https://sourceware.org/bugzilla/show_bug.cgi?id=34385

            Bug ID: 34385
           Summary: OOB read in __libdw_cu_ranges_base() with truncated
                    .debug_rnglists
           Product: elfutils
           Version: unspecified
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: libdw
          Assignee: unassigned at sourceware dot org
          Reporter: karankurani3k at gmail dot com
                CC: elfutils-devel at sourceware dot org
  Target Milestone: ---

Created attachment 16832
  --> https://sourceware.org/bugzilla/attachment.cgi?id=16832&action=edit
ASan trace and standalone reproducer for __libdw_cu_ranges_base OOB read

OOB read in libdwP.h __libdw_cu_ranges_base() (HEAD commit
6f8f78ce4a1b56f96f2db531cc2c9eddb5be1fc3)

The .debug_rnglists fallback parsing in __libdw_cu_ranges_base() reads the
4-byte unit_length field before checking that the section contains at least
4 bytes.

The issue is reachable when a DWARF5 CU uses DW_FORM_rnglistx, omits
DW_AT_rnglists_base, and a .debug_rnglists section is present but truncated.

Relevant read:

  uint64_t unit_length = read_4ubyte_unaligned_inc (dbg, readp);

The first later guard checks the buffer only after this read:

  if (readp > dataend - 8

So a .debug_rnglists section shorter than 4 bytes can trigger an OOB read.

Minimal trigger:

  .debug_rnglists size = 1 byte
  DWARF5 CU with DW_AT_ranges encoded as DW_FORM_rnglistx
  no DW_AT_rnglists_base

The attached reproducer creates a minimal ELF64 object with .debug_abbrev,
.debug_info, .shstrtab, and a final 1-byte .debug_rnglists section. The
harness loads the ELF through elf_memory() using an exact malloc-backed buffer,
finds the CU DIE, and calls dwarf_ranges().

ASan confirms the OOB read:

  ERROR: AddressSanitizer: heap-buffer-overflow
  READ of size 4
      #0 __libdw_cu_ranges_base libdw/libdwP.h:1376
      #1 initial_offset libdw/dwarf_ranges.c:420
      #2 dwarf_ranges libdw/dwarf_ranges.c:526
      #3 main rnglists_harness.c:53

ASan reports the read reaches past the malloc-backed ELF buffer:

  0x5150000004cc is located 0 bytes after 460-byte region
  [0x515000000300,0x5150000004cc)

CWE-125 (Out-of-bounds Read)
Impact: crash/DoS from crafted DWARF5 .debug_rnglists data

Suggested fix: check that .debug_rnglists has at least 4 bytes before
calling read_4ubyte_unaligned_inc() in __libdw_cu_ranges_base().

Discoverer: Karan Kurani

-- 
You are receiving this mail because:
You are on the CC list for the bug.

Reply via email to