https://sourceware.org/bugzilla/show_bug.cgi?id=34382

            Bug ID: 34382
           Summary: OOB read in dwarf_getmacros.c .debug_macro parsing
           Product: elfutils
           Version: unspecified
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: libdw
          Assignee: unassigned at sourceware dot org
          Reporter: karankurani3k at gmail dot com
                CC: elfutils-devel at sourceware dot org
  Target Milestone: ---

Created attachment 16830
  --> https://sourceware.org/bugzilla/attachment.cgi?id=16830&action=edit
ASan trace and standalone reproducer for dwarf_getmacros.c OOB read

OOB read in dwarf_getmacros.c (HEAD commit d250dd5e)

The .debug_macro parsing in get_table_for_offset reads the optional
line_offset field at line 195 without first verifying that the field
fits inside the section.

The initial bounds check only ensures that the 3-byte .debug_macro
header is present:

  version: 2 bytes
  flags:   1 byte

If flags has the line_offset bit set and 64-bit offset size is selected,
readp is advanced to the end of the section after reading version+flags.
The code then performs an unchecked 8-byte read:

  line_offset = read_addr_unaligned_inc (is_64bit ? 8 : 4, dbg, readp);

The later check is too late because it runs after the read.

Minimal trigger:

  .debug_macro bytes: 04 00 03

This encodes version=4 and flags=0x03, causing the parser to expect an
8-byte line_offset even though the section ends immediately after the
flags byte.

ASan confirms the OOB read:

  ERROR: AddressSanitizer: heap-buffer-overflow
  READ of size 8
      #0 get_table_for_offset libdw/dwarf_getmacros.c:195
      #1 cache_op_table libdw/dwarf_getmacros.c:335
      #2 read_macros libdw/dwarf_getmacros.c:379
      #3 gnu_macros_getmacros_off libdw/dwarf_getmacros.c:556
      #4 dwarf_getmacros_off libdw/dwarf_getmacros.c:586

The crafted ELF is 363 bytes, with .debug_macro placed at EOF:

  .debug_macro offset = 360
  .debug_macro size   = 3
  EOF                 = 363

ASan reports the read starts exactly after the allocation:

  0x5130000001ab is located 0 bytes after 363-byte region
  [0x513000000040,0x5130000001ab)

CWE-125 (Out-of-bounds Read)
Impact: crash/DoS from crafted .debug_macro section

Suggested fix: check that readp + (is_64bit ? 8 : 4) <= endp before
calling read_addr_unaligned_inc().

Discoverer: Karan Kurani

-- 
You are receiving this mail because:
You are on the CC list for the bug.

Reply via email to