[Bug binutils/24243] New: readelf: heap buffer overflow in process_mips_specific

From: spinpx at gmail dot com
Subject: [Bug binutils/24243] New: readelf: heap buffer overflow in process_mips_specific
Date: Wed, 20 Feb 2019 08:12:12 +0000
https://sourceware.org/bugzilla/show_bug.cgi?id=24243
Bug ID: 24243
Summary: readelf: heap buffer overflow in process_mips_specific
Product: binutils
Version: 2.33 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: spinpx at gmail dot com
Target Milestone: ---
Created attachment 11623
--> https://sourceware.org/bugzilla/attachment.cgi?id=11623&action=edit
Heap buffer overflow input
- Intel Xeon Gold 5118 processors and 256 GB memory
- Linux n18-065-139 4.19.0-1-amd64 #1 SMP Debian 4.19.12-1 (2018-12-22) x86_64 GNU/Linux
- clang version 4.0.0 (tags/RELEASE_400/final)
- version: commit c72e75a64030b0f6535a80481f37968ad55c333a (Feb 19 2019)
- run: readelf -a input_file
- asan_report:
ELF Header:
Magic: 7f 45 4c 46 01 01 01 00 00 2d 00 00 00 00 00 00
Class: ELF32
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
Type: EXEC (Executable file)
Machine: MIPS R3000
Version: 0x1
Entry point address: 0x70000029
Start of program headers: 52 (bytes into file)
Start of section headers: 164 (bytes into file)
Flags: 0x0
Size of this header: 52 (bytes)
Size of program headers: 32 (bytes)
Number of program headers: 2
Size of section headers: 40 (bytes)
Number of section headers: 4
Section header string table index: 3
readelf: Warning: Section 1 has an out of range sh_link value of 127
Section Headers:
  [Nr] Name       Type             Addr     Off    Size   ES Flg   Lk Inf   Al
  [ 0]            NULL             00001000 000000 000000 00         0     0  0
  [ 1] .text      MIPS_OPTIONS     08048074 000074 000001 00 AX    127     0  4
readelf: Warning: section 1: sh_link value of 127 is larger than the number of sections
  [ 2] .data      LOUSER+0x5dff00  08000000 000080 00000d 00 WADop   0 57087  4
  [ 3] .shstrtab  STRTAB           00000000 00008c 000017 00         0     0  1
Key to Flags:
W (write), A (alloc), X (execute), M (merge), S (strings), I (info),
L (link order), O (extra OS processing required), G (group), T (TLS),
C (compressed), x (unknown), o (OS specific), E (exclude),
p (processor specific)
There are no section groups in this file.
Program Headers:
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
DYNAMIC 0x000000 0x08048000 0x08048000 0x00090 0x00080 R E 0x1000
readelf: Error: no .dynamic section in the dynamic segment
LOAD 0x17000080 0x08049080 0x08049080 0x0000c 0x0000c RW 0x1000
Section to Segment mapping:
Segment Sections...
00 .text
01
Tag Type Name/Value
0x464c457f (<unknown>: 464c457f) 0x10101
0x00002d00 (<unknown>: 2d00) 0x0
0x00080002 (<unknown>: 80002) 0x1
0x70000029 (MIPS_OPTIONS) 0x34
0x000000a4 (<unknown>: a4) 0x0
0x00200034 (<unknown>: 200034) 0x280002
0x00030004 (<unknown>: 30004) 0x2
0x00000000 (NULL) 0x8048000
There are no relocations in this file.
The decoding of unwind sections for machine type MIPS R3000 is not currently supported.
No version information found in this file.
readelf: Warning: Virtual address 0x34 not located in any PT_LOAD segment.
=================================================================
==395575==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000f1 at pc 0x00000057a23d bp 0x7fff14a78db0 sp 0x7fff14a78da8
WRITE of size 1 at 0x6020000000f1 thread T0
    #0 0x57a23c in process_mips_specific /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/readelf.c:16211:21
    #1 0x5255f7 in process_arch_specific /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/readelf.c:18994:14
    #2 0x505ccf in process_object /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/readelf.c:19309:9
    #3 0x4f547d in process_file /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/readelf.c:19715:13
    #4 0x4f3ec8 in main /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/readelf.c:19774:11
    #5 0x7f8ee3f4709a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    #6 0x41d4b9 in _start (/mnt/raid/user/chenpeng/FuzzingBench/build/asan/install/bin/readelf+0x41d4b9)

0x6020000000f1 is located 0 bytes to the right of 1-byte region [0x6020000000f0,0x6020000000f1)
allocated by thread T0 here:
    #0 0x4c41ac in malloc /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66:3
    #1 0x5eacf7 in xmalloc /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/xmalloc.c:147:12
    #2 0x5890e9 in cmalloc /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/dwarf.c:9576:10
    #3 0x57a01a in process_mips_specific /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/readelf.c:16194:15
    #4 0x5255f7 in process_arch_specific /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/readelf.c:18994:14
    #5 0x505ccf in process_object /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/readelf.c:19309:9
    #6 0x4f547d in process_file /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/readelf.c:19715:13
    #7 0x4f3ec8 in main /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/readelf.c:19774:11
    #8 0x7f8ee3f4709a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)

SUMMARY: AddressSanitizer: heap-buffer-overflow /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/readelf.c:16211:21 in process_mips_specific
Shadow bytes around the buggy address:
0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff8000: fa fa fd fa fa fa 00 04 fa fa 00 04 fa fa 00 04
=>0x0c047fff8010: fa fa 00 01 fa fa fd fa fa fa 02 fa fa fa[01]fa
0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==395575==ABORTING
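The section table in the report shows the trigger: section [1] is typed MIPS_OPTIONS with sh_size 000001, while one MIPS options record header (Elf_External_Options in binutils' include/elf/mips.h: kind[1], size[1], section[2], info[4]) is 8 bytes. The ASan output is consistent with a parser that sizes its record array as sh_size / 8 (zero records; libiberty's xmalloc rounds a zero-byte request up to one byte, matching the 1-byte region allocated through cmalloc at readelf.c:16194) and then loops on `offset <= sh_size - 8` in size_t arithmetic, which wraps for any sh_size below 8, so the one-byte store at readelf.c:16211 lands just past the block. The C program below is an added example, not binutils code: it reproduces the wrapped loop bound for sh_size = 1 and shows a parser for the same record format that rejects undersized sections and lying per-record sizes before anything is decoded or stored. The record layout and little-endian byte order come from the report; the sample section bytes, the kind values in them and the function names are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One option record header: kind[1] size[1] section[2] info[4], 8 bytes,
   followed by (size - 8) bytes of kind-specific payload.  `size` counts
   the whole record, header included. */
#define MIPS_OPT_HDR_SIZE 8

struct mips_option {
    uint8_t  kind;
    uint8_t  size;
    uint16_t section;
    uint32_t info;
};

/* Little-endian field readers; the file in the report is ELF32 LSB. */
static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The loop bound a parser gets when it guards the record loop only with
   `offset <= sh_size - sizeof(header)` in size_t arithmetic.  For any
   sh_size below 8 the subtraction wraps to a huge value, so the loop body
   runs on a section that cannot hold a single header. */
size_t wrapped_loop_bound(size_t sh_size)
{
    return sh_size - MIPS_OPT_HDR_SIZE;
}

/* Hardened parser: decodes up to `cap` records from `sec` (sh_size bytes)
   into `out`.  Returns the record count, or -1 if the section is
   malformed: too small for one header, a record shorter than its own
   header, a record running past the section end, or more records than
   `out` can hold. */
int parse_mips_options(const uint8_t *sec, size_t sh_size,
                       struct mips_option *out, size_t cap)
{
    size_t offset = 0, n = 0;

    /* The check the report's input needs: with sh_size == 1 nothing below
       may run, and the subtraction in the loop condition must not wrap. */
    if (sh_size < MIPS_OPT_HDR_SIZE)
        return -1;

    while (offset <= sh_size - MIPS_OPT_HDR_SIZE) {
        const uint8_t *p = sec + offset;
        struct mips_option o;

        o.kind    = p[0];
        o.size    = p[1];
        o.section = rd16(p + 2);
        o.info    = rd32(p + 4);

        /* A record shorter than its header would re-read the same bytes
           forever; one longer than what is left would read past `sec`. */
        if (o.size < MIPS_OPT_HDR_SIZE || o.size > sh_size - offset)
            return -1;
        if (n == cap)           /* never write past the caller's array */
            return -1;

        out[n++] = o;
        offset += o.size;
    }
    return (int)n;
}

/* Constructed sample sections (not bytes from the attachment). */
const uint8_t one_byte_section[1] = { 0x00 };   /* sh_size = 1, as in the report */
const uint8_t good_section[] = {
    /* record 0: kind 1, size 8 (header only), section 0, info 0 */
    0x01, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    /* record 1: kind 3, size 12, section 2, info 0x11223344, 4 payload bytes */
    0x03, 0x0c, 0x02, 0x00, 0x44, 0x33, 0x22, 0x11, 0xaa, 0xbb, 0xcc, 0xdd,
};
const uint8_t short_record_section[] = {
    /* a record claiming 4 bytes, fewer than its own header */
    0x01, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
};
const uint8_t overlong_record_section[] = {
    /* a record claiming 16 bytes inside an 8-byte section */
    0x01, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
};

int main(void)
{
    struct mips_option opts[4];

    printf("size_t loop bound for sh_size=1: %zu\n", wrapped_loop_bound(1));
    printf("1-byte section      -> %d\n",
           parse_mips_options(one_byte_section, sizeof one_byte_section, opts, 4));
    printf("well-formed section -> %d records\n",
           parse_mips_options(good_section, sizeof good_section, opts, 4));
    printf("short record        -> %d\n",
           parse_mips_options(short_record_section, sizeof short_record_section, opts, 4));
    printf("overlong record     -> %d\n",
           parse_mips_options(overlong_record_section, sizeof overlong_record_section, opts, 4));
    return 0;
}
```

Build it with -fsanitize=address as the reporter did and it stays clean on all four inputs. Deleting the `sh_size < MIPS_OPT_HDR_SIZE` check and rerunning shows why that single comparison matters: the loop condition wraps for the 1-byte section and the header reads run straight past the one-byte array, the same class of bug the report captures on the write side.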