[Bug backends/24075] Program Crash due to buffer over-read in ebl_object_note function in eblobjnote.c in libebl.

2019-01-26 Thread wcventure at 126 dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24075

wcventure  changed:

   What|Removed |Added

 Status|RESOLVED|UNCONFIRMED
 Resolution|FIXED   |---

--- Comment #4 from wcventure  ---
Regression Testing:

I have done regression testing.
This problem can be broken again!

Here is the POC file.


The Commit ID I used:

> commit a17c2c0917901ffa542ac4d3e327d46742219e04
> Author: Mark Wielaard 
> Date:   Tue Jan 22 15:55:18 2019 +0100
> 
> readelf: Don't go past end of line data reading unknown opcode parameters.
> 
> https://sourceware.org/bugzilla/show_bug.cgi?id=24116
> 
> Signed-off-by: Mark Wielaard 


ASAN trace:

> ==22829==ERROR: AddressSanitizer: unknown-crash on address 0x7f07d1c81000 at 
> pc 0x004c0857 bp 0x7ffc6580df50 sp 0x7ffc6580df40
> READ of size 1 at 0x7f07d1c81000 thread T0
> #0 0x4c0856 in ebl_object_note 
> /home/wencheng/Experiment/elfutils/libebl/eblobjnote.c:495
> #1 0x452e0f in handle_notes_data 
> /home/wencheng/Experiment/elfutils/src/readelf.c:12256
> #2 0x465ec3 in handle_notes 
> /home/wencheng/Experiment/elfutils/src/readelf.c:12320
> #3 0x465ec3 in process_elf_file 
> /home/wencheng/Experiment/elfutils/src/readelf.c:1000
> #4 0x465ec3 in process_dwflmod 
> /home/wencheng/Experiment/elfutils/src/readelf.c:760
> #5 0x7f07d0893961 in dwfl_getmodules 
> /home/wencheng/Experiment/elfutils/libdwfl/dwfl_getmodules.c:86
> #6 0x40d035 in process_file 
> /home/wencheng/Experiment/elfutils/src/readelf.c:868
> #7 0x40579e in main /home/wencheng/Experiment/elfutils/src/readelf.c:350
> #8 0x7f07cff1882f in __libc_start_main 
> (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
> #9 0x406428 in _start 
> (/home/wencheng/Experiment/elfutils/build/bin/eu-readelf+0x406428)
> 
> Address 0x7f07d1c81000 is a wild pointer.
> SUMMARY: AddressSanitizer: unknown-crash 
> /home/wencheng/Experiment/elfutils/libebl/eblobjnote.c:495 in ebl_object_note
> ==22829==ABORTING

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug backends/24075] Program Crash due to buffer over-read in ebl_object_note function in eblobjnote.c in libebl.

2019-01-26 Thread wcventure at 126 dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24075

--- Comment #5 from wcventure  ---
Created attachment 11573
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11573&action=edit
Regressiong_POC


[Bug backends/24075] Program Crash due to buffer over-read in ebl_object_note function in eblobjnote.c in libebl.

2019-01-26 Thread wcventure at 126 dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24075

wcventure  changed:

   What|Removed |Added

   Priority|P2  |P1
   Severity|normal  |critical


[Bug libdw/24140] New: A Heap-buffer-overflow problem was discovered in the function __libdw_next_unit in dwarf_nextcu.c in libdw

2019-01-26 Thread wcventure at 126 dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24140

Bug ID: 24140
   Summary: A Heap-buffer-overflow problem was discovered in the
function __libdw_next_unit in dwarf_nextcu.c in libdw
   Product: elfutils
   Version: unspecified
Status: UNCONFIRMED
  Severity: critical
  Priority: P2
 Component: libdw
  Assignee: unassigned at sourceware dot org
  Reporter: wcventure at 126 dot com
CC: elfutils-devel at sourceware dot org
  Target Milestone: ---

Created attachment 11574
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11574&action=edit
POC

Hi, 

A Heap-buffer-overflow problem was discovered in the function __libdw_next_unit
in dwarf_nextcu.c in libdw, as distributed in Elfutils 0.175. A crafted ELF
input can cause segment faults and I have confirmed them with address sanitizer
too.

Here are the POC files. Please use "./eu-nm -C $POC" to reproduce the error.

$ git log

> commit a17c2c0917901ffa542ac4d3e327d46742219e04
> Author: Mark Wielaard 
> Date:   Tue Jan 22 15:55:18 2019 +0100
> 
> readelf: Don't go past end of line data reading unknown opcode parameters.
> 
> https://sourceware.org/bugzilla/show_bug.cgi?id=24116
> 
> Signed-off-by: Mark Wielaard 

The ASAN dumps the stack trace as follows:

> ==12766==ERROR: AddressSanitizer: heap-buffer-overflow on address 
> 0x60300032 at pc 0x7f1605a83c52 bp 0x7ffeba226910 sp 0x7ffeba226900
> READ of size 2 at 0x60300032 thread T0
> #0 0x7f1605a83c51 in __libdw_next_unit 
> /home/wencheng/Experiment/elfutils/libdw/dwarf_nextcu.c:249
> #1 0x7f1605a83f3c in dwarf_next_unit 
> /home/wencheng/Experiment/elfutils/libdw/dwarf_nextcu.c:46
> #2 0x7f1605a83f3c in dwarf_nextcu 
> /home/wencheng/Experiment/elfutils/libdw/dwarf_nextcu.c:294
> #3 0x408273 in get_local_names 
> /home/wencheng/Experiment/elfutils/src/nm.c:627
> #4 0x408273 in show_symbols 
> /home/wencheng/Experiment/elfutils/src/nm.c:1285
> #5 0x40e5bd in handle_elf /home/wencheng/Experiment/elfutils/src/nm.c:1578
> #6 0x40387c in process_file 
> /home/wencheng/Experiment/elfutils/src/nm.c:374
> #7 0x40387c in main /home/wencheng/Experiment/elfutils/src/nm.c:249
> #8 0x7f1604e6782f in __libc_start_main 
> (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
> #9 0x404568 in _start 
> (/home/wencheng/Experiment/elfutils/build/bin/eu-nm+0x404568)
> 
> 0x60300032 is located 2 bytes to the right of 32-byte region 
> [0x60300010,0x60300030)
> allocated by thread T0 here:
> #0 0x7f1605f4ab90 in __interceptor_malloc 
> (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb90)
> #1 0x7f16057feec3 in convert_data 
> /home/wencheng/Experiment/elfutils/libelf/elf_getdata.c:157
> #2 0x7f16057feec3 in __libelf_set_data_list_rdlock 
> /home/wencheng/Experiment/elfutils/libelf/elf_getdata.c:447
> 
> SUMMARY: AddressSanitizer: heap-buffer-overflow 
> /home/wencheng/Experiment/elfutils/libdw/dwarf_nextcu.c:249 in 
> __libdw_next_unit
> ==12766==ABORTING

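The trace above is a 2-byte read landing 2 bytes past a 32-byte `.debug_info` buffer while walking unit headers. The following is an added example, not elfutils code and not the attached POC: a DWARF unit header reader that checks the remaining length before every read and verifies that the announced unit body fits inside the section, so a truncated unit is rejected instead of over-read. Little-endian section data is assumed; the constructed sample bytes are mine.

```c
#include <stddef.h>
#include <stdint.h>
/* Added example, not elfutils code: a bounds-checked DWARF unit header reader
   of the kind that stops the 2-byte over-read reported above (little-endian). */
struct unit_hdr {
    uint64_t unit_length, abbrev_off;
    int offset_size;                /* 4 = 32-bit DWARF, 8 = 64-bit DWARF */
    uint16_t version; uint8_t unit_type, address_size;
};
/* Read n little-endian bytes at *pos; refuse rather than cross 'end'. */
static int take(const uint8_t **pos, const uint8_t *end, size_t n, uint64_t *out)
{
    if ((size_t)(end - *pos) < n) return -1;    /* would read past the buffer */
    uint64_t v = 0;
    for (size_t i = 0; i < n; i++) v |= (uint64_t)(*pos)[i] << (8 * i);
    *pos += n; *out = v;
    return 0;
}
/* 0 on success, -1 if the header or the body it announces does not fit in
   [data, data + len); a rejected unit is never walked. */
int parse_unit_header(const uint8_t *data, size_t len, struct unit_hdr *h)
{
    const uint8_t *p = data, *end = data + len; uint64_t v;
    if (take(&p, end, 4, &v)) return -1;
    h->offset_size = 4;
    if (v == 0xffffffffu) {                     /* 64-bit DWARF escape */
        if (take(&p, end, 8, &v)) return -1;
        h->offset_size = 8;
    }
    h->unit_length = v;
    if (v > (uint64_t)(end - p)) return -1;     /* body longer than the section */
    end = p + v;                                /* clamp later reads to this unit */
    if (take(&p, end, 2, &v) || v < 2 || v > 5) return -1;
    h->version = (uint16_t)v;
    if (h->version >= 5) {                      /* DWARF 5 field order */
        if (take(&p, end, 1, &v)) return -1; h->unit_type = (uint8_t)v;
        if (take(&p, end, 1, &v)) return -1; h->address_size = (uint8_t)v;
        if (take(&p, end, h->offset_size, &v)) return -1; h->abbrev_off = v;
    } else {                                    /* DWARF 2-4 field order */
        h->unit_type = 0;
        if (take(&p, end, h->offset_size, &v)) return -1; h->abbrev_off = v;
        if (take(&p, end, 1, &v)) return -1; h->address_size = (uint8_t)v;
    }
    return 0;
}
/* Constructed sample (not the attached POC): claims a 40-byte body, ends after the version. */
static const uint8_t truncated_unit[] = { 0x28, 0, 0, 0, 0x04, 0 };
int truncated_is_rejected(void)
{ struct unit_hdr h; return parse_unit_header(truncated_unit, sizeof truncated_unit, &h) == -1; }
```

Running `eu-nm`-style unit iteration on top of a reader like this means a unit whose length field outruns the section is dropped before its version bytes are ever touched.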