https://sourceware.org/bugzilla/show_bug.cgi?id=26335
Bug ID: 26335
Summary: A stack-buffer-overflow in readelf.c:12096:20 causes Segmentation fault
Product: binutils
Version: 2.35
Status: UNCONFIRMED
Severity: critical
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: seviezhou at 163 dot com
Target Milestone: ---

Created attachment 12745
  --> https://sourceware.org/bugzilla/attachment.cgi?id=12745&action=edit
stack-overflow-print_dynamic_symbol-readelf-12096

There is a stack-buffer-overflow in readelf.c:12096:20 that can cause readelf to crash with a segmentation fault.

## System info

Ubuntu X64, gcc (Ubuntu 5.5.0-12ubuntu1), binutils 2.35

## Configure

```
CFLAGS="-fno-stack-protector" ./configure
CFLAGS="-g -fsanitize=address" LDFLAGS="-fsanitize=address" ./configure
```

## Command line

```
./binutils/readelf -a @@
```

## Output

```
Symbol table '.dynsym' contains 73 entries:
   Num:    Value  Size Type    Bind   Vis      Ndx Name
     0: 00000000     0 NOTYPE  LOCAL  DEFAULT  UND ^P
Segmentation fault (core dumped)
```

## AddressSanitizer output

```
=================================================================
==74564==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe1e0e0160 at pc 0x00000044792a bp 0x7ffe1e0dff20 sp 0x7ffe1e0df6d0
WRITE of size 335 at 0x7ffe1e0e0160 thread T0
    #0 0x447929 in vsprintf (/home/seviezhou/binutils-2.35/binutils/readelf+0x447929)
    #1 0x447c56 in __interceptor_sprintf (/home/seviezhou/binutils-2.35/binutils/readelf+0x447c56)
    #2 0x593686 in print_dynamic_symbol /home/seviezhou/binutils-2.35/binutils/readelf.c:12096:20
    #3 0x533412 in process_symbol_table /home/seviezhou/binutils-2.35/binutils/readelf.c:12221:6
    #4 0x533412 in process_object /home/seviezhou/binutils-2.35/binutils/readelf.c:20333
    #5 0x5178f4 in process_file /home/seviezhou/binutils-2.35/binutils/readelf.c:20795:13
    #6 0x5178f4 in main /home/seviezhou/binutils-2.35/binutils/readelf.c:20868
    #7 0x7fecc6418b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #8 0x41aa99 in _start (/home/seviezhou/binutils-2.35/binutils/readelf+0x41aa99)

Address 0x7ffe1e0e0160 is located in stack of thread T0 at offset 320 in frame
    #0 0x591fcf in print_dynamic_symbol /home/seviezhou/binutils-2.35/binutils/readelf.c:12053

  This frame has 3 object(s):
    [32, 36) 'sym_info' (line 12055)
    [48, 50) 'vna_other' (line 12056)
    [64, 320) 'buffer' (line 12094) <== Memory access at offset 320 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/seviezhou/binutils-2.35/binutils/readelf+0x447929) in vsprintf
Shadow bytes around the buggy address:
  0x100043c13fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100043c13fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100043c13ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100043c14000: 00 00 00 00 f1 f1 f1 f1 04 f2 02 f2 00 00 00 00
  0x100043c14010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100043c14020: 00 00 00 00 00 00 00 00 00 00 00 00[f3]f3 f3 f3
  0x100043c14030: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x100043c14040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100043c14050: f1 f1 f1 f1 f8 f2 f2 f2 f8 f8 f8 f8 f8 f8 f8 f8
  0x100043c14060: f8 f8 f8 f8 f8 f8 f8 f8 f2 f2 f2 f2 f8 f2 f2 f2
  0x100043c14070: f8 f8 f2 f2 f8 f8 f2 f2 f8 f8 f8 f2 f2 f2 f2 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==74564==ABORTING
```
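The sanitizer frame above pins the defect to its shape: a 256-byte stack `buffer` (object at `[64, 320)`) receiving a 335-byte `sprintf` write. The following is an added illustration written for this page, not readelf's code and not the fix binutils applied; the format string `"%s@%s (%d)"`, the function names and the 330-byte sample version string are constructed to mirror that shape. It places the unbounded `sprintf` pattern beside a `snprintf` replacement that reports truncation instead of writing past the frame.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration, not readelf's code. The "name@version (other)"
   string and the 256-byte stack buffer mirror what the AddressSanitizer
   frame reports: 'buffer' at [64, 320) and a 335-byte write into it. */
#define SYM_BUF_SIZE 256

/* The pattern ASan flagged: sprintf has no idea how large 'buf' is, so a
   version string longer than the buffer runs off the end of the stack frame.
   Kept only for contrast; nothing below calls it. */
void format_sym_version_unsafe(char *buf, const char *name,
                               const char *version, int other)
{
    sprintf(buf, "%s@%s (%d)", name, version, other);
}

/* Bounded replacement. snprintf writes at most 'size' bytes including the
   terminating NUL and returns the length the complete string would have
   had, so comparing that against 'size' exposes truncation. Returns true
   when the whole string fit; the buffer is NUL-terminated either way. */
bool format_sym_version(char *buf, size_t size, const char *name,
                        const char *version, int other)
{
    if (size == 0)
        return false;
    int needed = snprintf(buf, size, "%s@%s (%d)", name, version, other);
    if (needed < 0) {          /* encoding error: leave an empty string */
        buf[0] = '\0';
        return false;
    }
    return (size_t)needed < size;
}

/* Constructed input: a version string of 'len' bytes of 'A', standing in
   for the oversized name read from the malformed file in the report. */
const char *make_version(size_t len)
{
    static char ver[512];
    if (len >= sizeof ver)
        len = sizeof ver - 1;
    memset(ver, 'A', len);
    ver[len] = '\0';
    return ver;
}

/* Format into a SYM_BUF_SIZE stack buffer, as the crashing frame does,
   and report whether the text fit. */
bool version_fits(const char *name, const char *version, int other)
{
    char buffer[SYM_BUF_SIZE];
    return format_sym_version(buffer, sizeof buffer, name, version, other);
}

/* Same, but return the length actually stored: never more than 255. */
size_t version_length(const char *name, const char *version, int other)
{
    char buffer[SYM_BUF_SIZE];
    format_sym_version(buffer, sizeof buffer, name, version, other);
    return strlen(buffer);
}

int main(void)
{
    /* 330 bytes of version text: the bounded formatter truncates and says
       so, instead of writing well past the 256-byte frame. */
    printf("long:  fits=%d stored=%zu\n",
           version_fits("sym", make_version(330), 1),
           version_length("sym", make_version(330), 1));  /* fits=0 stored=255 */
    printf("short: fits=%d stored=%zu\n",
           version_fits("sym", "GLIBC_2.2.5", 1),
           version_length("sym", "GLIBC_2.2.5", 1));      /* fits=1 stored=19 */
    return 0;
}
```

The design point is the return value: a caller that ignores whether `format_sym_version` fit still cannot corrupt the stack, but one that checks it can print an explicit marker for a name the file claims is longer than any sane symbol, which is the kind of malformed input that produced this report. Building with `-fsanitize=address` (as in the Configure section) is what turns the silent overrun into the report shown above; `-fno-stack-protector` was used to get the plain segfault instead.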