[Bug backends/23529] heap-buffer-overflow in eu-readelf

mark at klomp dot org sourceware-bugzilla@sourceware.org
Wed Aug 15 15:35:00 GMT 2018


https://sourceware.org/bugzilla/show_bug.cgi?id=23529

Mark Wielaard <mark at klomp dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mark at klomp dot org

--- Comment #1 from Mark Wielaard <mark at klomp dot org> ---
Replicated with valgrind:

valgrind -q eu-readelf --debug-dump=abbrev Buffer-over-readelf

==21205== Invalid read of size 1
==21205==    at 0x4855B45: __libdw_get_uleb128_unchecked (memory-access.h:97)
==21205==    by 0x4855B45: dwarf_getabbrevattr_data (dwarf_getabbrevattr.c:60)
==21205==    by 0x116573: print_debug_abbrev_section (readelf.c:5045)
==21205==    by 0x11E090: print_debug (readelf.c:11143)
==21205==    by 0x11FEA9: process_elf_file (readelf.c:996)
==21205==    by 0x11FEA9: process_dwflmod (readelf.c:760)
==21205==    by 0x486C460: dwfl_getmodules (dwfl_getmodules.c:86)
==21205==    by 0x1143BF: process_file (readelf.c:868)
==21205==    by 0x111C13: main (readelf.c:350)
==21205==  Address 0x5115416 is 0 bytes after a block of size 54 alloc'd
==21205==    at 0x48357BF: malloc (vg_replace_malloc.c:299)
==21205==    by 0x489E287: convert_data (elf_getdata.c:164)
==21205==    by 0x489E287: __libelf_set_data_list_rdlock (elf_getdata.c:431)
==21205==    by 0x489E387: __elf_getdata_rdlock (elf_getdata.c:538)
==21205==    by 0x484DF80: check_section (dwarf_begin_elf.c:167)
==21205==    by 0x484E4E2: global_read (dwarf_begin_elf.c:310)
==21205==    by 0x484E4E2: dwarf_begin_elf (dwarf_begin_elf.c:434)
==21205==    by 0x486E767: load_dw (dwfl_module_getdwarf.c:1340)
==21205==    by 0x486E98B: find_dw (dwfl_module_getdwarf.c:1390)
==21205==    by 0x486E98B: dwfl_module_getdwarf (dwfl_module_getdwarf.c:1445)
==21205==    by 0x11DB1A: print_debug (readelf.c:10874)
==21205==    by 0x11FEA9: process_elf_file (readelf.c:996)
==21205==    by 0x11FEA9: process_dwflmod (readelf.c:760)
==21205==    by 0x486C460: dwfl_getmodules (dwfl_getmodules.c:86)
==21205==    by 0x1143BF: process_file (readelf.c:868)
==21205==    by 0x111C13: main (readelf.c:350)

The issue is that __libdw_getabbrev (used by dwarf_getabbrev, dwarf_offabbrev)
uses a different "end of attributes" condition than dwarf_getabbrevattr[_data]:

  while (attrname != 0 && attrform != 0);

vs

      /* If both values are zero the index is out of range.  */
      if (name == 0 && form == 0)

Since the spec says: "The series of attribute specifications ends with an entry
containing 0 for the name and 0 for the form." the second form is correct. And
the check in __libdw_getabbrev should be:

while (attrname != 0 || attrform != 0);

-- 
You are receiving this mail because:
You are on the CC list for the bug.
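The mismatch described in the comment above, as an added example that is not elfutils code: a small bounds-checked .debug_abbrev reader in which scan_abbrev stands in for __libdw_getabbrev (with either loop condition selectable through the end_rule enum) and get_attr stands in for dwarf_getabbrevattr, which keeps rescanning until it meets an entry with name 0 and form 0. libdw's walker uses __libdw_get_uleb128_unchecked because the abbrev was already validated; here every read is checked so the over-read shows up as a status code rather than as the one-byte invalid read valgrind reported. All function names, the enum and the two byte arrays are constructed for this illustration and are not taken from the reporter's file.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example, not elfutils code: a bounds-checked .debug_abbrev reader that
   shows how the two "end of attributes" rules quoted above diverge. */

enum end_rule {
    END_EITHER_ZERO, /* while (attrname != 0 && attrform != 0): stops when either is 0 */
    END_BOTH_ZERO    /* while (attrname != 0 || attrform != 0): stops only at (0, 0) */
};

/* Decode one unsigned LEB128 at *P without reading past END, advancing *P.
   Returns 1, or 0 (with *P unchanged) if the encoding is truncated. */
static int uleb128(const uint8_t **p, const uint8_t *end, uint64_t *out)
{
    uint64_t val = 0;
    unsigned shift = 0;
    for (const uint8_t *q = *p; q < end && shift < 64; shift += 7) {
        uint8_t b = *q++;
        val |= (uint64_t)(b & 0x7f) << shift;
        if (!(b & 0x80)) { *out = val; *p = q; return 1; }
    }
    return 0;
}

/* Validate one abbreviation the way __libdw_getabbrev does, under RULE.  Sets
   *ATTRS to the first attribute spec and returns the number of specs before
   the terminator, or -1 if the data runs out before a terminator RULE accepts. */
static int scan_abbrev(const uint8_t *p, const uint8_t *end, enum end_rule rule,
                       const uint8_t **attrs)
{
    uint64_t v, name, form;
    /* abbrev code, DW_TAG_*, then the one-byte DW_CHILDREN_* flag */
    if (!uleb128(&p, end, &v) || !uleb128(&p, end, &v) || p >= end)
        return -1;
    p++;
    *attrs = p;
    for (int count = 0;; count++) {
        if (!uleb128(&p, end, &name) || !uleb128(&p, end, &form))
            return -1;
        if (rule == END_EITHER_ZERO ? (name == 0 || form == 0)
                                    : (name == 0 && form == 0))
            return count;
    }
}

/* Fetch attribute IDX like dwarf_getabbrevattr: rescan from ATTRS until a
   (0, 0) entry.  libdw reads unchecked here because the abbrev was already
   validated; these reads are checked, so running past END returns -2 instead
   of touching memory beyond the section.  Returns 0 on success, -1 if IDX is
   at or past the terminator. */
static int get_attr(const uint8_t *attrs, const uint8_t *end, size_t idx,
                    uint64_t *name, uint64_t *form)
{
    const uint8_t *p = attrs;
    for (;;) {
        if (!uleb128(&p, end, name) || !uleb128(&p, end, form)) return -2;
        if (*name == 0 && *form == 0) return -1;
        if (idx-- == 0) return 0;
    }
}

/* Mimic print_debug_abbrev_section: validate, then fetch attributes by index
   until the walker fails.  Returns the walker's final status (-1 clean
   terminator, -2 over-read, -3 rejected by scan_abbrev); *SEEN, if non-NULL,
   gets the number of attributes handed back before that. */
static int dump_abbrev(const uint8_t *sec, size_t len, enum end_rule rule, int *seen)
{
    const uint8_t *end = sec + len, *attrs;
    uint64_t name, form;
    int rc, cnt = 0;
    if (scan_abbrev(sec, end, rule, &attrs) < 0)
        rc = -3;
    else
        while ((rc = get_attr(attrs, end, (size_t)cnt, &name, &form)) == 0)
            cnt++;
    if (seen) *seen = cnt;
    return rc;
}

/* Convenience for callers that only want the attribute count. */
static int attrs_returned(const uint8_t *sec, size_t len, enum end_rule rule)
{
    int seen;
    dump_abbrev(sec, len, rule, &seen);
    return seen;
}

/* Constructed section contents, not the reporter's file.  One spec, then an
   entry with DW_AT_name (0x03) and form 0, and the section ends right there:
   no (0, 0) terminator is present. */
static const uint8_t truncated_abbrev[] = {
    0x01, 0x11, 0x01,   /* code 1, DW_TAG_compile_unit, DW_CHILDREN_yes */
    0x25, 0x08,         /* DW_AT_producer, DW_FORM_string */
    0x03, 0x00,         /* DW_AT_name, form 0: not a terminator per the spec */
};

/* Well-formed counterpart on which both rules agree: three specs, a (0, 0)
   terminator, then the 0 code that ends the table. */
static const uint8_t good_abbrev[] = {
    0x01, 0x11, 0x01,
    0x25, 0x08, 0x03, 0x08, 0x13, 0x0b, /* producer/string, name/string, language/data1 */
    0x00, 0x00,                         /* terminator */
    0x00,                               /* end of abbreviation table */
};
```

With the "&&" rule, scan_abbrev accepts the truncated section, taking the (DW_AT_name, 0) entry as the terminator, and the walker, which only stops at (0, 0), hands back two attributes and then runs off the end: dump_abbrev returns -2 where libdw's unchecked read is the invalid read in the valgrind trace. With the "||" rule the same bytes are rejected as truncated before any attribute is fetched (status -3), and on the well-formed table both rules return three attributes and a clean -1.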
