Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SEGV in function elf::Shdr::from at elf/data.hh:299 #66

Open
hdthky opened this issue Apr 22, 2022 · 0 comments
Open

SEGV in function elf::Shdr::from at elf/data.hh:299 #66

hdthky opened this issue Apr 22, 2022 · 0 comments

Comments

@hdthky
Copy link

hdthky commented Apr 22, 2022
edited
Loading

Description

Whilst experimenting with Libelfin, built from commit 946dde5, we are able to induce a vulnerability in function elf::Shdr::from(elf/data.hh:299), using a harness compiled from examples/dump-segments.cc.

A segmentation fault will be triggered when the software encounters a malformed file, which could induce denial of service.

Environment

Ubuntu 20.04 LTS x86_64

gcc 10.3.0

Proof of Concept

The POC is: poc

The reproducing process is:

# build with address sanitizer
cd examples && CXX=g++ CFLAGS="-g -fsanitize=address" LDFLAGS="-g -fsanitize=address" make -j8
# disable some features of address sanitizer to avoid false positives
export ASAN_OPTIONS=detect_leaks=0
# trigger the crash
./dump-segments poc

The ASAN report is:

=================================================================
==128086==ERROR: AddressSanitizer: SEGV on unknown address 0x7ffff44c3e80 (pc 0x555555558100 bp 0x7fffffffe3f0 sp 0x7fffffffe3b0 T0)
==128086==The signal is caused by a READ memory access.
    #0 0x555555558100 in void elf::Shdr<elf::Elf64, (elf::byte_order)0>::from<elf::Shdr<elf::Elf64, (elf::byte_order)1> >(elf::Shdr<elf::Elf64, (elf::byte_order)1> const&) /work/libraries/libelfin/elf/data.hh:299
    #1 0x555555558100 in void elf::canon_hdr<elf::Shdr>(elf::Shdr<elf::Elf64, (elf::byte_order)0>*, void const*, elf::elfclass, elf::elfdata) /work/libraries/libelfin/elf/elf.cc:31
    #2 0x555555558100 in elf::section::section(elf::elf const&, void const*) /work/libraries/libelfin/elf/elf.cc:236
    #3 0x555555558af2 in elf::elf::elf(std::shared_ptr<elf::loader> const&) /work/libraries/libelfin/elf/elf.cc:111
    #4 0x555555556d04 in main /work/libraries/libelfin/examples/dump-segments.cc:22
    #5 0x7ffff70900b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #6 0x555555556f5d in _start (/work/libraries/libelfin/examples/dump-segments+0x2f5d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /work/libraries/libelfin/elf/data.hh:299 in void elf::Shdr<elf::Elf64, (elf::byte_order)0>::from<elf::Shdr<elf::Elf64, (elf::byte_order)1> >(elf::Shdr<elf::Elf64, (elf::byte_order)1> const&)
==128086==ABORTING

Impact

This vulnerability is capable of inducing denial of service.
@hdthky hdthky changed the title heap-buffer-overflow in function elf::Shdr::from SEGV in function elf::Shdr::from Apr 22, 2022
@hdthky hdthky changed the title SEGV in function elf::Shdr::from SEGV in function elf::Shdr::from at data.hh:299 Apr 22, 2022
@hdthky hdthky changed the title SEGV in function elf::Shdr::from at data.hh:299 SEGV in function elf::Shdr::from at elf/data.hh:299 Apr 22, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@hdthky