[Bug libelf/27076] heap-buffer-overflow when calling file_read_elf function in elf_begin.c in libelf

mark at klomp dot org sourceware-bugzilla@sourceware.org
Wed Dec 16 10:09:11 GMT 2020


https://sourceware.org/bugzilla/show_bug.cgi?id=27076

Mark Wielaard <mark at klomp dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
                 CC|                            |mark at klomp dot org
         Resolution|---                         |FIXED

--- Comment #1 from Mark Wielaard <mark at klomp dot org> ---
I couldn't reproduce a crash, but there is a small (1 byte) over-read detected
by valgrind:

==12591== Memcheck, a memory error detector
==12591== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==12591== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
==12591== Command: src/stack --core ./POC -abdilmsv
==12591== 
==12591== Invalid read of size 2
==12591==    at 0x4E3A768: get_shnum (elf_begin.c:139)
==12591==    by 0x4E3A768: file_read_elf (elf_begin.c:289)
==12591==    by 0x4E3AE48: __libelf_read_mmaped_file (elf_begin.c:552)
==12591==    by 0x50A969A: dwfl_segment_report_module
(dwfl_segment_report_module.c:955)
==12591==    by 0x50AC773: dwfl_core_file_report@@ELFUTILS_0.158
(core-file.c:558)
==12591==    by 0x4025B6: parse_opt (stack.c:595)
==12591==    by 0x56FACE3: argp_parse (in /usr/lib64/libc-2.17.so)
==12591==    by 0x401C12: main (stack.c:695)
==12591==  Address 0x6c182a0 is 48 bytes inside a block of size 49 alloc'd
==12591==    at 0x4C2C089: calloc (vg_replace_malloc.c:762)
==12591==    by 0x50A961E: dwfl_segment_report_module
(dwfl_segment_report_module.c:907)
==12591==    by 0x50AC773: dwfl_core_file_report@@ELFUTILS_0.158
(core-file.c:558)
==12591==    by 0x4025B6: parse_opt (stack.c:595)
==12591==    by 0x56FACE3: argp_parse (in /usr/lib64/libc-2.17.so)
==12591==    by 0x401C12: main (stack.c:695)
==12591== 
src/stack: dwfl_core_file_attach: (null)
==12591== 
==12591== HEAP SUMMARY:
==12591==     in use at exit: 2,536 bytes in 11 blocks
==12591==   total heap usage: 43 allocs, 32 frees, 14,913 bytes allocated
==12591== 
==12591== LEAK SUMMARY:
==12591==    definitely lost: 0 bytes in 0 blocks
==12591==    indirectly lost: 0 bytes in 0 blocks
==12591==      possibly lost: 0 bytes in 0 blocks
==12591==    still reachable: 2,536 bytes in 11 blocks
==12591==         suppressed: 0 bytes in 0 blocks
==12591== Rerun with --leak-check=full to see details of leaked memory
==12591== 
==12591== For lists of detected and suppressed errors, rerun with: -s
==12591== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

Fixed by making sure we have at least a full Ehdr available (which is 52 or 64
bytes in size):
https://sourceware.org/pipermail/elfutils-devel/2020q4/003322.html

-- 
You are receiving this mail because:
You are on the CC list for the bug.


More information about the Elfutils-devel mailing list