[Bug tools/24116] A Heap-buffer-overflow problem was discovered in the function print_debug_line_section in readelf.c
mark at klomp dot org
sourceware-bugzilla@sourceware.org
Fri Feb 1 08:12:00 GMT 2019
https://sourceware.org/bugzilla/show_bug.cgi?id=24116
--- Comment #6 from Mark Wielaard <mark at klomp dot org> ---
(In reply to wcventure from comment #5)
> Created attachment 11581 [details]
> Regression
Running with:
valgrind -q src/readelf --debug-dump=line ./RegressionPOC
will produce:
==57142== Invalid read of size 2
==57142== at 0x12F431: print_debug_line_section (readelf.c:8807)
==57142== by 0x11E2C0: print_debug (readelf.c:11212)
==57142== by 0x1201C0: process_elf_file (readelf.c:998)
==57142== by 0x1201C0: process_dwflmod (readelf.c:760)
==57142== by 0x486D6A0: dwfl_getmodules (dwfl_getmodules.c:86)
==57142== by 0x11414F: process_file (readelf.c:868)
==57142== by 0x111C33: main (readelf.c:350)
==57142== Address 0x4f20a83 is 0 bytes after a block of size 339 alloc'd
==57142== at 0x483577F: malloc (vg_replace_malloc.c:299)
==57142== by 0x48A0358: convert_data (elf_getdata.c:157)
==57142== by 0x48A0358: __libelf_set_data_list_rdlock (elf_getdata.c:447)
==57142== by 0x48A0547: __elf_getdata_rdlock (elf_getdata.c:554)
==57142== by 0x484EFB0: check_section (dwarf_begin_elf.c:167)
==57142== by 0x484F522: global_read (dwarf_begin_elf.c:310)
==57142== by 0x484F522: dwarf_begin_elf (dwarf_begin_elf.c:445)
==57142== by 0x486F9A7: load_dw (dwfl_module_getdwarf.c:1342)
==57142== by 0x486FBCB: find_dw (dwfl_module_getdwarf.c:1392)
==57142== by 0x486FBCB: dwfl_module_getdwarf (dwfl_module_getdwarf.c:1447)
==57142== by 0x11DD4A: print_debug (readelf.c:10943)
==57142== by 0x1201C0: process_elf_file (readelf.c:998)
==57142== by 0x1201C0: process_dwflmod (readelf.c:760)
==57142== by 0x486D6A0: dwfl_getmodules (dwfl_getmodules.c:86)
==57142== by 0x11414F: process_file (readelf.c:868)
==57142== by 0x111C33: main (readelf.c:350)
==57142==
Fixed by:
commit cad9595592730fd8c9d0d9236d38f62ec8cfbcef
Author: Mark Wielaard <mark@klomp.org>
Date: Fri Feb 1 09:08:14 2019 +0100
readelf: Check there is enough data to read DWARF line opcodes arguments.
When reading the debug_line opcode arguments we have to make sure there
is enough data to read the arguments (if there are any).
The similar code in dwarf_getsrclines already had these checks.
https://sourceware.org/bugzilla/show_bug.cgi?id=24116
Signed-off-by: Mark Wielaard <mark@klomp.org>
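The check the commit message describes, as an added stand-alone example (this is not the readelf.c patch or any elfutils code): a bounds-checked walk over a DWARF line-number program in which every operand read is preceded by a test that the bytes exist in the buffer. The standard_opcode_lengths table is the one a DWARF 2-4 header would carry for opcode_base 13; the byte sequences are constructed here and are not the attached RegressionPOC, and the function names are my own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not elfutils code: bounds-checked walk over a DWARF
   line-number program.  Every operand read is preceded by a check that the
   bytes are actually present in [p, end). */

/* Standard opcode operand counts as a DWARF 2-4 header lists them in
   standard_opcode_lengths, for opcode_base 13 (index 0 is unused). */
static const uint8_t standard_opcode_lengths[13] =
    { 0, 0, 1, 1, 1, 1, 0, 0, 0, 1, 0, 0, 1 };
#define OPCODE_BASE 13
#define DW_LNS_fixed_advance_pc 9   /* its single operand is a 2-byte uhalf */

/* Read one ULEB128 from [*p, end).  Returns false, leaving *p at end, when
   the buffer runs out before a byte without the continuation bit is seen. */
static bool read_uleb128(const uint8_t **p, const uint8_t *end, uint64_t *out)
{
    uint64_t result = 0;
    unsigned shift = 0;
    while (*p < end) {
        uint8_t b = *(*p)++;
        if (shift < 64)
            result |= (uint64_t)(b & 0x7f) << shift;
        shift += 7;
        if ((b & 0x80) == 0) {
            *out = result;
            return true;
        }
    }
    return false;
}

/* Walk a line program of LEN bytes.  Returns the number of opcodes consumed,
   or -1 as soon as an operand would extend past the end of DATA. */
static int check_line_program(const uint8_t *data, size_t len)
{
    const uint8_t *p = data, *end = data + len;
    int opcodes = 0;
    while (p < end) {
        uint8_t op = *p++;
        opcodes++;
        if (op >= OPCODE_BASE)
            continue;                       /* special opcode: no operands */
        if (op == 0) {
            /* extended opcode: ULEB128 length, then that many bytes */
            uint64_t elen;
            if (!read_uleb128(&p, end, &elen) || elen > (uint64_t)(end - p))
                return -1;
            p += elen;
            continue;
        }
        if (op == DW_LNS_fixed_advance_pc) {
            if (end - p < 2)                /* the 2-byte read must fit */
                return -1;
            p += 2;
            continue;
        }
        /* remaining standard opcodes: header says how many ULEB128 operands */
        for (uint8_t i = 0; i < standard_opcode_lengths[op]; i++) {
            uint64_t arg;
            if (!read_uleb128(&p, end, &arg))
                return -1;
        }
    }
    return opcodes;
}

/* Constructed inputs (not the bug's attachment). */
static const uint8_t good_program[] = {
    0x02, 0x05,             /* DW_LNS_advance_pc 5 */
    0x09, 0x10, 0x00,       /* DW_LNS_fixed_advance_pc 0x0010 */
    0x01,                   /* DW_LNS_copy */
    0x00, 0x01, 0x01,       /* extended, len 1: DW_LNE_end_sequence */
};
static const uint8_t trunc_fixed[] = { 0x02, 0x05, 0x09, 0x10 };  /* uhalf cut to 1 byte */
static const uint8_t trunc_uleb[]  = { 0x02, 0x85 };              /* ULEB128 never terminates */
static const uint8_t trunc_ext[]   = { 0x00, 0x05, 0x01 };        /* claims 5 bytes, has 1 */

int main(void)
{
    printf("good: %d opcodes\n", check_line_program(good_program, sizeof good_program));
    printf("truncated uhalf: %d\n", check_line_program(trunc_fixed, sizeof trunc_fixed));
    printf("truncated uleb: %d\n", check_line_program(trunc_uleb, sizeof trunc_uleb));
    printf("truncated extended: %d\n", check_line_program(trunc_ext, sizeof trunc_ext));
    return 0;
}
```

The three truncated inputs each stop at a different operand kind (a fixed 2-byte operand, an unterminated ULEB128, and an extended opcode whose length exceeds the remaining data); an unchecked reader would step past the end of the section buffer in every one of them, which is the class of read valgrind flags above.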