Bug 31058 - global-buffer-overflow exists in the function ebl_machine_flag_name in eblmachineflagname.c
Alias: None
Product: elfutils
Classification: Unclassified
Component: tools
Version: unspecified
Importance: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
Depends on:
Reported: 2023-11-13 03:08 UTC by 徐金羽
Modified: 2024-02-28 14:48 UTC
poc (9.83 KB, application/x-object)
2023-11-13 03:08 UTC, 徐金羽

Description 徐金羽 2023-11-13 03:08:44 UTC
Created attachment 15216

System info
Ubuntu x86_64, clang 12.0
version: readelf (elfutils) 0.190

Command line
./readelf -a poc

poc: https://github.com/SEU-SSL/Poc/blob/main/elfutils/id_000121%2Csig_08%2Csrc_002748%2B003088%2Cop_splice%2Crep_128 (Alternatively, download it from the attachment.)

AddressSanitizer output
==3674715==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000005fe002 at pc 0x000000430d96 bp 0x7ffc65cae250 sp 0x7ffc65cada10
READ of size 1 at 0x0000005fe002 thread T0
 #0 0x430d95 in strlen (/src/elfutils-0.190/src/readelf+0x430d95)
 #1 0x53f152 in ebl_machine_flag_name /src/elfutils-0.190/libebl/eblmachineflagname.c:73:17
 #2 0x4cf3ad in print_ehdr /src/elfutils-0.190/src/readelf.c:1181:4
 #3 0x4cf3ad in process_elf_file /src/elfutils-0.190/src/readelf.c:1050:5
 #4 0x4cddf4 in process_dwflmod /src/elfutils-0.190/src/readelf.c:840:3
 #5 0x7fba8f0d800d in dwfl_getmodules /src/elfutils-0.190/libdwfl/dwfl_getmodules.c:86:16
 #6 0x4cb8e1 in process_file /src/elfutils-0.190/src/readelf.c:948:7
 #7 0x4cad48 in main /src/elfutils-0.190/src/readelf.c:417:7
 #8 0x7fba8ebac082 in __libc_start_main /build/glibc-BHL3KM/glibc-2.31/csu/../csu/libc-start.c:308:16
 #9 0x41ec2d in _start (/src/elfutils-0.190/src/readelf+0x41ec2d)

0x0000005fe002 is located 30 bytes to the left of global variable '<string literal>' defined in 'arm_machineflagname.c:59:11' (0x5fe020) of size 34
 '<string literal>' is ascii string 'dynamic symbols use segment index'
0x0000005fe002 is located 28 bytes to the right of global variable 'vername' defined in 'arm_machineflagname.c:42:25' (0x5fdfa0) of size 70
SUMMARY: AddressSanitizer: global-buffer-overflow (/src/elfutils-0.190/src/readelf+0x430d95) in strlen
Shadow bytes around the buggy address:
Comment 1 Mark Wielaard 2023-11-13 21:59:03 UTC
Thanks, fixed with this commit so no random global strings are returned.

commit 373f5212677235fc3ca6068b887111554790f944
Author: Mark Wielaard <mark@klomp.org>
Date:   Mon Nov 13 22:38:10 2023 +0100

    backends: Fix arm_machine_flag_name version string.
    arm_machine_flag_name checks the version byte and if not zero returns
    a version string. There are only 5 versions defined. So check the
    version byte is not larger.
            * backends/arm_machineflagname.c (arm_machine_flag_name):
            Check version <= 0, otherwise return NULL.
    Signed-off-by: Mark Wielaard <mark@klomp.org>
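The pattern the commit describes, as an added illustration that is not elfutils' own code: a 5-entry table of 14-byte names (70 bytes, the size ASan reports for 'vername'), an unchecked lookup that indexes it with any non-zero version byte from the top of e_flags, and the bounds-checked form that returns NULL for undefined versions. The table strings are constructed placeholders; the helper that maps the report's "28 bytes to the right of vername" back to a table index is an assumption-free arithmetic check on the numbers in this report.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the version-name table: 5 x 14 = 70 bytes,
   matching the 'vername' size in the AddressSanitizer report above. */
static const char vername[5][14] = {
  "Version1 EABI", "Version2 EABI", "Version3 EABI",
  "Version4 EABI", "Version5 EABI"
};

/* The EABI version is carried in the top byte of e_flags. */
static unsigned eabi_version (uint32_t e_flags) { return (e_flags >> 24) & 0xff; }

/* Buggy pattern: any non-zero version indexes the table, so 6..255 read
   past it and strlen() in the caller walks whatever global follows. */
static const char *
flag_name_unchecked (uint32_t e_flags)
{
  unsigned version = eabi_version (e_flags);
  if (version == 0)
    return NULL;
  return vername[version - 1];   /* out of bounds when version > 5 */
}

/* Hardened form: only the five defined versions map to a name. */
static const char *
flag_name_checked (uint32_t e_flags)
{
  unsigned version = eabi_version (e_flags);
  if (version == 0 || version > sizeof vername / sizeof vername[0])
    return NULL;
  return vername[version - 1];
}

/* Turn an ASan "N bytes to the right of vername" distance into the table
   index that was dereferenced, to confirm which version byte the input had. */
static unsigned
index_from_asan_offset (size_t bytes_right_of_table)
{
  return (unsigned) ((sizeof vername + bytes_right_of_table) / sizeof vername[0]);
}

int
main (void)
{
  /* Constructed e_flags values: version byte 3 (defined) and 8 (undefined). */
  printf ("v3: %s\n", flag_name_checked (0x03000000u));
  printf ("v8: %s\n", flag_name_checked (0x08000000u) ? "name" : "NULL");
  /* 28 bytes past a 70-byte table of 14-byte entries is index 7: version byte 8. */
  printf ("faulting index: %u\n", index_from_asan_offset (28));
  return 0;
}
```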
Comment 2 Mark Wielaard 2024-02-20 21:36:44 UTC
Note that this issue was discussed when rediscovered again on January 9 by someone else running a fuzzer.

The conclusion then was that this was a normal bug and not a security issue.

Crashes in the standalone utilities on untrustworthy inputs are not normally seen as security issues, because they don't cause privilege escalation. See our SECURITY policy at:
Comment 3 Mark Wielaard 2024-02-21 01:32:33 UTC
Also note that no actual crash occurs unless eu-readelf is instrumented with AddressSanitizer. Otherwise eu-readelf will just print a random global string.
Comment 4 Mark Wielaard 2024-02-28 14:48:00 UTC
This bug is referenced from CVE-2024-25260. But the CVE description "NULL pointer dereference via the handle_verdef() function at readelf.c" doesn't match this bug. And the supposed reproducer referenced from the CVE doesn't show a NULL pointer dereference, and doesn't match this bug report either.