[Bug binutils/25821] New: Double free in readelf

nguyenmanhdung1710 at gmail dot com Tue, 14 Apr 2020 16:58:10 -0700

https://sourceware.org/bugzilla/show_bug.cgi?id=25821


            Bug ID: 25821
           Summary: Double free in readelf
           Product: binutils
           Version: 2.35 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: nguyenmanhdung1710 at gmail dot com
  Target Milestone: ---

Created attachment 12456
  --> https://sourceware.org/bugzilla/attachment.cgi?id=12456&action=edit
PoC for a Double Free bug

Hi,

An double free was discovered in readelf (the latest commit f717994) in
process_symbol_table(), via a crafted file.

To reproduce: readelf -a PoC.

ASAN says:
==23637==ERROR: AddressSanitizer: attempting double-free on 0x60200000eef0 in
thread T0:
    #0 0x7f6f6a79632a in __interceptor_free
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9832a)
    #1 0x4423c3 in process_symbol_table ../../binutils/readelf.c:12201
    #2 0x4619d2 in process_object ../../binutils/readelf.c:20124
    #3 0x463527 in process_file ../../binutils/readelf.c:20602
    #4 0x463941 in main ../../binutils/readelf.c:20671
    #5 0x7f6f6a35482f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #6 0x402808 in _start (/home/dungnguyen/PoCs/readelf/readelf+0x402808)

0x60200000eef0 is located 0 bytes inside of 1-byte region
[0x60200000eef0,0x60200000eef1)
freed by thread T0 here:
    #0 0x7f6f6a79632a in __interceptor_free
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9832a)
    #1 0x438faa in get_num_dynamic_syms ../../binutils/readelf.c:9999
    #2 0x43a19c in process_dynamic_section ../../binutils/readelf.c:10273
    #3 0x46198f in process_object ../../binutils/readelf.c:20114
    #4 0x463527 in process_file ../../binutils/readelf.c:20602
    #5 0x463941 in main ../../binutils/readelf.c:20671
    #6 0x7f6f6a35482f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

previously allocated by thread T0 here:
    #0 0x7f6f6a796662 in malloc
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98662)
    #1 0x4ddbca in xmalloc ../../libiberty/xmalloc.c:147
    #2 0x49dab6 in cmalloc ../../binutils/dwarf.c:9898
    #3 0x438a3e in get_dynamic_data ../../binutils/readelf.c:9923
    #4 0x438f58 in get_num_dynamic_syms ../../binutils/readelf.c:9987
    #5 0x43a19c in process_dynamic_section ../../binutils/readelf.c:10273
    #6 0x46198f in process_object ../../binutils/readelf.c:20114
    #7 0x463527 in process_file ../../binutils/readelf.c:20602
    #8 0x463941 in main ../../binutils/readelf.c:20671
    #9 0x7f6f6a35482f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

Thanks,
Manh Dung

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug binutils/25821] New: Double free in readelf

Reply via email to