https://sourceware.org/bugzilla/show_bug.cgi?id=34386

            Bug ID: 34386
           Summary: OOB read in __libdw_cu_locs_base() with truncated
                    .debug_loclists
           Product: elfutils
           Version: unspecified
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: libdw
          Assignee: unassigned at sourceware dot org
          Reporter: karankurani3k at gmail dot com
                CC: elfutils-devel at sourceware dot org
  Target Milestone: ---

Created attachment 16833
  --> https://sourceware.org/bugzilla/attachment.cgi?id=16833&action=edit
ASan trace and standalone reproducer for __libdw_cu_locs_base OOB read

OOB read in libdwP.h __libdw_cu_locs_base() (HEAD commit
6f8f78ce4a1b56f96f2db531cc2c9eddb5be1fc3)

The .debug_loclists fallback parsing in __libdw_cu_locs_base() reads the
4-byte unit_length field before checking that the section contains at least
4 bytes.

The issue is reachable when a DWARF5 CU uses DW_FORM_loclistx, omits
DW_AT_loclists_base, and a .debug_loclists section is present but truncated.

Relevant read:

  uint64_t unit_length = read_4ubyte_unaligned_inc (dbg, readp);

The first later guard checks the buffer only after this read:

  if (readp > dataend - 8

So a .debug_loclists section shorter than 4 bytes can trigger an OOB read.

Minimal trigger:

  .debug_loclists size = 1 byte
  DWARF5 CU with DW_AT_location encoded as DW_FORM_loclistx
  no DW_AT_loclists_base

The attached reproducer creates a minimal ELF64 object with .debug_abbrev,
.debug_info, .shstrtab, and a final 1-byte .debug_loclists section. The
harness loads the ELF through elf_memory() using an exact malloc-backed buffer,
finds the CU DIE, fetches DW_AT_location, and calls dwarf_getlocation_addr().

ASan confirms the OOB read:

  ERROR: AddressSanitizer: heap-buffer-overflow
  READ of size 4
      #0 __libdw_cu_locs_base libdw/libdwP.h:1459
      #1 initial_offset libdw/dwarf_getlocation.c:788
      #2 dwarf_getlocation_addr libdw/dwarf_getlocation.c:956
      #3 main loclists_harness.c:59

ASan reports the read reaches past the malloc-backed ELF buffer:

  0x5150000004cc is located 0 bytes after 460-byte region
  [0x515000000300,0x5150000004cc)

CWE-125 (Out-of-bounds Read)
Impact: crash/DoS from crafted DWARF5 .debug_loclists data

Suggested fix: check that .debug_loclists has at least 4 bytes before
calling read_4ubyte_unaligned_inc() in __libdw_cu_locs_base().

Discoverer: Karan Kurani

-- 
You are receiving this mail because:
You are on the CC list for the bug.

Reply via email to