https://sourceware.org/bugzilla/show_bug.cgi?id=33099
Bug ID: 33099
Summary: heap overflow in print_dwarf_addr
Product: elfutils
Version: unspecified
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: libelf
Assignee: unassigned at sourceware dot org
Reporter: ZeroTrac3r at outlook dot com
CC: elfutils-devel at sourceware dot org
Target Milestone: ---
Created attachment 16142
--> https://sourceware.org/bugzilla/attachment.cgi?id=16142&action=edit
poc
There is a heap overflow vulnerability in print_dwarf_addr.
# reproduce
export ASAN_OPTIONS=detect_leaks=0
export CFLAGS='-g -fsanitize=address'
export CXXFLAGS='-g -fsanitize=address'
export LDFLAGS='-g -fsanitize=address'
git clone git://sourceware.org/git/elfutils.git
cd elfutils
mkdir install
autoreconf --install
automake --add-missing
./configure --enable-maintainer-mode --prefix=`realpath ./install`
--disable-shared
make install
cd src
export LD_LIBRARY_PATH=`realpath ../install/lib`
./readelf -a /tmp/crash_poc
# result
```
==175347==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x50b000000625 at pc 0x7696e4ca1a6a bp 0x7ffc9a40cc80 sp 0x7ffc9a40c3f8
READ of size 24 at 0x50b000000625 thread T0
#0 0x7696e4ca1a69 in printf_common
../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors_format.inc:563
#1 0x7696e4cce33b in vprintf
../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1644
#2 0x7696e4cd0180 in printf
../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1702
#3 0x635c1b30f257 in print_dwarf_addr
/reproduce/elfutils/src/readelf.c:4295
#4 0x635c1b301fb1 in handle_relocs_relr
/reproduce/elfutils/src/readelf.c:2527
#5 0x635c1b2fe496 in print_relocs /reproduce/elfutils/src/readelf.c:2077
#6 0x635c1b2f6fb7 in process_elf_file
/reproduce/elfutils/src/readelf.c:1060
#7 0x635c1b2f5c1c in process_dwflmod /reproduce/elfutils/src/readelf.c:840
#8 0x7696e495cb57 in dwfl_getmodules
/reproduce/elfutils/libdwfl/dwfl_getmodules.c:86
#9 0x635c1b2f6675 in process_file /reproduce/elfutils/src/readelf.c:948
#10 0x635c1b2f4217 in main /reproduce/elfutils/src/readelf.c:417
#11 0x7696e442a1c9 in __libc_start_call_main
../sysdeps/nptl/libc_start_call_main.h:58
#12 0x7696e442a28a in __libc_start_main_impl ../csu/libc-start.c:360
#13 0x635c1b2f1b24 in _start (/reproduce/elfutils/src/readelf+0x6cb24)
(BuildId: 011a0a61bf1bcafb77c221afb5fa4098d53c67e2)
0x50b000000625 is located 0 bytes after 101-byte region
[0x50b0000005c0,0x50b000000625)
allocated by thread T0 here:
#0 0x7696e4cfd9c7 in malloc
../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x7696e4bcc8fb in elf_getdata_rawchunk
/reproduce/elfutils/libelf/elf_getdata_rawchunk.c:188
#2 0x7696e49628fe in translate_offs
/reproduce/elfutils/libdwfl/dwfl_module_getdwarf.c:805
#3 0x7696e49632b9 in find_dynsym
/reproduce/elfutils/libdwfl/dwfl_module_getdwarf.c:893
#4 0x7696e4965978 in find_symtab
/reproduce/elfutils/libdwfl/dwfl_module_getdwarf.c:1226
#5 0x7696e49671e3 in dwfl_module_getsymtab
/reproduce/elfutils/libdwfl/dwfl_module_getdwarf.c:1477
#6 0x7696e4981762 in __libdwfl_addrsym
/reproduce/elfutils/libdwfl/dwfl_module_addrsym.c:248
#7 0x7696e498219b in dwfl_module_addrinfo
/reproduce/elfutils/libdwfl/dwfl_module_addrsym.c:332
#8 0x635c1b30efea in print_dwarf_addr
/reproduce/elfutils/src/readelf.c:4263
#9 0x635c1b301fb1 in handle_relocs_relr
/reproduce/elfutils/src/readelf.c:2527
#10 0x635c1b2fe496 in print_relocs /reproduce/elfutils/src/readelf.c:2077
#11 0x635c1b2f6fb7 in process_elf_file
/reproduce/elfutils/src/readelf.c:1060
#12 0x635c1b2f5c1c in process_dwflmod /reproduce/elfutils/src/readelf.c:840
#13 0x7696e495cb57 in dwfl_getmodules
/reproduce/elfutils/libdwfl/dwfl_getmodules.c:86
#14 0x635c1b2f6675 in process_file /reproduce/elfutils/src/readelf.c:948
#15 0x635c1b2f4217 in main /reproduce/elfutils/src/readelf.c:417
#16 0x7696e442a1c9 in __libc_start_call_main
../sysdeps/nptl/libc_start_call_main.h:58
#17 0x7696e442a28a in __libc_start_main_impl ../csu/libc-start.c:360
#18 0x635c1b2f1b24 in _start (/reproduce/elfutils/src/readelf+0x6cb24)
(BuildId: 011a0a61bf1bcafb77c221afb5fa4098d53c67e2)
SUMMARY: AddressSanitizer: heap-buffer-overflow
../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors_format.inc:563
in printf_common
Shadow bytes around the buggy address:
0x50b000000380: fa fa fa fa fa fa 00 00 00 00 00 00 00 00 00 00
0x50b000000400: 00 00 00 fa fa fa fa fa fa fa fa fa 00 00 00 00
0x50b000000480: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa
0x50b000000500: fa fa 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
0x50b000000580: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
=>0x50b000000600: 00 00 00 00[05]fa fa fa fa fa fa fa fa fa fa fa
0x50b000000680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x50b000000700: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x50b000000780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x50b000000800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x50b000000880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==175347==ABORTING
```
--
You are receiving this mail because:
You are on the CC list for the bug.
