[Bug backends/24075] Program Crash due to Wild pointer Dereference in ebl_object_note function in eblobjnote.c in libebl.
wcventure at 126 dot com
sourceware-bugzilla@sourceware.org
Wed Jan 9 11:34:00 GMT 2019
https://sourceware.org/bugzilla/show_bug.cgi?id=24075
--- Comment #1 from wcventure <wcventure at 126 dot com> ---
Created attachment 11524
--> https://sourceware.org/bugzilla/attachment.cgi?id=11524&action=edit
POC2
ASAN dumps the stack trace as follows:
> =================================================================
> ==20499==ERROR: AddressSanitizer: unknown-crash on address 0x7f908068e000 at pc 0x000000577730 bp 0x7ffd5103ba10 sp 0x7ffd5103ba00
> READ of size 1 at 0x7f908068e000 thread T0
> #0 0x57772f in ebl_object_note /elfutils/libebl/eblobjnote.c:488
> #1 0x4a06f3 in handle_notes_data /elfutils/src/readelf.c:12251
> #2 0x4c5b47 in handle_notes /elfutils/src/readelf.c:12315
> #3 0x4c5b47 in process_elf_file /elfutils/src/readelf.c:1000
> #4 0x4c5b47 in process_dwflmod /elfutils/src/readelf.c:760
> #5 0x7f907f1e9e9c in dwfl_getmodules /elfutils/libdwfl/dwfl_getmodules.c:86
> #6 0x41399c in process_file /elfutils/src/readelf.c:868
> #7 0x405df6 in main /elfutils/src/readelf.c:350
> #8 0x7f907e6ff82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
> #9 0x406ef8 in _start (/elfutils/build/bin/eu-readelf+0x406ef8)
>
> Address 0x7f908068e000 is a wild pointer.
> SUMMARY: AddressSanitizer: unknown-crash /elfutils/libebl/eblobjnote.c:488 in ebl_object_note
> Shadow bytes around the buggy address:
> 0x0ff2900c9bb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0ff2900c9bc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0ff2900c9bd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0ff2900c9be0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0ff2900c9bf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> =>0x0ff2900c9c00:[fe]fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
> 0x0ff2900c9c10: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
> 0x0ff2900c9c20: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
> 0x0ff2900c9c30: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
> 0x0ff2900c9c40: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
> 0x0ff2900c9c50: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
> Shadow byte legend (one shadow byte represents 8 application bytes):
> Addressable: 00
> Partially addressable: 01 02 03 04 05 06 07
> Heap left redzone: fa
> Freed heap region: fd
> Stack left redzone: f1
> Stack mid redzone: f2
> Stack right redzone: f3
> Stack after return: f5
> Stack use after scope: f8
> Global redzone: f9
> Global init order: f6
> Poisoned by user: f7
> Container overflow: fc
> Array cookie: ac
> Intra object redzone: bb
> ASan internal: fe
> Left alloca redzone: ca
> Right alloca redzone: cb
> ==20499==ABORTING