[Bug libdw/23541] New: heap-buffer-overflow in /elfutils/libdw/dwarf_getaranges.c:156

wcventure at 126 dot com sourceware-bugzilla@sourceware.org
Fri Aug 17 04:06:00 GMT 2018


https://sourceware.org/bugzilla/show_bug.cgi?id=23541

            Bug ID: 23541
           Summary: heap-buffer-overflow in
                    /elfutils/libdw/dwarf_getaranges.c:156
           Product: elfutils
           Version: unspecified
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: libdw
          Assignee: unassigned at sourceware dot org
          Reporter: wcventure at 126 dot com
                CC: elfutils-devel at sourceware dot org
  Target Milestone: ---

Created attachment 11189
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11189&action=edit
addr2line -e @@ -- 500 50 10 -1000

When executing "./eu-addr2line -e @@ -- 500 50 10 -1000", AddressSanitizer
catch a heap-buffer-overflow crash.


117833==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000edbb
at pc 0x7fde94ff95ed bp 0x7fff4f475910 sp 0x7fff4f475900
READ of size 1 at 0x60200000edbb thread T0
    #0 0x7fde94ff95ec in dwarf_getaranges
/home/wcventure/Documents/Cproject/elfutils/libdw/dwarf_getaranges.c:156
    #1 0x7fde95091c6f in addrarange
/home/wcventure/Documents/Cproject/elfutils/libdwfl/cu.c:54
    #2 0x7fde95091c6f in __libdwfl_addrcu
/home/wcventure/Documents/Cproject/elfutils/libdwfl/cu.c:313
    #3 0x7fde95098b5e in dwfl_module_getsrc
/home/wcventure/Documents/Cproject/elfutils/libdwfl/dwfl_module_getsrc.c:44
    #4 0x40461c in handle_address
/home/wcventure/Documents/Cproject/elfutils/src/addr2line.c:680
    #5 0x40263b in main
/home/wcventure/Documents/Cproject/elfutils/src/addr2line.c:197
    #6 0x7fde9459282f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #7 0x402c08 in _start
(/home/wcventure/Documents/Cproject/elfutils/build/bin/eu-addr2line+0x402c08)

0x60200000edbb is located 0 bytes to the right of 11-byte region
[0x60200000edb0,0x60200000edbb)
allocated by thread T0 here:
    #0 0x7fde953cc602 in malloc
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x7fde94d10ce8 in convert_data
/home/wcventure/Documents/Cproject/elfutils/libelf/elf_getdata.c:164
    #2 0x7fde94d10ce8 in __libelf_set_data_list_rdlock
/home/wcventure/Documents/Cproject/elfutils/libelf/elf_getdata.c:431

SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/wcventure/Documents/Cproject/elfutils/libdw/dwarf_getaranges.c:156
dwarf_getaranges
Shadow bytes around the buggy address:
  0x0c047fff9d60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9db0: fa fa fa fa fa fa 00[03]fa fa 01 fa fa fa 00 01
  0x0c047fff9dc0: fa fa 00 04 fa fa 00 04 fa fa 00 04 fa fa 00 04
  0x0c047fff9dd0: fa fa 00 04 fa fa 00 04 fa fa 00 04 fa fa fd fa
  0x0c047fff9de0: fa fa 00 04 fa fa 00 04 fa fa 00 04 fa fa 00 04
  0x0c047fff9df0: fa fa 00 04 fa fa 00 04 fa fa 00 04 fa fa fd fa
  0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==117833==ABORTING

-- 
You are receiving this mail because:
You are on the CC list for the bug.


More information about the Elfutils-devel mailing list