[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Bug binutils/24837] New: readelf: heap buffer overflow
From: |
rmirzazadeh at gmail dot com |
Subject: |
[Bug binutils/24837] New: readelf: heap buffer overflow |
Date: |
Mon, 22 Jul 2019 21:37:51 +0000 |
https://sourceware.org/bugzilla/show_bug.cgi?id=24837
Bug ID: 24837
Summary: readelf: heap buffer overflow
Product: binutils
Version: 2.32
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: rmirzazadeh at gmail dot com
Target Milestone: ---
Created attachment 11917
--> https://sourceware.org/bugzilla/attachment.cgi?id=11917&action=edit
readelf-heapoverflow-poc
I encountered a heap buffer overflow in `readelf` during my fuzz testing.
(GNU readelf (GNU Binutils) 2.32.51.20190722)
To reproduce ( I assumed the binary is compiled with ASan)
./readelf -A PoC
Here is the ASan output:
readelf: Warning: Section 1 has an out of range sh_link value of 12
readelf: Warning: Section 2 has an out of range sh_link value of 12
readelf: Warning: Section 3 has an out of range sh_link value of 23
readelf: Error: Section 1 has invalid sh_entsize of 0000000000000004
readelf: Error: (Using the expected size of 16 for the rest of this dump)
readelf: Error: Reading 116 bytes extends past end of file for symbols
readelf: Error: no .dynamic section in the dynamic segment
readelf: Warning: Virtual address 0x6f not located in any PT_LOAD segment.
Section '^�ELF<80> ^A' contains 1 entry:
=================================================================
==20157==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x602000000140 at pc 0x00000060b187 bp 0x7ffdbbacb4e0 sp 0x7ffdbbacb4d8
READ of size 1 at 0x602000000140 thread T0
#0 0x60b186 (/tmp/binutils-gdb/binutils/readelf+0x60b186)
#1 0x5a5e7c (/tmp/binutils-gdb/binutils/readelf+0x5a5e7c)
#2 0x54c877 (/tmp/binutils-gdb/binutils/readelf+0x54c877)
#3 0x52c12e (/tmp/binutils-gdb/binutils/readelf+0x52c12e)
#4 0x51b0c7 (/tmp/binutils-gdb/binutils/readelf+0x51b0c7)
#5 0x5198cf (/tmp/binutils-gdb/binutils/readelf+0x5198cf)
#6 0x7fadfc83782f (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#7 0x41a828 (/tmp/binutils-gdb/binutils/readelf+0x41a828)
0x602000000140 is located 0 bytes to the right of 16-byte region
[0x602000000130,0x602000000140)
allocated by thread T0 here:
#0 0x4dea58 (/tmp/binutils-gdb/binutils/readelf+0x4dea58)
#1 0x65bc07 (/tmp/binutils-gdb/binutils/readelf+0x65bc07)
#2 0x5b5299 (/tmp/binutils-gdb/binutils/readelf+0x5b5299)
#3 0x5a5032 (/tmp/binutils-gdb/binutils/readelf+0x5a5032)
#4 0x54c877 (/tmp/binutils-gdb/binutils/readelf+0x54c877)
#5 0x52c12e (/tmp/binutils-gdb/binutils/readelf+0x52c12e)
#6 0x51b0c7 (/tmp/binutils-gdb/binutils/readelf+0x51b0c7)
#7 0x5198cf (/tmp/binutils-gdb/binutils/readelf+0x5198cf)
#8 0x7fadfc83782f (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
SUMMARY: AddressSanitizer: heap-buffer-overflow
(/tmp/binutils-gdb/binutils/readelf+0x60b186)
Shadow bytes around the buggy address:
0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff8000: fa fa fd fa fa fa 00 04 fa fa 00 04 fa fa 00 04
0x0c047fff8010: fa fa 00 01 fa fa fd fa fa fa fd fd fa fa 00 00
=>0x0c047fff8020: fa fa 00 01 fa fa 00 00[fa]fa fa fa fa fa fa fa
0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==20157==ABORTING
--
You are receiving this mail because:
You are on the CC list for the bug.
- [Bug binutils/24837] New: readelf: heap buffer overflow,
rmirzazadeh at gmail dot com <=