https://sourceware.org/bugzilla/show_bug.cgi?id=27076
Bug ID: 27076
Summary: heap-buffer-overflow when calling file_read_elf function in elf_begin.c in libelf
Product: elfutils
Version: unspecified
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: libelf
Assignee: unassigned at sourceware dot org
Reporter: 2060271023 at email dot szu.edu.cn
CC: elfutils-devel at sourceware dot org
Target Milestone: ---

Created attachment 13055 --> https://sourceware.org/bugzilla/attachment.cgi?id=13055&action=edit
the crafted input causing heap-buffer-overflow

Hi,

A heap-buffer-overflow problem was discovered in the function file_read_elf in elf_begin.c in libelf, as distributed in elfutils-0.182. A crafted input can cause segmentation faults and I have confirmed them with AddressSanitizer too. Here are the POC files. Please use "./eu-stack --core=$POS -abdilmsv" to reproduce the error.

$ git log
> commit 609290a61d4f900c65b7e0e273981022a826e4c0 (HEAD -> master, origin/master, origin/HEAD)
> Author: Mark Wielaard <m...@klomp.org>
> Date:   Sun Nov 29 01:57:53 2020 +0100
>
>     libdwfl: Use 64bit GElf_Addr instead of size_t to calculate address.
>
>     size_t is too small on 32 bit systems to analyze a 64 bit core file.
>
>     Signed-off-by: Mark Wielaard <m...@klomp.org>

The ASAN dumps the stack trace as follows:

> =================================================================
> ==5661==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6060000000b0 at pc 0x7f3dda845483 bp 0x7ffcfffb4ad0 sp 0x7ffcfffb4ac0
> READ of size 2 at 0x6060000000b0 thread T0
>     #0 0x7f3dda845482 in file_read_elf /elfutils/libelf/elf_begin.c:453
>     #1 0x7f3dda845482 in __libelf_read_mmaped_file /elfutils/libelf/elf_begin.c:552
>     #2 0x7f3dda54f44f in dwfl_segment_report_module /elfutils/libdwfl/dwfl_segment_report_module.c:955
>     #3 0x7f3dda567165 in dwfl_core_file_report /elfutils/libdwfl/core-file.c:558
>     #4 0x5584957f0f15 in parse_opt /elfutils/src/stack.c:595
>     #5 0x7f3dd9fe0d4a in argp_parse (/lib/x86_64-linux-gnu/libc.so.6+0x12fd4a)
>     #6 0x5584957f01f4 in main /elfutils/src/stack.c:695
>     #7 0x7f3dd9ed2bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
>     #8 0x5584957f0bc9 in _start (/elfutils/build/bin/eu-stack+0x5bc9)
>
> 0x6060000000b1 is located 0 bytes to the right of 49-byte region [0x606000000080,0x6060000000b1)
> allocated by thread T0 here:
>     #0 0x7f3ddabc9d28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28)
>     #1 0x7f3dda54f1a6 in dwfl_segment_report_module /elfutils/libdwfl/dwfl_segment_report_module.c:907
>     #2 0x7f3dda567165 in dwfl_core_file_report /elfutils/libdwfl/core-file.c:558
>     #3 0x5584957f0f15 in parse_opt /elfutils/src/stack.c:595
>     #4 0x7f3dd9fe0d4a in argp_parse (/lib/x86_64-linux-gnu/libc.so.6+0x12fd4a)
>     #5 0x5584957f01f4 in main /elfutils/src/stack.c:695
>     #6 0x7f3dd9ed2bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
>
> SUMMARY: AddressSanitizer: heap-buffer-overflow /elfutils/libelf/elf_begin.c:453 in file_read_elf
> Shadow bytes around the buggy address:
>   0x0c0c7fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c0c7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c0c7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c0c7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c0c7fff8000: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
> =>0x0c0c7fff8010: 00 00 00 00 00 00[01]fa fa fa fa fa fa fa fa fa
>   0x0c0c7fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c0c7fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c0c7fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c0c7fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c0c7fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07
>   Heap left redzone:       fa
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Container overflow:      fc
>   Array cookie:            ac
>   Intra object redzone:    bb
>   ASan internal:           fe
>   Left alloca redzone:     ca
>   Right alloca redzone:    cb
> ==5661==ABORTING
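The trace above shows a 2-byte read landing at offset 48 of a 49-byte heap buffer that holds an ELF header copied out of the core file. As an added illustration that is not elfutils code, the following assumes that 2-byte field is e_shnum of an ELF32 header (offset 48 in Elf32_Ehdr, 60 in Elf64_Ehdr) and shows the length check a header parser needs so that a truncated header is rejected instead of being read past its end; the sample header is constructed here.

```c
#include <string.h>

/* Field offsets and sizes from the ELF specification. */
#define EI_NIDENT     16
#define EI_CLASS       4
#define EI_DATA        5
#define ELFCLASS32     1
#define ELFCLASS64     2
#define ELFDATA2MSB    2
#define EHDR32_SIZE   52   /* sizeof (Elf32_Ehdr) */
#define EHDR64_SIZE   64   /* sizeof (Elf64_Ehdr) */
#define SHNUM_OFF32   48   /* offsetof (Elf32_Ehdr, e_shnum) */
#define SHNUM_OFF64   60   /* offsetof (Elf64_Ehdr, e_shnum) */

/* Read e_shnum from an ELF header that may be truncated.  Returns the
   value, or -1 when buf is not an ELF header or len is shorter than the
   whole header, so no byte at or beyond len is ever touched. */
int elf_shnum_checked(const unsigned char *buf, size_t len)
{
    if (len < EI_NIDENT || memcmp(buf, "\x7f" "ELF", 4) != 0)
        return -1;
    size_t need, off;
    switch (buf[EI_CLASS]) {
    case ELFCLASS32: need = EHDR32_SIZE; off = SHNUM_OFF32; break;
    case ELFCLASS64: need = EHDR64_SIZE; off = SHNUM_OFF64; break;
    default:         return -1;
    }
    if (len < need)        /* the length check that makes the read safe */
        return -1;
    unsigned b0 = buf[off], b1 = buf[off + 1];
    if (buf[EI_DATA] == ELFDATA2MSB)   /* honour the file's byte order */
        return (int)((b0 << 8) | b1);
    return (int)((b1 << 8) | b0);
}

/* Constructed sample: little-endian ELF32 header with e_shnum = 3 at offset 48. */
static const unsigned char sample[EHDR32_SIZE] = {
    0x7f, 'E', 'L', 'F', ELFCLASS32, 1 /* ELFDATA2LSB */, 1, 0,
    [SHNUM_OFF32] = 3 };

int demo_full(void)      { return elf_shnum_checked(sample, EHDR32_SIZE); } /* 3 */
int demo_truncated(void) { return elf_shnum_checked(sample, 49); }          /* -1 */
```

With only 49 of the 52 header bytes available, the checked reader returns an error rather than reading the 2 bytes at offset 48, which is the access the report's ASan trace flags.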