[Bug debug/107416] New: A heap buffer overflow was fould in find_section_in_set() of binutils-2.39 (commit 49c843e6)

Wed, 26 Oct 2022 07:33:51 -0700 

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107416

            Bug ID: 107416
           Summary: A heap buffer overflow was fould in
                    find_section_in_set() of binutils-2.39 (commit
                    49c843e6)
           Product: gcc
           Version: unknown
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: debug
          Assignee: unassigned at gcc dot gnu.org
          Reporter: bjchan9an at foxmail dot com
  Target Milestone: ---

Created attachment 53777
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=53777&action=edit
readelf poc file

Hi

There is a heap buffer overflow bug in binutils-2.39 (commit 49c843e6). 

The bug is triggered in find_section_in_set() at binutils/readelf.c:970 when
parsing the debug sections of a malformed ELF file.

The bug is caused by improper checks of the array boundary when iterating
through the array "section_subset" of ELF debug section.

To reproduce this bug, use:

1. compile binutils-2.39 with clang-6.0 and address sanitizer:
```sh
./configure --disable-shared --disable-gdb --disable-werror
make
```

2. use readelf to process the PoC file (see attachment):
```sh
readelf -w ./PoC
```

The address sanitizer reports are as follows.

readelf: Error: Internal error: out of space in the shndx pool.
readelf: Error: Internal error: out of space in the shndx pool.
readelf: Error: Internal error: out of space in the shndx pool.
readelf: Error: Internal error: out of space in the shndx pool.
readelf: Error: Internal error: out of space in the shndx pool.
readelf: Error: Internal error: out of space in the shndx pool.
Contents of the .debug_names section:

readelf: Warning: Debug info is corrupted, .debug_names header at 0 has length
0x4c457f
Contents of the .debug_names section:

=================================================================
==29074==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x61a000000bd8 at pc 0x0000005143de bp 0x7fffffffd6c0 sp 0x7fffffffd6b8
READ of size 4 at 0x61a000000bd8 thread T0
    #0 0x5143dd in find_section_in_set
/binutils-gdb/obj-asan/binutils/../../binutils/readelf.c:970:19
    #1 0x5130b6 in load_debug_section
/binutils-gdb/obj-asan/binutils/../../binutils/readelf.c:16160:9
    #2 0x612472 in load_debug_section_with_follow
/binutils-gdb/obj-asan/binutils/../../binutils/dwarf.c:3453:7
    #3 0x606ce0 in display_debug_names
/binutils-gdb/obj-asan/binutils/../../binutils/dwarf.c:10002:3
    #4 0x558c9b in display_debug_section
/binutils-gdb/obj-asan/binutils/../../binutils/readelf.c:16258:18
    #5 0x558c9b in process_section_contents
/binutils-gdb/obj-asan/binutils/../../binutils/readelf.c:16354
    #6 0x52ae91 in process_object
/binutils-gdb/obj-asan/binutils/../../binutils/readelf.c:22372:9
    #7 0x517f9e in process_file
/binutils-gdb/obj-asan/binutils/../../binutils/readelf.c:22795:13
    #8 0x517f9e in main
/binutils-gdb/obj-asan/binutils/../../binutils/readelf.c:22866
    #9 0x7ffff6e22c86 in __libc_start_main
/build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    #10 0x41a909 in _start (/binutils-gdb/obj-asan/binutils/readelf+0x41a909)

0x61a000000bd8 is located 0 bytes to the right of 1368-byte region
[0x61a000000680,0x61a000000bd8)
allocated by thread T0 here:
    #0 0x4dac40 in realloc (/binutils-gdb/obj-asan/binutils/readelf+0x4dac40)
    #1 0x74eeed in xrealloc
/binutils-gdb/obj-asan/libiberty/../../libiberty/xmalloc.c:181:14

SUMMARY: AddressSanitizer: heap-buffer-overflow
/binutils-gdb/obj-asan/binutils/../../binutils/readelf.c:970:19 in
find_section_in_set
Shadow bytes around the buggy address:
  0x0c347fff8120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff8130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff8140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff8150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff8160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c347fff8170: 00 00 00 00 00 00 00 00 00 00 00[fa]fa fa fa fa
  0x0c347fff8180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fff8190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fff81a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fff81b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fff81c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb

Found by SyntaxAFL.

Reply via email to