Hi,
I am running some experiments for AFLAPI and it has found an unknown-crash in function dwarf::line_table::begin at dwarf/line.cc:153. This bug may allow attackers to cause DoS, so I report it here.
Environment: Ubuntu 18.04 + Clang 6.0
Test target: examples/dump-lines
Testcase here: badelf_unknown_crash.zip
To reproduce:
• Compile the whole project and examples with ASAN
You can use it like this: ./dump-lines ./badelf_unknown_crash
🤔 ASAN says:
=================================================================
==5860==ERROR: AddressSanitizer: unknown-crash on address 0x7f7a5bbdd7de at pc 0x0000005a4d22 bp 0x7fff60293fb0 sp 0x7fff60293fa8
READ of size 1 at 0x7f7a5bbdd7de thread T0
#0 0x5a4d21 in dwarf::line_table::iterator::step(dwarf::cursor*) /home/ubuntu/libelfin/dwarf/./internal.hh:211:24
#1 0x59adea in dwarf::line_table::iterator::operator++() /home/ubuntu/libelfin/dwarf/line.cc:280:26
#2 0x59822e in dwarf::line_table::iterator::iterator(dwarf::line_table const*, unsigned long) /home/ubuntu/libelfin/dwarf/line.cc:267:17
#3 0x59822e in dwarf::line_table::begin() const /home/ubuntu/libelfin/dwarf/line.cc:153
#4 0x5188e1 in dump_line_table(dwarf::line_table const&) /home/ubuntu/libelfin/examples/dump-lines.cc:13:25
#5 0x519ff0 in main /home/ubuntu/libelfin/examples/dump-lines.cc:41:17
#6 0x7f7a5a768c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
#7 0x41bf29 in _start (/home/ubuntu/libelfin/examples/dump-lines+0x41bf29)
Address 0x7f7a5bbdd7de is a wild pointer.
SUMMARY: AddressSanitizer: unknown-crash /home/ubuntu/libelfin/dwarf/./internal.hh:211:24 in dwarf::line_table::iterator::step(dwarf::cursor*)
Shadow bytes around the buggy address:
0x0fefcb773aa0: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
0x0fefcb773ab0: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
0x0fefcb773ac0: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
0x0fefcb773ad0: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
0x0fefcb773ae0: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
=>0x0fefcb773af0: fe fe fe fe fe fe fe fe fe fe fe[fe]fe fe fe fe
0x0fefcb773b00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
0x0fefcb773b10: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
0x0fefcb773b20: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
0x0fefcb773b30: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
0x0fefcb773b40: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==5860==ABORTING
Impact:
An attacker can exploit this vulnerability by submitting a malicious ELF file that exploits this bug, which will result in a DoS.
There is also a SEGV in function dwarf::line_table::begin at dwarf/line.cc:153; here I just uploaded the file: badelf_segv_begin.zip
ASAN says:
AddressSanitizer:DEADLYSIGNAL
=================================================================
==50710==ERROR: AddressSanitizer: SEGV on unknown address 0x7ffabbe6cade (pc 0x7ffabae7acb8 bp 0x7ffee0f141f0 sp 0x7ffee0f13f60 T0)
==50710==The signal is caused by a READ memory access.
#0 0x7ffabae7acb7 in unsigned char dwarf::cursor::fixed() /home/ubuntu/libelfin/dwarf/./internal.hh:143:21
#1 0x7ffabae7acb7 in dwarf::line_table::iterator::step(dwarf::cursor*) /home/ubuntu/libelfin/dwarf/line.cc:309
#2 0x7ffabae72f7a in dwarf::line_table::iterator::operator++() /home/ubuntu/libelfin/dwarf/line.cc:280:26
#3 0x7ffabae703be in dwarf::line_table::iterator::iterator(dwarf::line_table const*, unsigned long) /home/ubuntu/libelfin/dwarf/line.cc:267:17
#4 0x7ffabae703be in dwarf::line_table::begin() const /home/ubuntu/libelfin/dwarf/line.cc:153
#5 0x5191e2 in dump_line_table(dwarf::line_table const&) /home/ubuntu/libelfin/fuzz/harness.cpp:118:25
#6 0x51ab12 in main /home/ubuntu/libelfin/fuzz/harness.cpp:157:11
#7 0x7ffab9a1ec86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
#8 0x41b339 in _start (/home/ubuntu/libelfin/fuzz/harness+0x41b339)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/ubuntu/libelfin/dwarf/./internal.hh:143:21 in unsigned char dwarf::cursor::fixed()
==50710==ABORTING
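Both traces above fault on a read inside the DWARF cursor (step() at internal.hh:211 in the first report, cursor::fixed() at internal.hh:143 in the SEGV comment) while walking the line program of a fuzzed ELF. The following is an added example, not libelfin's own code: a hypothetical checked_cursor that checks every read against the end of the section buffer, so a truncated or malformed line program raises a catchable exception instead of dereferencing a wild pointer. The simplified opcode walker (only DW_LNS_advance_pc, opcode 0x02, carries a ULEB128 operand here) and the byte strings in the test are constructed for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

// Hypothetical bounds-checked cursor (added example, not libelfin's dwarf::cursor).
// Every read is checked against the end of the section, so malformed input throws.
class checked_cursor {
    const uint8_t *pos_, *end_;
public:
    checked_cursor(const uint8_t *begin, size_t size) : pos_(begin), end_(begin + size) {}
    bool eof() const { return pos_ >= end_; }

    // Fixed-size little-endian read, the counterpart of cursor::fixed<T>() in the SEGV trace.
    template <typename T> T fixed() {
        if (static_cast<size_t>(end_ - pos_) < sizeof(T))
            throw std::out_of_range("DWARF cursor: read past end of section");
        T v = 0;
        for (size_t i = 0; i < sizeof(T); i++)
            v |= static_cast<T>(pos_[i]) << (8 * i);
        pos_ += sizeof(T);
        return v;
    }

    // Unsigned LEB128 with a length bound, so a run of continuation bytes cannot loop forever.
    uint64_t uleb128() {
        uint64_t result = 0;
        for (unsigned shift = 0; shift < 64; shift += 7) {
            uint8_t b = fixed<uint8_t>();   // throws at end of buffer instead of reading past it
            result |= static_cast<uint64_t>(b & 0x7f) << shift;
            if (!(b & 0x80)) return result;
        }
        throw std::out_of_range("DWARF cursor: ULEB128 too long");
    }
};

// Walks a simplified line-program opcode stream and counts opcodes (constructed format:
// only DW_LNS_advance_pc, 0x02, takes a ULEB128 operand). Returns -1 if the stream is truncated.
long count_opcodes(const std::vector<uint8_t> &prog) {
    checked_cursor cur(prog.data(), prog.size());
    long n = 0;
    try {
        while (!cur.eof()) {
            uint8_t op = cur.fixed<uint8_t>();
            if (op == 0x02) cur.uleb128();  // operand read is where an unchecked cursor would run off the end
            n++;
        }
    } catch (const std::out_of_range &) { return -1; }
    return n;
}
```

Running dump-lines under ASAN, as in the report, remains the way to confirm that the crash is gone; the cursor check only turns the out-of-bounds read into a reportable parse error.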