[Bug binutils/24876] New: readelf: heap-buffer-overflow

2019-08-04 Thread rmirzazadeh at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24876

Bug ID: 24876
   Summary: readelf: heap-buffer-overflow
   Product: binutils
   Version: 2.32
Status: UNCONFIRMED
  Severity: normal
  Priority: P2
 Component: binutils
  Assignee: unassigned at sourceware dot org
  Reporter: rmirzazadeh at gmail dot com
  Target Milestone: ---

Created attachment 11934
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11934&action=edit
readelf heap overflow PoC

A heap overflow was discovered in readelf. The PoC file is attached. Here is the
report of AddressSanitizer:

==20361==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x61200441 at pc 0x0060be3d bp 0x7ffd33ef0440 sp 0x7ffd33ef0438
READ of size 1 at 0x61200441 thread T0
#0 0x60be3c in byte_get_little_endian
binutils-gdb/binutils/elfcomm.c:211:22
#1 0x5882d4 in dump_ia64_unwind binutils-gdb/binutils/readelf.c:7586:15
#2 0x57b1cb in ia64_process_unwind binutils-gdb/binutils/readelf.c:7902:6
#3 0x540cc9 in process_unwind binutils-gdb/binutils/readelf.c:9431:14
#4 0x52bda4 in process_object binutils-gdb/binutils/readelf.c:19795:9
#5 0x51b057 in process_file binutils-gdb/binutils/readelf.c:20242:13
#6 0x51985f in main binutils-gdb/binutils/readelf.c:20301:11
#7 0x7f484eeed82f in __libc_start_main
/build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
#8 0x41a7b8 in _start (binutils-gdb/binutils/readelf+0x41a7b8)

0x61200441 is located 0 bytes to the right of 257-byte region
[0x61200340,0x61200441)
allocated by thread T0 here:
#0 0x4de9e8 in __interceptor_malloc
(binutils-gdb/binutils/readelf+0x4de9e8)
#1 0x516f34 in get_data binutils-gdb/binutils/readelf.c:435:9
#2 0x57ae1c in ia64_process_unwind binutils-gdb/binutils/readelf.c:7884:33
#3 0x540cc9 in process_unwind binutils-gdb/binutils/readelf.c:9431:14
#4 0x52bda4 in process_object binutils-gdb/binutils/readelf.c:19795:9
#5 0x51b057 in process_file binutils-gdb/binutils/readelf.c:20242:13
#6 0x51985f in main binutils-gdb/binutils/readelf.c:20301:11
#7 0x7f484eeed82f in __libc_start_main
/build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-buffer-overflow
binutils-gdb/binutils/elfcomm.c:211:22 in byte_get_little_endian
==20361==ABORTING

-- 
You are receiving this mail because:
You are on the CC list for the bug.
___
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils
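An added defender-side illustration, not readelf's own code and not the fix for this bug: a little-endian getter in the shape of elfcomm.c's byte_get_little_endian, paired with a bounds-checked wrapper that refuses exactly the read ASan flags above (1 byte at offset 257 of a 257-byte region). The names byte_get_le, byte_get_le_checked, count_entries and probe_read are assumptions of this example, and the 257-byte region it builds is constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Unchecked little-endian fetch, the shape of elfcomm.c's byte_get_little_endian
   (illustrative reimplementation, not the binutils source). */
static uint64_t byte_get_le(const unsigned char *field, unsigned int size)
{
  uint64_t x = 0;
  for (unsigned int i = 0; i < size; i++)
    x |= (uint64_t) field[i] << (8 * i);
  return x;
}

/* Checked variant: 'end' is one past the last valid byte.  The read is
   allowed only if [field, field+size) lies entirely before 'end'. */
static bool byte_get_le_checked(const unsigned char *field, unsigned int size,
                                const unsigned char *end, uint64_t *out)
{
  if (size == 0 || size > 8 || field >= end || (size_t) (end - field) < size)
    return false;
  *out = byte_get_le(field, size);
  return true;
}

/* Count how many complete 'entry_size'-byte records fit in the buffer,
   stopping at the first read the checked getter refuses. */
static size_t count_entries(const unsigned char *buf, size_t len, unsigned int entry_size)
{
  const unsigned char *end = buf + len, *p = buf;
  size_t n = 0;
  uint64_t v;
  while (byte_get_le_checked(p, entry_size, end, &v))
    n++, p += entry_size;
  return n;
}

/* Constructed probe: a 'len'-byte region (257 bytes, as in the report) and an
   attempted read of 'size' bytes at 'offset'.  Returns whether it was allowed. */
static bool probe_read(size_t len, size_t offset, unsigned int size)
{
  unsigned char region[512];
  uint64_t v;
  if (len > sizeof region || offset > len)
    return false;
  memset(region, 0x41, len);
  return byte_get_le_checked(region + offset, size, region + len, &v);
}
```

probe_read(257, 257, 1) is the reported access and is refused; probe_read(257, 256, 1) is the last in-bounds byte and is allowed.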


[Bug binutils/24876] readelf: heap-buffer-overflow

2019-08-04 Thread rmirzazadeh at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24876

--- Comment #1 from Reza Mirzazade farkhani  ---
How to reproduce:

readelf -a PoC



[Bug ld/24873] gcc -flto objects result in --start-group … --end-group failure to include --as-needed libraries

2019-08-04 Thread amodra at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24873

--- Comment #5 from Alan Modra  ---
I tried to recreate the problem locally on my x86_64 Ubuntu 18.04.2 box using
current libinput git source, but
meson --prefix=/usr -Ddocumentation=false builddir/
results in a failure:

Running test binary command:
/home/alan/src/libinput/builddir/meson-private/sanitycheckcpp.exe
Native C++ compiler: c++ (gcc 7.4.0 "c++ (Ubuntu 7.4.0-1ubuntu1~18.04.1)
7.4.0")
Determining dependency 'check' with pkg-config executable '/usr/bin/pkg-config'

meson.build:682:1: ERROR: Native dependency 'check' not found

Obviously, building with -Dtests=false isn't an option since the linker problem
occurred building one of the tests.



[Bug ld/24873] gcc -flto objects result in --start-group … --end-group failure to include --as-needed libraries

2019-08-04 Thread amodra at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24873

--- Comment #6 from Alan Modra  ---
OK, so I fixed the build dependency but when I build locally using CFLAGS="-O2
-g -flto" CXXFLAGS="-O2 -g -flto" and gcc (Ubuntu 7.4.0-1ubuntu1~18.04.1) 7.4.0
I don't reproduce the problem.  Oh yes, lots more -lm on the link command line
for test-utils in my case (and -ludev -levdev), so I took them all out except
for the ones inside --start-group/--end-group and still it links OK.

Linking with mapfile output shows libm is pulled in due to reference to floor
in lib_check_pic.a:
libm.so.6 /usr/lib/x86_64-linux-gnu/libcheck_pic.a(check.o)
(floor@@GLIBC_2.2.5)
Huh, given that lib_check_pic.a was outside --start-group/--end-group I should
have left in -lm after that archive.  Only not a problem due to -flto objects
causing ld to scan over libraries again.

Also, the mapfile shows the recompiled LTO objects (ltrans.o) being inserted
somewhere reasonably sensible.
LOAD /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/Scrt1.o
LOAD /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crti.o
LOAD /usr/lib/gcc/x86_64-linux-gnu/7/crtbeginS.o
LOAD test-utils.ltrans0.ltrans.o
START GROUP
LOAD libinput.so.10.13.0
LOAD liblibinput-util.a
LOAD libquirks.a
LOAD /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/libmtdev.so
LOAD /lib/x86_64-linux-gnu/libudev.so
LOAD /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/libevdev.so
LOAD /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/libm.so
START GROUP
LOAD /lib/x86_64-linux-gnu/libm.so.6
LOAD /usr/lib/x86_64-linux-gnu/libmvec_nonshared.a
LOAD /lib/x86_64-linux-gnu/libmvec.so.1
END GROUP
LOAD /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/librt.so
LOAD /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/libwacom.so
END GROUP
LOAD /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/libcheck_pic.a
LOAD /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/libsubunit.so
LOAD /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/libdl.so
LOAD /usr/lib/gcc/x86_64-linux-gnu/7/libgcc.a
LOAD /usr/lib/gcc/x86_64-linux-gnu/7/libgcc_s.so
START GROUP
LOAD /usr/lib/gcc/x86_64-linux-gnu/7/libgcc_s.so.1
LOAD /usr/lib/gcc/x86_64-linux-gnu/7/libgcc.a
END GROUP
LOAD /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/libpthread.so
START GROUP
LOAD /lib/x86_64-linux-gnu/libpthread.so.0
LOAD /usr/lib/x86_64-linux-gnu/libpthread_nonshared.a
END GROUP
LOAD /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/libc.so
START GROUP
LOAD /lib/x86_64-linux-gnu/libc.so.6
LOAD /usr/lib/x86_64-linux-gnu/libc_nonshared.a
LOAD /lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
END GROUP
LOAD /usr/lib/gcc/x86_64-linux-gnu/7/libgcc.a
LOAD /usr/lib/gcc/x86_64-linux-gnu/7/libgcc_s.so
START GROUP
LOAD /usr/lib/gcc/x86_64-linux-gnu/7/libgcc_s.so.1
LOAD /usr/lib/gcc/x86_64-linux-gnu/7/libgcc.a
END GROUP
LOAD /usr/lib/gcc/x86_64-linux-gnu/7/crtendS.o
LOAD /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crtn.o
