aclements/libelfin

SEGV in function elf::swizzle at elf/common.hh:73


Description

Whilst experimenting with libelfin, built from commit 946dde5, we are able to induce a vulnerability in function elf::swizzle (elf/common.hh:73), using a harness compiled from examples/dump-segments.cc.

A segmentation fault will be triggered when the software encounters a malformed file, which could induce denial of service.

Environment

Ubuntu 20.04 LTS x86_64

gcc 10.3.0

Proof of Concept

The POC is: poc

The reproducing process is:

# build with address sanitizer
cd examples && CXX=g++ CFLAGS="-g -fsanitize=address" LDFLAGS="-g -fsanitize=address" make -j8
# disable some features of address sanitizer to avoid false positives
export ASAN_OPTIONS=detect_leaks=0
# trigger the crash
./dump-segments poc

The ASAN report is:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==97242==ERROR: AddressSanitizer: SEGV on unknown address 0x7ffff44c2f07 (pc 0x555555558090 bp 0x7fffffffe3f0 sp 0x7fffffffe3b0 T0)
==97242==The signal is caused by a READ memory access.
    #0 0x555555558090 in unsigned int elf::swizzle<unsigned int>(unsigned int, elf::byte_order, elf::byte_order) /work/libraries/libelfin/elf/common.hh:73
    #1 0x555555558090 in void elf::Shdr<elf::Elf64, (elf::byte_order)0>::from<elf::Shdr<elf::Elf64, (elf::byte_order)2> >(elf::Shdr<elf::Elf64, (elf::byte_order)2> const&) /work/libraries/libelfin/elf/data.hh:299
    #2 0x555555558090 in void elf::canon_hdr<elf::Shdr>(elf::Shdr<elf::Elf64, (elf::byte_order)0>*, void const*, elf::elfclass, elf::elfdata) /work/libraries/libelfin/elf/elf.cc:34
    #3 0x555555558090 in elf::section::section(elf::elf const&, void const*) /work/libraries/libelfin/elf/elf.cc:236
    #4 0x555555558af2 in elf::elf::elf(std::shared_ptr<elf::loader> const&) /work/libraries/libelfin/elf/elf.cc:111
    #5 0x555555556d04 in main /work/libraries/libelfin/examples/dump-segments.cc:22
    #6 0x7ffff70900b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #7 0x555555556f5d in _start (/work/libraries/libelfin/examples/dump-segments+0x2f5d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /work/libraries/libelfin/elf/common.hh:73 in unsigned int elf::swizzle<unsigned int>(unsigned int, elf::byte_order, elf::byte_order)
==97242==ABORTING

Impact

This vulnerability is capable of inducing denial of service.
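The kind of pre-parse bounds check that keeps a malformed section header table from being read past the end of the file, as an added example that is not libelfin's code. It assumes the out-of-bounds read comes from a section header table whose offset or entry count extends beyond the image (the section::section -> canon_hdr -> Shdr::from trace is consistent with that, but the report does not state the root cause), and it covers little-endian ELF64 only; the namespace, function names and sample image are constructed for this example.

```cpp
// Added example, not libelfin code: validate an ELF64 section header table
// against the file size before reading any header, so a malformed e_shoff or
// e_shnum cannot drive a read past the end of the mapped file.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>
namespace elfcheck {

// ELF64 header layout constants (offsets from the ELF specification).
constexpr size_t EHDR64_SIZE = 64, SHDR64_SIZE = 64;
constexpr size_t OFF_E_SHOFF = 40, OFF_E_SHENTSIZE = 58, OFF_E_SHNUM = 60;
constexpr uint8_t MAGIC[4] = {0x7f, 'E', 'L', 'F'};

template <typename T> T read_le(const uint8_t* p) {
    T v = 0;
    for (size_t i = 0; i < sizeof(T); ++i) v |= static_cast<T>(p[i]) << (8 * i);
    return v;
}
template <typename T> void write_le(uint8_t* p, T v) {
    for (size_t i = 0; i < sizeof(T); ++i) p[i] = static_cast<uint8_t>(v >> (8 * i));
}

// True only if the whole section header table lies inside [0, size).
// Little-endian ELF64 only (EI_CLASS == 2, EI_DATA == 1); anything else is rejected.
bool section_table_in_bounds(const uint8_t* data, size_t size) {
    if (size < EHDR64_SIZE || std::memcmp(data, MAGIC, 4) != 0) return false;
    if (data[4] != 2 || data[5] != 1) return false;
    uint64_t shoff = read_le<uint64_t>(data + OFF_E_SHOFF);
    uint16_t shentsize = read_le<uint16_t>(data + OFF_E_SHENTSIZE);
    uint16_t shnum = read_le<uint16_t>(data + OFF_E_SHNUM);
    if (shnum == 0) return true;               // no table, nothing to read
    if (shentsize < SHDR64_SIZE) return false; // entry smaller than Elf64_Shdr
    uint64_t table = uint64_t(shentsize) * shnum;  // 16-bit * 16-bit: no overflow
    // Subtract instead of add so a huge shoff cannot wrap the comparison.
    return shoff <= size && table <= size - shoff;
}

// Constructed sample image: a 64-byte ELF64 header followed by one section
// header, with e_shoff / e_shnum chosen by the caller (total size 128 bytes).
std::vector<uint8_t> make_sample(uint64_t shoff, uint16_t shnum) {
    std::vector<uint8_t> f(EHDR64_SIZE + SHDR64_SIZE, 0);
    std::memcpy(f.data(), MAGIC, 4);
    f[4] = 2; f[5] = 1;
    write_le<uint64_t>(f.data() + OFF_E_SHOFF, shoff);
    write_le<uint16_t>(f.data() + OFF_E_SHENTSIZE, SHDR64_SIZE);
    write_le<uint16_t>(f.data() + OFF_E_SHNUM, shnum);
    return f;
}
}  // namespace elfcheck
```

A loader that runs this check (or an equivalent one) before constructing its section objects turns the crash into a clean "malformed file" error.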