[Bug libelf/23528] When executing ./eu-nm or ./eu-readelf -aAdehIlnrsSVcp -w, AddressSanitizer catch a double-free crash.

mark at klomp dot org sourceware-bugzilla@sourceware.org
Wed Aug 15 13:20:00 GMT 2018


https://sourceware.org/bugzilla/show_bug.cgi?id=23528

--- Comment #1 from Mark Wielaard <mark at klomp dot org> ---
Replicated under valgrind:

$ valgrind -q eu-readelf -S Double-free-libelf

==13892== Invalid free() / delete / delete[] / realloc()
==13892==    at 0x48369EB: free (vg_replace_malloc.c:530)
==13892==    by 0x4899094: elf_end (elf_end.c:171)
==13892==    by 0x4868619: free_file (dwfl_module.c:57)
==13892==    by 0x4868787: __libdwfl_module_free (dwfl_module.c:113)
==13892==    by 0x4868370: dwfl_end (dwfl_end.c:54)
==13892==    by 0x114617: process_file (readelf.c:873)
==13892==    by 0x111C13: main (readelf.c:350)
==13892==  Address 0x51138b0 is 0 bytes inside a block of size 36 free'd
==13892==    at 0x48369EB: free (vg_replace_malloc.c:530)
==13892==    by 0x48A5C46: __libelf_reset_rawdata (elf_compress.c:325)
==13892==    by 0x48A5D80: elf_compress (elf_compress.c:514)
==13892==    by 0x4869F00: relocate_section (relocate.c:507)
==13892==    by 0x486A567: __libdwfl_relocate (relocate.c:752)
==13892==    by 0x486EB5B: dwfl_module_getelf (dwfl_module_getelf.c:52)
==13892==    by 0x11E764: process_elf_file (readelf.c:901)
==13892==    by 0x11E764: process_dwflmod (readelf.c:760)
==13892==    by 0x486C450: dwfl_getmodules (dwfl_getmodules.c:86)
==13892==    by 0x1143BF: process_file (readelf.c:868)
==13892==    by 0x111C13: main (readelf.c:350)
==13892==  Block was alloc'd at
==13892==    at 0x48357BF: malloc (vg_replace_malloc.c:299)
==13892==    by 0x48A59E7: __libelf_decompress (elf_compress.c:223)
==13892==    by 0x48A60D4: elf_compress_gnu (elf_compress_gnu.c:178)
==13892==    by 0x4869F68: relocate_section (relocate.c:504)
==13892==    by 0x486A567: __libdwfl_relocate (relocate.c:752)
==13892==    by 0x486EB5B: dwfl_module_getelf (dwfl_module_getelf.c:52)
==13892==    by 0x11E764: process_elf_file (readelf.c:901)
==13892==    by 0x11E764: process_dwflmod (readelf.c:760)
==13892==    by 0x486C450: dwfl_getmodules (dwfl_getmodules.c:86)
==13892==    by 0x1143BF: process_file (readelf.c:868)
==13892==    by 0x111C13: main (readelf.c:350)

The issue is this section:

[10] .zdebug_abbrev       PROGBITS     00000000 00011d 00002b  0 NGTC   0   0 
1

Note how it claims to be both gnu style compressed (starts with .zdebug) and
gabi compressed (has SHF_COMPRESSED flag C).

Then the code in relocate.c tries to decompress the section data twice:

  if (strncmp (tname, ".zdebug", strlen ("zdebug")) == 0)
    elf_compress_gnu (tscn, 0, 0);

  if ((tshdr->sh_flags & SHF_COMPRESSED) != 0)
    if (elf_compress (tscn, 0, 0) < 0)
      return DWFL_E_LIBELF;

So it tries to decompress twice. The second call sees that the data is already
decompressed and assumes it was done implicitly by some call to elf_strptr, and
so just uses the decompressed data to setup the decompressed section data
again, throwing away the buffer that elf_compress_gnu has already setup.
elf_end then tries to free this data buffer again.

The most direct fix is to just make relocate.c not decompress twice in
different ways:

diff --git a/libdwfl/relocate.c b/libdwfl/relocate.c
index 9afcdebe..81750cd3 100644
--- a/libdwfl/relocate.c
+++ b/libdwfl/relocate.c
@@ -238,8 +238,7 @@ resolve_symbol (Dwfl_Module *referer, struct
reloc_symtab_cache *symtab,
          /* If the section is already decompressed, that isn't an error.  */
          if (strncmp (sname, ".zdebug", strlen (".zdebug")) == 0)
            elf_compress_gnu (scn, 0, 0);
-
-         if ((shdr->sh_flags & SHF_COMPRESSED) != 0)
+         else if ((shdr->sh_flags & SHF_COMPRESSED) != 0)
            if (elf_compress (scn, 0, 0) < 0)
              return DWFL_E_LIBELF;

@@ -502,8 +501,7 @@ relocate_section (Dwfl_Module *mod, Elf *relocated, const
GElf_Ehdr *ehdr,

   if (strncmp (tname, ".zdebug", strlen ("zdebug")) == 0)
     elf_compress_gnu (tscn, 0, 0);
-
-  if ((tshdr->sh_flags & SHF_COMPRESSED) != 0)
+  else if ((tshdr->sh_flags & SHF_COMPRESSED) != 0)
     if (elf_compress (tscn, 0, 0) < 0)
       return DWFL_E_LIBELF;

@@ -523,8 +521,7 @@ relocate_section (Dwfl_Module *mod, Elf *relocated, const
GElf_Ehdr *ehdr,

   if (strncmp (sname, ".zdebug", strlen ("zdebug")) == 0)
     elf_compress_gnu (scn, 0, 0);
-
-  if ((shdr->sh_flags & SHF_COMPRESSED) != 0)
+  else if ((shdr->sh_flags & SHF_COMPRESSED) != 0)
     if (elf_compress (scn, 0, 0) < 0)
       return DWFL_E_LIBELF;


But we can probably fix it in elf_compress[_gnu] by better checks or just by
refusing to elf_compress_gnu if the section already has the SHF_COMPRESSED flag
set.

-- 
You are receiving this mail because:
You are on the CC list for the bug.


More information about the Elfutils-devel mailing list