[Bug binutils/24876] New: readelf: heap-buffer-overflow

[rmirzazadeh at gmail dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=24876

            Bug ID: 24876
           Summary: readelf: heap-buffer-overflow
           Product: binutils
           Version: 2.32
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: rmirzazadeh at gmail dot com
  Target Milestone: ---

Created attachment 11934
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11934&action=edit
readelf heapoverflow poc

A heap overflow discovered in readelf. The PoC file is attached. Here is the
report of AddressSanitizer:



==20361==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x612000000441 at pc 0x00000060be3d bp 0x7ffd33ef0440 sp 0x7ffd33ef0438
READ of size 1 at 0x612000000441 thread T0
    #0 0x60be3c in byte_get_little_endian
binutils-gdb/binutils/elfcomm.c:211:22
    #1 0x5882d4 in dump_ia64_unwind binutils-gdb/binutils/readelf.c:7586:15
    #2 0x57b1cb in ia64_process_unwind binutils-gdb/binutils/readelf.c:7902:6
    #3 0x540cc9 in process_unwind binutils-gdb/binutils/readelf.c:9431:14
    #4 0x52bda4 in process_object binutils-gdb/binutils/readelf.c:19795:9
    #5 0x51b057 in process_file binutils-gdb/binutils/readelf.c:20242:13
    #6 0x51985f in main binutils-gdb/binutils/readelf.c:20301:11
    #7 0x7f484eeed82f in __libc_start_main
/build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
    #8 0x41a7b8 in _start (binutils-gdb/binutils/readelf+0x41a7b8)

0x612000000441 is located 0 bytes to the right of 257-byte region
[0x612000000340,0x612000000441)
allocated by thread T0 here:
    #0 0x4de9e8 in __interceptor_malloc
(binutils-gdb/binutils/readelf+0x4de9e8)
    #1 0x516f34 in get_data binutils-gdb/binutils/readelf.c:435:9
    #2 0x57ae1c in ia64_process_unwind binutils-gdb/binutils/readelf.c:7884:33
    #3 0x540cc9 in process_unwind binutils-gdb/binutils/readelf.c:9431:14
    #4 0x52bda4 in process_object binutils-gdb/binutils/readelf.c:19795:9
    #5 0x51b057 in process_file binutils-gdb/binutils/readelf.c:20242:13
    #6 0x51985f in main binutils-gdb/binutils/readelf.c:20301:11
    #7 0x7f484eeed82f in __libc_start_main
/build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-buffer-overflow
binutils-gdb/binutils/elfcomm.c:211:22 in byte_get_little_endian
Shadow bytes around the buggy address:
  0x0c247fff8030: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c247fff8040: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c247fff8050: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
  0x0c247fff8060: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c247fff8070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c247fff8080: 00 00 00 00 00 00 00 00[01]fa fa fa fa fa fa fa
  0x0c247fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff80d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==20361==ABORTING

-- 
You are receiving this mail because:
You are on the CC list for the bug.
_______________________________________________
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils