[Bug backends/24102] New: A Heap-buffer-overflow problem was discovered in the function read_srclines in dwarf_getsrclines.c in libdw
https://sourceware.org/bugzilla/show_bug.cgi?id=24102

Bug ID: 24102
Summary: A Heap-buffer-overflow problem was discovered in the function read_srclines in dwarf_getsrclines.c in libdw
Product: elfutils
Version: unspecified
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: backends
Assignee: unassigned at sourceware dot org
Reporter: wcventure at 126 dot com
CC: elfutils-devel at sourceware dot org
Target Milestone: ---

Created attachment 11542
--> https://sourceware.org/bugzilla/attachment.cgi?id=11542&action=edit
POC1

Hi,

A Heap-buffer-overflow problem was discovered in the function read_srclines in dwarf_getsrclines.c in libdw, as distributed in ELFutils 0.175. A crafted ELF input can cause segmentation faults and I have confirmed them with address sanitizer too. Here are the POC files. Please use "./eu-nm -C $POC" to reproduce the error.

$ git log
> commit e65d91d21cb09d83b001fef9435e576ba447db32
> Author: Mark Wielaard
> Date: Wed Jan 16 12:25:57 2019 +0100
>
> libelf: Correct overflow check in note_xlate.
>
> We want to make sure the note_len doesn't overflow and becomes shorter
> than the note header. But the namesz and descsz checks got the note header
> size wrong). Replace the wrong constant (8) with a sizeof cvt_Nhdr (12).
>
> https://sourceware.org/bugzilla/show_bug.cgi?id=24084
>
> Signed-off-by: Mark Wielaard

The ASAN dumps the stack trace as follows:

> ==17493==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x610003fc at pc 0x7fa8ef1fc077 bp 0x7ffebd93 sp 0x7ffebd92fff0
> READ of size 1 at 0x610003fc thread T0
> #0 0x7fa8ef1fc076 in read_srclines /elfutils/libdw/dwarf_getsrclines.c:474
> #1 0x7fa8ef1fd149 in __libdw_getsrclines /elfutils/libdw/dwarf_getsrclines.c:1118
> #2 0x7fa8ef1fdefc in dwarf_getsrclines /elfutils/libdw/dwarf_getsrclines.c:1208
> #3 0x7fa8ef20a146 in dwarf_getsrcfiles /elfutils/libdw/dwarf_getsrcfiles.c:92
> #4 0x407f71 in get_local_names /elfutils/src/nm.c:644
> #5 0x407f71 in show_symbols /elfutils/src/nm.c:1285
> #6 0x40ef63 in handle_elf /elfutils/src/nm.c:1578
> #7 0x403964 in process_file /elfutils/src/nm.c:374
> #8 0x403964 in main /elfutils/src/nm.c:249
> #9 0x7fa8ee5a282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
> #10 0x404608 in _start (/elfutils/build/bin/eu-nm+0x404608)
>
> 0x610003fc is located 0 bytes to the right of 188-byte region [0x61000340,0x610003fc)
> allocated by thread T0 here:
> #0 0x7fa8ef682b90 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb90)
> #1 0x7fa8eef3a08f in convert_data /elfutils/libelf/elf_getdata.c:157
> #2 0x7fa8eef3a08f in __libelf_set_data_list_rdlock /elfutils/libelf/elf_getdata.c:447
>
> SUMMARY: AddressSanitizer: heap-buffer-overflow /elfutils/libdw/dwarf_getsrclines.c:474 in read_srclines
> Shadow bytes around the buggy address:
> 0x0c207fff8020: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
> 0x0c207fff8030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0c207fff8040: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
> 0x0c207fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0c207fff8060: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
> =>0x0c207fff8070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[04]
> 0x0c207fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c207fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c207fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c207fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c207fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
> Addressable: 00
> Partially addressable: 01 02 03 04 05 06 07
> Heap left redzone: fa
> Freed heap region: fd
> Stack left redzone: f1
> Stack mid redzone: f2
> Stack right redzone: f3
> Stack after return: f5
> Stack use after scope: f8
> Global redzone: f9
> Global init order: f6
> Poisoned by user: f7
> Container overflow: fc
> Array cookie: ac
> Intra object redzone: bb
> ASan internal: fe
> Left alloca redzone: ca
> Right alloca redzone: cb
> ==17493==ABORTING

--
You are receiving this mail because: You are on the CC list for the bug.
[Bug backends/24102] A Heap-buffer-overflow problem was discovered in the function read_srclines in dwarf_getsrclines.c in libdw
https://sourceware.org/bugzilla/show_bug.cgi?id=24102

--- Comment #2 from wcventure ---
Created attachment 11544
--> https://sourceware.org/bugzilla/attachment.cgi?id=11544&action=edit
POC3
[Bug backends/24102] A Heap-buffer-overflow problem was discovered in the function read_srclines in dwarf_getsrclines.c in libdw
https://sourceware.org/bugzilla/show_bug.cgi?id=24102

--- Comment #1 from wcventure ---
Created attachment 11543
--> https://sourceware.org/bugzilla/attachment.cgi?id=11543&action=edit
POC2
[Bug libelf/24103] New: Invalid address Dereference in elf64_xlatetom in elf32_xlatetom.c in libelf
https://sourceware.org/bugzilla/show_bug.cgi?id=24103

Bug ID: 24103
Summary: Invalid address Dereference in elf64_xlatetom in elf32_xlatetom.c in libelf
Product: elfutils
Version: unspecified
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: libelf
Assignee: unassigned at sourceware dot org
Reporter: wcventure at 126 dot com
CC: elfutils-devel at sourceware dot org
Target Milestone: ---

Created attachment 11545
--> https://sourceware.org/bugzilla/attachment.cgi?id=11545&action=edit
POC1

Different from Bug 24081 and Bug 24089. This error occurs in function elf64_xlatetom. Please use "eu-stack --core=$POC" to reproduce the bug.

$ git log
> commit e65d91d21cb09d83b001fef9435e576ba447db32
> Author: Mark Wielaard
> Date: Wed Jan 16 12:25:57 2019 +0100
>
> libelf: Correct overflow check in note_xlate.
>
> We want to make sure the note_len doesn't overflow and becomes shorter
> than the note header. But the namesz and descsz checks got the note header
> size wrong). Replace the wrong constant (8) with a sizeof cvt_Nhdr (12).
>
> https://sourceware.org/bugzilla/show_bug.cgi?id=24084
>
> Signed-off-by: Mark Wielaard

The ASAN dumps the stack trace as follows:

> ==7964==ERROR: AddressSanitizer: unknown-crash on address 0x7f5eace16000 at pc 0x7f5eabd97e2b bp 0x7ffc6b0f0680 sp 0x7ffc6b0efe28
> READ of size 983520 at 0x7f5eace16000 thread T0
> #0 0x7f5eabd97e2a in memmove (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x7ae2a)
> #1 0x7f5eaba8e510 in memmove /usr/include/x86_64-linux-gnu/bits/string3.h:59
> #2 0x7f5eaba8e510 in elf64_xlatetom /home/wencheng/Experiment/elfutils/libelf/elf32_xlatetom.c:100
> #3 0x7f5eab7d6e6b in dwfl_segment_report_module /home/wencheng/Experiment/elfutils/libdwfl/dwfl_segment_report_module.c:807
> #4 0x7f5eab7ef0dd in dwfl_core_file_report /home/wencheng/Experiment/elfutils/libdwfl/core-file.c:543
> #5 0x4033a3 in parse_opt /home/wencheng/Experiment/elfutils/src/stack.c:590
> #6 0x7f5eab013847 in argp_parse (/lib/x86_64-linux-gnu/libc.so.6+0x114847)
> #7 0x402860 in main /home/wencheng/Experiment/elfutils/src/stack.c:690
> #8 0x7f5eaaf1f82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
> #9 0x4030d8 in _start (/home/wencheng/Experiment/elfutils/build/bin/eu-stack+0x4030d8)
>
> Address 0x7f5eace16000 is a wild pointer.
> SUMMARY: AddressSanitizer: unknown-crash (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x7ae2a) in memmove
> Shadow bytes around the buggy address:
> 0x0fec559babb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0fec559babc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0fec559babd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0fec559babe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0fec559babf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> =>0x0fec559bac00:[fe]fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
> 0x0fec559bac10: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
> 0x0fec559bac20: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
> 0x0fec559bac30: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
> 0x0fec559bac40: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
> 0x0fec559bac50: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
> Shadow byte legend (one shadow byte represents 8 application bytes):
> Addressable: 00
> Partially addressable: 01 02 03 04 05 06 07
> Heap left redzone: fa
> Freed heap region: fd
> Stack left redzone: f1
> Stack mid redzone: f2
> Stack right redzone: f3
> Stack after return: f5
> Stack use after scope: f8
> Global redzone: f9
> Global init order: f6
> Poisoned by user: f7
> Container overflow: fc
> Array cookie: ac
> Intra object redzone: bb
> ASan internal: fe
> Left alloca redzone: ca
> Right alloca redzone: cb
> ==7964==ABORTING
[Bug libelf/24103] Invalid address Dereference in elf64_xlatetom in elf32_xlatetom.c in libelf
https://sourceware.org/bugzilla/show_bug.cgi?id=24103

--- Comment #1 from wcventure ---
Created attachment 11546
--> https://sourceware.org/bugzilla/attachment.cgi?id=11546&action=edit
POC2
[PATCH] Use separate files for strip outputs
Let's see if this works: Apparently I cannot get a properly formatted inline diff through. Therefore, please find the pull request, including diff, as attachment. regards, Ulf The following changes since commit e65d91d21cb09d83b001fef9435e576ba447db32: libelf: Correct overflow check in note_xlate. (2019-01-16 12:25:57 +0100) are available in the git repository at: https://codereview.qt-project.org/qt-creator/elfutils changes/37/250337/3 for you to fetch changes up to ce0ea06597bbba665ad6c26cef50d20895d246de: Use separate files for strip outputs (2019-01-18 13:53:52 +0100) Ulf Hermann (1): Use separate files for strip outputs tests/ChangeLog | 6 + tests/run-annobingroup.sh| 20 - tests/run-strip-test-many.sh | 53 +--- 3 files changed, 51 insertions(+), 28 deletions(-) diff --git a/tests/ChangeLog b/tests/ChangeLog index 8c9e7807..19879269 100644 --- a/tests/ChangeLog +++ b/tests/ChangeLog @@ -1,3 +1,9 @@ +2019-01-18 Ulf Hermann + + * run-annobingroup.sh: Use different files for strip output. + * run-strip-test-many.sh: Use different files for strip output, + check results of strip, unstrip, elflint. + 2019-01-09 Ulf Hermann * run-readelf-compressed.sh: Skip if USE_BZIP2 not found. diff --git a/tests/run-annobingroup.sh b/tests/run-annobingroup.sh index fd36e4ac..16b031a1 100755 --- a/tests/run-annobingroup.sh +++ b/tests/run-annobingroup.sh @@ -25,7 +25,7 @@ # gcc -g -O2 -fplugin=annobin -c testfile-annobingroup.c testfiles testfile-annobingroup.o -tempfiles merged.elf stripped.elf debugfile.elf remerged.elf +tempfiles merged.elf stripped.elf debugfile1.elf debugfile2.elf debugfile3.elf remerged.elf testrun_compare ${abs_top_builddir}/src/readelf -g testfile-annobingroup.o << EOF 
@@ -35,7 +35,7 @@ Section group [ 1] '.group' with signature '.text.unlikely.group' contains 3 ent [ 9] .text.unlikely EOF -testrun ${abs_top_builddir}/src/strip -o stripped.elf -f debugfile.elf testfile-annobingroup.o +testrun ${abs_top_builddir}/src/strip -o stripped.elf -f debugfile1.elf testfile-annobingroup.o testrun_compare ${abs_top_builddir}/src/readelf -g stripped.elf << EOF @@ -45,7 +45,7 @@ Section group [ 1] '.group' with signature '.text.unlikely.group' contains 3 ent [ 9] .text.unlikely EOF -testrun_compare ${abs_top_builddir}/src/readelf -g debugfile.elf << EOF +testrun_compare ${abs_top_builddir}/src/readelf -g debugfile1.elf << EOF Section group [ 1] '.group' with signature '.text.unlikely.group' contains 3 entries: [ 7] .gnu.build.attributes..text.unlikely @@ -53,7 +53,7 @@ Section group [ 1] '.group' with signature '.text.unlikely.group' contains 3 ent [ 9] .text.unlikely EOF -testrun ${abs_top_builddir}/src/unstrip -o remerged.elf stripped.elf debugfile.elf +testrun ${abs_top_builddir}/src/unstrip -o remerged.elf stripped.elf debugfile1.elf testrun_compare ${abs_top_builddir}/src/readelf -g remerged.elf << EOF @@ -81,7 +81,7 @@ COMDAT section group [ 2] '.group' with signature '__x86.get_pc_thunk.ax' contai [13] .text.__x86.get_pc_thunk.ax EOF -testrun ${abs_top_builddir}/src/strip -o stripped.elf -f debugfile.elf testfile-annobingroup-i386.o +testrun ${abs_top_builddir}/src/strip -o stripped.elf -f debugfile2.elf testfile-annobingroup-i386.o testrun_compare ${abs_top_builddir}/src/readelf -g stripped.elf << EOF @@ -94,7 +94,7 @@ COMDAT section group [ 2] '.group' with signature '__x86.get_pc_thunk.ax' contai [13] .text.__x86.get_pc_thunk.ax EOF -testrun_compare ${abs_top_builddir}/src/readelf -g debugfile.elf << EOF +testrun_compare ${abs_top_builddir}/src/readelf -g debugfile2.elf << EOF Section group [ 1] '.group' with signature '.text.unlikely.group' contains 3 entries: [ 8] .gnu.build.attributes..text.unlikely 
@@ -105,7 +105,7 @@ COMDAT section group [ 2] '.group' with signature '__x86.get_pc_thunk.ax' contai [13] .text.__x86.get_pc_thunk.ax EOF -testrun ${abs_top_builddir}/src/unstrip -o remerged.elf stripped.elf debugfile.elf +testrun ${abs_top_builddir}/src/unstrip -o remerged.elf stripped.elf debugfile2.elf testrun_compare ${abs_top_builddir}/src/readelf -g remerged.elf << EOF @@ -143,13 +143,13 @@ Section group [ 4] '.group' with signature '.text.unlikely..group' contains 1 en [27] .text.unlikely EOF -testrun ${abs_top_builddir}/src/strip -o stripped.elf -f debugfile.elf testfile-annobingroup-x86_64.o +testrun ${abs_top_builddir}/src/strip -o stripped.elf -f debugfile3.elf testfile-annobingroup-x86_64.o # This would/should work, except for the unknown NOTEs. # testrun ${abs_top_builddir}/src/elflint --gnu stripped.elf -# testrun ${abs_top_builddir}/src/elflint --gnu --debug debugfile.elf +# testrun ${abs_top_builddir}/src/elflint --gnu --debug debugfile3.elf -testrun ${abs_top_builddir}/src/unstr
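Review bot: In the run-annobingroup.sh hunks only the `-f` debug file gets a distinct name per input (debugfile1.elf, debugfile2.elf, debugfile3.elf), while `-o stripped.elf` and `-o remerged.elf` are still overwritten for each of the three testfile-annobingroup*.o inputs; if the intent in the subject is one file per strip output, those two should be split the same way (for example stripped1.elf and remerged1.elf, hypothetical names) and listed on the `tempfiles` line next to the new debug files. The run-strip-test-many.sh hunk is cut off in this copy after `-testrun ${abs_top_builddir}/src/unstr`, so the strip, unstrip and elflint result checks that the tests/ChangeLog entry announces cannot be reviewed from what is visible here.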
[PATCH] configure: Add new --enable-install-elfh option.
We explicitly test (with system-elf-libelf) that our include headers work with the system elf.h header. But it might be helpful to install the elf.h file for a private install. Our elf.h header really is just a copy of the latest glibc elf.h. But it might be newer and include more constants than the system installed elf.h. Add a new configure option --enable-install-elfh to install elf.h. But warn when it is enabled for the default /usr or /usr/local prefix because it might clash with the glibc/system elf.h header in that case. Signed-off-by: Mark Wielaard --- ChangeLog | 4 configure.ac | 12 libelf/ChangeLog | 5 + libelf/Makefile.am | 13 ++--- 4 files changed, 31 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 45418a0..148ce77 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +2019-01-18 Mark Wielaard + + * configure.ac: Add new --enable-install-elfh. + 2018-07-04 Ross Burton * configure.ac: Check for gawk. diff --git a/configure.ac b/configure.ac index b89b867..7d4e69d 100644 --- a/configure.ac +++ b/configure.ac @@ -323,6 +323,11 @@ if test "$use_valgrind" = yes; then fi AM_CONDITIONAL(USE_VALGRIND, test "$use_valgrind" = yes) +AC_ARG_ENABLE([install-elfh], +AS_HELP_STRING([--enable-install-elfh],[install elf.h in include dir]), + [install_elfh=$enableval], [install_elfh=no]) +AM_CONDITIONAL(INSTALL_ELFH, test "$install_elfh" = yes) + AM_CONDITIONAL(BUILD_STATIC, [dnl test "$use_gprof" = yes -o "$use_gcov" = yes]) @@ -658,6 +663,7 @@ AC_MSG_NOTICE([ NOT RECOMMENDED FEATURES (should all be no) Experimental thread safety : ${use_locks} +install elf.h : ${install_elfh} OTHER FEATURES Deterministic archives by default : ${default_ar_deterministic} 
@@ -673,3 +679,9 @@ AC_MSG_NOTICE([ use rpath in tests : ${tests_use_rpath} test biarch: ${utrace_cv_cc_biarch} ]) + +if test "$install_elfh" = yes; then + if test "${prefix}" = "/usr/local" -o "${prefix}" = "/usr"; then +AC_MSG_WARN([installing elf.h in ${includedir} might conflict with glibc/system elf.h]) + fi +fi diff --git a/libelf/ChangeLog b/libelf/ChangeLog index 5783f0c..b89e93f 100644 --- a/libelf/ChangeLog +++ b/libelf/ChangeLog @@ -1,3 +1,8 @@ +2019-01-18 Mark Wielaard + + * Makefile.am (INSTALL_ELFH): Add elf.h to include_HEADERS when + defined, otherwise (the default) add elf.h to noinst_HEADERS. + 2019-01-16 Mark Wielaard * note_xlate.h (elf_cvt_note): Check n_namesz and n_descsz don't diff --git a/libelf/Makefile.am b/libelf/Makefile.am index ddaeaa2..d5d63f7 100644 --- a/libelf/Makefile.am +++ b/libelf/Makefile.am @@ -39,6 +39,16 @@ noinst_LIBRARIES = libelf_pic.a noinst_PROGRAMS = $(noinst_LIBRARIES:_pic.a=.so) include_HEADERS = libelf.h gelf.h nlist.h +noinst_HEADERS = abstract.h common.h exttypes.h gelf_xlate.h libelfP.h \ +version_xlate.h gnuhash_xlate.h note_xlate.h dl-hash.h \ +chdr_xlate.h + +if INSTALL_ELFH +include_HEADERS += elf.h +else +noinst_HEADERS += elf.h +endif + pkginclude_HEADERS = elf-knowledge.h libelf_a_SOURCES = elf_version.c elf_hash.c elf_error.c elf_fill.c \ @@ -123,9 +133,6 @@ uninstall: uninstall-am rm -f $(DESTDIR)$(libdir)/libelf.so.$(VERSION) rm -f $(DESTDIR)$(libdir)/libelf.so -noinst_HEADERS = elf.h abstract.h common.h exttypes.h gelf_xlate.h libelfP.h \ -version_xlate.h gnuhash_xlate.h note_xlate.h dl-hash.h \ -chdr_xlate.h EXTRA_DIST = libelf.map CLEANFILES += $(am_libelf_pic_a_OBJECTS) libelf.so.$(VERSION) -- 1.8.3.1
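Review bot: The prefix warning appended to configure.ac (`if test "${prefix}" = "/usr/local" -o "${prefix}" = "/usr"; then`) will not fire for the default installation: while configure runs, an unset --prefix leaves $prefix as the literal string NONE, and it is only replaced by the default prefix when the output files are written, so the case the commit message most wants to warn about is silently skipped; test for NONE as well, or compare against $ac_default_prefix. In the same hunk, ${includedir} still holds the unexpanded text `${prefix}/include` at that point, so AC_MSG_WARN prints that literally rather than a real path; either expand it with eval first or drop the path from the message.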
Re: [PATCH] configure: Add new --enable-install-elfh option.
I think you should also adapt tests/Makefile.am to use our own elf.h in this case. See https://codereview.qt-project.org/#/c/187812/25 for my solution to this.
Re: [PATCH] RISC-V: Add initial return value location support.
On Thu, Jan 10, 2019 at 4:26 AM Mark Wielaard wrote:
> https://github.com/riscv/riscv-elf-psabi-doc/blob/master/riscv-elf.md#procedure-calling-convention
> But I couldn't find an official DWARF register mapping.
> If you have references I'd like to add them to the code.

This document now has a chapter for DWARF info, with just one table to specify the DWARF register mapping.

https://github.com/riscv/riscv-elf-psabi-doc/blob/master/riscv-elf.md#dwarf-register-numbers

Jim
[Bug tools/24089] NT_PLATFORM core file note should be a zero terminated string
https://sourceware.org/bugzilla/show_bug.cgi?id=24089

Mark Wielaard changed:

What       |Removed   |Added
Status     |ASSIGNED  |RESOLVED
Resolution |---       |FIXED

--- Comment #3 from Mark Wielaard ---
commit de01cc6f9446187d69b9748bb3636361c79e77a4
Author: Mark Wielaard
Date: Wed Jan 16 15:41:31 2019 +0100

    libebl: Check NT_PLATFORM core notes contain a zero terminated string.

    Most strings in core notes are fixed size. But NT_PLATFORM contains
    just a variable length string. Check that it is actually zero
    terminated before passing to readelf to print.

    https://sourceware.org/bugzilla/show_bug.cgi?id=24089

    Signed-off-by: Mark Wielaard

Pushed to master.
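Two of the fixes in this digest are the same defensive pattern applied to ELF notes: the note_xlate commit quoted in the bug 24102 and 24103 reports (check n_namesz and n_descsz against the real 12-byte note header so note_len cannot wrap), and the NT_PLATFORM commit above (check that the variable-length descriptor really contains a NUL before anything prints it as a string). The following is an added example of that pattern, written for this page; it is not elfutils code. It assumes little-endian notes with the standard three 32-bit header words, NT_PLATFORM = 5 as in elf.h, and constructed sample notes; every size is compared against the bytes that remain rather than added to an offset first.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ELF note header: n_namesz, n_descsz, n_type, three 32-bit words (12 bytes
   for both ELF32 and ELF64).  Comparing against 8 instead of 12 was the
   mistake the note_xlate commit corrected. */
#define NOTE_HDR_SIZE 12u
/* NT_PLATFORM as defined in elf.h. */
#define NT_PLATFORM_TYPE 5u

enum note_status
{
  NOTE_OK = 0,
  NOTE_TRUNCATED,     /* fewer than 12 bytes left where a header should be */
  NOTE_BAD_SIZE,      /* n_namesz or n_descsz runs past the end of the buffer */
  NOTE_UNTERMINATED   /* NT_PLATFORM descriptor holds no NUL inside n_descsz */
};

/* Read a little-endian 32-bit word without assuming alignment. */
static uint32_t
rd32le (const unsigned char *p)
{
  return (uint32_t) p[0] | ((uint32_t) p[1] << 8)
         | ((uint32_t) p[2] << 16) | ((uint32_t) p[3] << 24);
}

/* Walk every note in buf[0, len).  Sizes are checked against what remains,
   never added to an offset first, so a huge n_namesz or n_descsz cannot wrap
   around into a small note length.  On success *count gets the note count. */
enum note_status
check_notes (const unsigned char *buf, size_t len, size_t *count)
{
  size_t off = 0, seen = 0;
  while (off < len)
    {
      size_t rest = len - off;
      if (rest < NOTE_HDR_SIZE)
        return NOTE_TRUNCATED;
      uint32_t namesz = rd32le (buf + off);
      uint32_t descsz = rd32le (buf + off + 4);
      uint32_t type = rd32le (buf + off + 8);
      rest -= NOTE_HDR_SIZE;

      if (namesz > rest)
        return NOTE_BAD_SIZE;
      /* The name is padded to 4 bytes; a final note may omit the padding. */
      size_t name_pad = ((size_t) namesz + 3) & ~(size_t) 3;
      if (name_pad > rest)
        name_pad = rest;
      if (descsz > rest - name_pad)
        return NOTE_BAD_SIZE;

      const unsigned char *desc = buf + off + NOTE_HDR_SIZE + name_pad;
      /* Only the bytes covered by n_descsz count; a NUL in the padding
         after the descriptor does not make the string safe to print. */
      if (type == NT_PLATFORM_TYPE
          && (descsz == 0 || memchr (desc, '\0', descsz) == NULL))
        return NOTE_UNTERMINATED;

      seen++;
      size_t desc_pad = ((size_t) descsz + 3) & ~(size_t) 3;
      size_t next = off + NOTE_HDR_SIZE + name_pad + desc_pad;
      off = next > len ? len : next;
    }
  if (count != NULL)
    *count = seen;
  return NOTE_OK;
}

/* Constructed sample notes for this example, not taken from any real core. */
static const unsigned char good_notes[] = {
  /* NT_PLATFORM: namesz 5, descsz 7, "CORE\0" + pad, "x86_64\0" + pad */
  5,0,0,0, 7,0,0,0, 5,0,0,0,
  'C','O','R','E',0, 0,0,0,
  'x','8','6','_','6','4',0, 0,
  /* a second note of type 1 with a 4-byte descriptor */
  5,0,0,0, 4,0,0,0, 1,0,0,0,
  'C','O','R','E',0, 0,0,0,
  1,2,3,4,
};
static const unsigned char unterminated_platform[] = {
  /* descsz 6 covers "x86_64" exactly; the NUL is padding, outside n_descsz */
  5,0,0,0, 6,0,0,0, 5,0,0,0,
  'C','O','R','E',0, 0,0,0,
  'x','8','6','_','6','4', 0,0,
};
static const unsigned char oversized_namesz[] = {
  /* n_namesz 0xffffffff: adding it to a note length would wrap on 32-bit */
  0xff,0xff,0xff,0xff, 0,0,0,0, 5,0,0,0,
};

enum note_status example_good (size_t *count)
{ return check_notes (good_notes, sizeof good_notes, count); }
size_t example_good_count (void)
{ size_t n = 0; return example_good (&n) == NOTE_OK ? n : 0; }
enum note_status example_unterminated (void)
{ return check_notes (unterminated_platform, sizeof unterminated_platform, NULL); }
enum note_status example_oversized (void)
{ return check_notes (oversized_namesz, sizeof oversized_namesz, NULL); }

int
main (void)
{
  printf ("good: status %d, %zu notes\n", example_good (NULL), example_good_count ());
  printf ("unterminated NT_PLATFORM: status %d\n", example_unterminated ());
  printf ("oversized n_namesz: status %d\n", example_oversized ());
  return 0;
}
```

The unterminated case is the one the libebl fix targets: the bytes after the descriptor happen to be zero, but they are not part of n_descsz, so a printer that trusts the padding reads data it was never told it owned.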