https://sourceware.org/bugzilla/show_bug.cgi?id=34383

            Bug ID: 34383
           Summary: OOB read in str_offsets_base_off() with truncated
                    .debug_str_offsets
           Product: elfutils
           Version: unspecified
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: libdw
          Assignee: unassigned at sourceware dot org
          Reporter: karankurani3k at gmail dot com
                CC: elfutils-devel at sourceware dot org
  Target Milestone: ---

Created attachment 16831
  --> https://sourceware.org/bugzilla/attachment.cgi?id=16831&action=edit
ASan trace and standalone reproducer for str_offsets_base_off OOB read

OOB read in libdwP.h str_offsets_base_off() (HEAD commit
77156c031116e7759783ced4fe61b99e72a35a5e)

The .debug_str_offsets fallback parsing in str_offsets_base_off() reads the
4-byte unit_length field before checking that the section contains at least
4 bytes.

The issue is reachable when a DWARF5 CU uses DW_FORM_strx, omits
DW_AT_str_offsets_base, and a .debug_str_offsets section is present but
truncated.

Relevant read:

  unit_length = read_4ubyte_unaligned_inc (dbg, readp);

The later section-size validation happens after this read, so a
.debug_str_offsets section shorter than 4 bytes can trigger an OOB read.

Minimal trigger:

  .debug_str_offsets size = 1 byte
  DWARF5 CU with DW_AT_name encoded as DW_FORM_strx
  no DW_AT_str_offsets_base

The attached reproducer creates a minimal ELF64 object with .debug_abbrev,
.debug_info, .debug_str, and a final 1-byte .debug_str_offsets section. The
harness loads the ELF through elf_memory() using an exact malloc-backed buffer,
finds the CU DIE, fetches DW_AT_name, and calls dwarf_formstring().

ASan confirms the OOB read:

  ERROR: AddressSanitizer: heap-buffer-overflow
  READ of size 4
      #0 read_4ubyte_unaligned_1 libdw/memory-access.h:291
      #1 str_offsets_base_off libdw/libdwP.h:1285
      #2 __libdw_cu_str_off_base libdw/libdwP.h:1326
      #3 dwarf_formstring libdw/dwarf_formstring.c:141

ASan reports the read reaches past the malloc-backed ELF buffer:

  0x51600000029f is located 0 bytes after 543-byte region
  [0x516000000080,0x51600000029f)

CWE-125 (Out-of-bounds Read)
Impact: crash/DoS from crafted DWARF5 .debug_str_offsets data

Suggested fix: check that .debug_str_offsets has at least 4 bytes before
calling read_4ubyte_unaligned_inc() in str_offsets_base_off().

Discoverer: Karan Kurani

-- 
You are receiving this mail because:
You are on the CC list for the bug.

Reply via email to