This is the mail archive of the elfutils-devel@sourceware.org mailing list for the elfutils project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

[Bug libelf/25077] New: AddressSanitizer: heap-buffer-overflow at libelf/elf32_updatefile.c:772

From: "leftcopy.chx at gmail dot com" <sourceware-bugzilla at sourceware dot org>
To: elfutils-devel at sourceware dot org
Date: Tue, 08 Oct 2019 03:19:11 +0000
Subject: [Bug libelf/25077] New: AddressSanitizer: heap-buffer-overflow at libelf/elf32_updatefile.c:772
Auto-submitted: auto-generated

https://sourceware.org/bugzilla/show_bug.cgi?id=25077

            Bug ID: 25077
           Summary: AddressSanitizer: heap-buffer-overflow at
                    libelf/elf32_updatefile.c:772
           Product: elfutils
           Version: unspecified
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: libelf
          Assignee: unassigned at sourceware dot org
          Reporter: leftcopy.chx at gmail dot com
                CC: elfutils-devel at sourceware dot org
  Target Milestone: ---

Created attachment 12030
  --> https://sourceware.org/bugzilla/attachment.cgi?id=12030&action=edit
pocs and error message

As of 47780c9e, libelf may suffer from a heap-buffer-overflow vulnerability
when executing `./eu-unstrip $FILE ./stripped -o /dev/null`, where elfutils is
built with ASAN. The attachment contains the required files for reproduction.
The error message is like:


==32515==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x6150000009d6 at pc 0x7ffff6e670ae bp 0x7fffffff1290 sp 0x7fffffff0a38
READ of size 60432 at 0x6150000009d6 thread T0
    #0 0x7ffff6e670ad  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x4d0ad)
    #1 0x7ffff6c10de4 in pwrite_retry ../lib/system.h:95
    #2 0x7ffff6c10de4 in __elf64_updatefile
/home/hongxu/FOT/Targets/elfutils/eu-orig/libelf/elf32_updatefile.c:772
    #3 0x7ffff6c0ce98 in write_file
/home/hongxu/FOT/Targets/elfutils/eu-orig/libelf/elf_update.c:132
    #4 0x7ffff6c0ce98 in elf_update
/home/hongxu/FOT/Targets/elfutils/eu-orig/libelf/elf_update.c:231
    #5 0x55555556b4ec in copy_elided_sections
/home/hongxu/FOT/Targets/elfutils/eu-asan/src/unstrip.c:2074
    #6 0x55555556bea1 in handle_file
/home/hongxu/FOT/Targets/elfutils/eu-asan/src/unstrip.c:2162
    #7 0x55555556c760 in handle_explicit_files
/home/hongxu/FOT/Targets/elfutils/eu-asan/src/unstrip.c:2227
    #8 0x55555556f1f6 in main
/home/hongxu/FOT/Targets/elfutils/eu-asan/src/unstrip.c:2562
    #9 0x7ffff6596b96 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #10 0x555555559a89 in _start
(/home/hongxu/FOT/Targets/elfutils/eu-asan/install/bin/eu-unstrip+0x5a89)

0x6150000009d6 is located 0 bytes to the right of 470-byte region
[0x615000000800,0x6150000009d6)
allocated by thread T0 here:
    #0 0x7ffff6ef8d38 in __interceptor_calloc
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded38)
    #1 0x55555556f4aa in xcalloc
/home/hongxu/FOT/Targets/elfutils/eu-asan/lib/xmalloc.c:63
    #2 0x55555555db16 in adjust_relocs
/home/hongxu/FOT/Targets/elfutils/eu-asan/src/unstrip.c:565
    #3 0x55555556a62a in copy_elided_sections
/home/hongxu/FOT/Targets/elfutils/eu-asan/src/unstrip.c:1960
    #4 0x55555556bea1 in handle_file
/home/hongxu/FOT/Targets/elfutils/eu-asan/src/unstrip.c:2162
    #5 0x55555556c760 in handle_explicit_files
/home/hongxu/FOT/Targets/elfutils/eu-asan/src/unstrip.c:2227
    #6 0x55555556f1f6 in main
/home/hongxu/FOT/Targets/elfutils/eu-asan/src/unstrip.c:2562
    #7 0x7ffff6596b96 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

SUMMARY: AddressSanitizer: heap-buffer-overflow
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0x4d0ad) 
Shadow bytes around the buggy address:
  0x0c2a7fff80e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
  0x0c2a7fff80f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff8100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a7fff8110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a7fff8120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2a7fff8130: 00 00 00 00 00 00 00 00 00 00[06]fa fa fa fa fa
  0x0c2a7fff8140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff8150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff8160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff8170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff8180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==32515==ABORTING

-- 
You are receiving this mail because:
You are on the CC list for the bug.

Follow-Ups:
- [Bug libelf/25077] AddressSanitizer: heap-buffer-overflow at libelf/elf32_updatefile.c:772
  - From: mark at klomp dot org
- [Bug tools/25077] unstrip bad handling of sh_entsize of the symver section
  - From: mark at klomp dot org
- [Bug tools/25077] unstrip bad handling of sh_entsize of the symver section
  - From: leftcopy.chx at gmail dot com
- [Bug tools/25077] unstrip bad handling of sh_entsize of the symver section
  - From: mark at klomp dot org
- [Bug tools/25077] unstrip bad handling of sh_entsize of the symver section
  - From: leftcopy.chx at gmail dot com
- [Bug tools/25077] unstrip bad handling of sh_entsize of the symver section
  - From: mark at klomp dot org

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]