[Bug tools/24116] A Heap-buffer-overflow problem was discovered in the function print_debug_line_section in readelf.c

mark at klomp dot org sourceware-bugzilla@sourceware.org
Fri Feb 1 08:12:00 GMT 2019


https://sourceware.org/bugzilla/show_bug.cgi?id=24116

--- Comment #6 from Mark Wielaard <mark at klomp dot org> ---
(In reply to wcventure from comment #5)
> Created attachment 11581 [details]
> Regression

Running with:
 valgrind -q src/readelf --debug-dump=line ./RegressionPOC
will produce:

==57142== Invalid read of size 2
==57142==    at 0x12F431: print_debug_line_section (readelf.c:8807)
==57142==    by 0x11E2C0: print_debug (readelf.c:11212)
==57142==    by 0x1201C0: process_elf_file (readelf.c:998)
==57142==    by 0x1201C0: process_dwflmod (readelf.c:760)
==57142==    by 0x486D6A0: dwfl_getmodules (dwfl_getmodules.c:86)
==57142==    by 0x11414F: process_file (readelf.c:868)
==57142==    by 0x111C33: main (readelf.c:350)
==57142==  Address 0x4f20a83 is 0 bytes after a block of size 339 alloc'd
==57142==    at 0x483577F: malloc (vg_replace_malloc.c:299)
==57142==    by 0x48A0358: convert_data (elf_getdata.c:157)
==57142==    by 0x48A0358: __libelf_set_data_list_rdlock (elf_getdata.c:447)
==57142==    by 0x48A0547: __elf_getdata_rdlock (elf_getdata.c:554)
==57142==    by 0x484EFB0: check_section (dwarf_begin_elf.c:167)
==57142==    by 0x484F522: global_read (dwarf_begin_elf.c:310)
==57142==    by 0x484F522: dwarf_begin_elf (dwarf_begin_elf.c:445)
==57142==    by 0x486F9A7: load_dw (dwfl_module_getdwarf.c:1342)
==57142==    by 0x486FBCB: find_dw (dwfl_module_getdwarf.c:1392)
==57142==    by 0x486FBCB: dwfl_module_getdwarf (dwfl_module_getdwarf.c:1447)
==57142==    by 0x11DD4A: print_debug (readelf.c:10943)
==57142==    by 0x1201C0: process_elf_file (readelf.c:998)
==57142==    by 0x1201C0: process_dwflmod (readelf.c:760)
==57142==    by 0x486D6A0: dwfl_getmodules (dwfl_getmodules.c:86)
==57142==    by 0x11414F: process_file (readelf.c:868)
==57142==    by 0x111C33: main (readelf.c:350)
==57142== 

Fixed by:

commit cad9595592730fd8c9d0d9236d38f62ec8cfbcef
Author: Mark Wielaard <mark@klomp.org>
Date:   Fri Feb 1 09:08:14 2019 +0100

    readelf: Check there is enough data to read DWARF line opcodes arguments.

    When reading the debug_line opcode arguments we have to make sure there
    is enough data to read the arguments (if there are any).

    The similar code in dwarf_getsrclines already had these checks.

    https://sourceware.org/bugzilla/show_bug.cgi?id=24116

    Signed-off-by: Mark Wielaard <mark@klomp.org>

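The check the commit message describes, as an added stand-alone example (not elfutils code, not code from the commenter or the bug attachment): a minimal walker over the standard opcodes of a DWARF line-number program that verifies, before every operand read, that the operand still lies inside the section buffer. `DW_LNS_fixed_advance_pc` is the one standard opcode whose operand is a fixed 2-byte uhalf rather than a ULEB128, which is the kind of read that walks off the end of a truncated section if unchecked. The opcode numbers and operand counts are the DWARF standard values; the function and array names and the two byte strings are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Standard line-number opcodes (DWARF 2 through 5). */
enum {
  DW_LNS_copy = 1, DW_LNS_advance_pc, DW_LNS_advance_line, DW_LNS_set_file,
  DW_LNS_set_column, DW_LNS_negate_stmt, DW_LNS_set_basic_block,
  DW_LNS_const_add_pc, DW_LNS_fixed_advance_pc, DW_LNS_set_prologue_end,
  DW_LNS_set_epilogue_begin, DW_LNS_set_isa,
};

/* Operand count per standard opcode, as a line program header's
   standard_opcode_lengths table would state them.  Index 0 is unused
   because opcode 0 is the extended-opcode escape. */
static const uint8_t std_opcode_lengths[13] =
  { 0, 0, 1, 1, 1, 1, 0, 0, 0, 1, 0, 0, 1 };

/* Read a ULEB128 without stepping past END; false on truncation or
   a value wider than 64 bits. */
static bool
read_uleb128 (const uint8_t **pp, const uint8_t *end, uint64_t *out)
{
  const uint8_t *p = *pp;
  uint64_t val = 0;
  unsigned shift = 0;
  for (;;)
    {
      if (p >= end)
        return false;                 /* operand runs off the section */
      uint8_t b = *p++;
      if (shift < 64)
        val |= (uint64_t) (b & 0x7f) << shift;
      else if ((b & 0x7f) != 0)
        return false;
      shift += 7;
      if ((b & 0x80) == 0)
        break;
    }
  *pp = p;
  *out = val;
  return true;
}

/* Read a little-endian uhalf (2 bytes) without stepping past END. */
static bool
read_uhalf (const uint8_t **pp, const uint8_t *end, uint16_t *out)
{
  if (end - *pp < 2)
    return false;                     /* would be the 2-byte overread */
  *out = (uint16_t) ((*pp)[0] | ((*pp)[1] << 8));
  *pp += 2;
  return true;
}

/* Walk the standard opcodes in [BUF, BUF+LEN).  Returns the number of
   opcodes consumed, or -1 if any operand would extend past the buffer.
   Extended (0) and special (>= 13) opcodes are out of scope here and
   simply stop the walk. */
int
count_line_opcodes (const uint8_t *buf, size_t len)
{
  const uint8_t *p = buf, *end = buf + len;
  int count = 0;

  while (p < end)
    {
      uint8_t op = *p++;
      if (op == 0 || op >= 13)
        break;
      if (op == DW_LNS_fixed_advance_pc)
        {
          uint16_t delta;
          if (!read_uhalf (&p, end, &delta))
            return -1;
        }
      else
        for (unsigned i = 0; i < std_opcode_lengths[op]; i++)
          {
            uint64_t operand;
            if (!read_uleb128 (&p, end, &operand))
              return -1;
          }
      count++;
    }
  return count;
}

/* Constructed inputs for this example (not the bug's attachment). */
static const uint8_t good_prog[] = {
  DW_LNS_set_file, 0x01,               /* set_file 1 */
  DW_LNS_advance_pc, 0x90, 0x01,       /* advance_pc 144 (2-byte ULEB128) */
  DW_LNS_fixed_advance_pc, 0x34, 0x12, /* fixed_advance_pc 0x1234 */
  DW_LNS_copy,
};
/* Cut one byte short inside the fixed_advance_pc uhalf operand. */
static const uint8_t truncated_uhalf_prog[] = {
  DW_LNS_set_file, 0x01, DW_LNS_fixed_advance_pc, 0x34,
};
/* Cut short inside a ULEB128 operand (continuation bit set, no next byte). */
static const uint8_t truncated_uleb_prog[] = { DW_LNS_advance_pc, 0x90 };

int
main (void)
{
  printf ("good: %d\n", count_line_opcodes (good_prog, sizeof good_prog));
  printf ("truncated uhalf: %d\n",
          count_line_opcodes (truncated_uhalf_prog, sizeof truncated_uhalf_prog));
  printf ("truncated uleb: %d\n",
          count_line_opcodes (truncated_uleb_prog, sizeof truncated_uleb_prog));
  return 0;
}
```

The point of the pattern is that `end` is carried alongside the cursor and every reader compares against it before dereferencing; a walker that only checks `p < end` at the top of the loop has verified the opcode byte but not its operands, which is exactly the gap a one-byte-short section exploits.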