[Bug backends/24075] Program Crash due to buffer over-read in ebl_object_note function in eblobjnote.c in libebl.

wcventure at 126 dot com sourceware-bugzilla@sourceware.org
Sat Jan 26 08:04:00 GMT 2019


https://sourceware.org/bugzilla/show_bug.cgi?id=24075

wcventure <wcventure at 126 dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |UNCONFIRMED
         Resolution|FIXED                       |---

--- Comment #4 from wcventure <wcventure at 126 dot com> ---
Regression Testing:

I have done regression testing.
This problem can be broken again!

Here is the POC file.


The Commit ID I used:

> commit a17c2c0917901ffa542ac4d3e327d46742219e04
> Author: Mark Wielaard <mark@klomp.org>
> Date:   Tue Jan 22 15:55:18 2019 +0100
> 
>     readelf: Don't go past end of line data reading unknown opcode parameters.
> 
>     https://sourceware.org/bugzilla/show_bug.cgi?id=24116
> 
>     Signed-off-by: Mark Wielaard <mark@klomp.org>


ASAN trace:

> ==22829==ERROR: AddressSanitizer: unknown-crash on address 0x7f07d1c81000 at pc 0x0000004c0857 bp 0x7ffc6580df50 sp 0x7ffc6580df40
> READ of size 1 at 0x7f07d1c81000 thread T0
>     #0 0x4c0856 in ebl_object_note /home/wencheng/Experiment/elfutils/libebl/eblobjnote.c:495
>     #1 0x452e0f in handle_notes_data /home/wencheng/Experiment/elfutils/src/readelf.c:12256
>     #2 0x465ec3 in handle_notes /home/wencheng/Experiment/elfutils/src/readelf.c:12320
>     #3 0x465ec3 in process_elf_file /home/wencheng/Experiment/elfutils/src/readelf.c:1000
>     #4 0x465ec3 in process_dwflmod /home/wencheng/Experiment/elfutils/src/readelf.c:760
>     #5 0x7f07d0893961 in dwfl_getmodules /home/wencheng/Experiment/elfutils/libdwfl/dwfl_getmodules.c:86
>     #6 0x40d035 in process_file /home/wencheng/Experiment/elfutils/src/readelf.c:868
>     #7 0x40579e in main /home/wencheng/Experiment/elfutils/src/readelf.c:350
>     #8 0x7f07cff1882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
>     #9 0x406428 in _start (/home/wencheng/Experiment/elfutils/build/bin/eu-readelf+0x406428)
> 
> Address 0x7f07d1c81000 is a wild pointer.
> SUMMARY: AddressSanitizer: unknown-crash /home/wencheng/Experiment/elfutils/libebl/eblobjnote.c:495 in ebl_object_note
> ==22829==ABORTING

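The crash above is a read past the end of note data while walking ELF notes. As an added illustration of the bounds check such a walk needs (this is example code, not elfutils code and not part of the bug report), the routine below iterates note records using the 12-byte namesz/descsz/type header layout from <elf.h> and refuses to advance when a header, name or padded descriptor would extend past the buffer. The sample bytes are constructed little-endian notes, not the reporter's POC file.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: two little-endian notes back to back (made up for this example). */
static const unsigned char sample_notes[] = {
    /* note 1: namesz=4, descsz=16, type=1, name "GNU\0", 16-byte desc */
    0x04,0,0,0, 0x10,0,0,0, 0x01,0,0,0, 'G','N','U',0,
    0,0,0,0, 0x02,0,0,0, 0x06,0,0,0, 0x20,0,0,0,
    /* note 2: namesz=4, descsz=5, type=2, name "GNU\0", 5-byte desc + 3 pad bytes */
    0x04,0,0,0, 0x05,0,0,0, 0x02,0,0,0, 'G','N','U',0,
    0xaa,0xbb,0xcc,0xdd,0xee, 0,0,0,
};

/* Constructed hostile header: namesz claims 4 GiB of name in a 16-byte buffer. */
static const unsigned char bad_namesz[16] = {
    0xff,0xff,0xff,0xff, 0,0,0,0, 0,0,0,0, 'G','N','U',0
};

/* Note name and descriptor are each padded to a 4-byte boundary. */
static size_t align4(size_t x) { return (x + 3) & ~(size_t)3; }

/* Walk the notes in DATA[0..LEN). Return the number of complete notes, or -1
   as soon as a header, name or padded descriptor would run past LEN. */
int count_notes(const unsigned char *data, size_t len)
{
    size_t off = 0;
    int count = 0;
    while (off < len) {
        uint32_t namesz, descsz;
        if (len - off < 12)               /* header itself is truncated */
            return -1;
        memcpy(&namesz, data + off, 4);   /* host-endian read; sample is little-endian */
        memcpy(&descsz, data + off + 4, 4);
        off += 12;                        /* skip namesz, descsz, type */
        /* Check the raw size before the padded one so align4 cannot wrap. */
        if (namesz > len - off || align4(namesz) > len - off)
            return -1;
        off += align4(namesz);
        if (descsz > len - off || align4(descsz) > len - off)
            return -1;
        off += align4(descsz);
        count++;
    }
    return count;
}

int main(void)
{
    printf("sample: %d notes\n", count_notes(sample_notes, sizeof sample_notes));
    printf("oversized namesz: %d\n", count_notes(bad_namesz, sizeof bad_namesz));
    return 0;
}
```

Feeding the sample truncated by even one byte makes the walk stop with -1 instead of reading past the buffer, which is the behaviour a sanitizer run like the one above would otherwise flag.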