You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Whilst experimenting with Libelfin, built from commit 946dde5, we are able to induce a vulnerability in function elf::swizzle(elf/common.hh:73), using a harness compiled from examples/dump-segments.cc.
A segmentation fault will be triggered when the software encounters a malformed file, which could induce denial of service.
# build with address sanitizer
cd examples && CXX=g++ CFLAGS="-g -fsanitize=address" LDFLAGS="-g -fsanitize=address" make -j8
# disable some features of address sanitizer to avoid false positives
export ASAN_OPTIONS=detect_leaks=0
# trigger the crash
./dump-segments poc
The ASAN report is:
AddressSanitizer:DEADLYSIGNAL
=================================================================
==97242==ERROR: AddressSanitizer: SEGV on unknown address 0x7ffff44c2f07 (pc 0x555555558090 bp 0x7fffffffe3f0 sp 0x7fffffffe3b0 T0)
==97242==The signal is caused by a READ memory access.
#0 0x555555558090 in unsigned int elf::swizzle<unsigned int>(unsigned int, elf::byte_order, elf::byte_order) /work/libraries/libelfin/elf/common.hh:73
#1 0x555555558090 in void elf::Shdr<elf::Elf64, (elf::byte_order)0>::from<elf::Shdr<elf::Elf64, (elf::byte_order)2> >(elf::Shdr<elf::Elf64, (elf::byte_order)2> const&) /work/libraries/libelfin/elf/data.hh:299
#2 0x555555558090 in void elf::canon_hdr<elf::Shdr>(elf::Shdr<elf::Elf64, (elf::byte_order)0>*, void const*, elf::elfclass, elf::elfdata) /work/libraries/libelfin/elf/elf.cc:34
#3 0x555555558090 in elf::section::section(elf::elf const&, void const*) /work/libraries/libelfin/elf/elf.cc:236
#4 0x555555558af2 in elf::elf::elf(std::shared_ptr<elf::loader> const&) /work/libraries/libelfin/elf/elf.cc:111
#5 0x555555556d04 in main /work/libraries/libelfin/examples/dump-segments.cc:22
#6 0x7ffff70900b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
#7 0x555555556f5d in _start (/work/libraries/libelfin/examples/dump-segments+0x2f5d)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /work/libraries/libelfin/elf/common.hh:73 in unsigned int elf::swizzle<unsigned int>(unsigned int, elf::byte_order, elf::byte_order)
==97242==ABORTING
Impact
This vulnerability is capable of inducing denial of service.
The text was updated successfully, but these errors were encountered:
Description
Whilst experimenting with
Libelfin, built from commit 946dde5, we are able to induce a vulnerability in function elf::swizzle(elf/common.hh:73), using a harness compiled fromexamples/dump-segments.cc.A segmentation fault will be triggered when the software encounters a malformed file, which could induce denial of service.
Environment
Ubuntu 20.04 LTS x86_64
gcc 10.3.0
Proof of Concept
The POC is: poc
The reproducing process is:
The ASAN report is:
Impact
This vulnerability is capable of inducing denial of service.
The text was updated successfully, but these errors were encountered: