
Buffer Overread while attempting to patch a malformed ELF file

Open kirit1193 opened this issue 8 years ago • 1 comment

Supplying a malformed file and running shrink-rpath, using the command ./patchelf --shrink-rpath %file%, leads to a buffer overread vulnerability. The relevant AddressSanitizer output is:

./src/patchelf --shrink-rpath src/crashes/patchelf003000008
ASAN:DEADLYSIGNAL
=================================================================
==29431==ERROR: AddressSanitizer: SEGV on unknown address 0x7f379abfe558 (pc 0x00000055b44f bp 0x7fff22447270 sp 0x7fff22446c00 T0)
==29431==The signal is caused by a READ memory access.
    #0 0x55b44e in ElfFile<Elf64_Ehdr, Elf64_Phdr, Elf64_Shdr, unsigned long, unsigned long, Elf64_Dyn, Elf64_Sym, Elf64_Verneed>::modifyRPath(ElfFile<Elf64_Ehdr, Elf64_Phdr, Elf64_Shdr, unsigned long, unsigned long, Elf64_Dyn, Elf64_Sym, Elf64_Verneed>::RPathOp, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) /tmp/ramdisk/patchelf/src/patchelf.cc:1140:22
    #1 0x50d1e3 in void patchElf2<ElfFile<Elf64_Ehdr, Elf64_Phdr, Elf64_Shdr, unsigned long, unsigned long, Elf64_Dyn, Elf64_Sym, Elf64_Verneed> >(ElfFile<Elf64_Ehdr, Elf64_Phdr, Elf64_Shdr, unsigned long, unsigned long, Elf64_Dyn, Elf64_Sym, Elf64_Verneed>&&) /tmp/ramdisk/patchelf/src/patchelf.cc:1567:17
    #2 0x50d1e3 in patchElf() /tmp/ramdisk/patchelf/src/patchelf.cc:1601
    #3 0x50d1e3 in mainWrapped(int, char**) /tmp/ramdisk/patchelf/src/patchelf.cc:1730
    #4 0x51670a in main /tmp/ramdisk/patchelf/src/patchelf.cc:1738:16
    #5 0x7f359f4d23f0 in __libc_start_main /build/glibc-mXZSwJ/glibc-2.24/csu/../csu/libc-start.c:291
    #6 0x41d9b9 in _start (/tmp/ramdisk/patchelf/src/patchelf+0x41d9b9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/ramdisk/patchelf/src/patchelf.cc:1140:22 in ElfFile<Elf64_Ehdr, Elf64_Phdr, Elf64_Shdr, unsigned long, unsigned long, Elf64_Dyn, Elf64_Sym, Elf64_Verneed>::modifyRPath(ElfFile<Elf64_Ehdr, Elf64_Phdr, Elf64_Shdr, unsigned long, unsigned long, Elf64_Dyn, Elf64_Sym, Elf64_Verneed>::RPathOp, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >)
==29431==ABORTING

The file causing the crash has been attached. patchelf003000008.zip

kirit1193 avatar Sep 19 '17 17:09 kirit1193
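As an added example (not patchelf's code, and not derived from the attached crash file): the bounds check a parser wants before trusting a string reference read from an ELF image. The issue does not say which field is out of range at patchelf.cc:1140, so the example assumes only the general class of defect, an offset taken from the untrusted file being used to index a string table, and shows the size and NUL-termination checks that turn such a read into a rejected file instead of a SEGV. The in-memory image layout, the names safeTableString and makeSampleImage, and the sample bytes are all constructed here.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <iostream>
#include <optional>
#include <string>
#include <vector>

// Bounds-checked lookup of a NUL-terminated string inside a string table
// that itself lives inside a file image. Every offset comes from the
// untrusted file, so each step is validated against the image size before
// any byte is dereferenced.
//
// Assumptions (constructed for this example, not stated in the issue): the
// whole file is held in memory, and a string is addressed by a table offset
// plus an index into that table, as ELF's DT_STRTAB/DT_RPATH pairing does.
std::optional<std::string> safeTableString(const std::vector<uint8_t>& image,
                                           uint64_t tableOffset,
                                           uint64_t tableSize,
                                           uint64_t stringOffset) {
    const uint64_t imageSize = image.size();
    // The table must fit inside the image. Compare by subtraction so that a
    // huge tableOffset cannot wrap tableOffset + tableSize back into range.
    if (tableOffset > imageSize || tableSize > imageSize - tableOffset) {
        return std::nullopt;
    }
    // The string index must fall inside the table, not merely the image.
    if (stringOffset >= tableSize) {
        return std::nullopt;
    }
    const uint8_t* begin = image.data() + tableOffset + stringOffset;
    const size_t remaining = static_cast<size_t>(tableSize - stringOffset);
    // memchr is bounded by `remaining`; strlen on a table that lacks a
    // terminating NUL would read past the end of the table and the image.
    const void* nul = std::memchr(begin, 0, remaining);
    if (nul == nullptr) {
        return std::nullopt;  // unterminated string: reject the file
    }
    const size_t length = static_cast<const uint8_t*>(nul) - begin;
    return std::string(reinterpret_cast<const char*>(begin), length);
}

// Constructed sample image: 8 bytes of filler "header", then a 16-byte
// string table holding "" at index 0 and "/opt/lib" at index 1 (padded with
// NULs), then 4 trailing filler bytes. Total size: 28 bytes.
std::vector<uint8_t> makeSampleImage() {
    std::vector<uint8_t> img(8, 0xAA);
    const char rpath[] = "/opt/lib";
    img.push_back(0);                                     // index 0: empty string
    img.insert(img.end(), rpath, rpath + sizeof(rpath));  // 8 chars + NUL
    img.resize(8 + 16, 0);                                // pad the table to 16 bytes
    img.insert(img.end(), {0xBB, 0xBB, 0xBB, 0xBB});
    return img;
}

int main() {
    const std::vector<uint8_t> img = makeSampleImage();
    // Well-formed reference: table at 8, 16 bytes long, string index 1.
    if (auto s = safeTableString(img, 8, 16, 1)) {
        std::cout << "rpath = " << *s << '\n';
    }
    // Malformed references that a naive reader would dereference blindly.
    std::cout << "index past table rejected: "
              << !safeTableString(img, 8, 16, 17).has_value() << '\n';
    std::cout << "table past image rejected: "
              << !safeTableString(img, 20, 16, 1).has_value() << '\n';
    std::cout << "unterminated string rejected: "
              << !safeTableString(img, 8, 9, 1).has_value() << '\n';
    std::cout << "wrapping offset rejected: "
              << !safeTableString(img, UINT64_MAX, 2, 0).has_value() << '\n';
    return 0;
}
```

The order of the checks matters: the table-in-image test comes first so that the later string-in-table test can rely on `image.data() + tableOffset + stringOffset` being a valid address, and the NUL search is bounded by the table size rather than the image size so that a string never silently spills into the next section. A fuzzer-found file like the one attached to this issue is exactly the kind of input that exercises the rejected branches.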

Fixed in 0.16, should make a test-case.

Ericson2314 avatar Aug 13 '25 03:08 Ericson2314