https://sourceware.org/bugzilla/show_bug.cgi?id=32035
Bug ID: 32035
Summary: heap overflow in readelf (binutils/dwarf.c:3648)
Product: binutils
Version: 2.42
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: jaehoon.jang at kaist dot ac.kr
Target Milestone: ---
Created attachment 15651
--> https://sourceware.org/bugzilla/attachment.cgi?id=15651&action=edit
poc
readelf build (binutils-2.42)
$ wget http://ftp.gnu.org/gnu/binutils/binutils-2.42.tar.gz
$ tar xvzf binutils-2.42.tar.gz
$ cd binutils-2.42
$ CC="clang -fsanitize=address -g" CXX="clang++ -fsanitize=address -g" ./configure --disable-shared --disable-gdb
$ make
readelf version
$ binutils/readelf --version
GNU readelf (GNU Binutils) 2.42
Copyright (C) 2024 Free Software Foundation, Inc.
This program is free software; you may redistribute it under the terms of
the GNU General Public License version 3 or (at your option) any later version.
This program has absolutely no warranty.
triggering heap-overflow with ASAN
root@56f3beb5803c:/benchmark/project/binutils-2.42/binutils-2.42# binutils/readelf -w ~/poc1
File: /root/poc1(main1.o)
readelf: Warning: skipping invalid relocation symbol index 0x190009 in section .debug_info
readelf: Warning: Invalid pointer size (0) in compunit header, using 4 instead
readelf: Warning: Unexpected form in top DIE
=================================================================
==221878==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6080000000a4 at pc 0x00000042efef bp 0x7ffcf59dbad0 sp 0x7ffcf59db290
READ of size 1 at 0x6080000000a4 thread T0
#0 0x42efee in strnlen /src/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:386:5
#1 0x527e68 in skip_attribute /benchmark/project/binutils-2.42/binutils-2.42/binutils/./dwarf.c:3648:15
#2 0x527e68 in read_bases /benchmark/project/binutils-2.42/binutils-2.42/binutils/./dwarf.c:3715:9
#3 0x527e68 in process_debug_info /benchmark/project/binutils-2.42/binutils-2.42/binutils/./dwarf.c:4243:8
#4 0x52459a in load_separate_debug_files /benchmark/project/binutils-2.42/binutils-2.42/binutils/./dwarf.c:12163:11
#5 0x4d59d8 in process_object /benchmark/project/binutils-2.42/binutils-2.42/binutils/./readelf.c:23153:27
#6 0x4d4eaf in process_archive /benchmark/project/binutils-2.42/binutils-2.42/binutils/./readelf.c:23490:10
#7 0x4cbdaa in process_file /benchmark/project/binutils-2.42/binutils-2.42/binutils/./readelf.c
#8 0x4cbdaa in main /benchmark/project/binutils-2.42/binutils-2.42/binutils/./readelf.c:23651:11
error: failed to decompress '.debug_aranges', zlib is not available
error: failed to decompress '.debug_info', zlib is not available
error: failed to decompress '.debug_abbrev', zlib is not available
error: failed to decompress '.debug_line', zlib is not available
error: failed to decompress '.debug_str', zlib is not available
error: failed to decompress '.debug_loc', zlib is not available
error: failed to decompress '.debug_ranges', zlib is not available
#9 0x7f6f6a344082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
#10 0x41c4ad in _start (/benchmark/project/binutils-2.42/binutils-2.42/binutils/readelf+0x41c4ad)
0x6080000000a4 is located 48 bytes to the right of 84-byte region [0x608000000020,0x608000000074)
allocated by thread T0 here:
#0 0x498ddd in malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
#1 0x4c923a in get_data /benchmark/project/binutils-2.42/binutils-2.42/binutils/./readelf.c:533:14
SUMMARY: AddressSanitizer: heap-buffer-overflow /src/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:386:5 in strnlen
Shadow bytes around the buggy address:
==221878==ABORTING
Analysis
- The skip_attribute function appears to cause an error when data points to an invalid pointer.
- This bug has been fixed by the following commit: https://github.com/bminor/binutils-gdb/commit/4b8c2aaf2d37c6f2a2d21e208d5473d2e4f13df9
- However, the error persists in the released version, making it a valid security vulnerability in distributions like Ubuntu.
- Version 2.42.90.20240720-2ubuntu1 has been patched and no longer causes the error. (The Oracular Oriole (active development))
- However, version 2.42-4ubuntu2 is still vulnerable. (The Noble Numbat (current stable release))
- https://launchpad.net/ubuntu/+source/binutils
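The fault shape behind the trace above (strnlen called from an attribute-skipping routine with a cursor already 48 bytes past the end of an 84-byte section buffer), as an added illustration that is not binutils' code and not the referenced commit: a bounded skip of a DWARF DW_FORM_string attribute that rejects a cursor at or beyond the end of the buffer before any read. The function names and sample buffers are constructed for this example.

```c
#include <stddef.h>
#include <string.h>

/* Illustrative reconstruction, not binutils' own code: skip a DWARF
   DW_FORM_string attribute (a NUL-terminated string) stored inside a
   section buffer [start, end).  Returns a pointer just past the NUL, or
   NULL when the attribute cannot be skipped within the buffer. */
const unsigned char *
skip_string_attr(const unsigned char *data, const unsigned char *end)
{
    /* The cursor may already have overshot the buffer if an earlier
       attribute was malformed.  Without this check, end - data is
       negative, converts to a huge size_t, and strnlen reads far past
       the heap allocation: the read the sanitizer report flags. */
    if (data == NULL || end == NULL || data >= end)
        return NULL;

    size_t avail = (size_t)(end - data);
    size_t len = strnlen((const char *)data, avail);
    if (len == avail)           /* no terminating NUL inside the buffer */
        return NULL;
    return data + len + 1;      /* step over the string and its NUL */
}

/* The three cases a parser must handle; each returns 1 on expected behaviour. */
int demo_well_formed(void)
{
    static const unsigned char sec[] = "main.c\0rest";   /* constructed sample */
    const unsigned char *end = sec + sizeof sec - 1;      /* drop the literal's own NUL */
    const unsigned char *p = skip_string_attr(sec, end);
    return p != NULL && (p - sec) == 7;                   /* "main.c" + NUL = 7 bytes */
}

int demo_unterminated(void)
{
    static const unsigned char sec[] = { 'a', 'b', 'c' };  /* constructed, no NUL */
    return skip_string_attr(sec, sec + sizeof sec) == NULL;
}

int demo_cursor_at_end(void)
{
    static const unsigned char sec[84] = { 0 };  /* same size as the report's region */
    const unsigned char *end = sec + sizeof sec;
    /* A cursor that has already reached the end must be rejected, not read. */
    return skip_string_attr(end, end) == NULL;
}
```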