Re: A heap buffer overflow bug in binutils-2.39

2022-10-30 Thread Alan Modra
On Sat, Oct 29, 2022 at 04:39:46PM +0800, bjchan9an wrote:
> The bug is triggered in find_section_in_set() at binutils/readelf.c:970 when 
> parsing the debug sections of a malformed ELF file.

Fixed for 2.40 with commit 28750e3b967d.
https://sourceware.org/pipermail/binutils/2022-October/124013.html

-- 
Alan Modra
Australia Development Lab, IBM



[Bug binutils/29732] New: A heap buffer overflow was found in find_section_in_set() of binutils-2.39 (commit 49c843e6)

2022-10-30 Thread 15664243668 at 163 dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=29732

Bug ID: 29732
   Summary: A heap buffer overflow was found in find_section_in_set() of binutils-2.39 (commit 49c843e6)
   Product: binutils
   Version: 2.39
Status: UNCONFIRMED
  Severity: normal
  Priority: P2
 Component: binutils
  Assignee: unassigned at sourceware dot org
  Reporter: 15664243668 at 163 dot com
  Target Milestone: ---

Created attachment 14421
  --> https://sourceware.org/bugzilla/attachment.cgi?id=14421&action=edit
readelf poc file

Hi

There is a heap buffer overflow bug in binutils-2.39 (commit 49c843e6). 

The bug is triggered in find_section_in_set() at binutils/readelf.c:970 when
parsing the debug sections of a malformed ELF file.

The bug is in the code stashing pool section entries.  With random
nonsensical values in the index entries (rather than each index pointing to its
own set distinct from other sets), it's possible to overflow the space
allocated, losing the NULL terminator.  Without a terminator,
find_section_in_set can run off the end of the shndx_pool buffer.

To reproduce this bug, use:

1. compile binutils-2.39 with clang-6.0 and address sanitizer:
```sh
# build with clang-6.0 and AddressSanitizer, as described above
CC=clang-6.0 CFLAGS="-g -fsanitize=address" LDFLAGS="-fsanitize=address" \
  ./configure --disable-shared --disable-gdb --disable-werror
make
```

2. use readelf to process the PoC file (see attachment):
```sh
readelf -w ./PoC
```

The address sanitizer reports are as follows.
```
readelf: Error: Internal error: out of space in the shndx pool.
readelf: Error: Internal error: out of space in the shndx pool.
readelf: Error: Internal error: out of space in the shndx pool.
readelf: Error: Internal error: out of space in the shndx pool.
readelf: Error: Internal error: out of space in the shndx pool.
readelf: Error: Internal error: out of space in the shndx pool.
Contents of the .debug_names section:

readelf: Warning: Debug info is corrupted, .debug_names header at 0 has length
0x4c457f
Contents of the .debug_names section:

=
==29074==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x61a00bd8 at pc 0x005143de bp 0x7fffd6c0 sp 0x7fffd6b8
READ of size 4 at 0x61a00bd8 thread T0
#0 0x5143dd in find_section_in_set
/binutils-gdb/obj-asan/binutils/../../binutils/readelf.c:970:19
#1 0x5130b6 in load_debug_section
/binutils-gdb/obj-asan/binutils/../../binutils/readelf.c:16160:9
#2 0x612472 in load_debug_section_with_follow
/binutils-gdb/obj-asan/binutils/../../binutils/dwarf.c:3453:7
#3 0x606ce0 in display_debug_names
/binutils-gdb/obj-asan/binutils/../../binutils/dwarf.c:10002:3
#4 0x558c9b in display_debug_section
/binutils-gdb/obj-asan/binutils/../../binutils/readelf.c:16258:18
#5 0x558c9b in process_section_contents
/binutils-gdb/obj-asan/binutils/../../binutils/readelf.c:16354
#6 0x52ae91 in process_object
/binutils-gdb/obj-asan/binutils/../../binutils/readelf.c:22372:9
#7 0x517f9e in process_file
/binutils-gdb/obj-asan/binutils/../../binutils/readelf.c:22795:13
#8 0x517f9e in main
/binutils-gdb/obj-asan/binutils/../../binutils/readelf.c:22866
#9 0x76e22c86 in __libc_start_main
/build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
#10 0x41a909 in _start (/binutils-gdb/obj-asan/binutils/readelf+0x41a909)

0x61a00bd8 is located 0 bytes to the right of 1368-byte region
[0x61a00680,0x61a00bd8)
allocated by thread T0 here:
#0 0x4dac40 in realloc (/binutils-gdb/obj-asan/binutils/readelf+0x4dac40)
#1 0x74eeed in xrealloc
/binutils-gdb/obj-asan/libiberty/../../libiberty/xmalloc.c:181:14

SUMMARY: AddressSanitizer: heap-buffer-overflow
/binutils-gdb/obj-asan/binutils/../../binutils/readelf.c:970:19 in
find_section_in_set
Shadow bytes around the buggy address:
  0x0c347fff8120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff8130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff8140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff8150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff8160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c347fff8170: 00 00 00 00 00 00 00 00 00 00 00[fa]fa fa fa fa
  0x0c347fff8180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fff8190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fff81a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fff81b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fff81c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:   00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:   fa
  Freed heap region:   fd
  Stack left redzone:  f1
  Stack mid redzone:   f2
  Stack right redzone: f3
  Stack after return:  f5
  Stack use after scope:   f8
  Global redzone:  f9
  Global ini
```
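
To illustrate the failure mode the report describes, here is an added example (not code from readelf or from the binutils fix): a simplified model of a 0-terminated index pool, where the fill routine rejects input that does not fit instead of silently dropping the terminator, and the lookup is bounded by the end of the pool as well as by the terminator. Set sizes, sample sets and index entries are constructed.

```c
/* Simplified model of a 0-terminated index pool (constructed sizes;
 * not readelf's data structures).  Each set is NCOLS non-zero section
 * indices followed by a 0, and a lookup walks a set until it sees the 0.
 * A fill routine that runs out of room and merely skips the write loses
 * that terminator, and an unbounded walk then reads past the buffer. */
#include <stddef.h>

#define NSETS 2                            /* sets the pool is sized for */
#define NCOLS 2                            /* indices per set            */
#define POOL_SLOTS (NSETS * (NCOLS + 1))   /* indices + one 0 per set    */

/* Constructed sample sets and index entries.  DISTINCT names each set
 * once, as a well-formed index would; ALIASED names set 0 three times,
 * the "nonsensical index entries" case, which needs 9 slots in a pool
 * sized for 6. */
static const unsigned int SETS[NSETS][NCOLS] = { {3, 5}, {7, 9} };
static const unsigned int DISTINCT[] = { 0, 1 };
static const unsigned int ALIASED[]  = { 0, 0, 0 };
static unsigned int pool_buf[POOL_SLOTS];

/* Stash every set named by entries[] into pool.  Returns slots used, or
 * -1 if an entry is out of range or a set plus its terminator would not
 * fit: the caller rejects the input instead of getting an unterminated
 * pool. */
int fill_pool(unsigned int *pool, size_t pool_slots,
              const unsigned int (*sets)[NCOLS],
              const unsigned int *entries, size_t n_entries)
{
    size_t used = 0;
    for (size_t e = 0; e < n_entries; e++) {
        if (entries[e] >= NSETS)
            return -1;                     /* index entry out of range */
        if (pool_slots - used < NCOLS + 1)
            return -1;                     /* no room for set + terminator */
        for (size_t c = 0; c < NCOLS; c++)
            pool[used++] = sets[entries[e]][c];
        pool[used++] = 0;                  /* terminator is never skipped */
    }
    return (int)used;
}

/* Bounded walk: stops at the terminator or at pool_end, whichever comes
 * first, so even a missing terminator cannot read past the allocation. */
int find_in_set(const unsigned int *set, const unsigned int *pool_end,
                unsigned int wanted)
{
    for (; set < pool_end && *set != 0; set++)
        if (*set == wanted)
            return 1;
    return 0;
}
```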

[Bug binutils/29732] A heap buffer overflow was found in find_section_in_set() of binutils-2.39 (commit 49c843e6)

2022-10-30 Thread 15664243668 at 163 dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=29732

15664243668 at 163 dot com changed:

   What|Removed |Added

 Status|UNCONFIRMED |RESOLVED
 Resolution|--- |FIXED

--- Comment #1 from 15664243668 at 163 dot com ---
Fixed for 2.40 with commit 28750e3b967d.

-- 
You are receiving this mail because:
You are on the CC list for the bug.


[Bug binutils/29732] A heap buffer overflow was found in find_section_in_set() of binutils-2.39 (commit 49c843e6)

2022-10-30 Thread sch...@linux-m68k.org
https://sourceware.org/bugzilla/show_bug.cgi?id=29732

Andreas Schwab  changed:

   What|Removed |Added

Summary|A heap buffer overflow was  |A heap buffer overflow was
   |fould in|found in
   |find_section_in_set() of|find_section_in_set() of
   |binutils-2.39 (commit   |binutils-2.39 (commit
   |49c843e6)   |49c843e6)
