[Bug binutils/21138] New: readelf segfault - multiple buffer overflow in

bug-binutils

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Bug binutils/21138] New: readelf segfault - multiple buffer overflow in

From:	thuanpv at comp dot nus.edu.sg
Subject:	[Bug binutils/21138] New: readelf segfault - multiple buffer overflow in elfcomm.c
Date:	Mon, 13 Feb 2017 09:20:39 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=21138

            Bug ID: 21138
           Summary: readelf segfault - multiple buffer overflow in
                    elfcomm.c
           Product: binutils
           Version: 2.29 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: thuanpv at comp dot nus.edu.sg
  Target Milestone: ---

Created attachment 9805
  --> https://sourceware.org/bugzilla/attachment.cgi?id=9805&action=edit
Crashing input

Dear all,

This bug was found with AFLGo, a directed version of AFL/AFLFast. Thanks also
to Marcel Böhme. 

This bug was found on Ubuntu 14.04 64-bit & binutils was checkout from main
repository at git://sourceware.org/git/binutils-gdb.git. Its commit is
53f7e8ea7fad1fcff1b58f4cbd74e192e0bcbc1d (Fri Feb 10 00:00:16 2017) 

binutils was built with ASAN using gcc-6.2 and clang-3.4. The configure command
was:

CC=clang CFLAGS="-DFORTIFY_SOURCE=2 -fstack-protector-all
-fsanitize=undefined,address -fno-omit-frame-pointer -g -Wno-error"
../configure --disable-shared --disable-gdb --disable-libdecnumber
--disable-readline --disable-sim

To reproduce:
Download the attached file - bug_4
readelf -R6 bug_4
Valgrind says:
Hex dump of section '.debug_info':
==34395== Invalid write of size 1
==34395==    at 0x438C87: byte_put_little_endian (elfcomm.c:75)
==34395==    by 0x408B97: target_specific_reloc_handling (readelf.c:11640)
==34395==    by 0x408B97: apply_relocations (readelf.c:12343)
==34395==    by 0x40EAC6: dump_section_as_bytes (readelf.c:12744)
==34395==    by 0x42334D: process_section_contents (readelf.c:13085)
==34395==    by 0x42334D: process_object (readelf.c:16780)
==34395==    by 0x402111: process_file (readelf.c:17154)
==34395==    by 0x402111: main (readelf.c:17225)
==34395==  Address 0x53e3926 is 1,963,078 bytes inside an unallocated block of
size 4,160,256 in arena "client"
==34395== 
==34395== Invalid write of size 1
==34395==    at 0x438C91: byte_put_little_endian (elfcomm.c:78)
==34395==    by 0x408B97: target_specific_reloc_handling (readelf.c:11640)
==34395==    by 0x408B97: apply_relocations (readelf.c:12343)
==34395==    by 0x40EAC6: dump_section_as_bytes (readelf.c:12744)
==34395==    by 0x42334D: process_section_contents (readelf.c:13085)
==34395==    by 0x42334D: process_object (readelf.c:16780)
==34395==    by 0x402111: process_file (readelf.c:17154)
==34395==    by 0x402111: main (readelf.c:17225)
==34395==  Address 0x53e3925 is 1,963,077 bytes inside an unallocated block of
size 4,160,256 in arena "client"
==34395== 
==34395== Invalid write of size 1
==34395==    at 0x438C9B: byte_put_little_endian (elfcomm.c:81)
==34395==    by 0x408B97: target_specific_reloc_handling (readelf.c:11640)
==34395==    by 0x408B97: apply_relocations (readelf.c:12343)
==34395==    by 0x40EAC6: dump_section_as_bytes (readelf.c:12744)
==34395==    by 0x42334D: process_section_contents (readelf.c:13085)
==34395==    by 0x42334D: process_object (readelf.c:16780)
==34395==    by 0x402111: process_file (readelf.c:17154)
==34395==    by 0x402111: main (readelf.c:17225)
==34395==  Address 0x53e3924 is 1,963,076 bytes inside an unallocated block of
size 4,160,256 in arena "client"

ASAN says:
==20311==ERROR: AddressSanitizer: SEGV on unknown address 0x6110001e9df6 (pc
0x000000722aa9 sp 0x7ffc5c7d84a0 bp 0x7ffc5c7d8750 T0)
    #0 0x722aa8 in byte_put_little_endian
/home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/elfcomm.c:75
    #1 0x54acfa in target_specific_reloc_handling
/home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:11640
    #2 0x52e6dc in apply_relocations
/home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:12343
    #3 0x55de03 in dump_section_as_bytes
/home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:12744
    #4 0x4e1531 in process_section_contents
/home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:13085
    #5 0x48d610 in process_object
/home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:16780
    #6 0x488365 in process_file
/home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:17154
    #7 0x4855c3 in main
/home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:17225
    #8 0x7fa9b0d4ef44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #9 0x47ddfc in _start
(/home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/readelf+0x47ddfc)

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Prev in Thread]

Current Thread

[Next in Thread]

[Bug binutils/21138] New: readelf segfault - multiple buffer overflow in elfcomm.c, thuanpv at comp dot nus.edu.sg <=
- [Bug binutils/21138] readelf segfault - multiple buffer overflow in elfcomm.c, nickc at redhat dot com, 2017/02/13

Prev by Date: [Bug binutils/21137] New: readelf - heap buffer overflow in elfcomm
Next by Date: [Bug binutils/21139] New: readelf crashes - corrupted double-linked list because of use after free
Previous by thread: [Bug binutils/21137] New: readelf - heap buffer overflow in elfcomm
Next by thread: [Bug binutils/21138] readelf segfault - multiple buffer overflow in elfcomm.c
Index(es):
- Date
- Thread