https://sourceware.org/bugzilla/show_bug.cgi?id=33014
Bug ID: 33014
Summary: Unknown Crash in elfedit's byte_get_little_endian Due to Wild Pointer Dereference
Product: binutils
Version: unspecified
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: xdcao.cs at gmail dot com
Target Milestone: ---

Summary

Unknown Crash in elfedit's byte_get_little_endian Due to Wild Pointer Dereference

Environment

elfutils version: 0.192
OS: Ubuntu 22.04.5 LTS

Steps to reproduce

# export CFLAGS="-g -O0 -fno-inline -fno-lto -fsanitize=address"
# export CXXFLAGS="-g -O0 -fno-inline -fno-lto -fsanitize=address"
# ./configure --enable-maintainer-mode --disable-debuginfod
# make -j64 & make install

root@46b925a575de:# ./elfedit --enable-x86-feature ibt POC
=================================================================
==1663329==ERROR: AddressSanitizer: unknown-crash on address 0x7f0fdddb9000 at pc 0x0000004d315b bp 0x7fff57e13d90 sp 0x7fff57e13d88
READ of size 1 at 0x7f0fdddb9000 thread T0
    #0 0x4d315a in byte_get_little_endian /root/this-program/binutils-gdb/build/binutils/../../binutils/elfcomm.c:162:26
    #1 0x4cf87d in update_gnu_property /root/this-program/binutils-gdb/build/binutils/../../binutils/elfedit.c:142:23
    #2 0x4cd426 in process_file /root/this-program/binutils-gdb/build/binutils/../../binutils/elfedit.c:803:8
    #3 0x4cbd58 in main /root/this-program/binutils-gdb/build/binutils/../../binutils/elfedit.c:1102:15
    #4 0x7f0fe0a7fd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #5 0x7f0fe0a7fe3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #6 0x41f424 in _start (/workspace/new-test/fuzzdir/fz-binutils/fz-elfedit/elfedit+0x41f424)

Address 0x7f0fdddb9000 is a wild pointer.
SUMMARY: AddressSanitizer: unknown-crash /root/this-program/binutils-gdb/build/binutils/../../binutils/elfcomm.c:162:26 in byte_get_little_endian
Shadow bytes around the buggy address:
==1663329==ABORTING

POC

https://drive.google.com/file/d/1lcQ3pR4GSGJAeS-y3bCWaE3mlkA4EDQE/view?usp=sharing

Credit

Xiaoguo Li (CUPL)
Xudong Cao (UCAS)