[Bug backends/24075] New: Program Crash due to Wild pointer Deference in ebl_object_note function in eblobjnote.c in libebl.
https://sourceware.org/bugzilla/show_bug.cgi?id=24075
Bug ID: 24075
Summary: Program Crash due to Wild pointer Deference in
ebl_object_note function in eblobjnote.c in libebl.
Product: elfutils
Version: unspecified
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: backends
Assignee: unassigned at sourceware dot org
Reporter: wcventure at 126 dot com
CC: elfutils-devel at sourceware dot org
Target Milestone: ---
Created attachment 11523
--> https://sourceware.org/bugzilla/attachment.cgi?id=11523&action=edit
POC1
Hi there,
Our fuzzer caught Pointer Deference problem in eu-readelf of the latest
elfutils-0.174 code base, this inputs will cause the segment faults and I have
confirmed them with address sanitizer too. Please use the "./eu-readelf -a
$POC"to reproduce the bug. If you have any questions, please let me know.
This problem is in the code as fllow, it seem like a use-after-fee problem.
> size_t i;
> for (i = 0; i < prop.pr_datasz - 1; i++)
> printf ("%02" PRIx8 " ", (uint8_t) desc[i]);
git log
> commit 1dabad36ee28aa76b8cf14b6426b379cabee6def
> Author: Jim Wilson
> Date: Thu Dec 27 15:25:49 2018 -0800
>
> RISC-V: Improve riscv64 core file support.
>
> This fixes two problems. The offset for x1 is changed from 1 to 8 because
> this is a byte offset not a register skip count. Support for reading the
> PC value is added. This requires changing the testsuite to match the new
> readelf output for coredumps.
>
> Signed-off-by: Jim Wilson
--
You are receiving this mail because:
You are on the CC list for the bug.
[Bug backends/24075] Program Crash due to Wild pointer Deference in ebl_object_note function in eblobjnote.c in libebl.
https://sourceware.org/bugzilla/show_bug.cgi?id=24075 --- Comment #1 from wcventure --- Created attachment 11524 --> https://sourceware.org/bugzilla/attachment.cgi?id=11524&action=edit POC2 The ASAN dumps the stack trace as follows: > = > ==20499==ERROR: AddressSanitizer: unknown-crash on address 0x7f908068e000 at > pc 0x00577730 bp 0x7ffd5103ba10 sp 0x7ffd5103ba00 > READ of size 1 at 0x7f908068e000 thread T0 > #0 0x57772f in ebl_object_note /elfutils/libebl/eblobjnote.c:488 > #1 0x4a06f3 in handle_notes_data /elfutils/src/readelf.c:12251 > #2 0x4c5b47 in handle_notes /elfutils/src/readelf.c:12315 > #3 0x4c5b47 in process_elf_file /elfutils/src/readelf.c:1000 > #4 0x4c5b47 in process_dwflmod /elfutils/src/readelf.c:760 > #5 0x7f907f1e9e9c in dwfl_getmodules > /elfutils/libdwfl/dwfl_getmodules.c:86 > #6 0x41399c in process_file /elfutils/src/readelf.c:868 > #7 0x405df6 in main /elfutils/src/readelf.c:350 > #8 0x7f907e6ff82f in __libc_start_main > (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) > #9 0x406ef8 in _start (/elfutils/build/bin/eu-readelf+0x406ef8) > > Address 0x7f908068e000 is a wild pointer. > SUMMARY: AddressSanitizer: unknown-crash /elfutils/libebl/eblobjnote.c:488 in > ebl_object_note > Shadow bytes around the buggy address: > 0x0ff2900c9bb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > 0x0ff2900c9bc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > 0x0ff2900c9bd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > 0x0ff2900c9be0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > 0x0ff2900c9bf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > =>0x0ff2900c9c00:[fe]fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe > 0x0ff2900c9c10: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe > 0x0ff2900c9c20: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe > 0x0ff2900c9c30: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe > 0x0ff2900c9c40: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe > 0x0ff2900c9c50: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe > Shadow byte legend (one shadow byte represents 8 application bytes): > Addressable: 00 > Partially addressable: 01 02 03 04 05 06 07 > Heap left redzone: fa > Freed heap region: fd > Stack left redzone: f1 > Stack mid redzone: f2 > Stack right redzone: f3 > Stack after return: f5 > Stack use after scope: f8 > Global redzone: f9 > Global init order: f6 > Poisoned by user:f7 > Container overflow: fc > Array cookie:ac > Intra object redzone:bb > ASan internal: fe > Left alloca redzone: ca > Right alloca redzone:cb > ==20499==ABORTING -- You are receiving this mail because: You are on the CC list for the bug.
[PATCH] Skip run-readelf-compressed.sh test if built without bzip2
Obviously, we cannot read the compressed ELF file if no bzip2 support is
present.
Signed-off-by: Ulf Hermann
---
tests/run-readelf-compressed.sh | 5 +
1 file changed, 5 insertions(+)
diff --git a/tests/run-readelf-compressed.sh
b/tests/run-readelf-compressed.sh
index a2a04a2a..861553fe 100755
--- a/tests/run-readelf-compressed.sh
+++ b/tests/run-readelf-compressed.sh
@@ -17,6 +17,11 @@
. $srcdir/test-subr.sh
+if ! grep -q -F '#define USE_BZLIB' ${abs_top_builddir}/config.h; then
+ echo "elfutils built without bzip2 support"
+ exit 77
+fi
+
# See run-strip-reloc.sh
testfiles hello_i386.ko
--
2.11.0
