elfmaster / libelfmaster

Secure ELF parsing/loading library for forensics reconstruction of malware, and robust reverse engineering tools
http://www.bitlackeys.org

SEGV in section_name_cmp at internal.c:125 #22

Open bladchan opened 2 years ago

bladchan commented 2 years ago

Describe the bug A crafted ELF file that leads elf_open_object() to a segmentation fault. PoC here: poc5.zip

To Reproduce

  1. Build the whole project with ASAN
  2. Run examples/elfparse
    $ ./elfparse ./segv4

Expected behavior Parse the ELF file without a segmentation fault, because a segmentation fault can cause a Denial of Service (DoS).

Environment (please complete the following information):

Additional context ASAN says:

=================================================================
==38155==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000003b8 (pc 0x559f08fb4fcf bp 0x7ffc3e0c5010 sp 0x7ffc3e0c5010 T0)
==38155==The signal is caused by a READ memory access.
==38155==Hint: address points to the zero page.
    #0 0x559f08fb4fce in section_name_cmp /home/ubuntu/some_c_test/libelfmaster/src/internal.c:125
    #1 0x559f08f954f1 in bsearch /usr/include/x86_64-linux-gnu/bits/stdlib-bsearch.h:33
    #2 0x559f08f954f1 in elf_section_by_name /home/ubuntu/some_c_test/libelfmaster/src/libelfmaster.c:1261
    #3 0x559f08f8d1d8 in main /home/ubuntu/some_c_test/libelfmaster/examples/elfparse.c:209
    #4 0x7fee4dc77c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    #5 0x559f08f8dc19 in _start (/home/ubuntu/some_c_test/libelfmaster/fuzz/elfparse+0x8c19)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/ubuntu/some_c_test/libelfmaster/src/internal.c:125 in section_name_cmp
==38155==ABORTING
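To make the failure mode in the trace concrete (a name comparison inside a by-name section lookup reading through an address near zero), here is an added example in C. It is not code from libelfmaster or from the reporter; it is one way to write a section lookup that validates the section header table and .shstrtab against the file size before any name is compared. It builds a constructed ELF64 image in memory, then corrupts e_shstrndx, a sh_name offset and the .shstrtab size in turn, and also truncates the file; each case is rejected with -1 instead of reaching strcmp. The Ehdr/Shdr structs mirror the Elf64 layouts from <elf.h>, the linear scan stands in for the sorted-array bsearch seen in the trace, and nothing here claims to describe where libelfmaster's own bug lies.

```c
/* Added example, not libelfmaster code: bounds-checked ELF64 section lookup by name. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same layout as Elf64_Ehdr / Elf64_Shdr (64 bytes each, no padding). */
typedef struct {
    unsigned char e_ident[16];
    uint16_t e_type, e_machine;
    uint32_t e_version;
    uint64_t e_entry, e_phoff, e_shoff;
    uint32_t e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} Ehdr;
typedef struct {
    uint32_t sh_name, sh_type;
    uint64_t sh_flags, sh_addr, sh_offset, sh_size;
    uint32_t sh_link, sh_info;
    uint64_t sh_addralign, sh_entsize;
} Shdr;

/* Copy section header i into *out; returns 0 if that header lies outside buf. */
static int read_shdr(const uint8_t *buf, size_t len, const Ehdr *eh, uint16_t i, Shdr *out) {
    if (i >= eh->e_shnum || eh->e_shentsize < sizeof(Shdr)) return 0;
    if (eh->e_shoff > len) return 0;
    uint64_t off = eh->e_shoff + (uint64_t)i * eh->e_shentsize;
    if (off > len || len - off < sizeof(Shdr)) return 0;
    memcpy(out, buf + off, sizeof *out);
    return 1;
}

/* Index of the section called `name`, or -1 if the file is malformed or has no such
 * section. Every offset is checked against the buffer before use, and .shstrtab must
 * end in NUL, so strcmp can never read outside the table. */
int find_section_by_name(const uint8_t *buf, size_t len, const char *name) {
    Ehdr eh; Shdr strtab, sh;
    if (len < sizeof eh) return -1;
    memcpy(&eh, buf, sizeof eh);
    if (memcmp(eh.e_ident, "\x7f" "ELF", 4) != 0 || eh.e_ident[4] != 2) return -1; /* ELFCLASS64 only */
    if (eh.e_shnum == 0 || eh.e_shstrndx == 0 || eh.e_shstrndx >= eh.e_shnum) return -1;
    if (!read_shdr(buf, len, &eh, eh.e_shstrndx, &strtab)) return -1;
    if (strtab.sh_type != 3 /* SHT_STRTAB */) return -1;
    if (strtab.sh_offset > len || strtab.sh_size > len - strtab.sh_offset) return -1;
    if (strtab.sh_size == 0 || buf[strtab.sh_offset + strtab.sh_size - 1] != '\0') return -1;
    const char *tab = (const char *)buf + strtab.sh_offset;
    for (uint16_t i = 0; i < eh.e_shnum; i++) {
        if (!read_shdr(buf, len, &eh, i, &sh)) return -1;
        if (sh.sh_name >= strtab.sh_size) return -1;      /* name offset outside .shstrtab */
        if (strcmp(tab + sh.sh_name, name) == 0) return i;
    }
    return -1;
}

/* Constructed sample: header at 0, .shstrtab at 64, three section headers at 128. */
#define IMG_SIZE 320
static const char SHSTR[] = "\0.text\0.shstrtab";  /* 17 bytes including the final NUL */

size_t build_image(uint8_t *img) {
    Ehdr eh = {0}; Shdr sh[3] = {{0}};
    memcpy(eh.e_ident, "\x7f" "ELF", 4);
    eh.e_ident[4] = 2; eh.e_ident[5] = 1; eh.e_ident[6] = 1;   /* 64-bit, little-endian, v1 */
    eh.e_type = 1; eh.e_machine = 62; eh.e_version = 1; eh.e_ehsize = sizeof eh;
    eh.e_shoff = 128; eh.e_shentsize = sizeof(Shdr); eh.e_shnum = 3; eh.e_shstrndx = 2;
    sh[1].sh_name = 1; sh[1].sh_type = 1; sh[1].sh_offset = 64 + sizeof SHSTR;  /* .text, empty */
    sh[2].sh_name = 7; sh[2].sh_type = 3; sh[2].sh_offset = 64; sh[2].sh_size = sizeof SHSTR;
    memset(img, 0, IMG_SIZE);
    memcpy(img, &eh, sizeof eh);
    memcpy(img + 64, SHSTR, sizeof SHSTR);
    memcpy(img + 128, sh, sizeof sh);
    return IMG_SIZE;
}

/* Overwrite one field of the sample image, as a fuzzer would, then look a name up. */
static int lookup_after_patch(size_t off, const void *val, size_t n, const char *name) {
    uint8_t img[IMG_SIZE];
    size_t len = build_image(img);
    memcpy(img + off, val, n);
    return find_section_by_name(img, len, name);
}

int demo_well_formed(void) { uint8_t img[IMG_SIZE]; size_t n = build_image(img); return find_section_by_name(img, n, ".text"); }
int demo_shstrtab(void)    { uint8_t img[IMG_SIZE]; size_t n = build_image(img); return find_section_by_name(img, n, ".shstrtab"); }
int demo_missing(void)     { uint8_t img[IMG_SIZE]; size_t n = build_image(img); return find_section_by_name(img, n, ".data"); }
int demo_truncated(void)   { uint8_t img[IMG_SIZE]; build_image(img); return find_section_by_name(img, 200, ".text"); }
int demo_bad_shstrndx(void)    { uint16_t v = 0x1234;      return lookup_after_patch(offsetof(Ehdr, e_shstrndx), &v, sizeof v, ".text"); }
int demo_bad_name_offset(void) { uint32_t v = 0xffff0000u; return lookup_after_patch(128 + sizeof(Shdr) + offsetof(Shdr, sh_name), &v, sizeof v, ".text"); }
int demo_huge_strtab(void)     { uint64_t v = 0x100000;    return lookup_after_patch(128 + 2 * sizeof(Shdr) + offsetof(Shdr, sh_size), &v, sizeof v, ".text"); }

int main(void) {
    printf(".text=%d .shstrtab=%d .data=%d truncated=%d bad_shstrndx=%d bad_name=%d huge_strtab=%d\n",
           demo_well_formed(), demo_shstrtab(), demo_missing(), demo_truncated(),
           demo_bad_shstrndx(), demo_bad_name_offset(), demo_huge_strtab());
    return 0;
}
```

The order of the checks matters: the string table is validated (in bounds, non-empty, NUL-terminated) before the loop, and each sh_name is checked against sh_size before it is turned into a pointer, so a header table that was itself placed outside the file, or a name offset like 0xffff0000, is refused rather than dereferenced. A lookup built on a sorted array and bsearch needs the same validation before the array is filled, since the comparator runs with no bounds information of its own.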

elfmaster commented 2 years ago

Thank you. I will look into fixing these. Are you using the library for anything in particular?

bladchan commented 2 years ago

Nope, I was just fuzzing it. It seems that there are some bugs in examples/elfparse.c. When given a correctly formatted ELF file, the parser seems to work normally, but when given a crafted ELF file, the parser is corrupted by memory issues. In total: 1 heap overflow, 12 SEGVs, 1 bad free, 1 floating point exception, and 3 unknown crashes. If you need these PoCs, I'll organize and upload them.