https://sourceware.org/bugzilla/show_bug.cgi?id=32654
Bug ID: 32654
Summary: eu-readelf SEGV (head-buffer-overread) in process_symtab (src/readelf.c:2654)
Product: elfutils
Version: unspecified
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: tools
Assignee: unassigned at sourceware dot org
Reporter: swj22 at mails dot tsinghua.edu.cn
CC: elfutils-devel at sourceware dot org
Target Milestone: ---

Created attachment 15925
--> https://sourceware.org/bugzilla/attachment.cgi?id=15925&action=edit
poc

**Description**

A SEGV can occur in eu-readelf when using the -D and -a options with a specially crafted input file. This issue leads to a buffer overflow.

**Affected Version**

elfutils 0.192

**Steps to Reproduce**

Build elfutils 0.192 with AddressSanitizer (e.g., CFLAGS="-g -fsanitize=address" ./configure && make -j).

```
/mnt/data/optfuzz/benchmark/elfutils-0.192/bins/bin/eu-readelf -a -D /tmp/poc
ELF Header:
  Magic:   7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
  Class:                             ELF64
  Data:                              2's complement, little endian
  Ident Version:                     1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              ???
  Machine:                           SH
  Version:                           1 (current)
  Entry point address:               0xf100000000000000
  Start of program headers:          255 (bytes into file)
  Start of section headers:          1144 (bytes into file)
  Flags:
  Size of this header:               64 (bytes)
  Size of program header entries:    0 (bytes)
  Number of program headers entries: 10
  Size of section header entries:    29760 (bytes)
  Number of section headers entries: 25441
  Section header string table index: 11627

Section Headers:
[Nr] Name Type Addr Off Size ES Flags Lk Inf Al

Program Headers:
  Type                 Offset             VirtAddr           PhysAddr           FileSiz            MemSiz             Flg Align
  LOAD                 0x0001e7           0x0000000000000000 0x0000030000000000 0x6e75746d2d200001 0x6972656e65673d65     0x686372616d2d2063
  <unknown>: 909670461 0x4f2d20672d20672d 0x662d20334f2d2032 0x6c2d6c6c6f726e75 0x73662d2073706f6f 0x6f72702d6b636174 R E 0x732d726f74636574
  LOOS+242184820       0x2f637a772f656d6f 0x5f666c6564616572 0x2f666c655f4c4641 0x6c697474756e6962 0x7274735373690073 RWE 0x732d746f6e007069
  LOPROC+6910580       0x625528203a434347 0x342e352075746e75 0x01000d0efb010134 0x1000000010101     0x362d306f6e000100 RW  0x75746e756275
  <unknown>: 9         0x1100000000       0x0000000aff7fffff 0x000000a400000009 0x3032000400000001 0x1c0000003631         0x800000000000200
  NULL                 0x3930363000000000 0x0100100000000000 0x0000000000000000 0x000000           0xf100040000000100     0xff
  NULL                 0x000000           0x0000000000000000 0x0000000000000000 0x280000000000000  0x000000               0x0
  NULL                 0x3a900010000      0x0000000000000000 0x040000de00000000 0xf2ff000000000000 0x000000               0x600030000000000
  NULL                 0x000000           0x0700030000000000 0x0000000000000000 0x000000           0x900030000000000      0x0
  NULL                 0xa00030000000000  0x3930363000000000 0x0000000000000000 0x1100000000       0xaff7fffff            0xa400000009

    0: 0000000aff7fffff 704374636553 OBJECT  GLOBAL DEFAULT    UNDEF
    1: 00001c0000003631 576460752303424000 FILE    LOCAL  DEFAULT    <unknown>: 12338
    2: 3930363000000000 72075186223972352 NOTYPE  LOCAL  DEFAULT    UNDEF
/mnt/data/optfuzz/benchmark/elfutils-0.192/bins/bin/eu-readelf: bad dynamic symbol
    3: 0000000000000000 -1080859512522407680 NOTYPE  LOCAL  DEFAULT    UNDEF
    4: 0000000000000000      0 NOTYPE  LOCAL  DEFAULT    UNDEF
/mnt/data/optfuzz/benchmark/elfutils-0.192/bins/bin/eu-readelf: bad dynamic symbol
    5: 0000000000000000 180143985094819840 NOTYPE  LOCAL  DEFAULT    UNDEF
/mnt/data/optfuzz/benchmark/elfutils-0.192/bins/bin/eu-readelf: bad dynamic symbol
    6: 0000000000000000 216176080648667136 NOTYPE  LOCAL  DEFAULT    UNDEF
/mnt/data/optfuzz/benchmark/elfutils-0.192/bins/bin/eu-readelf: bad dynamic symbol
=================================================================
==1470162==ERROR: AddressSanitizer: unknown-crash on address 0x7f798c42e1e7 at pc 0x7f798f44cdcb bp 0x7ffe7c9ad050 sp 0x7ffe7c9ac7c8
READ of size 1 at 0x7f798c42e1e7 thread T0
    #0 0x7f798f44cdca in printf_common ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors_format.inc:546
    #1 0x7f798f44ddec in __interceptor_vprintf ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1600
    #2 0x7f798f44dee6 in __interceptor_printf ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1658
    #3 0x55ac52999d2b in process_symtab /mnt/data/optfuzz/benchmark/elfutils-0.192/src/readelf.c:2654
    #4 0x55ac5299cd92 in handle_dynamic_symtab /mnt/data/optfuzz/benchmark/elfutils-0.192/src/readelf.c:3062
    #5 0x55ac52999104 in print_symtab /mnt/data/optfuzz/benchmark/elfutils-0.192/src/readelf.c:2582
    #6 0x55ac5298df39 in process_elf_file /mnt/data/optfuzz/benchmark/elfutils-0.192/src/readelf.c:1064
    #7 0x55ac5298cb5b in process_dwflmod /mnt/data/optfuzz/benchmark/elfutils-0.192/src/readelf.c:840
    #8 0x7f798ff51708 in dwfl_getmodules /mnt/data/optfuzz/benchmark/elfutils-0.192/libdwfl/dwfl_getmodules.c:86
    #9 0x55ac5298d5b9 in process_file /mnt/data/optfuzz/benchmark/elfutils-0.192/src/readelf.c:948
    #10 0x55ac5298b1e6 in main /mnt/data/optfuzz/benchmark/elfutils-0.192/src/readelf.c:417
    #11 0x7f798f1c6082 in __libc_start_main ../csu/libc-start.c:308
    #12 0x55ac52988b2d in _start (/mnt/data/optfuzz/benchmark/elfutils-0.192/bins/bin/eu-readelf+0x6bb2d)

Address 0x7f798c42e1e7 is a wild pointer.
SUMMARY: AddressSanitizer: unknown-crash ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors_format.inc:546 in printf_common
Shadow bytes around the buggy address:
  0x0fefb187dbe0: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fefb187dbf0: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fefb187dc00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fefb187dc10: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fefb187dc20: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
=>0x0fefb187dc30: fe fe fe fe fe fe fe fe fe fe fe fe[fe]fe fe fe
  0x0fefb187dc40: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fefb187dc50: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fefb187dc60: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fefb187dc70: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fefb187dc80: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1470162==ABORTING
```

**Env**

```
Distributor ID: Ubuntu
Description:    Ubuntu 20.04.6 LTS
Release:        20.04
Codename:       focal
```

--
You are receiving this mail because:
You are on the CC list for the bug.