crash accessing address 0 in readelf (binutils-2.2.7a)

Wed, 25 Jul 2018 01:00:25 -0700 

Hi

I've come across an issue in readelf (binutils-2.2.7a), as follows:


Problem:
-------
"readelf -a input" crashes trying to access uninitialized memory (0) if given 
the right input.

Reproduce:
---------
$ CFLAGS="-g -fsanitize=address" CC=clang ../configure --disable-shared 
--disable-nls --disable-werror --disable-gdb --disable-libdecnumber 
--disable-readline --disable-sim
$ ASAN_SYMBOLIZER_PATH=`which llvm-symbolizer` ./build/binutils/readelf -a input

==30209==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 
0x00000055c484 sp 0x7ffc692c6520 bp 0x7ffc692c6c50 T0)
    #0 0x55c483 in dump_hppa_unwind 
/path/binutils-2.2.7a.asan/build/binutils/../../binutils/readelf.c:7849
    #1 0x553415 in hppa_process_unwind 
/path/binutils-2.2.7a.asan/build/binutils/../../binutils/readelf.c:8129
    #2 0x4b29f7 in process_unwind 
/path/binutils-2.2.7a.asan/build/binutils/../../binutils/readelf.c:9262
    #3 0x48c2d8 in process_object 
/path/binutils-2.2.7a.asan/build/binutils/../../binutils/readelf.c:18751
    #4 0x487870 in process_file 
/path/binutils-2.2.7a.asan/build/binutils/../../binutils/readelf.c:19188
    #5 0x485916 in main 
/path/binutils-2.2.7a.asan/build/binutils/../../binutils/readelf.c:19247
    #6 0x7f95f0d03f44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #7 0x47e01c in _start 
(/path/binutils-2.2.7a.asan/build/binutils/readelf+0x47e01c)


Details:
-------
in file readelf.c, function hppa_process_unwind():

if (! slurp_hppa_unwind_table (filedata, &aux, sec))
    res = FALSE;
  if (aux.table_len > 0)
    {
      if (! dump_hppa_unwind (filedata, &aux))
res = FALSE;
    }
    [...]


Even if the function slurp_hppa_unwind_table() fails, the function 
dump_hppa_unwind()
is executed. In dump_hppa_unwind():

for (tp = aux->table; tp < aux->table + aux->table_len; ++tp)
    {
      bfd_vma offset;
      const char * procname;
      find_symbol_for_address (filedata, aux->funtab, aux->nfuns, aux->strtab,
       aux->strtab_size, tp->start, &procname,
       &offset);
  [...]

Because slurp_hppa_unwind_table() failed, aux->table_len may be non-zero but 
aux->table
is still 0. So tp is NULL and the program tries to access address 0x0.

I don't think this is exploitable because 0 is not controllable by user input: 
it's the value
set in function hppa_process_unwind() thru:

memset (& aux, 0, sizeof (aux));

Fix:
----
Change:

if ( aux.table_len > 0)

to:

if ( res && aux.table_len > 0)



I can give you the input to trigger the bug if you'd like. I tried to attach it 
to this email but could not as your server thinks there is malware in it...

Laurent


_______________________________________________
bug-binutils mailing list
[email protected]
https://lists.gnu.org/mailman/listinfo/bug-binutils

Reply via email to