M (merge), S (strings), I (info),
  L (link order), O (extra OS processing required), G (group), T (TLS),
  C (compressed), x (unknown), o (OS specific), E (exclude),
  p (processor specific)

There are no section groups in this file.

Program Headers:
  Type     Offset     VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
  DYNAMIC  0x000000   0x08048000 0x08048000 0x00090 0x00080 R E 0x1000
readelf: Error: no .dynamic section in the dynamic segment
  LOAD     0x17000080 0x08049080 0x08049080 0x0000c 0x0000c RW  0x1000

 Section to Segment mapping:
  Segment Sections...
   00     .text
   01

  Tag        Type                         Name/Value
 0x464c457f (<unknown>: 464c457f)        0x10101
 0x00002d00 (<unknown>: 2d00)            0x0
 0x00080002 (<unknown>: 80002)           0x1
 0x70000029 (MIPS_OPTIONS)               0x34
 0x000000a4 (<unknown>: a4)              0x0
 0x00200034 (<unknown>: 200034)          0x280002
 0x00030004 (<unknown>: 30004)           0x2
 0x00000000 (NULL)                       0x8048000

There are no relocations in this file.

The decoding of unwind sections for machine type MIPS R3000 is not currently supported.

No version information found in this file.
readelf: Warning: Virtual address 0x34 not located in any PT_LOAD segment.
=================================================================
==395575==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000f1 at pc 0x00000057a23d bp 0x7fff14a78db0 sp 0x7fff14a78da8
WRITE of size 1 at 0x6020000000f1 thread T0
    #0 0x57a23c in process_mips_specific /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/readelf.c:16211:21
    #1 0x5255f7 in process_arch_specific /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/readelf.c:18994:14
    #2 0x505ccf in process_object /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/readelf.c:19309:9
    #3 0x4f547d in process_file /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/readelf.c:19715:13
    #4 0x4f3ec8 in main /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/readelf.c:19774:11
    #5 0x7f8ee3f4709a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    #6 0x41d4b9 in _start (/mnt/raid/user/chenpeng/FuzzingBench/build/asan/install/bin/readelf+0x41d4b9)

0x6020000000f1 is located 0 bytes to the right of 1-byte region [0x6020000000f0,0x6020000000f1)
allocated by thread T0 here:
    #0 0x4c41ac in malloc /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66:3
    #1 0x5eacf7 in xmalloc /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/xmalloc.c:147:12
    #2 0x5890e9 in cmalloc /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/dwarf.c:9576:10
    #3 0x57a01a in process_mips_specific /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/readelf.c:16194:15
    #4 0x5255f7 in process_arch_specific /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/readelf.c:18994:14
    #5 0x505ccf in process_object /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/readelf.c:19309:9
    #6 0x4f547d in process_file /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/readelf.c:19715:13
    #7 0x4f3ec8 in main /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/readelf.c:19774:11
    #8 0x7f8ee3f4709a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)

SUMMARY: AddressSanitizer: heap-buffer-overflow /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/readelf.c:16211:21 in process_mips_specific
Shadow bytes around the buggy address:
  0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff8000: fa fa fd fa fa fa 00 04 fa fa 00 04 fa fa 00 04
=>0x0c047fff8010: fa fa 00 01 fa fa fd fa fa fa 02 fa fa fa[01]fa
  0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==395575==ABORTING
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7fc0c668f2aceb8582d74db1ad2528e2bba8a921

commit 7fc0c668f2aceb8582d74db1ad2528e2bba8a921
Author: Nick Clifton <nickc@redhat.com>
Date:   Wed Feb 20 17:03:47 2019 +0000

    Fix an illegal memory access fault when parsing a corrupt MIPS option section using readelf.

        PR 24243
        * readelf.c (process_mips_specific): Check for an options section that is too small to even contain a single option.
Hi Spinpx,

  Thanks for reporting this bug. I have checked in a patch to add an extra check when processing MIPS option sections, which will stop this kind of illegal memory access.

Cheers
  Nick
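The kind of check the commit message describes, as an added example written for this page rather than the binutils code itself: a small parser for a MIPS options section that rejects a section shorter than one 8-byte option header (the report's .text section is a MIPS_OPTIONS section of size 1) and bounds-checks each entry's size before advancing. The entry layout (kind, size, section, info; size counting the header) follows the ELF MIPS options format; the sample sections and their kind and info values are constructed.

```c
#include <stddef.h>
#include <stdint.h>
/* Elf_External_Options header: kind(1) size(1) section(2) info(4) = 8 bytes;
   the size field counts the header itself. */
#define MIPS_OPT_HDR_SIZE 8
struct mips_option { uint8_t kind, size; uint16_t section; uint32_t info; };
/* Parse a little-endian MIPS options section of sh_size bytes into out[];
   returns the number of entries, or -1 if the section is malformed. */
int parse_mips_options(const uint8_t *sec, size_t sh_size,
                       struct mips_option *out, size_t max_out)
{
    /* The check the fix commit describes: a section smaller than one header
       holds no option. Without it, sh_size - MIPS_OPT_HDR_SIZE wraps (unsigned)
       and the loop below reads past the end of a 1-byte section buffer. */
    if (sh_size < MIPS_OPT_HDR_SIZE)
        return -1;
    size_t offset = 0, n = 0;
    while (offset <= sh_size - MIPS_OPT_HDR_SIZE) {
        if (n == max_out)
            return -1;                        /* caller's array is full */
        struct mips_option o;
        o.kind = sec[offset];
        o.size = sec[offset + 1];
        o.section = (uint16_t)(sec[offset + 2] | (sec[offset + 3] << 8));
        o.info = (uint32_t)sec[offset + 4] | ((uint32_t)sec[offset + 5] << 8) |
                 ((uint32_t)sec[offset + 6] << 16) | ((uint32_t)sec[offset + 7] << 24);
        /* Each entry must cover its own header and end inside the section. */
        if (o.size < MIPS_OPT_HDR_SIZE || o.size > sh_size - offset)
            return -1;
        out[n++] = o;
        offset += o.size;
    }
    return (int)n;
}
/* Constructed input mirroring the report: a MIPS_OPTIONS section of size 1. */
int report_case_rejected(void) {
    static const uint8_t one_byte[1] = { 0x00 }; struct mips_option out[4];
    return parse_mips_options(one_byte, sizeof one_byte, out, 4) == -1;
}
/* Constructed well-formed section (8-byte entry, then 16-byte entry): returns
   the entry count and, if info_out is non-NULL, the second entry's info. */
int valid_case(uint32_t *info_out) {
    static const uint8_t sec[24] = {
        0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,   /* kind 0, size 8 */
        0x01, 0x10, 0x01, 0x00, 0x78, 0x56, 0x34, 0x12,   /* kind 1, size 16 */
        0xde, 0xad, 0xbe, 0xef, 0x00, 0x00, 0x00, 0x00 }; /* 8 payload bytes */
    struct mips_option out[4];
    int n = parse_mips_options(sec, sizeof sec, out, 4);
    if (n == 2 && info_out) *info_out = out[1].info;
    return n;
}
```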
CVE-2019-9077