Re: [PATCH] libelf/elf_end.c: check data_list.data.d.d_buf before free it
Hi, On Thu, Aug 16, 2018 at 10:34:23AM +0800, Robert Yang wrote: > The one which actually saves the data is data_list.data.d.d_buf, so check it > before free rawdata_base. > > This can fix a segmentation fault when prelink libqb_1.0.3: > prelink: /usr/lib/libqb.so.0.18.2: Symbol section index outside of section > numbers > > The segmentation fault happens when prelink call elf_end(). Could you run your reproducer under valgrind and show what it says before your patch? And/Or post the file (libqb) to replicate the reproducer somewhere to see exactly what goes wrong? I don't fully understand what is going wrong. Is the section data pointing to the file data or something created by elf_newdata? Thanks, Mark
Re: [PATCH] libelf/elf_end.c: check data_list.data.d.d_buf before free it
On 16/08/18 21:25 +0200, Mark Wielaard wrote:
> On Thu, Aug 16, 2018 at 10:34:23AM +0800, Robert Yang wrote:
>> The one which actually saves the data is data_list.data.d.d_buf, so check it
>> before free rawdata_base.
>>
>> This can fix a segmentation fault when prelink libqb_1.0.3:
>> prelink: /usr/lib/libqb.so.0.18.2: Symbol section index outside of section
>> numbers
>>
>> The segmentation fault happens when prelink call elf_end().
>
> Could you run your reproducer under valgrind and show what it
> says before your patch? And/Or post the file (libqb) to replicate
> the reproducer somewhere to see exactly what goes wrong?
As an author of the commit (wider topical patchset) allegedly causing
that problem (see https://github.com/ClusterLabs/libqb/issues/314
for the story behind the problem raised here, specifically,
cross-compiling seems to be involved), I am also curious
about what's going on here.
> I don't fully understand what is going wrong. Is the section data
> pointing to the file data or something created by elf_newdata?
Out of curiousity, tried this on my Fedora machine without any
success to reproduce:
# dnf install -y libqb
https://kojipkgs.fedoraproject.org//packages/prelink/0.5.0/1.fc19/x86_64/prelink-0.5.0-1.fc19.x86_64.rpm
# chmod -x /etc/cron.daily/prelink
# cp /usr/lib64/libqb.so.0.19.0{,.bck}
# /usr/lib64/libqb.so.0.19.0{,.bck} >/dev/null && echo same || echo not
> not
# dnf downgrade -y
https://kojipkgs.fedoraproject.org//packages/libqb/1.0.2/1.fc26/x86_64/libqb-1.0.2-1.fc26.x86_64.rpm
# cp /usr/lib64/libqb.so.0.18.2{,.bck}
# /usr/lib64/libqb.so.0.19.0{,.bck} >/dev/null && echo same || echo not
> not
--
Nazdar,
Poki
pgpSkrR26JSAT.pgp
Description: PGP signature
[Bug libdw/23541] New: heap-buffer-overflow in /elfutils/libdw/dwarf_getaranges.c:156
https://sourceware.org/bugzilla/show_bug.cgi?id=23541 Bug ID: 23541 Summary: heap-buffer-overflow in /elfutils/libdw/dwarf_getaranges.c:156 Product: elfutils Version: unspecified Status: UNCONFIRMED Severity: normal Priority: P2 Component: libdw Assignee: unassigned at sourceware dot org Reporter: wcventure at 126 dot com CC: elfutils-devel at sourceware dot org Target Milestone: --- Created attachment 11189 --> https://sourceware.org/bugzilla/attachment.cgi?id=11189&action=edit addr2line -e @@ -- 500 50 10 -1000 When executing "./eu-addr2line -e @@ -- 500 50 10 -1000", AddressSanitizer catch a heap-buffer-overflow crash. 117833==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020edbb at pc 0x7fde94ff95ed bp 0x7fff4f475910 sp 0x7fff4f475900 READ of size 1 at 0x6020edbb thread T0 #0 0x7fde94ff95ec in dwarf_getaranges /home/wcventure/Documents/Cproject/elfutils/libdw/dwarf_getaranges.c:156 #1 0x7fde95091c6f in addrarange /home/wcventure/Documents/Cproject/elfutils/libdwfl/cu.c:54 #2 0x7fde95091c6f in __libdwfl_addrcu /home/wcventure/Documents/Cproject/elfutils/libdwfl/cu.c:313 #3 0x7fde95098b5e in dwfl_module_getsrc /home/wcventure/Documents/Cproject/elfutils/libdwfl/dwfl_module_getsrc.c:44 #4 0x40461c in handle_address /home/wcventure/Documents/Cproject/elfutils/src/addr2line.c:680 #5 0x40263b in main /home/wcventure/Documents/Cproject/elfutils/src/addr2line.c:197 #6 0x7fde9459282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) #7 0x402c08 in _start (/home/wcventure/Documents/Cproject/elfutils/build/bin/eu-addr2line+0x402c08) 0x6020edbb is located 0 bytes to the right of 11-byte region [0x6020edb0,0x6020edbb) allocated by thread T0 here: #0 0x7fde953cc602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602) #1 0x7fde94d10ce8 in convert_data /home/wcventure/Documents/Cproject/elfutils/libelf/elf_getdata.c:164 #2 0x7fde94d10ce8 in __libelf_set_data_list_rdlock /home/wcventure/Documents/Cproject/elfutils/libelf/elf_getdata.c:431 SUMMARY: AddressSanitizer: heap-buffer-overflow /home/wcventure/Documents/Cproject/elfutils/libdw/dwarf_getaranges.c:156 dwarf_getaranges Shadow bytes around the buggy address: 0x0c047fff9d60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff9d70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff9d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa =>0x0c047fff9db0: fa fa fa fa fa fa 00[03]fa fa 01 fa fa fa 00 01 0x0c047fff9dc0: fa fa 00 04 fa fa 00 04 fa fa 00 04 fa fa 00 04 0x0c047fff9dd0: fa fa 00 04 fa fa 00 04 fa fa 00 04 fa fa fd fa 0x0c047fff9de0: fa fa 00 04 fa fa 00 04 fa fa 00 04 fa fa 00 04 0x0c047fff9df0: fa fa 00 04 fa fa 00 04 fa fa 00 04 fa fa fd fa 0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user:f7 Container overflow: fc Array cookie:ac Intra object redzone:bb ASan internal: fe ==117833==ABORTING -- You are receiving this mail because: You are on the CC list for the bug.
[Bug general/23542] New: heap-buffer-overflow in /elfutils/src/elflint.c:2055 check_sysv_hash
https://sourceware.org/bugzilla/show_bug.cgi?id=23542 Bug ID: 23542 Summary: heap-buffer-overflow in /elfutils/src/elflint.c:2055 check_sysv_hash Product: elfutils Version: unspecified Status: UNCONFIRMED Severity: normal Priority: P2 Component: general Assignee: unassigned at sourceware dot org Reporter: wcventure at 126 dot com CC: elfutils-devel at sourceware dot org Target Milestone: --- Created attachment 11190 --> https://sourceware.org/bugzilla/attachment.cgi?id=11190&action=edit ./eu-elflint --strict @@ ==123497==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6130dfd4 at pc 0x00432311 bp 0x7ffc0e4d29c0 sp 0x7ffc0e4d29b0 READ of size 4 at 0x6130dfd4 thread T0 #0 0x432310 in check_sysv_hash /home/wcventure/Documents/Cproject/elfutils/src/elflint.c:2055 #1 0x432310 in check_hash /home/wcventure/Documents/Cproject/elfutils/src/elflint.c:2355 #2 0x439613 in check_sections /home/wcventure/Documents/Cproject/elfutils/src/elflint.c:4161 #3 0x440395 in process_elf_file /home/wcventure/Documents/Cproject/elfutils/src/elflint.c:4739 #4 0x440395 in process_file /home/wcventure/Documents/Cproject/elfutils/src/elflint.c:242 #5 0x402e55 in main /home/wcventure/Documents/Cproject/elfutils/src/elflint.c:175 #6 0x7f81b5bba82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) #7 0x403b08 in _start (/home/wcventure/Documents/Cproject/elfutils/build/bin/eu-elflint+0x403b08) 0x6130dfd5 is located 0 bytes to the right of 341-byte region [0x6130de80,0x6130dfd5) allocated by thread T0 here: #0 0x7f81b64a4602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602) #1 0x7f81b61babff in convert_data /home/wcventure/Documents/Cproject/elfutils/libelf/elf_getdata.c:164 #2 0x7f81b61babff in __libelf_set_data_list_rdlock /home/wcventure/Documents/Cproject/elfutils/libelf/elf_getdata.c:431 SUMMARY: AddressSanitizer: heap-buffer-overflow /home/wcventure/Documents/Cproject/elfutils/src/elflint.c:2055 check_sysv_hash Shadow bytes around the buggy address: 0x0c267fff9ba0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c267fff9bb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c267fff9bc0: fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c267fff9bd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c267fff9be0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0c267fff9bf0: 00 00 00 00 00 00 00 00 00 00[05]fa fa fa fa fa 0x0c267fff9c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c267fff9c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c267fff9c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c267fff9c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c267fff9c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user:f7 Container overflow: fc Array cookie:ac Intra object redzone:bb ASan internal: fe ==123497==ABORTING -- You are receiving this mail because: You are on the CC list for the bug.
