[Bug libelf/23528] New: When executing ./eu-nm or ./eu-readelf -aAdehIlnrsSVcp -w, AddressSanitizer chatch a double-free crashes.

2018-08-15 Thread wcventure at 126 dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=23528

Bug ID: 23528
   Summary: When executing ./eu-nm or ./eu-readelf -aAdehIlnrsSVcp
-w, AddressSanitizer chatch a double-free crashes.
   Product: elfutils
   Version: unspecified
Status: UNCONFIRMED
  Severity: normal
  Priority: P2
 Component: libelf
  Assignee: unassigned at sourceware dot org
  Reporter: wcventure at 126 dot com
CC: elfutils-devel at sourceware dot org
  Target Milestone: ---

Created attachment 11185
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11185&action=edit
When executing ./eu-nm or ./eu-readelf -aAdehIlnrsSVcp -w, AddressSanitizer
catches a double-free crash.

When executing ./eu-nm @@ or ./eu-readelf -aAdehIlnrsSVcp -w @@,
AddressSanitizer catches a double-free crash.

AddressSanitizer's output is as follows:
==30316==ERROR: AddressSanitizer: attempting double-free on 0x6040de50 in
thread T0:
#0 0x7e5282ca in __interceptor_free
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
#1 0x7de26c83 in elf_end /mnt/d/Project/elfutils/libelf/elf_end.c:171
#2 0x7e1b23f6 in free_file
/mnt/d/Project/elfutils/libdwfl/dwfl_module.c:57
#3 0x7e1b23f6 in __libdwfl_module_free
/mnt/d/Project/elfutils/libdwfl/dwfl_module.c:113
#4 0x7e1b06bc in dwfl_end /mnt/d/Project/elfutils/libdwfl/dwfl_end.c:54
#5 0x409883 in show_symbols /mnt/d/Project/elfutils/src/nm.c:1494
#6 0x40cf4c in handle_elf /mnt/d/Project/elfutils/src/nm.c:1578
#7 0x4035dc in process_file /mnt/d/Project/elfutils/src/nm.c:374
#8 0x4035dc in main /mnt/d/Project/elfutils/src/nm.c:249
#9 0x7d4c082f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#10 0x4043c8 in _start (/mnt/d/Project/elfutils/build/bin/eu-nm+0x4043c8)

0x6040de50 is located 0 bytes inside of 36-byte region
[0x6040de50,0x6040de74)
freed by thread T0 here:
#0 0x7e5282ca in __interceptor_free
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
#1 0x7dea3dcf in __libelf_reset_rawdata
/mnt/d/Project/elfutils/libelf/elf_compress.c:325

previously allocated by thread T0 here:
#0 0x7e528602 in malloc
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x7dea31dd in __libelf_decompress
/mnt/d/Project/elfutils/libelf/elf_compress.c:223
#2 0x7deaa490  (/mnt/d/Project/elfutils/build/lib/libelf.so.1+0x9a490)

SUMMARY: AddressSanitizer: double-free ??:0 __interceptor_free
==30316==ABORTING
[Inferior 1 (process 30316) exited with code 01]

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libelf/23528] When executing ./eu-nm or ./eu-readelf -aAdehIlnrsSVcp -w, AddressSanitizer catch a double-free crashe.

2018-08-15 Thread wcventure at 126 dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=23528

wcventure  changed:

   What|Removed |Added

Summary|When executing ./eu-nm or   |When executing ./eu-nm or
   |./eu-readelf|./eu-readelf
   |-aAdehIlnrsSVcp -w, |-aAdehIlnrsSVcp -w,
   |AddressSanitizer chatch a   |AddressSanitizer catch a
   |double-free crashes.|double-free crashe.


[Bug libelf/23528] When executing ./eu-nm or ./eu-readelf -aAdehIlnrsSVcp -w, AddressSanitizer catch a double-free crash.

2018-08-15 Thread wcventure at 126 dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=23528

wcventure  changed:

   What|Removed |Added

Summary|When executing ./eu-nm or   |When executing ./eu-nm or
   |./eu-readelf|./eu-readelf
   |-aAdehIlnrsSVcp -w, |-aAdehIlnrsSVcp -w,
   |AddressSanitizer catch a|AddressSanitizer catch a
   |double-free crashe. |double-free crash.


[Bug backends/23529] New: heap-buffer-overflow in eu-readelf

2018-08-15 Thread wcventure at 126 dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=23529

Bug ID: 23529
   Summary: heap-buffer-overflow in eu-readelf
   Product: elfutils
   Version: unspecified
Status: UNCONFIRMED
  Severity: normal
  Priority: P2
 Component: backends
  Assignee: unassigned at sourceware dot org
  Reporter: wcventure at 126 dot com
CC: elfutils-devel at sourceware dot org
  Target Milestone: ---

Created attachment 11186
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11186&action=edit
crash-seed-buffer-over-flow

When executing "./eu-readelf -aAdehIlnrsSVcp -w @@", AddressSanitizer catches a
heap-buffer-overflow crash.

==29317==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x6060c536 at pc 0x7f5bdaf2bfb0 bp 0x7669ef70 sp 0x7669ef60
READ of size 1 at 0x6060c536 thread T0
#0 0x7f5bdaf2bfaf in __libdw_get_uleb128_unchecked
/mnt/d/Project/elfutils/libdw/memory-access.h:97
#1 0x7f5bdaf2bfaf in dwarf_getabbrevattr_data
/mnt/d/Project/elfutils/libdw/dwarf_getabbrevattr.c:60
#2 0x42f8c2 in print_debug_abbrev_section
/mnt/d/Project/elfutils/src/readelf.c:5045
#3 0x45313f in print_debug /mnt/d/Project/elfutils/src/readelf.c:11143
#4 0x45b07b in process_elf_file /mnt/d/Project/elfutils/src/readelf.c:996
#5 0x462344 in process_dwflmod /mnt/d/Project/elfutils/src/readelf.c:760
#6 0x7f5bdafcc410 in dwfl_getmodules
/mnt/d/Project/elfutils/libdwfl/dwfl_getmodules.c:86
#7 0x40f013 in process_file /mnt/d/Project/elfutils/src/readelf.c:868
#8 0x405614 in main /mnt/d/Project/elfutils/src/readelf.c:350
#9 0x7f5bda65082f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#10 0x406118 in _start
(/mnt/d/Project/elfutils/build/bin/eu-readelf+0x406118)

0x6060c536 is located 0 bytes to the right of 54-byte region
[0x6060c500,0x6060c536)
allocated by thread T0 here:
#0 0x7f5bdb328602 in malloc
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x7f5bdac62680 in convert_data
/mnt/d/Project/elfutils/libelf/elf_getdata.c:164
#2 0x7f5bdac62680 in __libelf_set_data_list_rdlock
/mnt/d/Project/elfutils/libelf/elf_getdata.c:431

SUMMARY: AddressSanitizer: heap-buffer-overflow
/mnt/d/Project/elfutils/libdw/memory-access.h:97 __libdw_get_uleb128_unchecked
Shadow bytes around the buggy address:
  0x0c0c7fff9850: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fa
  0x0c0c7fff9860: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
  0x0c0c7fff9870: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
  0x0c0c7fff9880: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fa
  0x0c0c7fff9890: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
=>0x0c0c7fff98a0: 00 00 00 00 00 00[06]fa fa fa fa fa fd fd fd fd
  0x0c0c7fff98b0: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fa
  0x0c0c7fff98c0: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
  0x0c0c7fff98d0: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
  0x0c0c7fff98e0: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fa
  0x0c0c7fff98f0: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:   00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:   fa
  Heap right redzone:  fb
  Freed heap region:   fd
  Stack left redzone:  f1
  Stack mid redzone:   f2
  Stack right redzone: f3
  Stack partial redzone:   f4
  Stack after return:  f5
  Stack use after scope:   f8
  Global redzone:  f9
  Global init order:   f6
  Poisoned by user:f7
  Container overflow:  fc
  Array cookie:ac
  Intra object redzone:bb
  ASan internal:   fe
==29317==ABORTING

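A bounds-checked reader for the path the trace above goes through (dwarf_getabbrevattr_data pulling ULEB128 values out of .debug_abbrev), as an added example that is not code from the elfutils project or from the reporter. The decoder takes an explicit end pointer, so a value whose continuation bits run off the section is refused instead of being read one byte past the buffer, which is the overrun at the end of the 54-byte region ASan reports; it also rejects encodings that do not fit in 64 bits. The abbreviation bytes it walks are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Decode one unsigned LEB128 value from the bytes in [p, end).
   Returns the number of bytes consumed, or 0 when decoding must stop:
   the encoding runs past `end` (the out-of-bounds read in the trace above)
   or the value does not fit in 64 bits.  No byte beyond `end` is touched. */
static size_t
uleb128_decode (const unsigned char *p, const unsigned char *end,
                uint64_t *out)
{
  const unsigned char *start = p;
  uint64_t value = 0;
  unsigned shift = 0;

  while (p < end)
    {
      unsigned char byte = *p++;
      /* Bits 0..62 come from the first nine bytes, bit 63 from the tenth;
         any other non-zero payload would be silently dropped, so reject it. */
      if (shift > 63 || (shift == 63 && (byte & 0x7e) != 0))
        {
          if ((byte & 0x7f) != 0)
            return 0;
        }
      else
        value |= (uint64_t) (byte & 0x7f) << shift;
      shift += 7;
      if ((byte & 0x80) == 0)
        {
          *out = value;
          return (size_t) (p - start);
        }
    }
  return 0;   /* continuation bit set on the last available byte: truncated */
}

/* Walk one .debug_abbrev declaration the way an abbreviation-table reader
   does: code, tag, DW_CHILDREN byte, then (name, form) ULEB128 pairs ending
   with (0, 0).  Returns the attribute count, or -1 if the section ends before
   the terminator.  (DW_FORM_implicit_const, which carries an extra SLEB128
   operand in DWARF 5, is not handled by this toy walker.) */
static int
abbrev_count_attrs (const unsigned char *p, const unsigned char *end)
{
  uint64_t code, tag, name, form;
  size_t n;
  int count = 0;

  if ((n = uleb128_decode (p, end, &code)) == 0)
    return -1;
  p += n;
  if (code == 0)
    return 0;   /* a zero code ends the table for this unit */
  if ((n = uleb128_decode (p, end, &tag)) == 0)
    return -1;
  (void) tag;
  p += n;
  if (p >= end)   /* the DW_CHILDREN byte must still be inside the buffer */
    return -1;
  p++;
  for (;;)
    {
      if ((n = uleb128_decode (p, end, &name)) == 0)
        return -1;
      p += n;
      if ((n = uleb128_decode (p, end, &form)) == 0)
        return -1;
      p += n;
      if (name == 0 && form == 0)
        return count;
      count++;
    }
}

/* Constructed sample input: abbreviation 1 = DW_TAG_compile_unit with
   children and two attributes (DW_AT_name/DW_FORM_string,
   DW_AT_stmt_list/DW_FORM_sec_offset), then the (0, 0) terminator. */
static const unsigned char sample_abbrev[] = {
  0x01, 0x11, 0x01, 0x03, 0x08, 0x10, 0x17, 0x00, 0x00
};

int
main (void)
{
  int full = abbrev_count_attrs (sample_abbrev, sample_abbrev + sizeof sample_abbrev);
  /* The same bytes with the terminator cut off, like a truncated section. */
  int cut = abbrev_count_attrs (sample_abbrev, sample_abbrev + sizeof sample_abbrev - 2);
  printf ("full table: %d attributes, truncated table: %d\n", full, cut);
  return 0;
}
```

The full table yields 2 attributes; the truncated copy returns -1 at the point where an unchecked reader would continue into whatever follows the allocation.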

[Bug libdw/23541] New: heap-buffer-overflow in /elfutils/libdw/dwarf_getaranges.c:156

2018-08-16 Thread wcventure at 126 dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=23541

Bug ID: 23541
   Summary: heap-buffer-overflow in
/elfutils/libdw/dwarf_getaranges.c:156
   Product: elfutils
   Version: unspecified
Status: UNCONFIRMED
  Severity: normal
  Priority: P2
 Component: libdw
  Assignee: unassigned at sourceware dot org
  Reporter: wcventure at 126 dot com
CC: elfutils-devel at sourceware dot org
  Target Milestone: ---

Created attachment 11189
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11189&action=edit
addr2line -e @@ -- 500 50 10 -1000

When executing "./eu-addr2line -e @@ -- 500 50 10 -1000", AddressSanitizer
catches a heap-buffer-overflow crash.

==117833==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020edbb
at pc 0x7fde94ff95ed bp 0x7fff4f475910 sp 0x7fff4f475900
READ of size 1 at 0x6020edbb thread T0
#0 0x7fde94ff95ec in dwarf_getaranges
/home/wcventure/Documents/Cproject/elfutils/libdw/dwarf_getaranges.c:156
#1 0x7fde95091c6f in addrarange
/home/wcventure/Documents/Cproject/elfutils/libdwfl/cu.c:54
#2 0x7fde95091c6f in __libdwfl_addrcu
/home/wcventure/Documents/Cproject/elfutils/libdwfl/cu.c:313
#3 0x7fde95098b5e in dwfl_module_getsrc
/home/wcventure/Documents/Cproject/elfutils/libdwfl/dwfl_module_getsrc.c:44
#4 0x40461c in handle_address
/home/wcventure/Documents/Cproject/elfutils/src/addr2line.c:680
#5 0x40263b in main
/home/wcventure/Documents/Cproject/elfutils/src/addr2line.c:197
#6 0x7fde9459282f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#7 0x402c08 in _start
(/home/wcventure/Documents/Cproject/elfutils/build/bin/eu-addr2line+0x402c08)

0x6020edbb is located 0 bytes to the right of 11-byte region
[0x6020edb0,0x6020edbb)
allocated by thread T0 here:
#0 0x7fde953cc602 in malloc
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x7fde94d10ce8 in convert_data
/home/wcventure/Documents/Cproject/elfutils/libelf/elf_getdata.c:164
#2 0x7fde94d10ce8 in __libelf_set_data_list_rdlock
/home/wcventure/Documents/Cproject/elfutils/libelf/elf_getdata.c:431

SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/wcventure/Documents/Cproject/elfutils/libdw/dwarf_getaranges.c:156
dwarf_getaranges
Shadow bytes around the buggy address:
  0x0c047fff9d60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9db0: fa fa fa fa fa fa 00[03]fa fa 01 fa fa fa 00 01
  0x0c047fff9dc0: fa fa 00 04 fa fa 00 04 fa fa 00 04 fa fa 00 04
  0x0c047fff9dd0: fa fa 00 04 fa fa 00 04 fa fa 00 04 fa fa fd fa
  0x0c047fff9de0: fa fa 00 04 fa fa 00 04 fa fa 00 04 fa fa 00 04
  0x0c047fff9df0: fa fa 00 04 fa fa 00 04 fa fa 00 04 fa fa fd fa
  0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:   00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:   fa
  Heap right redzone:  fb
  Freed heap region:   fd
  Stack left redzone:  f1
  Stack mid redzone:   f2
  Stack right redzone: f3
  Stack partial redzone:   f4
  Stack after return:  f5
  Stack use after scope:   f8
  Global redzone:  f9
  Global init order:   f6
  Poisoned by user:f7
  Container overflow:  fc
  Array cookie:ac
  Intra object redzone:bb
  ASan internal:   fe
==117833==ABORTING


[Bug general/23542] New: heap-buffer-overflow in /elfutils/src/elflint.c:2055 check_sysv_hash

2018-08-16 Thread wcventure at 126 dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=23542

Bug ID: 23542
   Summary: heap-buffer-overflow in /elfutils/src/elflint.c:2055
check_sysv_hash
   Product: elfutils
   Version: unspecified
Status: UNCONFIRMED
  Severity: normal
  Priority: P2
 Component: general
  Assignee: unassigned at sourceware dot org
  Reporter: wcventure at 126 dot com
CC: elfutils-devel at sourceware dot org
  Target Milestone: ---

Created attachment 11190
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11190&action=edit
./eu-elflint --strict @@

==123497==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x6130dfd4 at pc 0x00432311 bp 0x7ffc0e4d29c0 sp 0x7ffc0e4d29b0
READ of size 4 at 0x6130dfd4 thread T0
#0 0x432310 in check_sysv_hash
/home/wcventure/Documents/Cproject/elfutils/src/elflint.c:2055
#1 0x432310 in check_hash
/home/wcventure/Documents/Cproject/elfutils/src/elflint.c:2355
#2 0x439613 in check_sections
/home/wcventure/Documents/Cproject/elfutils/src/elflint.c:4161
#3 0x440395 in process_elf_file
/home/wcventure/Documents/Cproject/elfutils/src/elflint.c:4739
#4 0x440395 in process_file
/home/wcventure/Documents/Cproject/elfutils/src/elflint.c:242
#5 0x402e55 in main
/home/wcventure/Documents/Cproject/elfutils/src/elflint.c:175
#6 0x7f81b5bba82f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#7 0x403b08 in _start
(/home/wcventure/Documents/Cproject/elfutils/build/bin/eu-elflint+0x403b08)

0x6130dfd5 is located 0 bytes to the right of 341-byte region
[0x6130de80,0x6130dfd5)
allocated by thread T0 here:
#0 0x7f81b64a4602 in malloc
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x7f81b61babff in convert_data
/home/wcventure/Documents/Cproject/elfutils/libelf/elf_getdata.c:164
#2 0x7f81b61babff in __libelf_set_data_list_rdlock
/home/wcventure/Documents/Cproject/elfutils/libelf/elf_getdata.c:431

SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/wcventure/Documents/Cproject/elfutils/src/elflint.c:2055 check_sysv_hash
Shadow bytes around the buggy address:
  0x0c267fff9ba0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c267fff9bb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c267fff9bc0: fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff9bd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c267fff9be0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c267fff9bf0: 00 00 00 00 00 00 00 00 00 00[05]fa fa fa fa fa
  0x0c267fff9c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff9c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff9c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff9c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff9c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:   00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:   fa
  Heap right redzone:  fb
  Freed heap region:   fd
  Stack left redzone:  f1
  Stack mid redzone:   f2
  Stack right redzone: f3
  Stack partial redzone:   f4
  Stack after return:  f5
  Stack use after scope:   f8
  Global redzone:  f9
  Global init order:   f6
  Poisoned by user:f7
  Container overflow:  fc
  Array cookie:ac
  Intra object redzone:bb
  ASan internal:   fe
==123497==ABORTING

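The read in check_sysv_hash lands just past the end of a 341-byte SHT_HASH section. What follows is an added example, not elfutils code, of the checks a SysV hash-table walker needs before it indexes into such a section: the declared nbucket and nchain must fit in the section size (computed in 64 bits so a huge count cannot wrap), every bucket and chain entry must be below nchain, and every chain must terminate. The section bytes are constructed here, and little-endian word order is assumed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum
{
  HASH_OK = 0,
  HASH_TOO_SHORT = -1,   /* fewer than the two header words */
  HASH_TRUNCATED = -2,   /* nbucket/nchain promise more words than exist */
  HASH_BAD_INDEX = -3,   /* a bucket or chain entry is >= nchain */
  HASH_CYCLE = -4        /* a chain never reaches STN_UNDEF */
};

/* Little-endian 32-bit load (assumed byte order for this example; elfutils
   would have converted the words to host order in elf_getdata). */
static uint32_t
rd32 (const unsigned char *p)
{
  return (uint32_t) p[0] | (uint32_t) p[1] << 8
         | (uint32_t) p[2] << 16 | (uint32_t) p[3] << 24;
}

/* SHT_HASH layout: nbucket, nchain, bucket[nbucket], chain[nchain], each an
   Elf32_Word.  The declared counts must fit the section's byte size before
   anything indexes into it; the sum is done in 64 bits so a huge nbucket
   cannot wrap the byte count back into range. */
static int
sysv_hash_validate (const unsigned char *data, size_t size,
                    uint32_t *nbucket_out, uint32_t *nchain_out)
{
  if (size < 8)
    return HASH_TOO_SHORT;
  uint32_t nbucket = rd32 (data);
  uint32_t nchain = rd32 (data + 4);
  uint64_t need = (2 + (uint64_t) nbucket + (uint64_t) nchain) * 4;
  if (need > size)
    return HASH_TRUNCATED;
  *nbucket_out = nbucket;
  *nchain_out = nchain;
  return HASH_OK;
}

/* Follow every bucket's chain, checking each index before it becomes a
   subscript and bounding the walk so a looped chain cannot spin forever.
   Returns the number of chain entries visited, or a negative error code. */
static int
sysv_hash_walk (const unsigned char *data, size_t size)
{
  uint32_t nbucket, nchain;
  int rc = sysv_hash_validate (data, size, &nbucket, &nchain);
  if (rc != HASH_OK)
    return rc;

  const unsigned char *bucket = data + 8;
  const unsigned char *chain = bucket + (size_t) nbucket * 4;
  int visited = 0;
  for (uint32_t b = 0; b < nbucket; b++)
    {
      uint32_t idx = rd32 (bucket + (size_t) b * 4);
      uint32_t steps = 0;
      while (idx != 0)   /* symbol index 0 (STN_UNDEF) ends the chain */
        {
          if (idx >= nchain)
            return HASH_BAD_INDEX;
          if (++steps > nchain)
            return HASH_CYCLE;
          visited++;
          idx = rd32 (chain + (size_t) idx * 4);
        }
    }
  return visited;
}

/* Constructed sections (little-endian words): nbucket = 2, nchain = 4,
   bucket = {1, 3}, chain as noted on each line. */
static const unsigned char hash_good[32] = {   /* chain = {0, 2, 0, 0} */
  2,0,0,0, 4,0,0,0, 1,0,0,0, 3,0,0,0, 0,0,0,0, 2,0,0,0, 0,0,0,0, 0,0,0,0 };
static const unsigned char hash_bad_index[32] = {   /* chain[1] = 7 >= nchain */
  2,0,0,0, 4,0,0,0, 1,0,0,0, 3,0,0,0, 0,0,0,0, 7,0,0,0, 0,0,0,0, 0,0,0,0 };
static const unsigned char hash_cycle[32] = {   /* chain[1] = 2, chain[2] = 1 */
  2,0,0,0, 4,0,0,0, 1,0,0,0, 3,0,0,0, 0,0,0,0, 2,0,0,0, 1,0,0,0, 0,0,0,0 };
/* nbucket = 0xffffffff: in 32-bit arithmetic (2 + nbucket) * 4 wraps to 4
   and the size check would pass; in 64 bits the section is rejected. */
static const unsigned char hash_wrap[32] = {
  0xff,0xff,0xff,0xff, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0 };

int
main (void)
{
  printf ("good: %d  truncated: %d  bad index: %d  cycle: %d  wrap: %d\n",
          sysv_hash_walk (hash_good, sizeof hash_good),
          sysv_hash_walk (hash_good, 28),
          sysv_hash_walk (hash_bad_index, sizeof hash_bad_index),
          sysv_hash_walk (hash_cycle, sizeof hash_cycle),
          sysv_hash_walk (hash_wrap, sizeof hash_wrap));
  return 0;
}
```

Passing hash_good with a size of 28 instead of 32 models a section header whose sh_size is smaller than the table it claims to hold; the validator refuses it before any bucket is read.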

[Bug libdw/23752] New: Invalid Address Read problem in dwfl_segment_report_module.c when executing ./eu-stack --core=$POC

2018-10-10 Thread wcventure at 126 dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=23752

Bug ID: 23752
   Summary: Invalid Address Read problem in
dwfl_segment_report_module.c when executing ./eu-stack
--core=$POC
   Product: elfutils
   Version: unspecified
Status: UNCONFIRMED
  Severity: normal
  Priority: P2
 Component: libdw
  Assignee: unassigned at sourceware dot org
  Reporter: wcventure at 126 dot com
CC: elfutils-devel at sourceware dot org
  Target Milestone: ---

Created attachment 11306
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11306&action=edit
POC-stack

Hi there,

Our fuzzer caught an invalid address read problem in eu-stack of the latest
elfutils-0.174 code base. These inputs will cause segmentation faults, and I have
confirmed them with AddressSanitizer too. Please use "./eu-stack --core=$POC" or
"./eu-stack --core=$POC -abdilmsv" to reproduce the bug. If you have any
questions, please let me know.

ASan dumps the stack trace as follows:

ASAN:DEADLYSIGNAL
=
==9753==ERROR: AddressSanitizer: SEGV on unknown address 0x7f6afb9ac114 (pc
0x7f6afa17a7dc bp 0x7fffc8bb1900 sp 0x7fffc8bb17f0 T0)
==9753==The signal is caused by a READ memory access.
#0 0x7f6afa17a7db in consider_notes
/elfutils-0.174/libdwfl/dwfl_segment_report_module.c:486
#1 0x7f6afa17accc in consider_phdr
/elfutils-0.174/libdwfl/dwfl_segment_report_module.c:529
#2 0x7f6afa176fa2 in dwfl_segment_report_module
/elfutils-0.174/libdwfl/dwfl_segment_report_module.c:590
#3 0x7f6afa185ce0 in dwfl_core_file_report
/elfutils-0.174/libdwfl/core-file.c:541
#4 0x405106 in parse_opt /elfutils-0.174/src/stack.c:590
#5 0x7f6af9a64847 in argp_parse (/lib/x86_64-linux-gnu/libc.so.6+0x114847)
#6 0x4056a7 in main /elfutils-0.174/src/stack.c:690
#7 0x7f6af997082f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#8 0x402308 in _start (/elfutils-0.174/build/bin/eu-stack+0x402308)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV
/elfutils-0.174/libdwfl/dwfl_segment_report_module.c:486 in consider_notes
==9753==ABORTING


[Bug libdw/23753] New: Invalid Address Read problem in dwfl_segment_report_module.c when executing ./eu-stack --core=$POC

2018-10-10 Thread wcventure at 126 dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=23753

Bug ID: 23753
   Summary: Invalid Address Read problem in
dwfl_segment_report_module.c when executing ./eu-stack
--core=$POC
   Product: elfutils
   Version: unspecified
Status: UNCONFIRMED
  Severity: normal
  Priority: P2
 Component: libdw
  Assignee: unassigned at sourceware dot org
  Reporter: wcventure at 126 dot com
CC: elfutils-devel at sourceware dot org
  Target Milestone: ---

Hi there,

Our fuzzer caught an invalid address read problem in eu-stack of the latest
elfutils-0.174 code base. These inputs will cause segmentation faults, and I have
confirmed them with AddressSanitizer too. Please use "./eu-stack --core=$POC" or
"./eu-stack --core=$POC -abdilmsv" to reproduce the bug. If you have any
questions, please let me know.

ASan dumps the stack trace as follows:

ASAN:DEADLYSIGNAL
=
==9753==ERROR: AddressSanitizer: SEGV on unknown address 0x7f6afb9ac114 (pc
0x7f6afa17a7dc bp 0x7fffc8bb1900 sp 0x7fffc8bb17f0 T0)
==9753==The signal is caused by a READ memory access.
#0 0x7f6afa17a7db in consider_notes
/elfutils-0.174/libdwfl/dwfl_segment_report_module.c:486
#1 0x7f6afa17accc in consider_phdr
/elfutils-0.174/libdwfl/dwfl_segment_report_module.c:529
#2 0x7f6afa176fa2 in dwfl_segment_report_module
/elfutils-0.174/libdwfl/dwfl_segment_report_module.c:590
#3 0x7f6afa185ce0 in dwfl_core_file_report
/elfutils-0.174/libdwfl/core-file.c:541
#4 0x405106 in parse_opt /elfutils-0.174/src/stack.c:590
#5 0x7f6af9a64847 in argp_parse (/lib/x86_64-linux-gnu/libc.so.6+0x114847)
#6 0x4056a7 in main /elfutils-0.174/src/stack.c:690
#7 0x7f6af997082f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#8 0x402308 in _start (/elfutils-0.174/build/bin/eu-stack+0x402308)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV
/elfutils-0.174/libdwfl/dwfl_segment_report_module.c:486 in consider_notes
==9753==ABORTING


[Bug libdw/23753] Invalid Address Read problem in dwfl_segment_report_module.c when executing ./eu-stack --core=$POC

2018-10-10 Thread wcventure at 126 dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=23753

--- Comment #1 from wcventure  ---
Created attachment 11307
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11307&action=edit
POC-stack

./eu-stack --core=$POC


[Bug tools/23754] New: NULL-Pointer dereference problem in function do_oper_extract in the eu-ar binaries

2018-10-10 Thread wcventure at 126 dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=23754

Bug ID: 23754
   Summary: NULL-Pointer dereference problem in function
do_oper_extract in the eu-ar binaries
   Product: elfutils
   Version: unspecified
Status: UNCONFIRMED
  Severity: normal
  Priority: P2
 Component: tools
  Assignee: unassigned at sourceware dot org
  Reporter: wcventure at 126 dot com
CC: elfutils-devel at sourceware dot org
  Target Milestone: ---

Hi,

Our fuzzer caught NULL-pointer dereference problems in eu-ar in the latest
elfutils (v0.174) code base. Those inputs will cause the signal SIGSEGV,
Segmentation fault. I have confirmed them with AddressSanitizer.

Please use "./eu-ar -tv $POC" to reproduce the bug. If you have any
questions, please let me know. Thank you.

ASan dumps the stack trace as follows:

ASAN:DEADLYSIGNAL
=
==24906==ERROR: AddressSanitizer: SEGV on unknown address 0x0030 (pc
0x7fb225ed3071 bp 0x7fffdbcb2a50 sp 0x7fffdbcb2370 T0)
==24906==The signal is caused by a READ memory access.
==24906==Hint: address points to the zero page.
#0 0x7fb225ed3070  (/lib/x86_64-linux-gnu/libc.so.6+0xc3070)
#1 0x7fb225ed50a5 in __strftime_l (/lib/x86_64-linux-gnu/libc.so.6+0xc50a5)
#2 0x404574 in do_oper_extract
/mnt/c/wcventure/Fuzzing_Object/elfutils-0.174/src/ar.c:542
#3 0x403203 in main
/mnt/c/wcventure/Fuzzing_Object/elfutils-0.174/src/ar.c:252
#4 0x7fb225e3082f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#5 0x402428 in _start
(/mnt/c/wcventure/Fuzzing_Object/elfutils-0.174/build/bin/eu-ar+0x402428)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0xc3070)
==24906==ABORTING


[Bug tools/23754] NULL-Pointer dereference problem in function do_oper_extract in the eu-ar binaries

2018-10-10 Thread wcventure at 126 dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=23754

--- Comment #1 from wcventure  ---
Created attachment 11309
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11309&action=edit
POC1-ar


[Bug tools/23754] NULL-Pointer dereference problem in function do_oper_extract in the eu-ar binaries

2018-10-10 Thread wcventure at 126 dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=23754

--- Comment #2 from wcventure  ---
Created attachment 11310
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11310&action=edit
POC2-ar

Please use "./eu-ar -tv $POC" to reproduce the bug.


[Bug tools/23755] New: Multiple floating point exceptions in findtextrel.c in the eu-findtextrel binary of elfutils-0.174.

2018-10-10 Thread wcventure at 126 dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=23755

Bug ID: 23755
   Summary: Multiple floating point exceptions in findtextrel.c in
the eu-findtextrel binary of elfutils-0.174.
   Product: elfutils
   Version: unspecified
Status: UNCONFIRMED
  Severity: critical
  Priority: P2
 Component: tools
  Assignee: unassigned at sourceware dot org
  Reporter: wcventure at 126 dot com
CC: elfutils-devel at sourceware dot org
  Target Milestone: ---

Created attachment 11311
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11311&action=edit
POC

Hi,

I found some floating point exceptions in findtextrel.c in eu-findtextrel of the
latest elfutils-0.174 code base. I have confirmed them with GDB and
AddressSanitizer.

Here are the POC files. I'll also show you the debugging process. It seems that
this is caused by a divide-by-zero problem.

> gdb --args ./eu-findtextrel POC3-findtextrel
> GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.5) 7.11.1
> ...
> Reading symbols from ./eu-findtextrel...done.
> (gdb) b 418
> Breakpoint 1 at 0x40379c: file findtextrel.c, line 418.
> (gdb) start
> Temporary breakpoint 2, main (argc=2, argv=0x7ffedfc8) at 
> findtextrel.c:107
> 107 {
> (gdb) c
> Continuing.
> Breakpoint 1, process_file (fname=0x7ffee247 "POC3-findtextrel", 
> more_than_one=false) at findtextrel.c:418
> 418         (size_t) cnt < shdr->sh_size / shdr->sh_entsize;
> (gdb) p shdr->sh_entsize
> $2 = 0
> (gdb) n
> 
> Program received signal SIGFPE, Arithmetic exception.
> 0x00403810 in process_file (fname=0x7ffee247 "POC3-findtextrel", 
> more_than_one=false) at findtextrel.c:418
> 418         (size_t) cnt < shdr->sh_size / shdr->sh_entsize;


[Bug tools/23755] Multiple floating point exceptions in findtextrel.c in the eu-findtextrel binary of elfutils-0.174.

2018-10-10 Thread wcventure at 126 dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=23755

--- Comment #1 from wcventure  ---
Created attachment 11312
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11312&action=edit
POC2

Here is the POC2.
Please use "./eu-findtextrel $POC" to reproduce this bug. If you have any
questions, please let me know.


[Bug tools/23755] Multiple floating point exceptions in findtextrel.c in the eu-findtextrel binary of elfutils-0.174.

2018-10-10 Thread wcventure at 126 dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=23755

--- Comment #2 from wcventure  ---
Created attachment 11313
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11313&action=edit
POC3

Here is the POC3.
Please use "./eu-findtextrel $POC" to reproduce this bug. If you have any
questions, please let me know.


[Bug tools/23755] Multiple floating point exceptions in findtextrel.c in the eu-findtextrel binary of elfutils-0.174.

2018-10-10 Thread wcventure at 126 dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=23755

--- Comment #3 from wcventure  ---
I have also confirmed them with AddressSanitizer.
For example, ASan dumps the stack trace as follows:

ASAN:DEADLYSIGNAL
=
==8794==ERROR: AddressSanitizer: FPE on unknown address 0x00403810 (pc
0x00403810 bp 0x7fffca34e600 sp 0x7fffca34e050 T0)
#0 0x40380f in process_file /elfutils-0.174/src/findtextrel.c:418
#1 0x401c24 in main /elfutils-0.174/src/findtextrel.c:147
#2 0x7f74edb0082f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#3 0x401958 in _start (/elfutils-0.174/build/bin/eu-findtextrel+0x401958)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE
/mnt/c/wcventure/Fuzzing_Object/elfutils-0.174/src/findtextrel.c:418 in
process_file
==8794==ABORTING


[Bug tools/23755] Multiple floating point exceptions in findtextrel.c in the eu-findtextrel binary of elfutils-0.174.

2018-10-14 Thread wcventure at 126 dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=23755

--- Comment #5 from wcventure  ---
Thanks for paying attention to this problem and proposing to fix it in time.
This bug was discovered by NTU Cyber-Security-Lab, for fuzzing research work.


[Bug libdw/23753] Invalid Address Read problem in dwfl_segment_report_module.c when executing ./eu-stack --core=$POC

2018-10-14 Thread wcventure at 126 dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=23753

--- Comment #3 from wcventure  ---
Thanks for paying attention to this problem and proposing to fix it in time.
This bug was discovered by NTU Cyber-Security-Lab, for fuzzing research work.


[Bug tools/23754] NULL-Pointer dereference problem in function do_oper_extract in the eu-ar binaries

2018-10-14 Thread wcventure at 126 dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=23754

--- Comment #4 from wcventure  ---
Thanks for paying attention to this problem and proposing to fix it in time.
This bug was discovered by NTU Cyber-Security-Lab, for fuzzing research work.


[Bug libdw/23752] Invalid Address Read problem in dwfl_segment_report_module.c when executing ./eu-stack --core=$POC

2018-10-14 Thread wcventure at 126 dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=23752

--- Comment #4 from wcventure  ---
Thanks for paying attention to this problem and proposing to fix it in time.
This bug was discovered by NTU Cyber-Security-Lab, for fuzzing research work.


[Bug libdw/23782] New: Negative-size-param problem in dwfl_getmodules.c in libdw, please use the POC to reproduce this bug.

2018-10-16 Thread wcventure at 126 dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=23782

Bug ID: 23782
   Summary: Negative-size-param problem in dwfl_getmodules.c in
libdw, please use the POC to reproduce this bug.
   Product: elfutils
   Version: unspecified
Status: UNCONFIRMED
  Severity: normal
  Priority: P2
 Component: libdw
  Assignee: unassigned at sourceware dot org
  Reporter: wcventure at 126 dot com
CC: elfutils-devel at sourceware dot org
  Target Milestone: ---

Created attachment 11331
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11331&action=edit
POC1

Hi,

We are doing research on fuzz testing and our fuzzer caught a
negative-size-param problem in the latest elfutils (v0.174) code base. The
function dwfl_getmodules in the dwfl_getmodules.c library does not ensure a
non-negative size. Those inputs will cause the negative-size-param problem and a
segmentation fault. I have confirmed them with AddressSanitizer.

Please use "./eu-readelf $POC -w" to reproduce the bug. If you have any
questions, please let me know. Thank you.

ASan dumps the stack trace as follows:

==31028==ERROR: AddressSanitizer: negative-size-param: (size=-4)
#0 0x7ff2abbf4866  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x41866)
#1 0x4973ad in print_debug_frame_section
/media/hjwang/01D3344861A8D2E0/wcventure/Project/elfutils/src/readelf.c:6626
#2 0x4598f3 in print_debug
/media/hjwang/01D3344861A8D2E0/wcventure/Project/elfutils/src/readelf.c:11160
#3 0x45e00a in process_elf_file
/media/hjwang/01D3344861A8D2E0/wcventure/Project/elfutils/src/readelf.c:996
#4 0x45e00a in process_dwflmod
/media/hjwang/01D3344861A8D2E0/wcventure/Project/elfutils/src/readelf.c:760
#5 0x7ff2ab8be2f4 in dwfl_getmodules
/media/hjwang/01D3344861A8D2E0/wcventure/Project/elfutils/libdwfl/dwfl_getmodules.c:86
#6 0x40d055 in process_file
/media/hjwang/01D3344861A8D2E0/wcventure/Project/elfutils/src/readelf.c:868
#7 0x4058f1 in main
/media/hjwang/01D3344861A8D2E0/wcventure/Project/elfutils/src/readelf.c:350
#8 0x7ff2aaf4682f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#9 0x4064d8 in _start
(/media/hjwang/01D3344861A8D2E0/wcventure/Project/elfutils/build/bin/eu-readelf+0x4064d8)

Address 0x7ff2acca407d is a wild pointer.
SUMMARY: AddressSanitizer: negative-size-param
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0x41866)
==31028==ABORTING
Aborted

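Both this report (a negative size reaching a memory routine from print_debug_frame_section) and bug 23541 (dwarf_getaranges reading one byte past an 11-byte region) involve DWARF units whose declared length is never compared with the bytes actually present. The following is an added example, not elfutils code: a bounded reader for the initial-length field every DWARF unit starts with, and a .debug_aranges set-header parser built on it that refuses a unit whose fixed fields or tuple padding would extend past the unit end. The sample bytes are constructed for the example; note that an 11-byte buffer is one byte shorter than the 12 bytes a 32-bit aranges header occupies (4 + 2 + 4 + 1 + 1), which is what the second sample models.

```c
#include <stddef.h>
#include <stdint.h>

/* Little-endian loads; the example works on raw section bytes. */
static uint16_t rd16 (const unsigned char *p) { return (uint16_t) (p[0] | p[1] << 8); }
static uint32_t rd32 (const unsigned char *p)
{ return (uint32_t) p[0] | (uint32_t) p[1] << 8 | (uint32_t) p[2] << 16 | (uint32_t) p[3] << 24; }
static uint64_t rd64 (const unsigned char *p)
{ return (uint64_t) rd32 (p) | (uint64_t) rd32 (p + 4) << 32; }

/* Read the initial-length field every DWARF unit starts with (.debug_aranges
   set, .debug_frame CIE/FDE, ...).  0xffffffff announces 64-bit DWARF with an
   8-byte length following; 0xfffffff0..0xfffffffe are reserved.  The unit is
   accepted only if its whole body lies inside [p, end); otherwise a later
   "length minus bytes consumed" step can underflow into a negative size.
   Returns the field's own size (4 or 12), or 0 to reject. */
static size_t
read_initial_length (const unsigned char *p, const unsigned char *end,
                     uint64_t *length, int *offset_size)
{
  size_t avail = (size_t) (end - p);
  if (avail < 4)
    return 0;
  uint64_t len = rd32 (p);
  size_t n = 4;
  int os = 4;
  if (len == 0xffffffffu)
    {
      if (avail < 12)
        return 0;
      len = rd64 (p + 4);
      n = 12;
      os = 8;
    }
  else if (len >= 0xfffffff0u)
    return 0;
  if (len > avail - n)
    return 0;   /* the unit claims more bytes than the buffer holds */
  *length = len;
  *offset_size = os;
  return n;
}

struct aranges_hdr
{
  uint64_t unit_length; int offset_size; uint16_t version;
  uint64_t info_offset; uint8_t address_size; uint8_t segment_size;
};

/* Parse one .debug_aranges set header.  Returns how many (address, length)
   tuples the unit has room for, terminator included, or -1 when the unit is
   too short for its fixed fields or padding, or is malformed.  Segmented
   address tuples are not handled by this example. */
static int
aranges_parse (const unsigned char *p, const unsigned char *end,
               struct aranges_hdr *h)
{
  size_t n = read_initial_length (p, end, &h->unit_length, &h->offset_size);
  if (n == 0)
    return -1;
  const unsigned char *unit_end = p + n + h->unit_length;   /* <= end */
  const unsigned char *q = p + n;

  /* version (2) + debug_info_offset (4 or 8) + address_size (1) + segment_size (1) */
  size_t fixed = 2 + (size_t) h->offset_size + 2;
  if ((size_t) (unit_end - q) < fixed)
    return -1;
  h->version = rd16 (q);
  q += 2;
  h->info_offset = h->offset_size == 4 ? rd32 (q) : rd64 (q);
  q += h->offset_size;
  h->address_size = *q++;
  h->segment_size = *q++;
  if (h->version != 2 || (h->address_size != 4 && h->address_size != 8)
      || h->segment_size != 0)
    return -1;

  /* Tuples begin at a multiple of twice the address size, measured from the
     start of the set; the padding bytes must also lie inside the unit. */
  size_t align = 2 * (size_t) h->address_size;
  size_t pad = (align - (size_t) (q - p) % align) % align;
  if ((size_t) (unit_end - q) < pad)
    return -1;
  q += pad;
  return (int) ((size_t) (unit_end - q) / align);
}

/* Constructed 32-bit DWARF set: unit_length 44, version 2, info offset 0,
   8-byte addresses, 4 bytes of padding, one range [0x400000, +0x100) and
   the all-zero terminator tuple. */
static const unsigned char aranges_good[48] = {
  0x2c, 0, 0, 0,  2, 0,  0, 0, 0, 0,  8, 0,  0, 0, 0, 0,
  0, 0, 0x40, 0, 0, 0, 0, 0,  0, 1, 0, 0, 0, 0, 0, 0,
  0, 0, 0, 0, 0, 0, 0, 0,  0, 0, 0, 0, 0, 0, 0, 0
};
/* unit_length 7 with exactly 11 bytes present: the set ends one byte before
   its segment_size field, so the header must not be read. */
static const unsigned char aranges_short[11] = { 7, 0, 0, 0,  2, 0,  0, 0, 0, 0,  8 };
```

Calling aranges_parse on aranges_good yields 2 tuples (the range and its terminator); on aranges_short it yields -1 instead of reading the twelfth byte, and on aranges_good cut down to 30 bytes it yields -1 because the 44-byte unit length exceeds what is present.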

[Bug libdw/23782] Negative-size-param problem in dwfl_getmodules.c in libdw, please use the POC to reproduce this bug.

2018-10-16 Thread wcventure at 126 dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=23782

--- Comment #1 from wcventure  ---
Created attachment 11332
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11332&action=edit
POC2


[Bug libdw/23782] Negative-size-param problem in dwfl_getmodules.c in libdw, please use the POC to reproduce this bug.

2018-10-16 Thread wcventure at 126 dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=23782

--- Comment #2 from wcventure  ---
Created attachment 11333
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11333&action=edit
POC3


[Bug general/23786] Divide-by-zero Problem in function arlib_add_symbols() in arlib.c in elfutils-0.174

2018-10-17 Thread wcventure at 126 dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=23786

--- Comment #2 from wcventure  ---
Created attachment 11337
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11337&action=edit
POC2

Please use " ./eu-ranlib $POC " to reproduce this bug. This bug was discovered
by NTU Cyber-Security-Lab, for fuzzing research work. If you have any
questions, please let me know.


[Bug general/23786] New: Divide-by-zero Problem in function arlib_add_symbols() in arlib.c in elfutils-0.174

2018-10-17 Thread wcventure at 126 dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=23786

Bug ID: 23786
   Summary: Divide-by-zero Problem in function arlib_add_symbols()
in arlib.c in elfutils-0.174
   Product: elfutils
   Version: unspecified
Status: UNCONFIRMED
  Severity: critical
  Priority: P2
 Component: general
  Assignee: unassigned at sourceware dot org
  Reporter: wcventure at 126 dot com
CC: elfutils-devel at sourceware dot org
  Target Milestone: ---

Hi,

I found some floating point exceptions in function arlib_add_symbols() in
arlib.c of the latest elfutils-0.174 code base. I have confirmed them with GDB
and Address Sanitizer.

Here are the POC files. Please use " ./eu-ranlib $POC " to reproduce this bug.
I'll also show you the debugging process. It seems that this is caused by a
divide-by-zero.

In arlib.c:255, there exists a division calculation:

> int nsyms = shdr->sh_size / shdr->sh_entsize;

I can provide some test cases that make shdr->sh_entsize = 0, and you can use
them to reproduce the bug. Dividing by zero is bad; we need to make a check
before doing the division calculation.

--- Comment #1 from wcventure  ---
Created attachment 11336
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11336&action=edit
POC1

I have also confirmed them with Address Sanitizer.
The ASAN dumps the stack trace as follows:
ASAN:DEADLYSIGNAL
=
==2496==ERROR: AddressSanitizer: FPE on unknown address 0x004065d8 (pc
0x004065d8 bp 0x7ffd4c109620 sp 0x7ffd4c109550 T0)
#0 0x4065d7 in arlib_add_symbols
/media/hjwang/01D3344861A8D2E0/wcventure/Project/elfutils/src/arlib.c:255
#1 0x4029c5 in handle_file
/media/hjwang/01D3344861A8D2E0/wcventure/Project/elfutils/src/ranlib.c:193
#2 0x4029c5 in main
/media/hjwang/01D3344861A8D2E0/wcventure/Project/elfutils/src/ranlib.c:110
#3 0x7fc97b51982f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#4 0x403d28 in _start
(/media/hjwang/01D3344861A8D2E0/wcventure/Project/elfutils/build/bin/eu-ranlib+0x403d28)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE
/media/hjwang/01D3344861A8D2E0/wcventure/Project/elfutils/src/arlib.c:255 in
arlib_add_symbols
==2496==ABORTING
Aborted

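The division at arlib.c:255 quoted in the report runs with no guard on shdr->sh_entsize. As an added example (not elfutils code), the helper below performs the same sh_size / sh_entsize computation only after rejecting section headers that cannot describe a valid symbol table; the header values and the 24-byte ELF64 symbol size are constructed inputs, and symtab_entry_count is a hypothetical name.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Returns the number of entries in a symbol-table section, or -1 when the
   header is malformed. The two fields are passed as the 64-bit values that
   GElf_Shdr carries them in; min_entsize is the size of one symbol record
   (24 for Elf64_Sym, 16 for Elf32_Sym).
     - sh_entsize == 0         : would divide by zero (the SIGFPE in the report)
     - sh_entsize < min_entsize: entries too small to hold one symbol record
     - sh_size % sh_entsize    : table is truncated, last entry is partial
     - count > INT_MAX         : would not fit the `int nsyms` a caller stores */
long long
symtab_entry_count (uint64_t sh_size, uint64_t sh_entsize, uint64_t min_entsize)
{
  if (sh_entsize == 0)
    return -1;
  if (sh_entsize < min_entsize)
    return -1;
  if (sh_size % sh_entsize != 0)
    return -1;
  uint64_t count = sh_size / sh_entsize;
  if (count > INT_MAX)
    return -1;
  return (long long) count;
}

int
main (void)
{
  /* Constructed headers: a 3-entry ELF64 .symtab, the crafted header from the
     report with sh_entsize cleared, and a table two bytes short of a whole
     entry. */
  printf ("well-formed: %lld\n", symtab_entry_count (72, 24, 24));  /* 3 */
  printf ("entsize 0:   %lld\n", symtab_entry_count (72, 0, 24));   /* -1 */
  printf ("truncated:   %lld\n", symtab_entry_count (70, 24, 24));  /* -1 */
  return 0;
}
```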

[Bug libelf/23787] New: Invalid Address Dereference problem in function elf_end in libelf the latest elfutils-0.174

2018-10-17 Thread wcventure at 126 dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=23787

Bug ID: 23787
   Summary: Invalid Address Dereference problem in function elf_end
in libelf the latest elfutils-0.174
   Product: elfutils
   Version: unspecified
Status: UNCONFIRMED
  Severity: normal
  Priority: P2
 Component: libelf
  Assignee: unassigned at sourceware dot org
  Reporter: wcventure at 126 dot com
CC: elfutils-devel at sourceware dot org
  Target Milestone: ---

Created attachment 11338
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11338&action=edit
POC1

Hi,

Our fuzzer found an invalid address dereference problem in function elf_end in
libelf in the latest elfutils-0.174 code base. I have confirmed it with Address
Sanitizer, too.

The function elf_end is called by size.c. Here are the POC files. Please use "
./eu-size $POC " to reproduce this bug. 

The ASAN dumps the stack trace as follows:
ASAN:DEADLYSIGNAL
=
==21938==ERROR: AddressSanitizer: SEGV on unknown address 0x0010 (pc
0x7f1a0efb3cd6 bp 0x7ffd04b5dc40 sp 0x7ffd04b5db50 T0)
==21938==The signal is caused by a READ memory access.
==21938==Hint: address points to the zero page.
#0 0x7f1a0efb3cd5 in elf_end (/usr/lib/x86_64-linux-gnu/libelf.so.1+0x4cd5)
#1 0x405aa2 in handle_ar
/media/hjwang/01D3344861A8D2E0/wcventure/Project/elfutils/src/size.c:373
#2 0x401c7a in process_file
/media/hjwang/01D3344861A8D2E0/wcventure/Project/elfutils/src/size.c:294
#3 0x401c7a in main
/media/hjwang/01D3344861A8D2E0/wcventure/Project/elfutils/src/size.c:186
#4 0x7f1a0ec0582f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#5 0x4029f8 in _start
(/media/hjwang/01D3344861A8D2E0/wcventure/Project/elfutils/build/bin/eu-size+0x4029f8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/usr/lib/x86_64-linux-gnu/libelf.so.1+0x4cd5)
in elf_end
==21938==ABORTING
Aborted


[Bug libelf/23787] Invalid Address Dereference problem in function elf_end in libelf the latest elfutils-0.174

2018-10-17 Thread wcventure at 126 dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=23787

--- Comment #1 from wcventure  ---
Created attachment 11339
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11339&action=edit
POC2

Please use " ./eu-size $POC " to reproduce this bug. 

This bug was discovered by NTU Cyber-Security-Lab, for fuzzing research work.
If you have any questions, please let me know.


[Bug backends/24075] New: Program Crash due to Wild pointer Dereference in ebl_object_note function in eblobjnote.c in libebl.

2019-01-09 Thread wcventure at 126 dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24075

Bug ID: 24075
   Summary: Program Crash due to Wild pointer Dereference in
ebl_object_note function in eblobjnote.c in libebl.
   Product: elfutils
   Version: unspecified
Status: UNCONFIRMED
  Severity: normal
  Priority: P2
 Component: backends
  Assignee: unassigned at sourceware dot org
  Reporter: wcventure at 126 dot com
CC: elfutils-devel at sourceware dot org
  Target Milestone: ---

Created attachment 11523
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11523&action=edit
POC1

Hi there,

Our fuzzer caught a pointer dereference problem in eu-readelf of the latest
elfutils-0.174 code base. These inputs will cause segmentation faults, and I have
confirmed them with Address Sanitizer too. Please use "./eu-readelf -a $POC" to
reproduce the bug. If you have any questions, please let me know.

This problem is in the code as follows; it seems like a use-after-free problem.

> size_t i;
> for (i = 0; i < prop.pr_datasz - 1; i++)
>   printf ("%02" PRIx8 " ", (uint8_t) desc[i]);

git log

> commit 1dabad36ee28aa76b8cf14b6426b379cabee6def
> Author: Jim Wilson 
> Date:   Thu Dec 27 15:25:49 2018 -0800
> 
> RISC-V: Improve riscv64 core file support.
> 
> This fixes two problems.  The offset for x1 is changed from 1 to 8 because
> this is a byte offset not a register skip count.  Support for reading the
> PC value is added.  This requires changing the testsuite to match the new
> readelf output for coredumps.
> 
> Signed-off-by: Jim Wilson 


[Bug backends/24075] Program Crash due to Wild pointer Dereference in ebl_object_note function in eblobjnote.c in libebl.

2019-01-09 Thread wcventure at 126 dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24075

--- Comment #1 from wcventure  ---
Created attachment 11524
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11524&action=edit
POC2

The ASAN dumps the stack trace as follows:

> =
> ==20499==ERROR: AddressSanitizer: unknown-crash on address 0x7f908068e000 at 
> pc 0x00577730 bp 0x7ffd5103ba10 sp 0x7ffd5103ba00
> READ of size 1 at 0x7f908068e000 thread T0
> #0 0x57772f in ebl_object_note /elfutils/libebl/eblobjnote.c:488
> #1 0x4a06f3 in handle_notes_data /elfutils/src/readelf.c:12251
> #2 0x4c5b47 in handle_notes /elfutils/src/readelf.c:12315
> #3 0x4c5b47 in process_elf_file /elfutils/src/readelf.c:1000
> #4 0x4c5b47 in process_dwflmod /elfutils/src/readelf.c:760
> #5 0x7f907f1e9e9c in dwfl_getmodules 
> /elfutils/libdwfl/dwfl_getmodules.c:86
> #6 0x41399c in process_file /elfutils/src/readelf.c:868
> #7 0x405df6 in main /elfutils/src/readelf.c:350
> #8 0x7f907e6ff82f in __libc_start_main 
> (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
> #9 0x406ef8 in _start (/elfutils/build/bin/eu-readelf+0x406ef8)
> 
> Address 0x7f908068e000 is a wild pointer.
> SUMMARY: AddressSanitizer: unknown-crash /elfutils/libebl/eblobjnote.c:488 in 
> ebl_object_note
> Shadow bytes around the buggy address:
> ==20499==ABORTING


[Bug libelf/24081] New: Use-After-free Problem in elf32_xlatetom function in libelf

2019-01-10 Thread wcventure at 126 dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24081

Bug ID: 24081
   Summary: Use-After-free Problem in elf32_xlatetom function in
libelf
   Product: elfutils
   Version: unspecified
Status: UNCONFIRMED
  Severity: normal
  Priority: P2
 Component: libelf
  Assignee: unassigned at sourceware dot org
  Reporter: wcventure at 126 dot com
CC: elfutils-devel at sourceware dot org
  Target Milestone: ---

Created attachment 11527
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11527&action=edit
POC1

Hi there,

Our fuzzer caught a use-after-free problem in eu-readelf of the latest
elfutils-0.174 code base when calling memmove in the elf32_xlatetom function in
libelf. These inputs will cause segmentation faults, and I have confirmed them
with Address Sanitizer too.

Please use "./eu-readelf -a $POC" to reproduce the bug. If you have any
questions, please let me know.

git log

> commit 1dabad36ee28aa76b8cf14b6426b379cabee6def
> Author: Jim Wilson 
> Date:   Thu Dec 27 15:25:49 2018 -0800
> 
> RISC-V: Improve riscv64 core file support.
> 
> This fixes two problems.  The offset for x1 is changed from 1 to 8 because
> this is a byte offset not a register skip count.  Support for reading the
> PC value is added.  This requires changing the testsuite to match the new
> readelf output for coredumps.
> 
> Signed-off-by: Jim Wilson 


The ASAN dumps the stack trace as follows:

> ==7822==ERROR: AddressSanitizer: unknown-crash on address 0x7f773670a000 at 
> pc 0x7f7735694e2b bp 0x7ffcba3c16a0 sp 0x7ffcba3c0e48
> READ of size 8 at 0x7f773670a000 thread T0
> #0 0x7f7735694e2a in memmove 
> (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x7ae2a)
> #1 0x7f7734d5a9bb in memmove 
> /usr/include/x86_64-linux-gnu/bits/string3.h:59
> #2 0x7f7734d5a9bb in elf32_xlatetom /elfutils/libelf/elf32_xlatetom.c:100
> #3 0x56d6b8 in ebl_object_note /elfutils/libebl/eblobjnote.c:342
> #4 0x4a06f3 in handle_notes_data /elfutils/src/readelf.c:12251
> #5 0x4c5b47 in handle_notes /elfutils/src/readelf.c:12315
> #6 0x4c5b47 in process_elf_file /elfutils/src/readelf.c:1000
> #7 0x4c5b47 in process_dwflmod /elfutils/src/readelf.c:760
> #8 0x7f7735265e9c in dwfl_getmodules 
> /elfutils/libdwfl/dwfl_getmodules.c:86
> #9 0x41399c in process_file /elfutils/src/readelf.c:868
> #10 0x405df6 in main /elfutils/src/readelf.c:350
> #11 0x7f773477b82f in __libc_start_main 
> (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
> #12 0x406ef8 in _start (/elfutils/build/bin/eu-readelf+0x406ef8)
> 
> Address 0x7f773670a000 is a wild pointer.
> SUMMARY: AddressSanitizer: unknown-crash 
> (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x7ae2a) in memmove
> Shadow bytes around the buggy address:
> ==7822==ABORTING


[Bug libelf/24081] Use-After-free Problem in elf32_xlatetom function in libelf

2019-01-10 Thread wcventure at 126 dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24081

--- Comment #1 from wcventure  ---
Created attachment 11528
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11528&action=edit
POC2


[Bug backends/24084] New: Negative-size-param when when calling memcpy function in elf_cvt_note function in libelf the latest elfutils-0.174 code base, this inputs will cause the segment faults and I

2019-01-10 Thread wcventure at 126 dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24084

Bug ID: 24084
   Summary: Negative-size-param when when calling memcpy function
in elf_cvt_note function in libelf the latest
elfutils-0.174 code base, this inputs will cause the
segment faults and I have confirmed them with address
sanitizer too.   Please use the ".//eu-elflint -
   Product: elfutils
   Version: unspecified
Status: UNCONFIRMED
  Severity: normal
  Priority: P2
 Component: backends
  Assignee: unassigned at sourceware dot org
  Reporter: wcventure at 126 dot com
CC: elfutils-devel at sourceware dot org
  Target Milestone: ---

Created attachment 11530
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11530&action=edit
POC

Hi there,

Negative-size-param when calling the memcpy function in the elf_cvt_note function in
libelf in the latest elfutils-0.174 code base. These inputs will cause segmentation
faults, and I have confirmed them with Address Sanitizer too.

Please use ".//eu-elflint -d $POC" to reproduce the bug. If you have any
questions, please let me know.

git log

> commit 1dabad36ee28aa76b8cf14b6426b379cabee6def
> Author: Jim Wilson 
> Date:   Thu Dec 27 15:25:49 2018 -0800
> 
> RISC-V: Improve riscv64 core file support.
> 
> This fixes two problems.  The offset for x1 is changed from 1 to 8 because
> this is a byte offset not a register skip count.  Support for reading the
> PC value is added.  This requires changing the testsuite to match the new
> readelf output for coredumps.
> 
> Signed-off-by: Jim Wilson 

The ASAN dumps the stack trace as follows:

> =
> ==24780==ERROR: AddressSanitizer: negative-size-param: (size=-4)
> #0 0x7f23f4234853  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79853)
> #1 0x7f23f3edaa2c in memcpy 
> /usr/include/x86_64-linux-gnu/bits/string3.h:53
> #2 0x7f23f3edaa2c in elf_cvt_note /elfutils/libelf/note_xlate.h:63
> #3 0x7f23f3edaa2c in elf_cvt_note4 /elfutils/libelf/note_xlate.h:79
> #4 0x7f23f3f2ed30 in convert_data /elfutils/libelf/elf_getdata.c:204
> #5 0x7f23f3f2ed30 in __libelf_set_data_list_rdlock 
> /elfutils/libelf/elf_getdata.c:447
> #6 0x7f23f3f301bf in __elf_getdata_rdlock 
> /elfutils/libelf/elf_getdata.c:554
> #7 0x469a22 in check_note_section /elfutils/src/elflint.c:4428
> #8 0x469a22 in check_sections /elfutils/src/elflint.c:4182
> #9 0x47a222 in process_elf_file /elfutils/src/elflint.c:4774
> #10 0x47a222 in process_file /elfutils/src/elflint.c:242
> #11 0x4030d5 in main /elfutils/src/elflint.c:175
> #12 0x7f23f38d182f in __libc_start_main 
> (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
> #13 0x404718 in _start (/elfutils/build/bin/eu-elflint+0x404718)
> 
> Address 0x7f23f52b3b30 is a wild pointer.
> SUMMARY: AddressSanitizer: negative-size-param 
> (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79853)
> ==24780==ABORTING

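The loop bound prop.pr_datasz - 1 quoted in bug 24075 and the negative memcpy size in elf_cvt_note from bug 24084 both come down to size checks on ELF note data. As an added example (not elfutils code), the two helpers below validate note lengths in 64-bit arithmetic before anything is copied and walk a GNU property descriptor with a bound of pr_datasz itself; the note bytes are constructed little-endian samples, and count_notes, property_data_bytes, rd32 and pad are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* ELF note header: three 32-bit words (namesz, descsz, type), 12 bytes in
   both ELF classes, followed by name and desc each padded to 4 bytes. A GNU
   property entry is { uint32 pr_type; uint32 pr_datasz; data[pr_datasz]; }
   padded to 8 on ELF64 and 4 on ELF32. */
enum { NHDR_SIZE = 12, NOTE_ALIGN = 4, PROP_HDR_SIZE = 8 };

/* The constructed samples below are little-endian; a real reader would take
   the byte order from the ELF header. */
static uint32_t
rd32 (const uint8_t *p)
{
  return (uint32_t) p[0] | (uint32_t) p[1] << 8
         | (uint32_t) p[2] << 16 | (uint32_t) p[3] << 24;
}

/* Round up in 64-bit space so a namesz or descsz near UINT32_MAX cannot wrap
   back to a small value the way the same sum would in 32 bits. */
static uint64_t
pad (uint64_t v, uint64_t align)
{
  return (v + align - 1) & ~(align - 1);
}

/* Counts the notes in buf[0..len). Returns -1 at the first note whose padded
   name + desc would run past the buffer; copying "what is left" after such a
   note is how a memcpy ends up with a negative size. */
int
count_notes (const uint8_t *buf, size_t len)
{
  size_t off = 0;
  int n = 0;
  while (off < len)
    {
      if (len - off < NHDR_SIZE)            /* truncated header */
        return -1;
      uint64_t namesz = rd32 (buf + off);
      uint64_t descsz = rd32 (buf + off + 4);
      uint64_t note_len = NHDR_SIZE + pad (namesz, NOTE_ALIGN)
                          + pad (descsz, NOTE_ALIGN);
      if (note_len > len - off)             /* claims more than remains */
        return -1;
      off += (size_t) note_len;
      n++;
    }
  return n;
}

/* Walks a .note.gnu.property descriptor and returns the number of data bytes
   a dumper would print, or -1 if an entry's pr_datasz exceeds what is left.
   pr_datasz == 0 is valid and prints nothing; `i < pr_datasz - 1` on an
   unsigned zero would instead run up to UINT32_MAX and read past desc. */
long
property_data_bytes (const uint8_t *desc, size_t descsz, size_t align)
{
  size_t off = 0;
  long total = 0;
  while (off < descsz)
    {
      if (descsz - off < PROP_HDR_SIZE)
        return -1;
      uint32_t datasz = rd32 (desc + off + 4);
      off += PROP_HDR_SIZE;
      if (datasz > descsz - off)            /* data runs past desc */
        return -1;
      for (uint32_t i = 0; i < datasz; i++) /* bound is datasz, never datasz - 1 */
        total++;                            /* a dumper prints desc[off + i] here */
      uint64_t step = pad (datasz, align);
      if (step >= descsz - off)             /* last entry may be unpadded */
        break;
      off += (size_t) step;
    }
  return total;
}

/* Constructed sample: one "GNU" note of type NT_GNU_PROPERTY_TYPE_0 (5) with a
   24-byte descriptor: a 4-byte GNU_PROPERTY_X86_FEATURE_1_AND entry padded to
   8, then an entry with pr_datasz 0. */
static const uint8_t SAMPLE_NOTE[] = {
  4, 0, 0, 0,  24, 0, 0, 0,  5, 0, 0, 0,  'G', 'N', 'U', 0,
  0x02, 0x00, 0x00, 0xc0,  4, 0, 0, 0,  0x01, 0, 0, 0,  0, 0, 0, 0,
  0x03, 0x00, 0x00, 0xc0,  0, 0, 0, 0,
};
/* Same header with descsz overwritten to 0xffffffff and no body. */
static const uint8_t CRAFTED_NOTE[] = {
  4, 0, 0, 0,  0xff, 0xff, 0xff, 0xff,  5, 0, 0, 0,  'G', 'N', 'U', 0,
};

int
main (void)
{
  printf ("sample notes:   %d\n", count_notes (SAMPLE_NOTE, sizeof SAMPLE_NOTE));   /* 1 */
  printf ("crafted notes:  %d\n", count_notes (CRAFTED_NOTE, sizeof CRAFTED_NOTE)); /* -1 */
  printf ("property bytes: %ld\n", property_data_bytes (SAMPLE_NOTE + 16, 24, 8));  /* 4 */
  return 0;
}
```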

[Bug backends/24084] Negative-size-param when when calling memcpy function in elf_cvt_note function in libelf

2019-01-10 Thread wcventure at 126 dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24084

wcventure  changed:

   What|Removed |Added

Summary|Negative-size-param when|Negative-size-param when
   |when calling memcpy |when calling memcpy
   |function in elf_cvt_note|function in elf_cvt_note
   |function in libelf the  |function in libelf
   |latest elfutils-0.174 code  |
   |base, this inputs will  |
   |cause the segment faults|
   |and I have confirmed them   |
   |with address sanitizer too. |
   |  Please use the|
   |".//eu-elflint -|


[Bug libelf/24085] New: An Out of Memory problem was discovered in function read_long_names in elf_begin.c in libelf

2019-01-10 Thread wcventure at 126 dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24085

Bug ID: 24085
   Summary: An Out of Memory problem was discovered in function
read_long_names in elf_begin.c in libelf
   Product: elfutils
   Version: unspecified
Status: UNCONFIRMED
  Severity: normal
  Priority: P2
 Component: libelf
  Assignee: unassigned at sourceware dot org
  Reporter: wcventure at 126 dot com
CC: elfutils-devel at sourceware dot org
  Target Milestone: ---

Created attachment 11531
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11531&action=edit
POC

Hi, there.

We tested the program on the master branch. An out-of-memory problem was
discovered in the function read_long_names in elf_begin.c in libelf. The program
tries to allocate a large amount of memory (44454912 bytes).

$git log

> commit 1dabad36ee28aa76b8cf14b6426b379cabee6def
> Author: Jim Wilson 
> Date:   Thu Dec 27 15:25:49 2018 -0800
> 
> RISC-V: Improve riscv64 core file support.
> 
> This fixes two problems.  The offset for x1 is changed from 1 to 8 because
> this is a byte offset not a register skip count.  Support for reading the
> PC value is added.  This requires changing the testsuite to match the new
> readelf output for coredumps.
> 
> Signed-off-by: Jim Wilson 

The ASAN dumps the stack trace as follows:

> ==10165==ERROR: AddressSanitizer failed to allocate 0x677af43000 
> (44454912) bytes of LargeMmapAllocator (error code: 12)
> ==10165==Process memory map follows:

[Bug libelf/24085] An Out of Memory problem was discovered in function read_long_names in elf_begin.c in libelf

2019-01-10 Thread wcventure at 126 dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24085

--- Comment #1 from wcventure  ---
Please use the "./eu-ar -tv $POC" to reproduce the bug. If you have any
questions, please let me know.


[Bug general/24086] New: Multiple memory leak issues were discovered in libelf and libdwelf

2019-01-10 Thread wcventure at 126 dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24086

Bug ID: 24086
   Summary: Multiple memory leak issues were discovered in
libelf and libdwelf
   Product: elfutils
   Version: unspecified
Status: UNCONFIRMED
  Severity: normal
  Priority: P2
 Component: general
  Assignee: unassigned at sourceware dot org
  Reporter: wcventure at 126 dot com
CC: elfutils-devel at sourceware dot org
  Target Milestone: ---

Created attachment 11532
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11532&action=edit
POC

Hi there, 
We have discovered many memory leaks in libelf and libdwelf. Multiple memory
leak issues were discovered in libelf and libdwelf, as distributed in Elfutils
0.174.
There are many heap allocations, but these heap allocations are not deallocated
in the end.

Please use the "./eu-strip $POC" to reproduce the bug.


The ASAN dumps the stack trace as follows:

> =
> ==22066==ERROR: LeakSanitizer: detected memory leaks
> 
> Direct leak of 6712 byte(s) in 1 object(s) allocated from:
> #0 0x7f3aeabb6d78 in __interceptor_calloc 
> (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded78)
> #1 0x7f3aea8b5a38 in allocate_elf 
> /home/wencheng/Experiment/elfutils/libelf/common.h:74
> #2 0x7f3aea8b5a38 in elf_clone 
> /home/wencheng/Experiment/elfutils/libelf/elf_clone.c:56
> 
> Direct leak of 96 byte(s) in 1 object(s) allocated from:
> #0 0x7f3aeabb6d78 in __interceptor_calloc 
> (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded78)
> #1 0x7f3aea39b1b2 in dwelf_strtab_init 
> /home/wencheng/Experiment/elfutils/libdwelf/dwelf_strtab.c:94
> #2 0x44406d in process_file 
> /home/wencheng/Experiment/elfutils/src/strip.c:769
> 
> Indirect leak of 4080 byte(s) in 1 object(s) allocated from:
> #0 0x7f3aeabb6b90 in __interceptor_malloc 
> (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb90)
> #1 0x7f3aea39a787 in morememory 
> /home/wencheng/Experiment/elfutils/libdwelf/dwelf_strtab.c:120
> #2 0x7f3aea39a787 in newstring 
> /home/wencheng/Experiment/elfutils/libdwelf/dwelf_strtab.c:161
> #3 0x7f3aea39a787 in strtab_add 
> /home/wencheng/Experiment/elfutils/libdwelf/dwelf_strtab.c:221
> 
> Indirect leak of 1120 byte(s) in 28 object(s) allocated from:
> #0 0x7f3aeabb6d78 in __interceptor_calloc 
> (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded78)
> #1 0x7f3aea82ab3e in elf_newscn 
> /home/wencheng/Experiment/elfutils/libelf/elf_newscn.c:125
> 
> Indirect leak of 288 byte(s) in 1 object(s) allocated from:
> #0 0x7f3aeabb6f80 in realloc 
> (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdef80)
> #1 0x7f3aea812223 in elf32_newphdr 
> /home/wencheng/Experiment/elfutils/libelf/elf32_newphdr.c:134
> 
> Indirect leak of 240 byte(s) in 1 object(s) allocated from:
> #0 0x7f3aeabb6b90 in __interceptor_malloc 
> (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb90)
> #1 0x7f3aea39bd0c in dwelf_strtab_finalize 
> /home/wencheng/Experiment/elfutils/libdwelf/dwelf_strtab.c:322
> #2 0x7f3aea56c2bf  
> (/home/wencheng/Experiment/elfutils/build/lib/libdw.so.1+0x3852bf)
> 
> SUMMARY: AddressSanitizer: 12536 byte(s) leaked in 33 allocation(s).


[Bug libelf/24089] New: A Heap-buffer-overflow problem was discovered in the function elf32_xlatetom in elf32_xlatetom.c in libelf

2019-01-12 Thread wcventure at 126 dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24089

Bug ID: 24089
   Summary: A Heap-buffer-overflow problem was discovered in the
function elf32_xlatetom in elf32_xlatetom.c in libelf
   Product: elfutils
   Version: unspecified
Status: UNCONFIRMED
  Severity: normal
  Priority: P2
 Component: libelf
  Assignee: unassigned at sourceware dot org
  Reporter: wcventure at 126 dot com
CC: elfutils-devel at sourceware dot org
  Target Milestone: ---

Created attachment 11534
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11534&action=edit
POC1

Hi, 

A Heap-buffer-overflow problem was discovered in the function elf32_xlatetom in
elf32_xlatetom.c in libelf, as distributed in ELFutils 0.147. A crafted ELF
input can cause segmentation faults, and I have confirmed them with Address
Sanitizer too.

Here are the POC files. Please use "./eu-readelf -a $POC" to reproduce the
error.

$ git log

> commit 1dabad36ee28aa76b8cf14b6426b379cabee6def
> Author: Jim Wilson 
> Date:   Thu Dec 27 15:25:49 2018 -0800
> 
> RISC-V: Improve riscv64 core file support.
> 
> This fixes two problems.  The offset for x1 is changed from 1 to 8 because
> this is a byte offset not a register skip count.  Support for reading the
> PC value is added.  This requires changing the testsuite to match the new
> readelf output for coredumps.
> 
> Signed-off-by: Jim Wilson 

The ASAN dumps the stack trace as follows:

> =
> ==26819==ERROR: AddressSanitizer: heap-buffer-overflow on address 
> 0x603000b4 at pc 0x7f07b3e4ee2b bp 0x7ffe3ddce530 sp 0x7ffe3ddcdcd8
> READ of size 1 at 0x603000b4 thread T0
> #0 0x7f07b3e4ee2a in memmove 
> (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x7ae2a)
> #1 0x7f07b351469c in elf32_xlatetom 
> /home/wencheng/Experiment/elfutils/libelf/elf32_xlatetom.c:116
> #2 0x410e3c in convert 
> /home/wencheng/Experiment/elfutils/src/readelf.c:11305
> #3 0x436e64 in handle_core_item 
> /home/wencheng/Experiment/elfutils/src/readelf.c:11359
> #4 0x4447d4 in handle_core_items 
> /home/wencheng/Experiment/elfutils/src/readelf.c:11641
> #5 0x4447d4 in handle_core_note 
> /home/wencheng/Experiment/elfutils/src/readelf.c:12164
> #6 0x4a006c in handle_notes_data 
> /home/wencheng/Experiment/elfutils/src/readelf.c:12248
> #7 0x4c5b47 in handle_notes 
> /home/wencheng/Experiment/elfutils/src/readelf.c:12315
> #8 0x4c5b47 in process_elf_file 
> /home/wencheng/Experiment/elfutils/src/readelf.c:1000
> #9 0x4c5b47 in process_dwflmod 
> /home/wencheng/Experiment/elfutils/src/readelf.c:760
> #10 0x7f07b3a1fe9c in dwfl_getmodules 
> /home/wencheng/Experiment/elfutils/libdwfl/dwfl_getmodules.c:86
> #11 0x41399c in process_file 
> /home/wencheng/Experiment/elfutils/src/readelf.c:868
> #12 0x405df6 in main /home/wencheng/Experiment/elfutils/src/readelf.c:350
> #13 0x7f07b2f3582f in __libc_start_main 
> (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
> #14 0x406ef8 in _start 
> (/home/wencheng/Experiment/elfutils/build/bin/eu-readelf+0x406ef8)
> 
> 0x603000b4 is located 0 bytes to the right of 20-byte region 
> [0x603000a0,0x603000b4)
> allocated by thread T0 here:
> #0 0x7f07b3eb2b90 in __interceptor_malloc 
> (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb90)
> #1 0x7f07b3597080 in elf_getdata_rawchunk 
> /home/wencheng/Experiment/elfutils/libelf/elf_getdata_rawchunk.c:88
> 
> SUMMARY: AddressSanitizer: heap-buffer-overflow 
> (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x7ae2a) in memmove
> Shadow bytes around the buggy address:

[Bug libelf/24089] A Heap-buffer-overflow problem was discovered in the function elf32_xlatetom in elf32_xlatetom.c in libelf

2019-01-12 Thread wcventure at 126 dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24089

--- Comment #1 from wcventure  ---
Created attachment 11535
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11535&action=edit
POC2


[Bug backends/24102] New: A Heap-buffer-overflow problem was discovered in the function read_srclines in dwarf_getsrclines.c in libdw

2019-01-18 Thread wcventure at 126 dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24102

Bug ID: 24102
   Summary: A Heap-buffer-overflow problem was discovered in the
function read_srclines in dwarf_getsrclines.c in libdw
   Product: elfutils
   Version: unspecified
Status: UNCONFIRMED
  Severity: normal
  Priority: P2
 Component: backends
  Assignee: unassigned at sourceware dot org
  Reporter: wcventure at 126 dot com
CC: elfutils-devel at sourceware dot org
  Target Milestone: ---

Created attachment 11542
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11542&action=edit
POC1

Hi, 

A Heap-buffer-overflow problem was discovered in the function read_srclines in
dwarf_getsrclines.c in libdw, as distributed in ELFutils 0.175. A crafted ELF
input can cause segmentation faults, and I have confirmed them with Address
Sanitizer too.

Here are the POC files. Please use "./eu-nm -C $POC" to reproduce the error.

$git log

> commit e65d91d21cb09d83b001fef9435e576ba447db32
> Author: Mark Wielaard 
> Date:   Wed Jan 16 12:25:57 2019 +0100
> 
> libelf: Correct overflow check in note_xlate.
> 
> We want to make sure the note_len doesn't overflow and becomes shorter
> than the note header. But the namesz and descsz checks got the note header
> size wrong). Replace the wrong constant (8) with a sizeof cvt_Nhdr (12).
> 
> https://sourceware.org/bugzilla/show_bug.cgi?id=24084
> 
> Signed-off-by: Mark Wielaard 

The ASAN dumps the stack trace as follows:

> =
> ==17493==ERROR: AddressSanitizer: heap-buffer-overflow on address 
> 0x610003fc at pc 0x7fa8ef1fc077 bp 0x7ffebd93 sp 0x7ffebd92fff0
> READ of size 1 at 0x610003fc thread T0
> #0 0x7fa8ef1fc076 in read_srclines /elfutils/libdw/dwarf_getsrclines.c:474
> #1 0x7fa8ef1fd149 in __libdw_getsrclines 
> /elfutils/libdw/dwarf_getsrclines.c:1118
> #2 0x7fa8ef1fdefc in dwarf_getsrclines 
> /elfutils/libdw/dwarf_getsrclines.c:1208
> #3 0x7fa8ef20a146 in dwarf_getsrcfiles 
> /elfutils/libdw/dwarf_getsrcfiles.c:92
> #4 0x407f71 in get_local_names /elfutils/src/nm.c:644
> #5 0x407f71 in show_symbols /elfutils/src/nm.c:1285
> #6 0x40ef63 in handle_elf /elfutils/src/nm.c:1578
> #7 0x403964 in process_file /elfutils/src/nm.c:374
> #8 0x403964 in main /elfutils/src/nm.c:249
> #9 0x7fa8ee5a282f in __libc_start_main 
> (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
> #10 0x404608 in _start (/elfutils/build/bin/eu-nm+0x404608)
> 
> 0x610003fc is located 0 bytes to the right of 188-byte region 
> [0x61000340,0x610003fc)
> allocated by thread T0 here:
> #0 0x7fa8ef682b90 in __interceptor_malloc 
> (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb90)
> #1 0x7fa8eef3a08f in convert_data /elfutils/libelf/elf_getdata.c:157
> #2 0x7fa8eef3a08f in __libelf_set_data_list_rdlock 
> /elfutils/libelf/elf_getdata.c:447
> 
> SUMMARY: AddressSanitizer: heap-buffer-overflow 
> /elfutils/libdw/dwarf_getsrclines.c:474 in read_srclines
> Shadow bytes around the buggy address:
>   0x0c207fff8020: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
>   0x0c207fff8030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c207fff8040: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
>   0x0c207fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c207fff8060: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
> =>0x0c207fff8070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[04]
>   0x0c207fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c207fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c207fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c207fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c207fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:   00
>   Partially addressable: 01 02 03 04 05 06 07 
>   Heap left redzone:   fa
>   Freed heap region:   fd
>   Stack left redzone:  f1
>   Stack mid redzone:   f2
>   Stack right redzone: f3
>   Stack after return:  f5
>   Stack use after scope:   f8
>   Global redzone:  f9
>   Global init order:   f6
>   Poisoned by user:f7
>   Container overflow:  fc
>   Array cookie:ac
>   Intra object redzone:bb
>   ASan internal:   fe
>   Left alloca redzone: ca
>   Right alloca redzone:cb
> ==17493==ABORTING


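An added example, not elfutils' code and not part of the report above: the overflow check described in the quoted commit message for bug 24084, written out in C. The 12-byte note header, the 4-byte padding of name and descriptor, and the constants 8 and 12 come from that message; the shape of the pre-fix check is an assumed model for illustration, not the actual elfutils source.

```c
/* Added example, not elfutils' code: validating the declared lengths of
   an ELF note before walking it.  An Elf32_Nhdr/Elf64_Nhdr is three
   32-bit fields (12 bytes); name and descriptor are each padded to 4. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define NOTE_HDR_SIZE 12u   /* sizeof (Elf32_Nhdr): the right constant, not 8 */

/* Round v up to a multiple of 4; false if that would wrap a size_t. */
static bool align4 (size_t v, size_t *out)
{
  if (v > SIZE_MAX - 3)
    return false;
  *out = (v + 3) & ~(size_t) 3;
  return true;
}

/* Total on-disk length of one note (header + padded name + padded desc),
   or 0 if the declared sizes overflow or the note does not fit in the
   'avail' bytes left in the section.  Each addition is checked against
   the remaining space first, so the running length can never wrap. */
size_t checked_note_len (uint32_t n_namesz, uint32_t n_descsz, size_t avail)
{
  size_t namesz, descsz;
  if (avail < NOTE_HDR_SIZE)
    return 0;
  if (!align4 (n_namesz, &namesz) || !align4 (n_descsz, &descsz))
    return 0;
  size_t len = NOTE_HDR_SIZE;
  if (namesz > avail - len)
    return 0;
  len += namesz;
  if (descsz > avail - len)
    return 0;
  len += descsz;
  return len;
}

/* Assumed model of the pre-fix logic the commit message describes:
   32-bit wrapping arithmetic plus a "shorter than the header" test with
   a caller-supplied minimum (8 = the wrong constant, 12 = the header).
   Returns true when such a check would have ACCEPTED the note.  This is
   a constructed illustration, not the actual elfutils code. */
bool wrapping_check_accepts (uint32_t n_namesz, uint32_t n_descsz,
                             uint32_t avail, uint32_t min_len)
{
  uint32_t note_len = NOTE_HDR_SIZE;
  note_len += n_namesz;                  /* can wrap around */
  note_len = (note_len + 3) & ~3u;
  if (note_len > avail || note_len < min_len)
    return false;
  note_len += n_descsz;                  /* can wrap around */
  note_len = (note_len + 3) & ~3u;
  if (note_len > avail || note_len < min_len)
    return false;
  return true;
}
```

With n_namesz = 0xfffffffc the 32-bit running length wraps to exactly 8, which a `< 8` test lets through but a `< 12` test rejects; the size_t version rejects it outright because the padded name cannot fit in the space left.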
[Bug backends/24102] A Heap-buffer-overflow problem was discovered in the function read_srclines in dwarf_getsrclines.c in libdw

2019-01-18 Thread wcventure at 126 dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24102

--- Comment #2 from wcventure  ---
Created attachment 11544
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11544&action=edit
POC3

[Bug backends/24102] A Heap-buffer-overflow problem was discovered in the function read_srclines in dwarf_getsrclines.c in libdw

2019-01-18 Thread wcventure at 126 dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24102

--- Comment #1 from wcventure  ---
Created attachment 11543
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11543&action=edit
POC2

[Bug libelf/24103] New: Invalid address Dereference in elf64_xlatetom in elf32_xlatetom.c in libelf

2019-01-18 Thread wcventure at 126 dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24103

Bug ID: 24103
   Summary: Invalid address Dereference in elf64_xlatetom in
elf32_xlatetom.c in libelf
   Product: elfutils
   Version: unspecified
Status: UNCONFIRMED
  Severity: normal
  Priority: P2
 Component: libelf
  Assignee: unassigned at sourceware dot org
  Reporter: wcventure at 126 dot com
CC: elfutils-devel at sourceware dot org
  Target Milestone: ---

Created attachment 11545
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11545&action=edit
POC1

This is different from Bug 24081 and Bug 24089: this error occurs in the function
elf64_xlatetom.

Please use "eu-stack --core=$POC" to reproduce the bug.


$git log

> commit e65d91d21cb09d83b001fef9435e576ba447db32
> Author: Mark Wielaard 
> Date:   Wed Jan 16 12:25:57 2019 +0100
> 
> libelf: Correct overflow check in note_xlate.
> 
> We want to make sure the note_len doesn't overflow and becomes shorter
> than the note header. But the namesz and descsz checks got the note header
> size wrong). Replace the wrong constant (8) with a sizeof cvt_Nhdr (12).
> 
> https://sourceware.org/bugzilla/show_bug.cgi?id=24084
> 
> Signed-off-by: Mark Wielaard 


The ASAN dumps the stack trace as follows:

> =
> ==7964==ERROR: AddressSanitizer: unknown-crash on address 0x7f5eace16000 at 
> pc 0x7f5eabd97e2b bp 0x7ffc6b0f0680 sp 0x7ffc6b0efe28
> READ of size 983520 at 0x7f5eace16000 thread T0
> #0 0x7f5eabd97e2a in memmove 
> (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x7ae2a)
> #1 0x7f5eaba8e510 in memmove 
> /usr/include/x86_64-linux-gnu/bits/string3.h:59
> #2 0x7f5eaba8e510 in elf64_xlatetom 
> /home/wencheng/Experiment/elfutils/libelf/elf32_xlatetom.c:100
> #3 0x7f5eab7d6e6b in dwfl_segment_report_module 
> /home/wencheng/Experiment/elfutils/libdwfl/dwfl_segment_report_module.c:807
> #4 0x7f5eab7ef0dd in dwfl_core_file_report 
> /home/wencheng/Experiment/elfutils/libdwfl/core-file.c:543
> #5 0x4033a3 in parse_opt 
> /home/wencheng/Experiment/elfutils/src/stack.c:590
> #6 0x7f5eab013847 in argp_parse (/lib/x86_64-linux-gnu/libc.so.6+0x114847)
> #7 0x402860 in main /home/wencheng/Experiment/elfutils/src/stack.c:690
> #8 0x7f5eaaf1f82f in __libc_start_main 
> (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
> #9 0x4030d8 in _start 
> (/home/wencheng/Experiment/elfutils/build/bin/eu-stack+0x4030d8)
> 
> Address 0x7f5eace16000 is a wild pointer.
> SUMMARY: AddressSanitizer: unknown-crash 
> (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x7ae2a) in memmove
> Shadow bytes around the buggy address:
>   0x0fec559babb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0fec559babc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0fec559babd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0fec559babe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0fec559babf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> =>0x0fec559bac00:[fe]fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
>   0x0fec559bac10: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
>   0x0fec559bac20: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
>   0x0fec559bac30: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
>   0x0fec559bac40: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
>   0x0fec559bac50: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:   00
>   Partially addressable: 01 02 03 04 05 06 07 
>   Heap left redzone:   fa
>   Freed heap region:   fd
>   Stack left redzone:  f1
>   Stack mid redzone:   f2
>   Stack right redzone: f3
>   Stack after return:  f5
>   Stack use after scope:   f8
>   Global redzone:  f9
>   Global init order:   f6
>   Poisoned by user:f7
>   Container overflow:  fc
>   Array cookie:ac
>   Intra object redzone:bb
>   ASan internal:   fe
>   Left alloca redzone: ca
>   Right alloca redzone:cb
> ==7964==ABORTING

[Bug libelf/24103] Invalid address Dereference in elf64_xlatetom in elf32_xlatetom.c in libelf

2019-01-18 Thread wcventure at 126 dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24103

--- Comment #1 from wcventure  ---
Created attachment 11546
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11546&action=edit
POC2

[Bug tools/24116] New: A Heap-buffer-overflow problem was discovered in the function print_debug_line_section in readelf.c

2019-01-22 Thread wcventure at 126 dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24116

Bug ID: 24116
   Summary: A Heap-buffer-overflow problem was discovered in the
function print_debug_line_section in readelf.c
   Product: elfutils
   Version: unspecified
Status: UNCONFIRMED
  Severity: normal
  Priority: P2
 Component: tools
  Assignee: unassigned at sourceware dot org
  Reporter: wcventure at 126 dot com
CC: elfutils-devel at sourceware dot org
  Target Milestone: ---

Created attachment 11559
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11559&action=edit
POC1

Hi, 

A Heap-buffer-overflow problem was discovered in the function
print_debug_line_section in readelf.c, as distributed in elfutils 0.175. A
crafted ELF input can cause segmentation faults and I have confirmed them with
AddressSanitizer too.

Here are the POC files. Please use "./eu-readelf -w $POC" to reproduce the
error.

$git log

> commit de01cc6f9446187d69b9748bb3636361c79e77a4
> Author: Mark Wielaard 
> Date:   Wed Jan 16 15:41:31 2019 +0100
> 
> libebl: Check NT_PLATFORM core notes contain a zero terminated string.
> 
> Most strings in core notes are fixed size. But NT_PLATFORM contains just
> a variable length string. Check that it is actually zero terminated
> before passing to readelf to print.
> 
> https://sourceware.org/bugzilla/show_bug.cgi?id=24089
> 
> Signed-off-by: Mark Wielaard 

The ASAN dumps the stack trace as follows:

> =
> ==23533==ERROR: AddressSanitizer: heap-buffer-overflow on address 
> 0x610002fc at pc 0x0040507c bp 0x7ffd4aa3fa10 sp 0x7ffd4aa3fa00
> READ of size 1 at 0x610002fc thread T0
> #0 0x40507b in __libdw_get_uleb128 ../libdw/memory-access.h:80
> #1 0x496de9 in print_debug_line_section /elfutils/src/readelf.c:8846
> #2 0x45be8c in print_debug /elfutils/src/readelf.c:11207
> #3 0x46080a in process_elf_file /elfutils/src/readelf.c:998
> #4 0x46080a in process_dwflmod /elfutils/src/readelf.c:760
> #5 0x7f38d437171c in dwfl_getmodules 
> /elfutils/libdwfl/dwfl_getmodules.c:86
> #6 0x40cb1d in process_file /elfutils/src/readelf.c:868
> #7 0x4059a6 in main /elfutils/src/readelf.c:350
> #8 0x7f38d39f782f in __libc_start_main 
> (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
> #9 0x4064d8 in _start (/elfutils/build/bin/eu-readelf+0x4064d8)
> 
> 0x610002fc is located 0 bytes to the right of 188-byte region 
> [0x61000240,0x610002fc)
> allocated by thread T0 here:
> #0 0x7f38d474eb90 in __interceptor_malloc 
> (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb90)
> #1 0x7f38d4003f7f in convert_data /elfutils/libelf/elf_getdata.c:157
> #2 0x7f38d4003f7f in __libelf_set_data_list_rdlock 
> /elfutils/libelf/elf_getdata.c:447
> 
> SUMMARY: AddressSanitizer: heap-buffer-overflow ../libdw/memory-access.h:80 
> in __libdw_get_uleb128
> Shadow bytes around the buggy address:
>   0x0c207fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
>   0x0c207fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c207fff8020: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
>   0x0c207fff8030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c207fff8040: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
> =>0x0c207fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[04]
>   0x0c207fff8060: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
>   0x0c207fff8070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c207fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c207fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c207fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:   00
>   Partially addressable: 01 02 03 04 05 06 07 
>   Heap left redzone:   fa
>   Freed heap region:   fd
>   Stack left redzone:  f1
>   Stack mid redzone:   f2
>   Stack right redzone: f3
>   Stack after return:  f5
>   Stack use after scope:   f8
>   Global redzone:  f9
>   Global init order:   f6
>   Poisoned by user:f7
>   Container overflow:  fc
>   Array cookie:ac
>   Intra object redzone:bb
>   ASan internal:   fe
>   Left alloca redzone: ca
>   Right alloca redzone:cb
> ==23533==ABORTING

[Bug tools/24116] A Heap-buffer-overflow problem was discovered in the function print_debug_line_section in readelf.c

2019-01-22 Thread wcventure at 126 dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24116

--- Comment #2 from wcventure  ---
Created attachment 11561
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11561&action=edit
POC3

[Bug tools/24116] A Heap-buffer-overflow problem was discovered in the function print_debug_line_section in readelf.c

2019-01-22 Thread wcventure at 126 dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24116

--- Comment #1 from wcventure  ---
Created attachment 11560
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11560&action=edit
POC2

[Bug backends/24075] Program Crash due to buffer over-read in ebl_object_note function in eblobjnote.c in libebl.

2019-01-26 Thread wcventure at 126 dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24075

wcventure  changed:

   What|Removed |Added

 Status|RESOLVED|UNCONFIRMED
 Resolution|FIXED   |---

--- Comment #4 from wcventure  ---
Regression Testing:

I have done regression testing.
This problem can be broken again!

Here is the POC file.


The Commit ID I used:

> commit a17c2c0917901ffa542ac4d3e327d46742219e04
> Author: Mark Wielaard 
> Date:   Tue Jan 22 15:55:18 2019 +0100
> 
> readelf: Don't go past end of line data reading unknown opcode parameters.
> 
> https://sourceware.org/bugzilla/show_bug.cgi?id=24116
> 
> Signed-off-by: Mark Wielaard 


ASAN trace:

> ==22829==ERROR: AddressSanitizer: unknown-crash on address 0x7f07d1c81000 at 
> pc 0x004c0857 bp 0x7ffc6580df50 sp 0x7ffc6580df40
> READ of size 1 at 0x7f07d1c81000 thread T0
> #0 0x4c0856 in ebl_object_note 
> /home/wencheng/Experiment/elfutils/libebl/eblobjnote.c:495
> #1 0x452e0f in handle_notes_data 
> /home/wencheng/Experiment/elfutils/src/readelf.c:12256
> #2 0x465ec3 in handle_notes 
> /home/wencheng/Experiment/elfutils/src/readelf.c:12320
> #3 0x465ec3 in process_elf_file 
> /home/wencheng/Experiment/elfutils/src/readelf.c:1000
> #4 0x465ec3 in process_dwflmod 
> /home/wencheng/Experiment/elfutils/src/readelf.c:760
> #5 0x7f07d0893961 in dwfl_getmodules 
> /home/wencheng/Experiment/elfutils/libdwfl/dwfl_getmodules.c:86
> #6 0x40d035 in process_file 
> /home/wencheng/Experiment/elfutils/src/readelf.c:868
> #7 0x40579e in main /home/wencheng/Experiment/elfutils/src/readelf.c:350
> #8 0x7f07cff1882f in __libc_start_main 
> (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
> #9 0x406428 in _start 
> (/home/wencheng/Experiment/elfutils/build/bin/eu-readelf+0x406428)
> 
> Address 0x7f07d1c81000 is a wild pointer.
> SUMMARY: AddressSanitizer: unknown-crash 
> /home/wencheng/Experiment/elfutils/libebl/eblobjnote.c:495 in ebl_object_note
> Shadow bytes around the buggy address:
>   0x0fe17a3881b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0fe17a3881c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0fe17a3881d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0fe17a3881e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0fe17a3881f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> =>0x0fe17a388200:[fe]fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
>   0x0fe17a388210: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
>   0x0fe17a388220: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
>   0x0fe17a388230: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
>   0x0fe17a388240: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
>   0x0fe17a388250: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:   00
>   Partially addressable: 01 02 03 04 05 06 07
>   Heap left redzone:   fa
>   Freed heap region:   fd
>   Stack left redzone:  f1
>   Stack mid redzone:   f2
>   Stack right redzone: f3
>   Stack after return:  f5
>   Stack use after scope:   f8
>   Global redzone:  f9
>   Global init order:   f6
>   Poisoned by user:f7
>   Container overflow:  fc
>   Array cookie:ac
>   Intra object redzone:bb
>   ASan internal:   fe
>   Left alloca redzone: ca
>   Right alloca redzone:cb
> ==22829==ABORTING

[Bug backends/24075] Program Crash due to buffer over-read in ebl_object_note function in eblobjnote.c in libebl.

2019-01-26 Thread wcventure at 126 dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24075

--- Comment #5 from wcventure  ---
Created attachment 11573
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11573&action=edit
Regressiong_POC

[Bug backends/24075] Program Crash due to buffer over-read in ebl_object_note function in eblobjnote.c in libebl.

2019-01-26 Thread wcventure at 126 dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24075

wcventure  changed:

   What|Removed |Added

   Priority|P2  |P1
   Severity|normal  |critical

[Bug libdw/24140] New: A Heap-buffer-overflow problem was discovered in the function __libdw_next_unit in dwarf_nextcu.c in libdw

2019-01-26 Thread wcventure at 126 dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24140

Bug ID: 24140
   Summary: A Heap-buffer-overflow problem was discovered in the
function __libdw_next_unit in dwarf_nextcu.c in libdw
   Product: elfutils
   Version: unspecified
Status: UNCONFIRMED
  Severity: critical
  Priority: P2
 Component: libdw
  Assignee: unassigned at sourceware dot org
  Reporter: wcventure at 126 dot com
CC: elfutils-devel at sourceware dot org
  Target Milestone: ---

Created attachment 11574
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11574&action=edit
POC

Hi, 

A Heap-buffer-overflow problem was discovered in the function __libdw_next_unit
in dwarf_nextcu.c in libdw, as distributed in elfutils 0.175. A crafted ELF
input can cause segmentation faults and I have confirmed them with AddressSanitizer
too.

Here are the POC files. Please use "./eu-nm -C $POC" to reproduce the error.

$git log

> commit a17c2c0917901ffa542ac4d3e327d46742219e04
> Author: Mark Wielaard 
> Date:   Tue Jan 22 15:55:18 2019 +0100
> 
> readelf: Don't go past end of line data reading unknown opcode parameters.
> 
> https://sourceware.org/bugzilla/show_bug.cgi?id=24116
> 
> Signed-off-by: Mark Wielaard 

The ASAN dumps the stack trace as follows:

> =
> ==12766==ERROR: AddressSanitizer: heap-buffer-overflow on address 
> 0x60300032 at pc 0x7f1605a83c52 bp 0x7ffeba226910 sp 0x7ffeba226900
> READ of size 2 at 0x60300032 thread T0
> #0 0x7f1605a83c51 in __libdw_next_unit 
> /home/wencheng/Experiment/elfutils/libdw/dwarf_nextcu.c:249
> #1 0x7f1605a83f3c in dwarf_next_unit 
> /home/wencheng/Experiment/elfutils/libdw/dwarf_nextcu.c:46
> #2 0x7f1605a83f3c in dwarf_nextcu 
> /home/wencheng/Experiment/elfutils/libdw/dwarf_nextcu.c:294
> #3 0x408273 in get_local_names 
> /home/wencheng/Experiment/elfutils/src/nm.c:627
> #4 0x408273 in show_symbols 
> /home/wencheng/Experiment/elfutils/src/nm.c:1285
> #5 0x40e5bd in handle_elf /home/wencheng/Experiment/elfutils/src/nm.c:1578
> #6 0x40387c in process_file 
> /home/wencheng/Experiment/elfutils/src/nm.c:374
> #7 0x40387c in main /home/wencheng/Experiment/elfutils/src/nm.c:249
> #8 0x7f1604e6782f in __libc_start_main 
> (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
> #9 0x404568 in _start 
> (/home/wencheng/Experiment/elfutils/build/bin/eu-nm+0x404568)
> 
> 0x60300032 is located 2 bytes to the right of 32-byte region 
> [0x60300010,0x60300030)
> allocated by thread T0 here:
> #0 0x7f1605f4ab90 in __interceptor_malloc 
> (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb90)
> #1 0x7f16057feec3 in convert_data 
> /home/wencheng/Experiment/elfutils/libelf/elf_getdata.c:157
> #2 0x7f16057feec3 in __libelf_set_data_list_rdlock 
> /home/wencheng/Experiment/elfutils/libelf/elf_getdata.c:447
> 
> SUMMARY: AddressSanitizer: heap-buffer-overflow 
> /home/wencheng/Experiment/elfutils/libdw/dwarf_nextcu.c:249 in 
> __libdw_next_unit
> Shadow bytes around the buggy address:
>   0x0c067fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c067fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c067fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c067fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> =>0x0c067fff8000: fa fa 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa
>   0x0c067fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c067fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c067fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c067fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c067fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:   00
>   Partially addressable: 01 02 03 04 05 06 07 
>   Heap left redzone:   fa
>   Freed heap region:   fd
>   Stack left redzone:  f1
>   Stack mid redzone:   f2
>   Stack right redzone: f3
>   Stack after return:  f5
>   Stack use after scope:   f8
>   Global redzone:  f9
>   Global init order:   f6
>   Poisoned by user:f7
>   Container overflow:  fc
>   Array cookie:ac
>   Intra object redzone:bb
>   ASan internal:   fe
>   Left alloca redzone: ca
>   Right alloca redzone:cb
> ==12766==ABORTING


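An added example, not elfutils' code and not part of the reports above: a bounded reader for the DWARF byte streams that bug 24116 (ULEB128 operands of an unknown line-program opcode read past the end of the line data) and bug 24140 (2-byte version field read past the end of a unit) walk. The ULEB128 encoding and the unit_length/version header layout are the standard DWARF ones; the sample byte strings are constructed, not taken from the attached POC files.

```c
/* Added example, not elfutils' code: a bounded reader for DWARF byte
   streams.  Every read checks the remaining length first, so truncated or
   crafted data gives a clean failure instead of the out-of-bounds reads
   ASan reports for bugs 24116 and 24140. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

typedef struct {
  const unsigned char *p;    /* next byte to read */
  const unsigned char *end;  /* one past the last valid byte */
} bounded_reader;

static size_t bytes_left (const bounded_reader *r)
{
  return (size_t) (r->end - r->p);
}

/* Little-endian fixed-width read of 'nbytes' (1..8); false if that many
   bytes are not left in the buffer. */
bool read_le (bounded_reader *r, unsigned nbytes, uint64_t *out)
{
  if (nbytes > 8 || bytes_left (r) < nbytes)
    return false;
  uint64_t v = 0;
  for (unsigned i = 0; i < nbytes; i++)
    v |= (uint64_t) r->p[i] << (8 * i);
  r->p += nbytes;
  *out = v;
  return true;
}

/* Unsigned LEB128: never touches a byte at or past 'end', and rejects
   encodings longer than the 10 bytes a uint64_t can need. */
bool read_uleb128 (bounded_reader *r, uint64_t *out)
{
  uint64_t value = 0;
  unsigned shift = 0;
  for (;;) {
    if (r->p >= r->end)
      return false;          /* data ended with the continuation bit set */
    if (shift > 63)
      return false;          /* malformed: too many bytes */
    unsigned char b = *r->p++;
    value |= (uint64_t) (b & 0x7f) << shift;
    shift += 7;
    if ((b & 0x80) == 0) {
      *out = value;
      return true;
    }
  }
}

/* Bug 24116 pattern: the operands of an unknown line-program opcode are
   'count' ULEB128 values that must all lie inside the line data.
   Returns their sum, or -1 if the data ends inside an operand. */
long long uleb128_operand_sum (const unsigned char *buf, size_t len,
                               unsigned count)
{
  bounded_reader r = { buf, buf + len };
  long long sum = 0;
  for (unsigned i = 0; i < count; i++) {
    uint64_t v;
    if (!read_uleb128 (&r, &v))
      return -1;
    sum += (long long) v;
  }
  return sum;
}

/* Bug 24140 pattern: the 32-bit unit_length and 16-bit version at the
   start of a .debug_info unit.  Returns the version, or -1 if the header
   is cut off or unit_length claims more bytes than the section holds. */
int unit_header_version (const unsigned char *buf, size_t len)
{
  bounded_reader r = { buf, buf + len };
  uint64_t unit_length, version;
  if (!read_le (&r, 4, &unit_length) || unit_length > bytes_left (&r))
    return -1;
  if (!read_le (&r, 2, &version))
    return -1;
  return (int) version;
}

/* Constructed sample inputs (not from the attached POC files). */
const unsigned char sample_operands_ok[]  = { 0x02, 0x80, 0x01 };  /* 2, 128 */
const unsigned char sample_operands_cut[] = { 0x02, 0x80 };        /* 2, then cut */
const unsigned char sample_leb_big[]      = { 0xe5, 0x8e, 0x26 };  /* 624485 */
const unsigned char sample_leb_too_long[] = { 0x80, 0x80, 0x80, 0x80, 0x80,
                                              0x80, 0x80, 0x80, 0x80, 0x80, 0x00 };
const unsigned char sample_unit_ok[]    = { 0x0a, 0, 0, 0, 0x04, 0x00,
                                            0, 0, 0, 0, 0, 0, 0, 0 };
const unsigned char sample_unit_short[] = { 0x01, 0, 0, 0, 0x04 }; /* version cut */
```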
[Bug backends/24075] Program Crash due to buffer over-read in ebl_object_note function in eblobjnote.c in libebl.

2019-01-29 Thread wcventure at 126 dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24075

--- Comment #6 from wcventure  ---
CVE-2019-7146

[Bug libelf/24081] buffer over-read Problem in elf32_xlatetom function in libelf

2019-01-29 Thread wcventure at 126 dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24081

wcventure  changed:

   What|Removed |Added

Summary|Use-After-free Problem in   |buffer over-read Problem in
   |elf32_xlatetom function in  |elf32_xlatetom function in
   |libelf  |libelf

[Bug tools/24116] A Heap-buffer-overflow problem was discovered in the function print_debug_line_section in readelf.c

2019-01-31 Thread wcventure at 126 dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24116

--- Comment #4 from wcventure  ---
(In reply to Mark Wielaard from comment #3)

Not completely repaired.
Here is the Regression test case.

[Bug tools/24116] A Heap-buffer-overflow problem was discovered in the function print_debug_line_section in readelf.c

2019-01-31 Thread wcventure at 126 dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24116

--- Comment #5 from wcventure  ---
Created attachment 11581
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11581&action=edit
Regression

[Bug general/24385] New: Regression leads to Invalid Address Dereference, in handle_elf function in /src/strip.c

2019-03-26 Thread wcventure at 126 dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24385

Bug ID: 24385
   Summary: Regression leads to Invalid Address Dereference, in
handle_elf function in /src/strip.c
   Product: elfutils
   Version: unspecified
Status: UNCONFIRMED
  Severity: normal
  Priority: P2
 Component: general
  Assignee: unassigned at sourceware dot org
  Reporter: wcventure at 126 dot com
CC: elfutils-devel at sourceware dot org
  Target Milestone: ---

Created attachment 11698
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11698&action=edit
POC1

Hi,

I found a regression bug.

This is an Invalid Address Dereference bug, in the handle_elf function in
/src/strip.c.

This problem exists in elfutils-0.176, but cannot be reproduced in elfutils-0.175.
Thus this is a regression bug; elfutils 0.175 is right.

Here are the POC files. Please use "./eu-strip $POC" to reproduce this 



ASAN bt:

> ASAN:SIGSEGV
> =
> ==10044==ERROR: AddressSanitizer: SEGV on unknown address 0x7ffce19d97b0 (pc 
> 0x0041339d bp 0x7ffce1978410 sp 0x7ffce1976750 T0)
> #0 0x41339c in handle_elf elfutils-0.176/src/strip.c:1978
> #1 0x41a2d1 in process_file elfutils-0.176/src/strip.c:769
> #2 0x403b4b in main elfutils-0.176/src/strip.c:272
> #3 0x7f505ec0382f in __libc_start_main 
> (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
> #4 0x4046d8 in _start (elfutils-0.176_ASAN/build/bin/eu-strip+0x4046d8)
> 
> AddressSanitizer can not provide additional info.
> SUMMARY: AddressSanitizer: SEGV elfutils-0.176/src/strip.c:1978 handle_elf
> ==10044==ABORTING

[Bug general/24385] Regression leads to Invalid Address Dereference, in handle_elf function in /src/strip.c

2019-03-26 Thread wcventure at 126 dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24385

--- Comment #1 from wcventure  ---
Created attachment 11699
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11699&action=edit
POC2

[Bug libelf/24387] New: Invalid address Dereference in elf32_xlatetom function in libelf/elf32_xlatetom.c

2019-03-26 Thread wcventure at 126 dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24387

Bug ID: 24387
   Summary: Invalid address Dereference in elf32_xlatetom function
in libelf/elf32_xlatetom.c
   Product: elfutils
   Version: unspecified
Status: UNCONFIRMED
  Severity: normal
  Priority: P2
 Component: libelf
  Assignee: unassigned at sourceware dot org
  Reporter: wcventure at 126 dot com
CC: elfutils-devel at sourceware dot org
  Target Milestone: ---

Created attachment 11701
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11701&action=edit
POC1

Similar to Bug 24103, but this bug happens in the elf32_xlatetom function and can
still be reproduced on elfutils 0.176.
So the fix is incomplete.
The root cause needs to be checked.

Here is the POC file. Please use "eu-stack --core=$POC" to reproduce the
bug.

ASAN backtrace:

> =
> ==6345==ERROR: AddressSanitizer: unknown-crash on address 0x7f79e8976000 at 
> pc 0x7f79e7886df8 bp 0x7ffd4529cf30 sp 0x7ffd4529c6d8
> READ of size 3104 at 0x7f79e8976000 thread T0
> #0 0x7f79e7886df7 in __asan_memmove 
> (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8cdf7)
> #1 0x7f79e756ac2b in memmove 
> /usr/include/x86_64-linux-gnu/bits/string3.h:59
> #2 0x7f79e756ac2b in elf32_xlatetom 
> /Regression/elfutils-0.176/libelf/elf32_xlatetom.c:100
> #3 0x7f79e72c29c8 in dwfl_segment_report_module 
> /Regression/elfutils-0.176/libdwfl/dwfl_segment_report_module.c:607
> #4 0x7f79e72d51b9 in dwfl_core_file_report 
> /Regression/elfutils-0.176/libdwfl/core-file.c:543
> #5 0x40322d in parse_opt /Regression/elfutils-0.176/src/stack.c:590
> #6 0x7f79e6b2a847 in argp_parse (/lib/x86_64-linux-gnu/libc.so.6+0x114847)
> #7 0x40271b in main /Regression/elfutils-0.176/src/stack.c:690
> #8 0x7f79e6a3682f in __libc_start_main 
> (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
> #9 0x402ef8 in _start 
> (/Regression/elfutils-0.176_ASAN/build/bin/eu-stack+0x402ef8)
> 
> AddressSanitizer can not describe address in more detail (wild memory access 
> suspected).
> SUMMARY: AddressSanitizer: unknown-crash ??:0 __asan_memmove
> Shadow bytes around the buggy address:
>   0x0fefbd126bb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0fefbd126bc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0fefbd126bd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0fefbd126be0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0fefbd126bf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> =>0x0fefbd126c00:[fe]fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
>   0x0fefbd126c10: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
>   0x0fefbd126c20: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
>   0x0fefbd126c30: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
>   0x0fefbd126c40: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
>   0x0fefbd126c50: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:   00
>   Partially addressable: 01 02 03 04 05 06 07 
>   Heap left redzone:   fa
>   Heap right redzone:  fb
>   Freed heap region:   fd
>   Stack left redzone:  f1
>   Stack mid redzone:   f2
>   Stack right redzone: f3
>   Stack partial redzone:   f4
>   Stack after return:  f5
>   Stack use after scope:   f8
>   Global redzone:  f9
>   Global init order:   f6
>   Poisoned by user:f7
>   Container overflow:  fc
>   Array cookie:ac
>   Intra object redzone:bb
>   ASan internal:   fe
> ==6345==ABORTING

[Bug libelf/24387] Invalid address Dereference in elf32_xlatetom function in libelf/elf32_xlatetom.c

2019-03-26 Thread wcventure at 126 dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24387

--- Comment #1 from wcventure  ---
Created attachment 11702
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11702&action=edit
POC2

[Bug libdw/24398] New: An invalid address dereference problem was discovered in the print_debug_macinfo_section function __libdw_next_unit in libdw/dwarf_filesrc.c in libdw

2019-03-28 Thread wcventure at 126 dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24398

Bug ID: 24398
   Summary: An invalid address dereference problem was discovered in
the print_debug_macinfo_section function
__libdw_next_unit in libdw/dwarf_filesrc.c in libdw
   Product: elfutils
   Version: unspecified
Status: UNCONFIRMED
  Severity: normal
  Priority: P2
 Component: libdw
  Assignee: unassigned at sourceware dot org
  Reporter: wcventure at 126 dot com
CC: elfutils-devel at sourceware dot org
  Target Milestone: ---

Created attachment 11709
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11709&action=edit
POC

Hi, 

An invalid address dereference problem was discovered in the
print_debug_macinfo_section function __libdw_next_unit in libdw/dwarf_filesrc.c
in libdw, as distributed in elfutils 0.176 (release version). A crafted ELF
input can cause segmentation faults and I have confirmed them with AddressSanitizer
too.

Here are the POC files. Please use "./eu-readelf -w $POC" to reproduce the
error.

> ASAN:SIGSEGV
> =
> ==7264==ERROR: AddressSanitizer: SEGV on unknown address 0x02007c2b0d91 (pc 
> 0x7fe377095ed7 bp 0x7fff0ae365f0 sp 0x7fff0ae36380 T0)
> #0 0x7fe377095ed6 in dwarf_filesrc 
> /elfutils-0.176/libdw/dwarf_filesrc.c:41
> #1 0x435ca5 in print_debug_macinfo_section 
> /elfutils-0.176/src/readelf.c:9701
> #2 0x4553a6 in print_debug /elfutils-0.176/src/readelf.c:11222
> #3 0x45c74e in process_elf_file /elfutils-0.176/src/readelf.c:998
> #4 0x4639cf in process_dwflmod /elfutils-0.176/src/readelf.c:760
> #5 0x7fe3771220b8 in dwfl_getmodules 
> /elfutils-0.176/libdwfl/dwfl_getmodules.c:86
> #6 0x40c28b in process_file /elfutils-0.176/src/readelf.c:868
> #7 0x405a8a in main /elfutils-0.176/src/readelf.c:350
> #8 0x7fe3767ac82f in __libc_start_main 
> (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
> #9 0x406cd8 in _start (/elfutils-0.176_ASAN/build/bin/eu-readelf+0x406cd8)
> 
> AddressSanitizer can not provide additional info.
> SUMMARY: AddressSanitizer: SEGV /elfutils-0.176/libdw/dwarf_filesrc.c:41 
> dwarf_filesrc
> ==7264==ABORTING
