24398 – eu-readelf print_debug_macinfo_section might read past end of CU list

Bug 24398 - eu-readelf print_debug_macinfo_section might read past end of CU list

Summary: eu-readelf print_debug_macinfo_section might read past end of CU list

Status:	RESOLVED FIXED

Alias:	None

Product:	elfutils
Classification:	Unclassified
Component:	tools (show other bugs)
Version:	unspecified

Importance:	P2 normal
Target Milestone:	---
Assignee:	Not yet assigned to anyone

URL:
Keywords:

Depends on:
Blocks:

Reported:	2019-03-29 06:22 UTC by wcventure
Modified:	2019-03-29 09:58 UTC (History)
CC List:	2 users (show)

See Also:
Host:
Target:
Build:
Last reconfirmed:

Attachments
POC (3.93 KB, application/x-executable) 2019-03-29 06:22 UTC, wcventure	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description wcventure 2019-03-29 06:22:57 UTC

Created attachment 11709 [details]
POC

Hi, 

An invalid address deference problem was discovered in the print_debug_macinfo_section function __libdw_next_unit in libdw/dwarf_filesrc.c in libdw, as distributed in Elfutils 0.176(release version). A crafted ELF input can cause segment faults and I have confirmed them with address sanitizer too.

Here are the POC files. Please use "./eu-readelf -w $POC" to reproduce the error.

> ASAN:SIGSEGV
> =================================================================
> ==7264==ERROR: AddressSanitizer: SEGV on unknown address 0x02007c2b0d91 (pc 0x7fe377095ed7 bp 0x7fff0ae365f0 sp 0x7fff0ae36380 T0)
>     #0 0x7fe377095ed6 in dwarf_filesrc /elfutils-0.176/libdw/dwarf_filesrc.c:41
>     #1 0x435ca5 in print_debug_macinfo_section /elfutils-0.176/src/readelf.c:9701
>     #2 0x4553a6 in print_debug /elfutils-0.176/src/readelf.c:11222
>     #3 0x45c74e in process_elf_file /elfutils-0.176/src/readelf.c:998
>     #4 0x4639cf in process_dwflmod /elfutils-0.176/src/readelf.c:760
>     #5 0x7fe3771220b8 in dwfl_getmodules /elfutils-0.176/libdwfl/dwfl_getmodules.c:86
>     #6 0x40c28b in process_file /elfutils-0.176/src/readelf.c:868
>     #7 0x405a8a in main /elfutils-0.176/src/readelf.c:350
>     #8 0x7fe3767ac82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
>     #9 0x406cd8 in _start (/elfutils-0.176_ASAN/build/bin/eu-readelf+0x406cd8)
> 
> AddressSanitizer can not provide additional info.
> SUMMARY: AddressSanitizer: SEGV /elfutils-0.176/libdw/dwarf_filesrc.c:41 dwarf_filesrc
> ==7264==ABORTING

Comment 1 Mark Wielaard 2019-03-29 09:58:14 UTC

Under valgrind -q --track-origins=yes eu-readelf --debug-dump=macinfo POC.macinfo it shows:

==8148== Conditional jump or move depends on uninitialised value(s)
==8148==    at 0x8059AC3: print_debug_macinfo_section (readelf.c:9693)
==8148==    by 0x8056509: print_debug (readelf.c:11222)
==8148==    by 0x8058790: process_elf_file (readelf.c:998)
==8148==    by 0x805970B: process_dwflmod (readelf.c:760)
==8148==    by 0x40628B6: dwfl_getmodules (dwfl_getmodules.c:86)
==8148==    by 0x804D9C2: process_file (readelf.c:868)
==8148==    by 0x804B03F: main (readelf.c:350)
==8148==  Uninitialised value was created by a stack allocation
==8148==    at 0x8059756: print_debug_macinfo_section (readelf.c:9565)
==8148== 

That is this code:

          /* Find the CU DIE for this file.  */
          size_t macoff = readp - (const unsigned char *) data->d_buf;
          const char *fname = "???";
          if (macoff >= cus[0].offset)
            {
              while (macoff >= cus[1].offset && cus[1].offset != data->d_size)
                ++cus;

              if (cus[0].files == NULL
                && dwarf_getsrcfiles (&cus[0].die, &cus[0].files, NULL) != 0)
                cus[0].files = (Dwarf_Files *) -1l;

              if (cus[0].files != (Dwarf_Files *) -1l)
                fname = (dwarf_filesrc (cus[0].files, u128_2, NULL, NULL)
                         ?: "???");
            }

The cus[1].offset != data->d_size makes sure we don't go past the end of the cus list. The last element of cus is the sentinel:

  /* Add sentinel.  */
  cus[nculist].offset = data->d_size;
  cus[nculist].files = (Dwarf_Files *) -1l;
  if (nculist > 0)
    {
      for (size_t cnt = nculist - 1; culist != NULL; --cnt)
        {
          assert (cnt < nculist);
          cus[cnt] = *culist;
          culist = culist->next;
        }

      /* Sort the array according to the offset in the .debug_macinfo
         section.  Note we keep the sentinel at the end.  */
      qsort (cus, nculist, sizeof (*cus), mac_compare);
    }

The issue here is that there are no cus at all, so cus[0] is the sentinal.
But that is not checked. Fixed by:

diff --git a/src/readelf.c b/src/readelf.c
index 33706bd..0bb9800 100644
--- a/src/readelf.c
+++ b/src/readelf.c
@@ -9688,7 +9688,7 @@ print_debug_macinfo_section (Dwfl_Module *dwflmod __attribute__ ((unused)),
 	  /* Find the CU DIE for this file.  */
 	  size_t macoff = readp - (const unsigned char *) data->d_buf;
 	  const char *fname = "???";
-	  if (macoff >= cus[0].offset)
+	  if (macoff >= cus[0].offset && cus[0].offset != data->d_size)
 	    {
 	      while (macoff >= cus[1].offset && cus[1].offset != data->d_size)
 		++cus;

commit 34ff3ca2e86f8a4915500b92a8e00d6f52aa546c
Author: Mark Wielaard <mark@klomp.org>
Date:   Fri Mar 29 10:53:27 2019 +0100

    readelf: print_debug_macinfo_section, check cus[0] is not the sentinel.
    
    If there are no CUs at all we can not find any CU DIE file.
    
    https://sourceware.org/bugzilla/show_bug.cgi?id=24398
    
    Signed-off-by: Mark Wielaard <mark@klomp.org>