https://sourceware.org/bugzilla/show_bug.cgi?id=24837
Bug ID: 24837
Summary: readelf: heap buffer overflow
Product: binutils
Version: 2.32
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: rmirzazadeh at gmail dot com
Target Milestone: ---

Created attachment 11917
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11917&action=edit
readelf-heapoverflow-poc

I encountered a heap buffer overflow in `readelf` during my fuzz testing.
(GNU readelf (GNU Binutils) 2.32.51.20190722)

To reproduce (I assumed the binary is compiled with ASan):

./readelf -A PoC

Here is the ASan output:

readelf: Warning: Section 1 has an out of range sh_link value of 12
readelf: Warning: Section 2 has an out of range sh_link value of 12
readelf: Warning: Section 3 has an out of range sh_link value of 23
readelf: Error: Section 1 has invalid sh_entsize of 0000000000000004
readelf: Error: (Using the expected size of 16 for the rest of this dump)
readelf: Error: Reading 116 bytes extends past end of file for symbols
readelf: Error: no .dynamic section in the dynamic segment
readelf: Warning: Virtual address 0x6f not located in any PT_LOAD segment.
Section '^�ELF<80> ^A' contains 1 entry:
=================================================================
==20157==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000140 at pc 0x00000060b187 bp 0x7ffdbbacb4e0 sp 0x7ffdbbacb4d8
READ of size 1 at 0x602000000140 thread T0
    #0 0x60b186 (/tmp/binutils-gdb/binutils/readelf+0x60b186)
    #1 0x5a5e7c (/tmp/binutils-gdb/binutils/readelf+0x5a5e7c)
    #2 0x54c877 (/tmp/binutils-gdb/binutils/readelf+0x54c877)
    #3 0x52c12e (/tmp/binutils-gdb/binutils/readelf+0x52c12e)
    #4 0x51b0c7 (/tmp/binutils-gdb/binutils/readelf+0x51b0c7)
    #5 0x5198cf (/tmp/binutils-gdb/binutils/readelf+0x5198cf)
    #6 0x7fadfc83782f (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #7 0x41a828 (/tmp/binutils-gdb/binutils/readelf+0x41a828)

0x602000000140 is located 0 bytes to the right of 16-byte region [0x602000000130,0x602000000140)
allocated by thread T0 here:
    #0 0x4dea58 (/tmp/binutils-gdb/binutils/readelf+0x4dea58)
    #1 0x65bc07 (/tmp/binutils-gdb/binutils/readelf+0x65bc07)
    #2 0x5b5299 (/tmp/binutils-gdb/binutils/readelf+0x5b5299)
    #3 0x5a5032 (/tmp/binutils-gdb/binutils/readelf+0x5a5032)
    #4 0x54c877 (/tmp/binutils-gdb/binutils/readelf+0x54c877)
    #5 0x52c12e (/tmp/binutils-gdb/binutils/readelf+0x52c12e)
    #6 0x51b0c7 (/tmp/binutils-gdb/binutils/readelf+0x51b0c7)
    #7 0x5198cf (/tmp/binutils-gdb/binutils/readelf+0x5198cf)
    #8 0x7fadfc83782f (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/tmp/binutils-gdb/binutils/readelf+0x60b186)
Shadow bytes around the buggy address:
  0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff8000: fa fa fd fa fa fa 00 04 fa fa 00 04 fa fa 00 04
  0x0c047fff8010: fa fa 00 01 fa fa fd fa fa fa fd fd fa fa 00 00
=>0x0c047fff8020: fa fa 00 01 fa fa 00 00[fa]fa fa fa fa fa fa fa
  0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==20157==ABORTING

--
_______________________________________________
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils
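For triaging fuzz reports like the one above, the first questions are always the same: what kind of error, what access size, where the address sits relative to the allocation, and which frames belong to the faulting access versus the allocation. The following Python helper is an added example (not part of the bug report, and not binutils code) that parses an AddressSanitizer heap report into those fields. The sample report is a trimmed copy of the ASan lines from this report; the function and class names (`parse_asan_report`, `AsanTriage`, `triage_summary`) are my own. It goes a little beyond this single report by also accepting WRITE accesses and "to the left of" / "inside of" region descriptions.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: the relevant lines of the ASan report from the bug above,
# trimmed to the parts this parser consumes.
SAMPLE_REPORT = """\
==20157==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000140 at pc 0x00000060b187 bp 0x7ffdbbacb4e0 sp 0x7ffdbbacb4d8
READ of size 1 at 0x602000000140 thread T0
    #0 0x60b186 (/tmp/binutils-gdb/binutils/readelf+0x60b186)
    #1 0x5a5e7c (/tmp/binutils-gdb/binutils/readelf+0x5a5e7c)
    #2 0x54c877 (/tmp/binutils-gdb/binutils/readelf+0x54c877)
0x602000000140 is located 0 bytes to the right of 16-byte region [0x602000000130,0x602000000140)
allocated by thread T0 here:
    #0 0x4dea58 (/tmp/binutils-gdb/binutils/readelf+0x4dea58)
    #1 0x65bc07 (/tmp/binutils-gdb/binutils/readelf+0x65bc07)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/tmp/binutils-gdb/binutils/readelf+0x60b186)
"""

# Regexes for the standard ASan report lines (error header, access line,
# region description, and unsymbolized stack frames).
ERROR_RE = re.compile(
    r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(
    r"^(?P<access>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-f]+)", re.M)
REGION_RE = re.compile(
    r"(?P<addr>0x[0-9a-f]+) is located (?P<dist>\d+) bytes "
    r"(?P<side>to the right of|to the left of|inside of) "
    r"(?P<rsize>\d+)-byte region \[(?P<lo>0x[0-9a-f]+),(?P<hi>0x[0-9a-f]+)\)")
FRAME_RE = re.compile(
    r"^\s*#(?P<n>\d+) (?P<pc>0x[0-9a-f]+) \((?P<module>[^+]+)\+(?P<off>0x[0-9a-f]+)\)", re.M)


@dataclass
class AsanTriage:
    kind: str            # e.g. "heap-buffer-overflow"
    access: str          # "READ" or "WRITE"
    size: int            # bytes accessed
    address: int         # faulting address
    region_lo: int       # allocation start (inclusive)
    region_hi: int       # allocation end (exclusive)
    region_size: int     # size ASan reported for the allocation
    side: str            # ASan's wording for where the address lies
    access_frames: List[str] = field(default_factory=list)  # "module+offset"
    alloc_frames: List[str] = field(default_factory=list)

    @property
    def region_consistent(self) -> bool:
        # Sanity check: the bracketed range should match the stated size.
        return self.region_hi - self.region_lo == self.region_size

    @property
    def distance_past_end(self) -> int:
        # Same quantity ASan prints as "N bytes to the right of" (negative if inside/left).
        return self.address - self.region_hi

    @property
    def bytes_out_of_bounds(self) -> int:
        # How many bytes of the access actually fall beyond the region end.
        return max(0, self.address + self.size - self.region_hi)

    @property
    def is_off_by_one(self) -> bool:
        # A single-byte access exactly at region_hi: the classic one-past-the-end read.
        return self.address == self.region_hi and self.size == 1


def parse_asan_report(text: str) -> AsanTriage:
    err, acc, reg = ERROR_RE.search(text), ACCESS_RE.search(text), REGION_RE.search(text)
    if not (err and acc and reg):
        raise ValueError("not a recognisable AddressSanitizer heap report")
    # Frames before "allocated by" belong to the faulting access; frames after it
    # (up to SUMMARY) belong to the allocation site.
    head, _, tail = text.partition("allocated by thread")
    alloc_part = tail.split("SUMMARY:", 1)[0]
    return AsanTriage(
        kind=err["kind"], access=acc["access"], size=int(acc["size"]),
        address=int(acc["addr"], 16),
        region_lo=int(reg["lo"], 16), region_hi=int(reg["hi"], 16),
        region_size=int(reg["rsize"]), side=reg["side"],
        access_frames=[f"{m['module']}+{m['off']}" for m in FRAME_RE.finditer(head)],
        alloc_frames=[f"{m['module']}+{m['off']}" for m in FRAME_RE.finditer(alloc_part)],
    )


def triage_summary(t: AsanTriage) -> str:
    note = " (one-past-the-end access)" if t.is_off_by_one else ""
    return (f"{t.kind}: {t.access} of {t.size} byte(s) at {t.address:#x}, "
            f"{t.distance_past_end} byte(s) {t.side} a {t.region_size}-byte heap region; "
            f"{t.bytes_out_of_bounds} byte(s) out of bounds{note}; "
            f"fault at {t.access_frames[0] if t.access_frames else '?'}, "
            f"allocated at {t.alloc_frames[0] if t.alloc_frames else '?'}")


if __name__ == "__main__":
    print(triage_summary(parse_asan_report(SAMPLE_REPORT)))
```

The `module+offset` strings it extracts are what you feed to `addr2line -e readelf <offset>` (or build with `-g` and enable ASan's symbolizer) to turn the unsymbolized frames above into file and line numbers; the region consistency check catches reports whose text was mangled in transit, as mailing-list copies often are.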