Created attachment 15925: poc

**Description**

A segv can occur in eu-readelf when using the -D and -a options with a specially crafted input file. This issue leads to a buffer overflow.

**Affected Version**

elfutils 0.192

**Steps to Reproduce**

Build elfutils 0.192 with AddressSanitizer (e.g., CFLAGS="-g -fsanitize=address" ./configure && make -j).

/mnt/data/optfuzz/benchmark/elfutils-0.192/bins/bin/eu-readelf -a -D /tmp/poc

ELF Header:
  Magic:   7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
  Class:                             ELF64
  Data:                              2's complement, little endian
  Ident Version:                     1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              ???
  Machine:                           SH
  Version:                           1 (current)
  Entry point address:               0xf100000000000000
  Start of program headers:          255 (bytes into file)
  Start of section headers:          1144 (bytes into file)
  Flags:
  Size of this header:               64 (bytes)
  Size of program header entries:    0 (bytes)
  Number of program headers entries: 10
  Size of section header entries:    29760 (bytes)
  Number of section headers entries: 25441
  Section header string table index: 11627

Section Headers:
[Nr] Name Type Addr Off Size ES Flags Lk Inf Al

Program Headers:
  Type                 Offset             VirtAddr           PhysAddr           FileSiz            MemSiz             Flg Align
  LOAD                 0x0001e7           0x0000000000000000 0x0000030000000000 0x6e75746d2d200001 0x6972656e65673d65     0x686372616d2d2063
  <unknown>: 909670461 0x4f2d20672d20672d 0x662d20334f2d2032 0x6c2d6c6c6f726e75 0x73662d2073706f6f 0x6f72702d6b636174 R E 0x732d726f74636574
  LOOS+242184820       0x2f637a772f656d6f 0x5f666c6564616572 0x2f666c655f4c4641 0x6c697474756e6962 0x7274735373690073 RWE 0x732d746f6e007069
  LOPROC+6910580       0x625528203a434347 0x342e352075746e75 0x01000d0efb010134 0x1000000010101    0x362d306f6e000100 RW  0x75746e756275
  <unknown>: 9         0x1100000000       0x0000000aff7fffff 0x000000a400000009 0x3032000400000001 0x1c0000003631         0x800000000000200
  NULL                 0x3930363000000000 0x0100100000000000 0x0000000000000000 0x000000           0xf100040000000100     0xff
  NULL                 0x000000           0x0000000000000000 0x0000000000000000 0x280000000000000  0x000000               0x0
  NULL                 0x3a900010000      0x0000000000000000 0x040000de00000000 0xf2ff000000000000 0x000000               0x600030000000000
  NULL                 0x000000           0x0700030000000000 0x0000000000000000 0x000000           0x900030000000000      0x0
  NULL                 0xa00030000000000  0x3930363000000000 0x0000000000000000 0x1100000000       0xaff7fffff            0xa400000009

    0: 0000000aff7fffff         704374636553 OBJECT  GLOBAL DEFAULT UNDEF
    1: 00001c0000003631   576460752303424000 FILE    LOCAL  DEFAULT <unknown>: 12338
    2: 3930363000000000    72075186223972352 NOTYPE  LOCAL  DEFAULT UNDEF
/mnt/data/optfuzz/benchmark/elfutils-0.192/bins/bin/eu-readelf: bad dynamic symbol
    3: 0000000000000000 -1080859512522407680 NOTYPE  LOCAL  DEFAULT UNDEF
    4: 0000000000000000                    0 NOTYPE  LOCAL  DEFAULT UNDEF
/mnt/data/optfuzz/benchmark/elfutils-0.192/bins/bin/eu-readelf: bad dynamic symbol
    5: 0000000000000000   180143985094819840 NOTYPE  LOCAL  DEFAULT UNDEF
/mnt/data/optfuzz/benchmark/elfutils-0.192/bins/bin/eu-readelf: bad dynamic symbol
    6: 0000000000000000   216176080648667136 NOTYPE  LOCAL  DEFAULT UNDEF
/mnt/data/optfuzz/benchmark/elfutils-0.192/bins/bin/eu-readelf: bad dynamic symbol

=================================================================
==1470162==ERROR: AddressSanitizer: unknown-crash on address 0x7f798c42e1e7 at pc 0x7f798f44cdcb bp 0x7ffe7c9ad050 sp 0x7ffe7c9ac7c8
READ of size 1 at 0x7f798c42e1e7 thread T0
    #0 0x7f798f44cdca in printf_common ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors_format.inc:546
    #1 0x7f798f44ddec in __interceptor_vprintf ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1600
    #2 0x7f798f44dee6 in __interceptor_printf ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1658
    #3 0x55ac52999d2b in process_symtab /mnt/data/optfuzz/benchmark/elfutils-0.192/src/readelf.c:2654
    #4 0x55ac5299cd92 in handle_dynamic_symtab /mnt/data/optfuzz/benchmark/elfutils-0.192/src/readelf.c:3062
    #5 0x55ac52999104 in print_symtab /mnt/data/optfuzz/benchmark/elfutils-0.192/src/readelf.c:2582
    #6 0x55ac5298df39 in process_elf_file /mnt/data/optfuzz/benchmark/elfutils-0.192/src/readelf.c:1064
    #7 0x55ac5298cb5b in process_dwflmod /mnt/data/optfuzz/benchmark/elfutils-0.192/src/readelf.c:840
    #8 0x7f798ff51708 in dwfl_getmodules /mnt/data/optfuzz/benchmark/elfutils-0.192/libdwfl/dwfl_getmodules.c:86
    #9 0x55ac5298d5b9 in process_file /mnt/data/optfuzz/benchmark/elfutils-0.192/src/readelf.c:948
    #10 0x55ac5298b1e6 in main /mnt/data/optfuzz/benchmark/elfutils-0.192/src/readelf.c:417
    #11 0x7f798f1c6082 in __libc_start_main ../csu/libc-start.c:308
    #12 0x55ac52988b2d in _start (/mnt/data/optfuzz/benchmark/elfutils-0.192/bins/bin/eu-readelf+0x6bb2d)

Address 0x7f798c42e1e7 is a wild pointer.
SUMMARY: AddressSanitizer: unknown-crash ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors_format.inc:546 in printf_common
Shadow bytes around the buggy address:
  0x0fefb187dbe0: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fefb187dbf0: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fefb187dc00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fefb187dc10: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fefb187dc20: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
=>0x0fefb187dc30: fe fe fe fe fe fe fe fe fe fe fe fe[fe]fe fe fe
  0x0fefb187dc40: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fefb187dc50: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fefb187dc60: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fefb187dc70: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fefb187dc80: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1470162==ABORTING

**Env**

Distributor ID: Ubuntu
Description:    Ubuntu 20.04.6 LTS
Release:        20.04
Codename:       focal
Replicated with valgrind and eu-readelf --syms -D

==722925== Invalid read of size 1
==722925==    at 0x484B0E6: strlen (vg_replace_strmem.c:505)
==722925==    by 0x49B0057: __printf_buffer (vfprintf-process-arg.c:435)
==722925==    by 0x49B0D92: __vfprintf_internal (vfprintf-internal.c:1544)
==722925==    by 0x49A4BF2: printf (printf.c:33)
==722925==    by 0x4091E2: process_symtab (readelf.c:2654)
==722925==    by 0x40A31C: handle_dynamic_symtab (readelf.c:3062)
==722925==    by 0x408D47: print_symtab (readelf.c:2582)
==722925==    by 0x4044CE: process_elf_file (readelf.c:1064)
==722925==    by 0x403B91: process_dwflmod (readelf.c:840)
==722925==    by 0x48BD942: dwfl_getmodules (dwfl_getmodules.c:86)
==722925==    by 0x403FC5: process_file (readelf.c:948)
==722925==    by 0x402AE0: main (readelf.c:417)
==722925==  Address 0x49681e7 is not stack'd, malloc'd or (recently) free'd

The issue is that with -D we aren't using elf_strptr, which will validate the string, but use the string from the symstr_data->d_buf directly without checking it is a valid string.

Issue introduced when support for -D/--dynamic was added by commit 4d8de4b2fa05 ("readelf: display dynamic symtab without section headers")
commit 5e5c0394d82c53e97750fe7b18023e6f84157b81
Author: Mark Wielaard <mark@klomp.org>
Date:   Sat Feb 8 21:44:56 2025 +0100

    libelf, readelf: Use validate_str also to check dynamic symstr data

    When dynsym/str was read through eu-readelf --dynamic by readelf
    process_symtab the string data was not validated, possibly printing
    unallocated memory past the end of the symstr data. Fix this by
    turning the elf_strptr validate_str function into a generic
    lib/system.h helper function and use it in readelf to validate the
    strings before use.

    * libelf/elf_strptr.c (validate_str): Remove to...
    * lib/system.h (validate_str): ... here. Make inline, simplify check
      and document.
    * src/readelf.c (process_symtab): Use validate_str on symstr_data.

    https://sourceware.org/bugzilla/show_bug.cgi?id=32654

    Signed-off-by: Mark Wielaard <mark@klomp.org>
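The two comments above describe the defect (the -D path hands printf a pointer into symstr_data->d_buf without checking that a NUL terminator lies inside the buffer) and the fix (validate the offset against the buffer size first). The following is an added example, not elfutils code: a bounded string-table lookup in the spirit of that validate_str check, run over a constructed symstr buffer whose last name deliberately lacks its terminator. The names validate_str, symbol_name and symstr_buf are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Non-zero if the string at byte offset 'from' of a 'size'-byte string
   table is NUL-terminated before the table ends. Written for this example
   in the spirit of the validate_str helper the fix describes; it is not
   the elfutils implementation. */
static int validate_str(const char *buf, size_t from, size_t size)
{
    if (from >= size)
        return 0;                         /* st_name points past the table */
    return memchr(buf + from, '\0', size - from) != NULL;
}

/* Safe counterpart of "symstr_data->d_buf + st_name": returns the name
   only when it is fully inside the table, otherwise NULL so the caller
   can report "bad dynamic symbol" instead of handing printf a pointer
   whose strlen() walks off the end of the buffer. */
static const char *symbol_name(const char *symstr, size_t symstr_size,
                               uint32_t st_name)
{
    if (!validate_str(symstr, st_name, symstr_size))
        return NULL;
    return symstr + st_name;
}

/* Constructed string table (hypothetical input): "\0main\0foo" where the
   terminator after "foo" is missing, as a crafted file can arrange when
   the table is the last thing in the file. */
static const char symstr_buf[] = { '\0', 'm', 'a', 'i', 'n', '\0',
                                   'f', 'o', 'o' };
#define SYMSTR_SIZE (sizeof symstr_buf)

int main(void)
{
    /* st_name values of the symbols we pretend to print */
    const uint32_t st_names[] = { 0, 1, 6, 100 };
    for (size_t i = 0; i < sizeof st_names / sizeof st_names[0]; i++) {
        const char *name = symbol_name(symstr_buf, SYMSTR_SIZE, st_names[i]);
        if (name == NULL)
            printf("%zu: st_name %u: bad dynamic symbol\n", i, st_names[i]);
        else
            printf("%zu: st_name %u: %s\n", i, st_names[i], name);
    }
    return 0;
}
```

Offsets 0 and 1 resolve to "" and "main"; offset 6 ("foo" without a terminator) and offset 100 (outside the table) are rejected before any read past the buffer happens.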
Note that someone created CVE-2025-1365 for this bug without following our SECURITY policy: https://sourceware.org/cgit/elfutils/tree/SECURITY

This is NOT a security issue according to our policy: Since most elfutils tools are run in short-lived, local, interactive, development context rather than remotely "in production", we generally treat malfunctions as ordinary bugs rather than security vulnerabilities.

We request that people who report suspected security vulnerabilities report them through the contacts in our SECURITY policy and not through non-affiliated CNAs.