https://sourceware.org/bugzilla/show_bug.cgi?id=34386
Bug ID: 34386
Summary: OOB read in __libdw_cu_locs_base() with truncated
.debug_loclists
Product: elfutils
Version: unspecified
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: libdw
Assignee: unassigned at sourceware dot org
Reporter: karankurani3k at gmail dot com
CC: elfutils-devel at sourceware dot org
Target Milestone: ---
Created attachment 16833
--> https://sourceware.org/bugzilla/attachment.cgi?id=16833&action=edit
ASan trace and standalone reproducer for __libdw_cu_locs_base OOB read
OOB read in libdwP.h __libdw_cu_locs_base() (HEAD commit
6f8f78ce4a1b56f96f2db531cc2c9eddb5be1fc3)
The .debug_loclists fallback parsing in __libdw_cu_locs_base() reads the
4-byte unit_length field before checking that the section contains at least
4 bytes.
The issue is reachable when a DWARF5 CU uses DW_FORM_loclistx, omits
DW_AT_loclists_base, and a .debug_loclists section is present but truncated.
Relevant read:
uint64_t unit_length = read_4ubyte_unaligned_inc (dbg, readp);
The first later guard checks the buffer only after this read:
if (readp > dataend - 8
So a .debug_loclists section shorter than 4 bytes can trigger an OOB read.
Minimal trigger:
.debug_loclists size = 1 byte
DWARF5 CU with DW_AT_location encoded as DW_FORM_loclistx
no DW_AT_loclists_base
The attached reproducer creates a minimal ELF64 object with .debug_abbrev,
.debug_info, .shstrtab, and a final 1-byte .debug_loclists section. The
harness loads the ELF through elf_memory() using an exact malloc-backed buffer,
finds the CU DIE, fetches DW_AT_location, and calls dwarf_getlocation_addr().
ASan confirms the OOB read:
ERROR: AddressSanitizer: heap-buffer-overflow
READ of size 4
#0 __libdw_cu_locs_base libdw/libdwP.h:1459
#1 initial_offset libdw/dwarf_getlocation.c:788
#2 dwarf_getlocation_addr libdw/dwarf_getlocation.c:956
#3 main loclists_harness.c:59
ASan reports the read reaches past the malloc-backed ELF buffer:
0x5150000004cc is located 0 bytes after 460-byte region
[0x515000000300,0x5150000004cc)
CWE-125 (Out-of-bounds Read)
Impact: crash/DoS from crafted DWARF5 .debug_loclists data
Suggested fix: check that .debug_loclists has at least 4 bytes before
calling read_4ubyte_unaligned_inc() in __libdw_cu_locs_base().
Discoverer: Karan Kurani
--
You are receiving this mail because:
You are on the CC list for the bug.