https://sourceware.org/bugzilla/show_bug.cgi?id=22303
Bug ID: 22303
Summary: readelf - Heap out of bounds read in byte_get_little_endian()
Product: binutils
Version: 2.29
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: fumfi.255 at gmail dot com
Target Milestone: ---

Created attachment 10532
  --> https://sourceware.org/bugzilla/attachment.cgi?id=10532&action=edit
PoC to trigger heap out of bounds read (readelf)

After some fuzz testing I found a crashing test case.

Version: 2.29
Command: readelf -a binutils_hoobr_byte_get_little_endian

ASAN:
==29757==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61e0000016b1 at pc 0x0000005aa3cb bp 0x7ffed905ac30 sp 0x7ffed905ac28
READ of size 1 at 0x61e0000016b1 thread T0
    #0 0x5aa3ca in byte_get_little_endian XYZ/binutils-2.29/binutils/elfcomm.c:214:22
    #1 0x54d723 in print_core_note XYZ/binutils-2.29/binutils/readelf.c:16281:18
    #2 0x54d723 in process_note XYZ/binutils-2.29/binutils/readelf.c:17486
    #3 0x54d723 in process_notes_at XYZ/binutils-2.29/binutils/readelf.c:17643
    #4 0x515fee in process_corefile_note_segments XYZ/binutils-2.29/binutils/readelf.c:17673:8
    #5 0x515fee in process_note_sections XYZ/binutils-2.29/binutils/readelf.c:17799
    #6 0x515fee in process_notes XYZ/binutils-2.29/binutils/readelf.c:17812
    #7 0x515fee in process_object XYZ/binutils-2.29/binutils/readelf.c:18083
    #8 0x4efe7d in process_file XYZ/binutils-2.29/binutils/readelf.c:18472:13
    #9 0x4efe7d in main XYZ/binutils-2.29/binutils/readelf.c:18544
    #10 0x7fa36537882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #11 0x419f78 in _start (XYZ/binutils-2.29/binutils/readelf+0x419f78)

0x61e0000016b1 is located 0 bytes to the right of 2609-byte region [0x61e000000c80,0x61e0000016b1)
allocated by thread T0 here:
    #0 0x4c0c7c in __interceptor_malloc /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66:3
    #1 0x4f0e36 in get_data XYZ/binutils-2.29/binutils/readelf.c:392:9

SUMMARY: AddressSanitizer: heap-buffer-overflow XYZ/binutils-2.29/binutils/elfcomm.c:214:22 in byte_get_little_endian
Shadow bytes around the buggy address:
  0x0c3c7fff8280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3c7fff8290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3c7fff82a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3c7fff82b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3c7fff82c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3c7fff82d0: 00 00 00 00 00 00[01]fa fa fa fa fa fa fa fa fa
  0x0c3c7fff82e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c7fff82f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c7fff8300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c7fff8310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c7fff8320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==29757==ABORTING

--
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils
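The trace above shows print_core_note asking byte_get_little_endian for the byte just past the 2609-byte region that get_data allocated for the note, so the field read was not bounded by the descriptor's allocated size. The following is an added example, my own code rather than anything from binutils or the fix for this bug: a cursor-style reader that refuses any read past descsz, applied to a core-note descriptor in the NT_FILE shape (count, page_size, count triples of start/end/file_ofs, then count NUL-terminated names). That layout, the sample note bytes and every function name here (cursor_get, parse_nt_file, build_sample_nt_file, parse_sample_trimmed, parse_bogus_count) are assumptions made for illustration; the sample is constructed, not the attached PoC.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Cursor over an untrusted note descriptor: position plus bytes left. */
struct note_cursor {
    const unsigned char *p;
    size_t remaining;
};

/* Little-endian read of n bytes that checks the remaining length first; the
 * unchecked shape (read at p, trust the caller) is what byte_get_little_endian()
 * does, so its callers must perform this check before every read. */
static int cursor_get(struct note_cursor *c, unsigned n, uint64_t *out)
{
    uint64_t v = 0;
    if (n == 0 || n > 8 || c->remaining < n) return -1;
    for (unsigned i = 0; i < n; i++)
        v |= (uint64_t)c->p[i] << (8 * i);
    *out = v;
    c->p += n;
    c->remaining -= n;
    return 0;
}

/* Parse an NT_FILE-style descriptor.  Assumed layout: count, page_size, count
 * triples of start/end/file_ofs (all addr_size bytes), then count NUL-terminated
 * names.  Returns the mapping count, or -1 if the descriptor is shorter than
 * its own count field implies. */
int parse_nt_file(const unsigned char *desc, size_t descsz,
                  unsigned addr_size, uint64_t *page_size_out)
{
    struct note_cursor c = { desc, descsz };
    uint64_t count, page_size, start, end, file_ofs;

    if (addr_size != 4 && addr_size != 8) return -1;
    if (cursor_get(&c, addr_size, &count) < 0 ||
        cursor_get(&c, addr_size, &page_size) < 0) return -1;
    /* Divide rather than multiply so a huge count cannot wrap the check. */
    if (count > INT_MAX || count > c.remaining / (3u * addr_size)) return -1;
    for (uint64_t i = 0; i < count; i++)
        if (cursor_get(&c, addr_size, &start) < 0 ||
            cursor_get(&c, addr_size, &end) < 0 ||
            cursor_get(&c, addr_size, &file_ofs) < 0) return -1;
    for (uint64_t i = 0; i < count; i++) {
        /* Each name must terminate inside the descriptor, not past it. */
        const unsigned char *nul = memchr(c.p, '\0', c.remaining);
        if (nul == NULL) return -1;
        c.remaining -= (size_t)(nul - c.p) + 1;
        c.p = nul + 1;
    }
    if (page_size_out) *page_size_out = page_size;
    return (int)count;
}

/* Constructed sample (not the attached PoC): two 64-bit mappings of
 * "/lib/x.so".  Writes 84 bytes and returns that size, or 0 if cap is small. */
size_t build_sample_nt_file(unsigned char *buf, size_t cap)
{
    static const uint64_t fields[] = { 2, 4096, 0x400000, 0x401000, 0,
                                       0x600000, 0x601000, 1 };
    static const char name[] = "/lib/x.so";   /* 10 bytes including NUL */
    size_t off = 0;
    if (cap < 84) return 0;
    for (size_t i = 0; i < 8; i++, off += 8)
        for (unsigned b = 0; b < 8; b++)
            buf[off + b] = (unsigned char)(fields[i] >> (8 * b));
    for (int i = 0; i < 2; i++, off += sizeof name)
        memcpy(buf + off, name, sizeof name);
    return off;
}

/* Build the sample and parse only its first (84 - trim) bytes, so descsz says
 * less than the count field implies.  Returns the parse result, -2 on bad trim. */
int parse_sample_trimmed(size_t trim)
{
    unsigned char buf[128];
    size_t n = build_sample_nt_file(buf, sizeof buf);
    if (trim > n) return -2;
    return parse_nt_file(buf, n - trim, 8, NULL);
}

/* count = 0xffff...ff with nothing after it: must neither wrap nor overread. */
int parse_bogus_count(void)
{
    unsigned char buf[16];
    memset(buf, 0xff, sizeof buf);
    return parse_nt_file(buf, sizeof buf, 8, NULL);
}

int main(void)
{
    printf("intact: %d\n", parse_sample_trimmed(0));
    printf("second triple missing: %d\n", parse_sample_trimmed(44));
    printf("last name unterminated: %d\n", parse_sample_trimmed(1));
    printf("bogus count: %d\n", parse_bogus_count());
    return 0;
}
```

The point of the cursor is that the length check and the read cannot be separated: every field comes out of cursor_get, which knows how many bytes are left, so a descriptor that claims more entries than it carries fails cleanly instead of running off the end of the buffer get_data returned. The division in the count check is deliberate; `count * 3 * addr_size <= remaining` would let a count chosen by the file wrap to a small value.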