31058 – global-buffer-overflow exists in the function ebl_machine_flag_name in eblmachineflagname.c

Bug 31058 - global-buffer-overflow exists in the function ebl_machine_flag_name in eblmachineflagname.c

Summary: global-buffer-overflow exists in the function ebl_machine_flag_name in eblmac...

Status:	RESOLVED FIXED

Alias:	None

Product:	elfutils
Classification:	Unclassified
Component:	tools (show other bugs)
Version:	unspecified

Importance:	P2 normal
Target Milestone:	---
Assignee:	Not yet assigned to anyone

URL:
Keywords:

Depends on:
Blocks:

Reported:	2023-11-13 03:08 UTC by 徐金羽
Modified:	2024-02-28 14:48 UTC (History)
CC List:	2 users (show)

See Also:
Host:
Target:
Build:
Last reconfirmed:

Attachments
poc (9.83 KB, application/x-object) 2023-11-13 03:08 UTC, 徐金羽	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description 徐金羽 2023-11-13 03:08:44 UTC

Created attachment 15216 [details]
poc

System info
Ubuntu x86_64, clang 12.0
version: readelf (elfutils) 0.190

Command line
./readelf -a poc

Poc
poc:https://github.com/SEU-SSL/Poc/blob/main/elfutils/id_000121%2Csig_08%2Csrc_002748%2B003088%2Cop_splice%2Crep_128（Alternatively, download it in the attachment.）

AddressSanitizer output
==3674715==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000005fe002 at pc 0x000000430d96 bp 0x7ffc65cae250 sp 0x7ffc65cada10
READ of size 1 at 0x0000005fe002 thread T0
 #0 0x430d95 in strlen (/src/elfutils-0.190/src/readelf+0x430d95)
 #1 0x53f152 in ebl_machine_flag_name /src/elfutils-0.190/libebl/eblmachineflagname.c:73:17
 #2 0x4cf3ad in print_ehdr /src/elfutils-0.190/src/readelf.c:1181:4
 #3 0x4cf3ad in process_elf_file /src/elfutils-0.190/src/readelf.c:1050:5
 #4 0x4cddf4 in process_dwflmod /src/elfutils-0.190/src/readelf.c:840:3
 #5 0x7fba8f0d800d in dwfl_getmodules /src/elfutils-0.190/libdwfl/dwfl_getmodules.c:86:16
 #6 0x4cb8e1 in process_file /src/elfutils-0.190/src/readelf.c:948:7
 #7 0x4cad48 in main /src/elfutils-0.190/src/readelf.c:417:7
 #8 0x7fba8ebac082 in __libc_start_main /build/glibc-BHL3KM/glibc-2.31/csu/../csu/libc-start.c:308:16
 #9 0x41ec2d in _start (/src/elfutils-0.190/src/readelf+0x41ec2d)

0x0000005fe002 is located 30 bytes to the left of global variable '<string literal>' defined in 'arm_machineflagname.c:59:11' (0x5fe020) of size 34
 '<string literal>' is ascii string 'dynamic symbols use segment index'
0x0000005fe002 is located 28 bytes to the right of global variable 'vername' defined in 'arm_machineflagname.c:42:25' (0x5fdfa0) of size 70
SUMMARY: AddressSanitizer: global-buffer-overflow (/src/elfutils-0.190/src/readelf+0x430d95) in strlen
Shadow bytes around the buggy address:
 0x0000800b7bb0: f9 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9
 0x0000800b7bc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 0x0000800b7bd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 f9
 0x0000800b7be0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
 0x0000800b7bf0: 00 00 00 00 00 00 00 00 00 00 00 00 06 f9 f9 f9
=>0x0000800b7c00:[f9]f9 f9 f9 00 00 00 00 02 f9 f9 f9 f9 f9 f9 f9
 0x0000800b7c10: 00 00 00 07 f9 f9 f9 f9 00 00 05 f9 f9 f9 f9 f9
 0x0000800b7c20: 00 07 f9 f9 f9 f9 f9 f9 00 07 f9 f9 f9 f9 f9 f9
 0x0000800b7c30: 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
 0x0000800b7c40: 00 00 05 f9 f9 f9 f9 f9 00 05 f9 f9 f9 f9 f9 f9
 0x0000800b7c50: 00 00 f9 f9 f9 f9 f9 f9 00 00 05 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
 Addressable: 00
 Partially addressable: 01 02 03 04 05 06 07
 Heap left redzone: fa
 Freed heap region: fd
 Stack left redzone: f1
 Stack mid redzone: f2
 Stack right redzone: f3
 Stack after return: f5
 Stack use after scope: f8
 Global redzone: f9
 Global init order: f6
 Poisoned by user: f7
 Container overflow: fc
 Array cookie: ac
 Intra object redzone: bb
 ASan internal: fe
 Left alloca redzone: ca
 Right alloca redzone: cb
 Shadow gap: cc
==3674715==ABORTING

Comment 1 Mark Wielaard 2023-11-13 21:59:03 UTC

Thanks, fixed with this commit so no random global strings are returned.

commit 373f5212677235fc3ca6068b887111554790f944
Author: Mark Wielaard <mark@klomp.org>
Date:   Mon Nov 13 22:38:10 2023 +0100

    backends: Fix arm_machine_flag_name version string.
    
    arm_machine_flag_name checks the version byte and if not zero returns
    a version string. There are only 5 versions defined. So check the
    version byte is not larger.
    
            * backends/arm_machineflagname.c (arm_machine_flag_name):
            Check version <= 0, otherwise return NULL.
    
    https://sourceware.org/bugzilla/show_bug.cgi?id=31058
    
    Signed-off-by: Mark Wielaard <mark@klomp.org>

Comment 2 Mark Wielaard 2024-02-20 21:36:44 UTC

Note that this issue was discussed when rediscovered again on January 9 by someone else running a fuzzer.

The conclusion then was that this was a normal bug and not a security issue.

Crashes in the standalone utilities on untrustworthy
inputs are not normally seen as security issues, because they don't
cause privilege escalation. See our SECURITY policy at:
https://sourceware.org/cgit/elfutils/tree/SECURITY

Comment 3 Mark Wielaard 2024-02-21 01:32:33 UTC

Also note that no actual crash occurs unless the eu-readelf is instrumented with AddressSanitizer. Otherwise eu-readelf will just print a random global string.

Comment 4 Mark Wielaard 2024-02-28 14:48:00 UTC

This bug is referenced from CVE-2024-25260. But the CVE description "NULL pointer dereference via the handle_verdef() function at readelf.c" doesn't match this bug. And the supposed reproducer referenced from the CVE doesn't show a NULL pointer dereference, and doesn't match this bug report either.