https://sourceware.org/bugzilla/show_bug.cgi?id=34383
Bug ID: 34383
Summary: OOB read in str_offsets_base_off() with truncated
.debug_str_offsets
Product: elfutils
Version: unspecified
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: libdw
Assignee: unassigned at sourceware dot org
Reporter: karankurani3k at gmail dot com
CC: elfutils-devel at sourceware dot org
Target Milestone: ---
Created attachment 16831
--> https://sourceware.org/bugzilla/attachment.cgi?id=16831&action=edit
ASan trace and standalone reproducer for str_offsets_base_off OOB read
OOB read in libdwP.h str_offsets_base_off() (HEAD commit
77156c031116e7759783ced4fe61b99e72a35a5e)
The .debug_str_offsets fallback parsing in str_offsets_base_off() reads the
4-byte unit_length field before checking that the section contains at least
4 bytes.
The issue is reachable when a DWARF5 CU uses DW_FORM_strx, omits
DW_AT_str_offsets_base, and a .debug_str_offsets section is present but
truncated.
Relevant read:
unit_length = read_4ubyte_unaligned_inc (dbg, readp);
The later section-size validation happens after this read, so a
.debug_str_offsets section shorter than 4 bytes can trigger an OOB read.
Minimal trigger:
.debug_str_offsets size = 1 byte
DWARF5 CU with DW_AT_name encoded as DW_FORM_strx
no DW_AT_str_offsets_base
The attached reproducer creates a minimal ELF64 object with .debug_abbrev,
.debug_info, .debug_str, and a final 1-byte .debug_str_offsets section. The
harness loads the ELF through elf_memory() using an exact malloc-backed buffer,
finds the CU DIE, fetches DW_AT_name, and calls dwarf_formstring().
ASan confirms the OOB read:
ERROR: AddressSanitizer: heap-buffer-overflow
READ of size 4
#0 read_4ubyte_unaligned_1 libdw/memory-access.h:291
#1 str_offsets_base_off libdw/libdwP.h:1285
#2 __libdw_cu_str_off_base libdw/libdwP.h:1326
#3 dwarf_formstring libdw/dwarf_formstring.c:141
ASan reports the read reaches past the malloc-backed ELF buffer:
0x51600000029f is located 0 bytes after 543-byte region
[0x516000000080,0x51600000029f)
CWE-125 (Out-of-bounds Read)
Impact: crash/DoS from crafted DWARF5 .debug_str_offsets data
Suggested fix: check that .debug_str_offsets has at least 4 bytes before
calling read_4ubyte_unaligned_inc() in str_offsets_base_off().
Discoverer: Karan Kurani
--
You are receiving this mail because:
You are on the CC list for the bug.