https://sourceware.org/bugzilla/show_bug.cgi?id=27845
Bug ID: 27845
Summary: readelf crashes: heap-buffer-overflow
Product: binutils
Version: 2.37 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: shaohua.li at inf dot ethz.ch
Target Milestone: ---

Created attachment 13434
  --> https://sourceware.org/bugzilla/attachment.cgi?id=13434&action=edit
poc for `readelf -w`

Hi there,

I crashed readelf (with the flag -w) with a crafted input generated by a fuzzer.

Reproduce: run with `readelf -w poc`.

The AddressSanitizer outputs are as follows:

==109177==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61800000047f at pc 0x00000054607c bp 0x7ffe20b9a510 sp 0x7ffe20b9a508
READ of size 1 at 0x61800000047f thread T0
    #0 0x54607b in read_leb128 /data/clean/binutils-gdb/binutils/dwarf.c:353:28
    #1 0x54607b in process_abbrev_set /data/clean/binutils-gdb/binutils/dwarf.c:1073:7
    #2 0x526563 in process_debug_info /data/clean/binutils-gdb/binutils/dwarf.c:3682:11
    #3 0x535662 in display_debug_info /data/clean/binutils-gdb/binutils/dwarf.c:7264:10
    #4 0x4ee444 in display_debug_section /data/clean/binutils-gdb/binutils/readelf.c:15549:18
    #5 0x4ee444 in process_section_contents /data/clean/binutils-gdb/binutils/readelf.c:15644:10
    #6 0x4d4a4a in process_object /data/clean/binutils-gdb/binutils/readelf.c:21378:9
    #7 0x4cb537 in process_file /data/clean/binutils-gdb/binutils/readelf.c:21800:13
    #8 0x4cb537 in main /data/clean/binutils-gdb/binutils/readelf.c:21871:11
    #9 0x7fd369f3c0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #10 0x41c46d in _start (/data/clean/binutils-gdb/binutils/readelf+0x41c46d)

0x61800000047f is located 1 bytes to the left of 815-byte region [0x618000000480,0x6180000007af)
allocated by thread T0 here:
    #0 0x4976cd in malloc (/data/clean/binutils-gdb/binutils/readelf+0x4976cd)
    #1 0x4c9482 in get_data /data/clean/binutils-gdb/binutils/readelf.c:481:14
    #2 0x4c98ff in load_specific_debug_section /data/clean/binutils-gdb/binutils/readelf.c:15181:38
    #3 0x5247b8 in load_separate_debug_files /data/clean/binutils-gdb/binutils/dwarf.c:11473:10
    #4 0x4cb537 in process_file /data/clean/binutils-gdb/binutils/readelf.c:21800:13
    #5 0x4cb537 in main /data/clean/binutils-gdb/binutils/readelf.c:21871:11
    #6 0x7fd369f3c0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /data/clean/binutils-gdb/binutils/dwarf.c:353:28 in read_leb128
Shadow bytes around the buggy address:
  0x0c307fff8030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c307fff8040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c307fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c307fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c307fff8070: 00 00 00 00 00 fa fa fa fa fa fa fa fa fa fa fa
=>0x0c307fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
  0x0c307fff8090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c307fff80a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c307fff80b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c307fff80c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c307fff80d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==109177==ABORTING
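The sanitizer report above shows a 1-byte read one byte before the start of the heap region holding the loaded debug section, with the faulting frame in the LEB128 reader called from abbreviation-set parsing. The defensive pattern that prevents this class of bug is to validate any untrusted section-relative offset against the section length before forming a pointer from it, and to check every byte of a variable-length LEB128 value against the end of the buffer. The block below is an added example written for this page, not binutils' own read_leb128 or any code from the attachment; all function and enum names are hypothetical, and the sample inputs (including the SIZE_MAX offset, which in an unchecked decoder would yield a pointer one byte before the buffer) are constructed for illustration and are not the contents of the poc file.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Status codes for the checked decoder.  All names in this file are
   hypothetical and belong to this example, not to binutils' dwarf.c. */
enum leb_status { LEB_OK = 0, LEB_BAD_RANGE, LEB_TRUNCATED, LEB_TOO_LONG };

/* Decode an unsigned LEB128 integer starting at buf[offset] without touching
   any byte outside [buf, buf + buf_len).  The offset is validated before a
   pointer is formed, so an untrusted value such as SIZE_MAX (which would
   otherwise produce buf - 1, one byte to the left of the allocation, the
   shape of the read in the report above) is rejected instead of dereferenced.
   Each subsequent byte is checked against the end pointer, so a value whose
   continuation bits run past the section is reported as truncated. */
static enum leb_status
read_uleb128_checked (const unsigned char *buf, size_t buf_len, size_t offset,
                      uint64_t *value, size_t *consumed)
{
  const unsigned char *end = buf + buf_len;
  const unsigned char *p;
  uint64_t result = 0;
  unsigned shift = 0;

  *value = 0;
  *consumed = 0;
  if (buf == NULL || offset >= buf_len)
    return LEB_BAD_RANGE;            /* start would lie outside the buffer */

  for (p = buf + offset; p < end; p++)
    {
      unsigned char byte = *p;
      (*consumed)++;
      /* A 64-bit value needs at most 10 bytes; the 10th may only carry bit 63. */
      if (shift >= 64 || (shift == 63 && (byte & 0x7e) != 0))
        return LEB_TOO_LONG;
      result |= (uint64_t) (byte & 0x7f) << shift;
      shift += 7;
      if ((byte & 0x80) == 0)
        {
          *value = result;
          return LEB_OK;             /* final byte has the continuation bit clear */
        }
    }
  return LEB_TRUNCATED;              /* hit end of buffer with continuation bit set */
}

/* Constructed sample inputs (not taken from the attached poc). */
static const unsigned char sample_ok[]    = { 0xE5, 0x8E, 0x26 };   /* encodes 624485 */
static const unsigned char sample_trunc[] = { 0x80, 0x80 };         /* no terminating byte */
static const unsigned char sample_long[]  = { 0x80, 0x80, 0x80, 0x80, 0x80,
                                              0x80, 0x80, 0x80, 0x80, 0x80, 0x01 };

/* Thin wrappers so the outcome can be inspected as plain return values. */
static enum leb_status
status_at (const unsigned char *buf, size_t len, size_t offset)
{
  uint64_t v; size_t n;
  return read_uleb128_checked (buf, len, offset, &v, &n);
}

static uint64_t
value_at (const unsigned char *buf, size_t len, size_t offset)
{
  uint64_t v; size_t n;
  return read_uleb128_checked (buf, len, offset, &v, &n) == LEB_OK ? v : 0;
}

int
main (void)
{
  static const char *names[] = { "ok", "bad-range", "truncated", "too-long" };
  printf ("good input:      %s, value %llu\n",
          names[status_at (sample_ok, sizeof sample_ok, 0)],
          (unsigned long long) value_at (sample_ok, sizeof sample_ok, 0));
  printf ("offset SIZE_MAX: %s\n", names[status_at (sample_ok, sizeof sample_ok, SIZE_MAX)]);
  printf ("truncated:       %s\n", names[status_at (sample_trunc, sizeof sample_trunc, 0)]);
  printf ("overlong:        %s\n", names[status_at (sample_long, sizeof sample_long, 0)]);
  return 0;
}
```

The point of separating the range check from the byte loop is that the offset test is the only place a pointer is derived from attacker-controlled data; once `p` is known to be inside the buffer, the `p < end` test on each iteration is sufficient to keep every read inside the allocation, and callers get a distinct status for "offset out of range" versus "value cut off at the end of the section" so that either case can be diagnosed rather than crashing.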