29799 – A heap buffer overflow was found in display_debug_section in binutils-2.40 (HEAD)

Bug 29799 - A heap buffer overflow was found in display_debug_section in binutils-2.40 (HEAD)

Summary: A heap buffer overflow was found in display_debug_section in binutils-2.40 (H...

Status:	RESOLVED FIXED

Alias:	None

Product:	binutils
Classification:	Unclassified
Component:	binutils (show other bugs)
Version:	2.40

Importance:	P2 normal
Target Milestone:	---
Assignee:	Alan Modra

URL:
Keywords:

Depends on:
Blocks:

Reported:	2022-11-17 15:36 UTC by 15664243668
Modified:	2022-11-18 02:13 UTC (History)
CC List:	0 users

See Also:
Host:
Target:
Build:
Last reconfirmed:	2022-11-18 00:00:00

Flags:	15664243668: security?

Attachments
readelf poc file (413 bytes, application/octet-stream) 2022-11-17 15:36 UTC, 15664243668	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description 15664243668 2022-11-17 15:36:25 UTC

Created attachment 14460 [details]
readelf poc file

Hi

There is a heap buffer overflow bug in binutils-2.40 (commit ab11c890).

The bug is triggered in display_debug_section() at binutils/readelf.c:16319 when parsing the debug sections of a malformed ELF file.

To reproduce this bug, use:

1. compile binutils-2.39 with clang-6.0 and address sanitizer:
```sh
./configure --disable-shared --disable-gdb --disable-werror
make
```

2. use readelf to process the PoC file (see attachment):
```sh
readelf -w ./poc2
```

The address sanitizer reports are as follows.
```
===
ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60e0000000e3 at pc 0x5555556ef069 bp 0x7fffffffe040 sp 0x7fffffffe030
READ of size 1 at 0x60e0000000e3 thread T0
    #0 0x5555556ef068 in byte_get_little_endian ../../binutils/elfcomm.c:118
    #1 0x5555556e88ff in display_gdb_index ../../binutils/dwarf.c:10548
    #2 0x55555567410a in display_debug_section ../../binutils/readelf.c:16319
    #3 0x555555674606 in process_section_contents ../../binutils/readelf.c:16415
    #4 0x55555569169e in process_object ../../binutils/readelf.c:22438
    #5 0x555555693930 in process_file ../../binutils/readelf.c:22861
    #6 0x555555693d8f in main ../../binutils/readelf.c:22932
    #7 0x7ffff6a48c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    #8 0x55555561ba79 in _start (/home/binutils-gdb/obj-asan/binutils/readelf+0xc7a79)

0x60e0000000e3 is located 10 bytes to the right of 153-byte region [0x60e000000040,0x60e0000000d9)
allocated by thread T0 here:
    #0 0x7ffff6ef6b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
    #1 0x555555627377 in get_data ../../binutils/readelf.c:498
    #2 0x555555672b0b in load_specific_debug_section ../../binutils/readelf.c:15940
    #3 0x5555556740ad in display_debug_section ../../binutils/readelf.c:16313
    #4 0x555555674606 in process_section_contents ../../binutils/readelf.c:16415
    #5 0x55555569169e in process_object ../../binutils/readelf.c:22438
    #6 0x555555693930 in process_file ../../binutils/readelf.c:22861
    #7 0x555555693d8f in main ../../binutils/readelf.c:22932
    #8 0x7ffff6a48c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)

SUMMARY: AddressSanitizer: heap-buffer-overflow ../../binutils/elfcomm.c:118 in byte_get_little_endian
Shadow bytes around the buggy address:
  0x0c1c7fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1c7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1c7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1c7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1c7fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
=>0x0c1c7fff8010: 00 00 00 00 00 00 00 00 00 00 00 01[fa]fa fa fa
  0x0c1c7fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1c7fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1c7fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1c7fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1c7fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
```

More detailed causes of this bug is to be analyzed.

Comment 1 Sourceware Commits 2022-11-18 01:04:03 UTC

The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=69bfd1759db41c8d369f9dcc98a135c5a5d97299

commit 69bfd1759db41c8d369f9dcc98a135c5a5d97299
Author: Alan Modra <amodra@gmail.com>
Date:   Fri Nov 18 11:29:13 2022 +1030

    PR29799 heap buffer overflow in display_gdb_index dwarf.c:10548
    
            PR 29799
            * dwarf.c (display_gdb_index): Typo fix.

Comment 2 Alan Modra 2022-11-18 02:13:42 UTC

Fixed