[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Bug binutils/22303] New: readelf - Heap out of bounds read in byte_get_
|
From: |
fumfi.255 at gmail dot com |
|
Subject: |
[Bug binutils/22303] New: readelf - Heap out of bounds read in byte_get_little_endian() |
|
Date: |
Mon, 16 Oct 2017 08:34:23 +0000 |
https://sourceware.org/bugzilla/show_bug.cgi?id=22303
Bug ID: 22303
Summary: readelf - Heap out of bounds read in
byte_get_little_endian()
Product: binutils
Version: 2.29
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: fumfi.255 at gmail dot com
Target Milestone: ---
Created attachment 10532
--> https://sourceware.org/bugzilla/attachment.cgi?id=10532&action=edit
PoC to trigger heap out of bounds read (readelf)
After some fuzz testing I found a crashing test case.
Version: 2.29
Command: readelf -a binutils_hoobr_byte_get_little_endian
ASAN:
==29757==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x61e0000016b1 at pc 0x0000005aa3cb bp 0x7ffed905ac30 sp 0x7ffed905ac28
READ of size 1 at 0x61e0000016b1 thread T0
#0 0x5aa3ca in byte_get_little_endian
XYZ/binutils-2.29/binutils/elfcomm.c:214:22
#1 0x54d723 in print_core_note
XYZ/binutils-2.29/binutils/readelf.c:16281:18
#2 0x54d723 in process_note XYZ/binutils-2.29/binutils/readelf.c:17486
#3 0x54d723 in process_notes_at XYZ/binutils-2.29/binutils/readelf.c:17643
#4 0x515fee in process_corefile_note_segments
XYZ/binutils-2.29/binutils/readelf.c:17673:8
#5 0x515fee in process_note_sections
XYZ/binutils-2.29/binutils/readelf.c:17799
#6 0x515fee in process_notes XYZ/binutils-2.29/binutils/readelf.c:17812
#7 0x515fee in process_object XYZ/binutils-2.29/binutils/readelf.c:18083
#8 0x4efe7d in process_file XYZ/binutils-2.29/binutils/readelf.c:18472:13
#9 0x4efe7d in main XYZ/binutils-2.29/binutils/readelf.c:18544
#10 0x7fa36537882f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#11 0x419f78 in _start (XYZ/binutils-2.29/binutils/readelf+0x419f78)
0x61e0000016b1 is located 0 bytes to the right of 2609-byte region
[0x61e000000c80,0x61e0000016b1)
allocated by thread T0 here:
#0 0x4c0c7c in __interceptor_malloc
/scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66:3
#1 0x4f0e36 in get_data XYZ/binutils-2.29/binutils/readelf.c:392:9
SUMMARY: AddressSanitizer: heap-buffer-overflow
XYZ/binutils-2.29/binutils/elfcomm.c:214:22 in byte_get_little_endian
Shadow bytes around the buggy address:
0x0c3c7fff8280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3c7fff8290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3c7fff82a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3c7fff82b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3c7fff82c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3c7fff82d0: 00 00 00 00 00 00[01]fa fa fa fa fa fa fa fa fa
0x0c3c7fff82e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3c7fff82f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3c7fff8300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3c7fff8310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3c7fff8320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==29757==ABORTING
--
You are receiving this mail because:
You are on the CC list for the bug.
- [Bug binutils/22303] New: readelf - Heap out of bounds read in byte_get_little_endian(),
fumfi.255 at gmail dot com <=