[Bug libasm/25068] New: Several crashes inside libasm

2019-10-06 Thread leftcopy.chx at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=25068

Bug ID: 25068
Summary: Several crashes inside libasm
Product: elfutils
Version: unspecified
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: libasm
Assignee: unassigned at sourceware dot org
Reporter: leftcopy.chx at gmail dot com
CC: elfutils-devel at sourceware dot org
Target Milestone: ---

Created attachment 12023
  --> https://sourceware.org/bugzilla/attachment.cgi?id=12023&action=edit
POCs and error messages

By applying our fuzzer, we detected several crashes/vulnerabilities on git
47780c9e (HEAD).
The pocs are attached and can be triggered by running `./eu-objdump -d $FILE`
when ASAN is enabled.

$ ldd ./eu-objdump
        linux-vdso.so.1 (0x7ffdbe7d8000)
        libasan.so.4 => /usr/lib/x86_64-linux-gnu/libasan.so.4 (0x7f71d83ee000)
        libasm.so.1 => /home/hongxu/FOT/Targets/elfutils/eu-asan/install/lib/libasm.so.1 (0x7f71d81d7000)
        libdw.so.1 => /home/hongxu/FOT/Targets/elfutils/eu-asan/install/lib/libdw.so.1 (0x7f71d7d9a000)
        libelf.so.1 => /home/hongxu/FOT/Targets/elfutils/eu-asan/install/lib/libelf.so.1 (0x7f71d7b3f000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x7f71d774e000)
        libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x7f71d754a000)
        librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x7f71d7342000)
        libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x7f71d7123000)
        libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x7f71d6d85000)
        libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x7f71d6b6d000)
        libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x7f71d695)
        liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x7f71d672a000)
        libbz2.so.1.0 => /lib/x86_64-linux-gnu/libbz2.so.1.0 (0x7f71d651a000)
        /lib64/ld-linux-x86-64.so.2 (0x7f71d96cd000)

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libelf/25069] New: AddressSanitizer: heap-buffer-overflow at libdwelf/dwelf_strtab.c:284

2019-10-06 Thread leftcopy.chx at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=25069

Bug ID: 25069
Summary: AddressSanitizer: heap-buffer-overflow at libdwelf/dwelf_strtab.c:284
Product: elfutils
Version: unspecified
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: libelf
Assignee: unassigned at sourceware dot org
Reporter: leftcopy.chx at gmail dot com
CC: elfutils-devel at sourceware dot org
Target Milestone: ---

Created attachment 12024
  --> https://sourceware.org/bugzilla/attachment.cgi?id=12024&action=edit
pocs

When running `eu-unstrip hbo_libelf/hbo__dwelf_strtab.c:284_1
hbo_libelf/stripped -o /dev/null` (compiled with ASAN), it may report the error
message, which results from a heap-buffer-overflow inside libelf (relevant file
attached):

=================================================================
==18249==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62001f75 at pc 0x76e6b66e bp 0x7fff48b0 sp 0x7fff4058
READ of size 20 at 0x62001f75 thread T0
    #0 0x76e6b66d  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5166d)
    #1 0x768b080a in dwelf_strtab_add /home/hongxu/FOT/Targets/elfutils/eu-asan/libdwelf/dwelf_strtab.c:284
    #2 0x55569394 in copy_elided_sections /home/hongxu/FOT/Targets/elfutils/eu-asan/src/unstrip.c:1845
    #3 0x5556bea1 in handle_file /home/hongxu/FOT/Targets/elfutils/eu-asan/src/unstrip.c:2162
    #4 0x5556c760 in handle_explicit_files /home/hongxu/FOT/Targets/elfutils/eu-asan/src/unstrip.c:2227
    #5 0x5556f1f6 in main /home/hongxu/FOT/Targets/elfutils/eu-asan/src/unstrip.c:2562
    #6 0x763b2b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #7 0x9a89 in _start (/home/hongxu/FOT/Targets/elfutils/eu-asan/install/bin/eu-unstrip+0x5a89)

0x62001f75 is located 0 bytes to the right of 3829-byte region [0x62001080,0x62001f75)
allocated by thread T0 here:
    #0 0x76ef8b50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
    #1 0x76be8287 in __libelf_set_rawdata_wrlock /home/hongxu/FOT/Targets/elfutils/eu-asan/libelf/elf_getdata.c:332
    #2 0x76be8f06 in __elf_getdata_rdlock /home/hongxu/FOT/Targets/elfutils/eu-asan/libelf/elf_getdata.c:535
    #3 0x76be8fb6 in elf_getdata /home/hongxu/FOT/Targets/elfutils/eu-asan/libelf/elf_getdata.c:562
    #4 0xf7d0 in collect_symbols /home/hongxu/FOT/Targets/elfutils/eu-asan/src/unstrip.c:838
    #5 0x55568b94 in copy_elided_sections /home/hongxu/FOT/Targets/elfutils/eu-asan/src/unstrip.c:1783
    #6 0x5556bea1 in handle_file /home/hongxu/FOT/Targets/elfutils/eu-asan/src/unstrip.c:2162
    #7 0x5556c760 in handle_explicit_files /home/hongxu/FOT/Targets/elfutils/eu-asan/src/unstrip.c:2227
    #8 0x5556f1f6 in main /home/hongxu/FOT/Targets/elfutils/eu-asan/src/unstrip.c:2562
    #9 0x763b2b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5166d)
Shadow bytes around the buggy address:
  0x0c407fff8390: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c407fff83a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c407fff83b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c407fff83c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c407fff83d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c407fff83e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[05]fa
  0x0c407fff83f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c407fff8400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c407fff8410: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c407fff8420: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c407fff8430: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==18249==ABORTING

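The trace in the second report shows a 20-byte READ in dwelf_strtab_add running exactly to the end of a 3829-byte region that elf_getdata returned, which is the signature of string data being consumed with a length-unaware routine rather than being bounded by the section size. The report itself does not state the root cause, so the reading that an unterminated string inside section data is involved is an assumption here. The following is an added example, not elfutils code, of the defensive check a consumer of untrusted section bytes should apply before handing a string to any strlen()-style API: the helper names (section_cstr, count_complete_strings) and the byte layout in sample_shstrtab are constructed for illustration.

```c
/* Added example (not elfutils code): bounded extraction of C strings from
 * an ELF section's data buffer.  Names and sample bytes are constructed. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Return a pointer to the string starting at `offset` inside the buffer
 * `data` of `size` bytes, or NULL when the offset is out of range or no
 * NUL terminator exists before the end of the buffer.  Because the NUL is
 * verified to lie inside the buffer, callers may then use strlen()/strcpy()
 * on the result without reading past the allocation. */
static const char *
section_cstr (const unsigned char *data, size_t size, size_t offset)
{
  if (data == NULL || offset >= size)
    return NULL;
  /* memchr stops at the buffer boundary; a bare strlen would not. */
  if (memchr (data + offset, '\0', size - offset) == NULL)
    return NULL;
  return (const char *) (data + offset);
}

/* Walk a string table from offset 0 and count the strings that are fully
 * terminated inside the buffer.  The walk stops at the first string that
 * would run off the end instead of reading into whatever follows it. */
static size_t
count_complete_strings (const unsigned char *data, size_t size)
{
  size_t count = 0;
  size_t off = 0;
  while (off < size)
    {
      const char *s = section_cstr (data, size, off);
      if (s == NULL)
        break;                  /* unterminated tail: refuse, do not over-read */
      count++;
      off += strlen (s) + 1;    /* safe: terminator verified above */
    }
  return count;
}

/* Constructed section contents: a well-formed string table (the leading
 * empty string, ".text", ".data") followed by ".truncat", whose terminator
 * lies outside the declared section size.  SAMPLE_SIZE excludes the NUL
 * the C string literal appends, so the buffer is 21 bytes long. */
static const unsigned char sample_shstrtab[] = "\0.text\0.data\0.truncat";
#define SAMPLE_SIZE (sizeof (sample_shstrtab) - 1)

int
main (void)
{
  const char *ok = section_cstr (sample_shstrtab, SAMPLE_SIZE, 7);
  const char *bad = section_cstr (sample_shstrtab, SAMPLE_SIZE, 13);
  printf ("offset 7  -> %s\n", ok ? ok : "(rejected)");
  printf ("offset 13 -> %s\n", bad ? bad : "(rejected: unterminated)");
  printf ("complete strings: %zu\n",
          count_complete_strings (sample_shstrtab, SAMPLE_SIZE));
  return 0;
}
```

Running the block prints ".data" for offset 7, rejects offset 13, and counts 3 complete strings. Under ASan, replacing section_cstr with a plain `(const char *) data + 13` and calling strlen on it reproduces the same class of heap-buffer-overflow read the report shows, which is the check's whole point.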