This is the mail archive of the
elfutils-devel@sourceware.org
mailing list for the elfutils project.
[Bug libdw/24140] New: A Heap-buffer-overflow problem was discovered in the function __libdw_next_unit in dwarf_nextcu.c in libdw
- From: "wcventure at 126 dot com" <sourceware-bugzilla at sourceware dot org>
- To: elfutils-devel at sourceware dot org
- Date: Sat, 26 Jan 2019 08:16:29 +0000
- Subject: [Bug libdw/24140] New: A Heap-buffer-overflow problem was discovered in the function __libdw_next_unit in dwarf_nextcu.c in libdw
- Auto-submitted: auto-generated
https://sourceware.org/bugzilla/show_bug.cgi?id=24140
Bug ID: 24140
Summary: A Heap-buffer-overflow problem was discovered in the
function __libdw_next_unit in dwarf_nextcu.c in libdw
Product: elfutils
Version: unspecified
Status: UNCONFIRMED
Severity: critical
Priority: P2
Component: libdw
Assignee: unassigned at sourceware dot org
Reporter: wcventure at 126 dot com
CC: elfutils-devel at sourceware dot org
Target Milestone: ---
Created attachment 11574
--> https://sourceware.org/bugzilla/attachment.cgi?id=11574&action=edit
POC
Hi,
A Heap-buffer-overflow problem was discovered in the function __libdw_next_unit
in dwarf_nextcu.c in libdw, as distributed in Elfutils 0.175. A crafted ELF
input can cause segment faults and I have confirmed them with address sanitizer
too.
Here are the POC files. Please use "./eu-nm -C $POC" to reproduce the error.
$git log
> commit a17c2c0917901ffa542ac4d3e327d46742219e04
> Author: Mark Wielaard <mark@klomp.org>
> Date: Tue Jan 22 15:55:18 2019 +0100
>
> readelf: Don't go past end of line data reading unknown opcode parameters.
>
> https://sourceware.org/bugzilla/show_bug.cgi?id=24116
>
> Signed-off-by: Mark Wielaard <mark@klomp.org>
The ASAN dumps the stack trace as follows:
> =================================================================
> ==12766==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000032 at pc 0x7f1605a83c52 bp 0x7ffeba226910 sp 0x7ffeba226900
> READ of size 2 at 0x603000000032 thread T0
> #0 0x7f1605a83c51 in __libdw_next_unit /home/wencheng/Experiment/elfutils/libdw/dwarf_nextcu.c:249
> #1 0x7f1605a83f3c in dwarf_next_unit /home/wencheng/Experiment/elfutils/libdw/dwarf_nextcu.c:46
> #2 0x7f1605a83f3c in dwarf_nextcu /home/wencheng/Experiment/elfutils/libdw/dwarf_nextcu.c:294
> #3 0x408273 in get_local_names /home/wencheng/Experiment/elfutils/src/nm.c:627
> #4 0x408273 in show_symbols /home/wencheng/Experiment/elfutils/src/nm.c:1285
> #5 0x40e5bd in handle_elf /home/wencheng/Experiment/elfutils/src/nm.c:1578
> #6 0x40387c in process_file /home/wencheng/Experiment/elfutils/src/nm.c:374
> #7 0x40387c in main /home/wencheng/Experiment/elfutils/src/nm.c:249
> #8 0x7f1604e6782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
> #9 0x404568 in _start (/home/wencheng/Experiment/elfutils/build/bin/eu-nm+0x404568)
>
> 0x603000000032 is located 2 bytes to the right of 32-byte region [0x603000000010,0x603000000030)
> allocated by thread T0 here:
> #0 0x7f1605f4ab90 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb90)
> #1 0x7f16057feec3 in convert_data /home/wencheng/Experiment/elfutils/libelf/elf_getdata.c:157
> #2 0x7f16057feec3 in __libelf_set_data_list_rdlock /home/wencheng/Experiment/elfutils/libelf/elf_getdata.c:447
>
> SUMMARY: AddressSanitizer: heap-buffer-overflow /home/wencheng/Experiment/elfutils/libdw/dwarf_nextcu.c:249 in __libdw_next_unit
> Shadow bytes around the buggy address:
> 0x0c067fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0c067fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0c067fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0c067fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> =>0x0c067fff8000: fa fa 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa
> 0x0c067fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c067fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c067fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c067fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c067fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
> Addressable: 00
> Partially addressable: 01 02 03 04 05 06 07
> Heap left redzone: fa
> Freed heap region: fd
> Stack left redzone: f1
> Stack mid redzone: f2
> Stack right redzone: f3
> Stack after return: f5
> Stack use after scope: f8
> Global redzone: f9
> Global init order: f6
> Poisoned by user: f7
> Container overflow: fc
> Array cookie: ac
> Intra object redzone: bb
> ASan internal: fe
> Left alloca redzone: ca
> Right alloca redzone: cb
> ==12766==ABORTING
--
You are receiving this mail because:
You are on the CC list for the bug.