Bug 21137 - readelf - heap buffer overflow in elfcomm
Summary: readelf - heap buffer overflow in elfcomm
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils (show other bugs)
Version: 2.29
: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
: 21138 21140 21141 21146 (view as bug list)
Depends on:
Blocks:
 
Reported: 2017-02-13 09:13 UTC by Thuan Pham
Modified: 2017-04-13 06:05 UTC (History)
1 user (show)

See Also:
Host:
Target:
Build:
Last reconfirmed:

Attachments
Bug triggering input (1.28 KB, application/x-object)
2017-02-13 09:13 UTC, Thuan Pham 		Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Thuan Pham 2017-02-13 09:13:16 UTC 
Created attachment 9804 [details]
Bug triggering input

Dear all,

This bug was found with AFLGo, a directed version of AFL/AFLFast. Thanks also to Marcel Böhme. 

This bug was found on Ubuntu 14.04 64-bit & binutils was checkout from main repository at git://sourceware.org/git/binutils-gdb.git. Its commit is 53f7e8ea7fad1fcff1b58f4cbd74e192e0bcbc1d (Fri Feb 10 00:00:16 2017) 

To reproduce:
Download the attached file - bug_3
readelf -w bug_3

binutils was built with ASAN using gcc-6.2 and clang-3.4. The configure command was:

CC=clang CFLAGS="-DFORTIFY_SOURCE=2 -fstack-protector-all -fsanitize=undefined,address -fno-omit-frame-pointer -g -Wno-error" ../configure --disable-shared --disable-gdb --disable-libdecnumber --disable-readline --disable-sim

==81550==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60e00000e00c at pc 0x722a9d bp 0x7ffd132dc8b0 sp 0x7ffd132dc8a8
WRITE of size 1 at 0x60e00000e00c thread T0
    #0 0x722a9c in byte_put_little_endian /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/elfcomm.c:75
    #1 0x54acfa in target_specific_reloc_handling /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:11640
    #2 0x52e6dc in apply_relocations /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:12343
    #3 0x4846b5 in load_specific_debug_section /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:12905
    #4 0x564b4c in display_debug_section /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:13009
    #5 0x4e194f in process_section_contents /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:13091
    #6 0x48d610 in process_object /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:16780
    #7 0x488365 in process_file /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:17154
    #8 0x4855c3 in main /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:17225
    #9 0x7efe28957f44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #10 0x47ddfc in _start (/home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/readelf+0x47ddfc)

0x60e00000e00c is located 15 bytes to the right of 157-byte region [0x60e00000df60,0x60e00000dffd)
allocated by thread T0 here:
    #0 0x467d19 in __interceptor_malloc (/home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/readelf+0x467d19)
    #1 0x503114 in get_data /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:393
    #2 0x48180a in load_specific_debug_section /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:12829
    #3 0x564b4c in display_debug_section /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:13009
    #4 0x4e194f in process_section_contents /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:13091
    #5 0x48d610 in process_object /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:16780
    #6 0x488365 in process_file /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:17154
    #7 0x4855c3 in main /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:17225
Comment 1 Sourceware Commits 2017-02-13 13:10:20 UTC 
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=03f7786e2f440b9892b1c34a58fb26222ce1b493

commit 03f7786e2f440b9892b1c34a58fb26222ce1b493
Author: Nick Clifton <nickc@redhat.com>
Date:   Mon Feb 13 13:08:32 2017 +0000

    Fix readelf writing to illegal addresses whilst processing corrupt input files containing symbol-difference relocations.
    
    	PR binutils/21137
    	* readelf.c (target_specific_reloc_handling): Add end parameter.
    	Check for buffer overflow before writing relocated values.
    	(apply_relocations): Pass end to target_specific_reloc_handling.
Comment 2 Nick Clifton 2017-02-13 13:10:58 UTC 
*** Bug 21138 has been marked as a duplicate of this bug. ***
Comment 3 Nick Clifton 2017-02-13 13:12:19 UTC 
Hi Thuan,

  Thanks for reporting this bug.  I have applied a patch to fix the problem.

  The issue was the code in readelf that processes target specific relocations
  was not checking for possible buffer overflow.  So I have added these checks.

Cheers
  Nick
Comment 4 Nick Clifton 2017-02-13 14:05:05 UTC 
*** Bug 21141 has been marked as a duplicate of this bug. ***
Comment 5 Nick Clifton 2017-02-13 14:05:32 UTC 
*** Bug 21140 has been marked as a duplicate of this bug. ***
Comment 6 Nick Clifton 2017-02-13 14:12:16 UTC 
*** Bug 21146 has been marked as a duplicate of this bug. ***
Comment 7 Nick Clifton 2017-02-13 15:21:55 UTC 
*** Bug 21136 has been marked as a duplicate of this bug. ***
Comment 8 Thuan Pham 2017-04-13 06:05:14 UTC 
This is CVE-2017-6965