[Bug general/22976] New: global-buffer-overflow in ebl_dynamic_tag_name (libebl/ebldynamictagname.c)
https://sourceware.org/bugzilla/show_bug.cgi?id=22976

Bug ID: 22976
Summary: global-buffer-overflow in ebl_dynamic_tag_name (libebl/ebldynamictagname.c)
Product: elfutils
Version: unspecified
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: general
Assignee: unassigned at sourceware dot org
Reporter: probefuzzer at gmail dot com
CC: elfutils-devel at sourceware dot org
Target Milestone: ---

Created attachment 10899
--> https://sourceware.org/bugzilla/attachment.cgi?id=10899&action=edit
poc

On the latest version (elfutils-0.170) and master branch of elfutils there is a global-buffer-overflow in the ebl_dynamic_tag_name function (libebl/ebldynamictagname.c), which can be triggered by the POC below.

To reproduce the issue, compile elfutils with asan and run:

./bin/eu-readelf -a $POC

==13884==ERROR: AddressSanitizer: global-buffer-overflow on address 0x006c18d0 at pc 0x0048e6b4 bp 0x7fffc5c0 sp 0x7fffc5b8
READ of size 8 at 0x006c18d0 thread T0
    #0 0x48e6b3 in ebl_dynamic_tag_name /u/xw48/GreedyFuzzing/product/elfutils/master-test/src/libebl/ebldynamictagname.c:59
    #1 0x47602b in handle_dynamic /u/xw48/GreedyFuzzing/product/elfutils/master-test/src/src/readelf.c:1708
    #2 0x47602b in print_dynamic /u/xw48/GreedyFuzzing/product/elfutils/master-test/src/src/readelf.c:1813
    #3 0x47602b in process_elf_file /u/xw48/GreedyFuzzing/product/elfutils/master-test/src/src/readelf.c:911
    #4 0x479fde in process_dwflmod /u/xw48/GreedyFuzzing/product/elfutils/master-test/src/src/readelf.c:707
    #5 0x7fe8230dc22c in dwfl_getmodules /u/xw48/GreedyFuzzing/product/elfutils/master-test/src/libdwfl/dwfl_getmodules.c:86
    #6 0x412568 in process_file /u/xw48/GreedyFuzzing/product/elfutils/master-test/src/src/readelf.c:806
    #7 0x4059f3 in main /u/xw48/GreedyFuzzing/product/elfutils/master-test/src/src/readelf.c:322
    #8 0x7fe8229b5c04 in __libc_start_main (/lib64/libc.so.6+0x21c04)
    #9 0x406493 (/home/xw48/GreedyFuzzing/product/elfutils/master-test/exe_asan/bin/eu-readelf+0x406493)

-- You are receiving this mail because: You are on the CC list for the bug.
[PATCH] libebl: Handle SYMTAB_SHNDX in ebl_dynamic_tag_name.
SYMTAB_SHNDX was introduced when elf.h was imported, but not yet handled in ebl_dynamic_tag_name. Handle it and add an eu_static_assert to make sure stdtags always contains DT_NUM entries. https://sourceware.org/bugzilla/show_bug.cgi?id=22976 Signed-off-by: Mark Wielaard --- libebl/ChangeLog | 6 ++ libebl/ebldynamictagname.c | 4 +++- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/libebl/ChangeLog b/libebl/ChangeLog index de325ab..b4e9049 100644 --- a/libebl/ChangeLog +++ b/libebl/ChangeLog @@ -1,3 +1,9 @@ +2018-03-16 Mark Wielaard + + * ebldynamictagname.c (ebl_dynamic_tag_name): Add SYMTAB_SHNDX to + stdtags. Add a eu_static_assert to make sure stdtags contains all + DT_NUM entries. + 2018-02-21 Mark Wielaard * eblcheckreloctargettype.c (ebl_check_reloc_target_type): Accept diff --git a/libebl/ebldynamictagname.c b/libebl/ebldynamictagname.c index 3aaccd0..5622fc3 100644 --- a/libebl/ebldynamictagname.c +++ b/libebl/ebldynamictagname.c @@ -34,6 +34,7 @@ #include #include #include +#include "system.h" const char * @@ -53,8 +54,9 @@ ebl_dynamic_tag_name (Ebl *ebl, int64_t tag, char *buf, size_t len) "RELENT", "PLTREL", "DEBUG", "TEXTREL", "JMPREL", "BIND_NOW", "INIT_ARRAY", "FINI_ARRAY", "INIT_ARRAYSZ", "FINI_ARRAYSZ", "RUNPATH", "FLAGS", "ENCODING", "PREINIT_ARRAY", - "PREINIT_ARRAYSZ" + "PREINIT_ARRAYSZ", "SYMTAB_SHNDX" }; + eu_static_assert (sizeof (stdtags) / sizeof (const char *) == DT_NUM); res = stdtags[tag]; } -- 1.8.3.1
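Review bot: in the libebl/ChangeLog hunk the entry reads "Add a eu_static_assert"; it should be "Add an eu_static_assert", as the commit message itself has it. The rest of the entry matches the code change.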
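Review bot: in the ebldynamictagname.c hunk, the eu_static_assert is what actually closes the class of bug rather than this one instance: the next elf.h import that grows DT_NUM now fails the build instead of turning `res = stdtags[tag];` into another out-of-bounds read, so the `#include "system.h"` added in the preceding hunk is required for it. One small hardening: write the element size as `sizeof (stdtags[0])` instead of `sizeof (const char *)`, so the entry count in the assert stays right if the table's element type is ever changed.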
[Bug general/22976] global-buffer-overflow in ebl_dynamic_tag_name (libebl/ebldynamictagname.c)
https://sourceware.org/bugzilla/show_bug.cgi?id=22976

Mark Wielaard changed:

What             |Removed     |Added
Status           |UNCONFIRMED |ASSIGNED
Last reconfirmed |            |2018-03-16
CC               |            |mark at klomp dot org
Ever confirmed   |0           |1

--- Comment #1 from Mark Wielaard ---

Thanks. The issue is that there is a new standard SYMTAB_SHNDX which we got through the new elf.h, but didn't handle in ebldynamictagname.c. To fix this, and to prevent this from happening in the future, I proposed the following patch:

commit 92581d7eb483cb039e60112b0a03a04c2ffa4df4
Author: Mark Wielaard
Date: Fri Mar 16 19:42:17 2018 +0100

    libebl: Handle SYMTAB_SHNDX in ebl_dynamic_tag_name.

    SYMTAB_SHNDX was introduced when elf.h was imported, but not yet handled in ebl_dynamic_tag_name. Handle it and add an eu_static_assert to make sure stdtags always contains DT_NUM entries.

    https://sourceware.org/bugzilla/show_bug.cgi?id=22976

    Signed-off-by: Mark Wielaard

https://sourceware.org/ml/elfutils-devel/2018-q1/msg00078.html
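The table-length mismatch behind this bug and the fix described in the comment, as an added C example that is not elfutils code: a constructed copy of the page's 35-entry stdtags table, a compile-time guard in the spirit of eu_static_assert, and a hypothetical dyn_tag_name lookup with ebl_dynamic_tag_name's buf/len contract. The DT_NUM and DT_SYMTAB_SHNDX values are glibc elf.h's, and the caller is assumed to have bounds-checked against DT_NUM, as the patch's assert implies.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for elf.h: DT_* tags run 0..34, DT_NUM is 35
   (glibc values), and DT_SYMTAB_SHNDX is the last one. */
#define DT_SYMTAB_SHNDX 34
#define DT_NUM 35

/* The page's table. Before the patch it ended at PREINIT_ARRAYSZ, one entry
   short of DT_NUM, so a tag of 34 passed a DT_NUM bounds check and read past
   the end of the array (the global-buffer-overflow in the report). */
static const char *const stdtags[] = {
  "NULL", "NEEDED", "PLTRELSZ", "PLTGOT", "HASH", "STRTAB", "SYMTAB",
  "RELA", "RELASZ", "RELAENT", "STRSZ", "SYMENT", "INIT", "FINI",
  "SONAME", "RPATH", "SYMBOLIC", "REL", "RELSZ", "RELENT", "PLTREL",
  "DEBUG", "TEXTREL", "JMPREL", "BIND_NOW", "INIT_ARRAY", "FINI_ARRAY",
  "INIT_ARRAYSZ", "FINI_ARRAYSZ", "RUNPATH", "FLAGS", "ENCODING",
  "PREINIT_ARRAY", "PREINIT_ARRAYSZ", "SYMTAB_SHNDX"
};
#define STDTAGS_LEN (sizeof (stdtags) / sizeof (stdtags[0]))

/* Compile-time guard in the spirit of eu_static_assert: an elf.h import that
   bumps DT_NUM now fails the build instead of adding an out-of-bounds read. */
_Static_assert (STDTAGS_LEN == DT_NUM, "stdtags must have DT_NUM entries");

/* Hypothetical lookup with ebl_dynamic_tag_name's buf/len contract: known
   tags come from the table, anything else is rendered into buf. The runtime
   bound is the table's own length, so it can never disagree with the array. */
const char *
dyn_tag_name (int64_t tag, char *buf, size_t len)
{
  if (tag >= 0 && (uint64_t) tag < STDTAGS_LEN)
    return stdtags[tag];
  snprintf (buf, len, "<unknown>: %lld", (long long) tag);
  return buf;
}

/* Does tag render as want? Small wrapper so callers need no buffer. */
int
dyn_tag_name_is (int64_t tag, const char *want)
{
  char buf[64];
  return strcmp (dyn_tag_name (tag, buf, sizeof buf), want) == 0;
}
```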