https://sourceware.org/bugzilla/show_bug.cgi?id=21437
--- Comment #2 from Brian 'geeknik' Carpenter <brian.carpenter at gmail dot com> ---

Built `da3d25a` with afl-gcc instead of afl-clang-fast. Same result. And I was mistaken in my original comment, this is Ubuntu 16.x, not Debian 8.

gcc (Ubuntu 6.3.0-12ubuntu2) 6.3.0 20170406

od -tx1 ../test000
0000000 7f 45 4c 46 30 30 30 30 30 30 30 30 ff ff ff ff
0000020 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30
0000040 54 00 00 00 30 30 30 30 30 30 30 30 30 30 28 00
0000060 04 00 30 30 30 30 30 30 30 30 30 30 30 30 30 30
0000100 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30
*
0000200 fd ff ff 6f 30 30 30 30 30 30 30 30 00 00 00 00
0000220 30 00 00 00 30 30 30 30 30 30 30 30 30 30 30 30
0000240 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30
*
0000360 30 30 30 30
0000364

binutils/readelf -a ../test000
ELF Header:
  Magic:   7f 45 4c 46 30 30 30 30 30 30 30 30 ff ff ff ff
  Class:                             <unknown: 30>
  Data:                              <unknown: 30>
  Version:                           48 <unknown: %lx>
  OS/ABI:                            <unknown: 30>
  ABI Version:                       48
  Type:                              <unknown>: 3030
  Machine:                           <unknown>: 0x3030
  Version:                           0x30303030
  Entry point address:               0x30303030
  Start of program headers:          808464432 (bytes into file)
  Start of section headers:          84 (bytes into file)
  Flags:                             0x30303030
  Size of this header:               12336 (bytes)
  Size of program headers:           12336 (bytes)
  Number of program headers:         12336
  Size of section headers:           40 (bytes)
  Number of section headers:         4
  Section header string table index: 12336 <corrupt: out of range>
readelf: Warning: Section 0 has an out of range sh_link value of 808464432
readelf: Warning: Section 1 has an out of range sh_link value of 808464432
readelf: Warning: Section 2 has an out of range sh_link value of 808464432
readelf: Warning: Section 3 has an out of range sh_link value of 808464432

Section Headers:
  [Nr] Name              Type            Addr     Off    Size   ES Flg Lk Inf Al
readelf: Warning: [ 0]: Unexpected value (808464432) in info field.
readelf: Warning: Size of section 0 is larger than the entire file!
  [ 0] <no-name>         30303030: <unkn 30303030 30303030 30303030 30303030 MSxxop 808464432 808464432 808464432
readelf: Warning: section 0: sh_link value of 808464432 is larger than the number of sections
readelf: Warning: [ 1]: Link field (808464432) should index a string section.
  [ 1] <no-name>         VERDEF          30303030 000000 000030 30303030 MSxxop 808464432 808464432 808464432
readelf: Warning: section 1: sh_link value of 808464432 is larger than the number of sections
readelf: Warning: [ 2]: Unexpected value (808464432) in info field.
readelf: Warning: Size of section 2 is larger than the entire file!
  [ 2] <no-name>         30303030: <unkn 30303030 30303030 30303030 30303030 MSxxop 808464432 808464432 808464432
readelf: Warning: section 2: sh_link value of 808464432 is larger than the number of sections
readelf: Warning: [ 3]: Unexpected value (808464432) in info field.
readelf: Warning: Size of section 3 is larger than the entire file!
  [ 3] <no-name>         30303030: <unkn 30303030 30303030 30303030 30303030 MSxxop 808464432 808464432 808464432
readelf: Warning: section 3: sh_link value of 808464432 is larger than the number of sections
Key to Flags:
  W (write), A (alloc), X (execute), M (merge), S (strings), I (info),
  L (link order), O (extra OS processing required), G (group), T (TLS),
  C (compressed), x (unknown), o (OS specific), E (exclude),
  p (processor specific)

There are no section groups in this file.

readelf: Error: Too many program headers - 0x3030 - the file is not that big

There is no dynamic section in this file.

There are no relocations in this file.

The decoding of unwind sections for machine type <unknown>: 0x3030 is not currently supported.

Version definition section '<no-name>' contains 808464432 entries:
  Addr: 0x0000000030303030  Offset: 00000000  Link: 808464432 (<corrupt>)
=================================================================
==9065==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb540337f at pc 0x08165676 bp 0xbf9c14b8 sp 0xbf9c14a8
READ of size 4 at 0xb540337f thread T0
    #0 0x8165675 in byte_get_little_endian /root/binutils/binutils/elfcomm.c:151
    #1 0x806fed6 in process_version_sections /root/binutils/binutils/readelf.c:10189
    #2 0x80d7740 in process_object /root/binutils/binutils/readelf.c:17788
    #3 0x804b77a in process_file /root/binutils/binutils/readelf.c:18183
    #4 0x804b77a in main /root/binutils/binutils/readelf.c:18255
    #5 0xb7045275 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18275)
    #6 0x804c520 (/root/binutils/binutils/readelf+0x804c520)

0xb540337f is located 1 bytes to the left of 49-byte region [0xb5403380,0xb54033b1)
allocated by thread T0 here:
    #0 0xb72aaaf4 in __interceptor_malloc (/usr/lib/i386-linux-gnu/libasan.so.3+0xc3af4)
    #1 0x8067762 in get_data /root/binutils/binutils/readelf.c:392

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/binutils/binutils/elfcomm.c:151 in byte_get_little_endian
Shadow bytes around the buggy address:
  0x36a80610: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a80620: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a80630: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a80640: fa fa fa fa fa fa fa fa fa fa fa fa fd fd fd fd
  0x36a80650: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
=>0x36a80660: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa[fa]
  0x36a80670: 00 00 00 00 00 00 01 fa fa fa fa fa fd fd fd fd
  0x36a80680: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
  0x36a80690: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x36a806a0: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
  0x36a806b0: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==9065==ABORTING