CVE-2022-38934: Some arbitrary address read vulnerabilities in readelf · Issue #244 · klange/toaruos
readelf in ToaruOS 2.0.1 has some arbitrary address read vulnerabilities when parsing a crafted ELF file.
Hi,
there are many out-of-bounds reads leading to a possible temporary denial of service in readelf.
PoC
poc_elf_out_of_bounds.zip
./readelf -a poc_elf_out_of_bounds ELF Header: … Program Headers: Type Offset VirtAddr PhysAddr FileSiz MemSiz Flags Align PHDR 0x0000000000000040 0x0000000000000040 0x0000000000000040 0x00000000000002d8 0x00000000000002d8 R 0x8 …
Relocation section ‘’ at offset 0x200000007 contains 159629617834 entries. Offset Info Type Sym. Value Sym. Name + Addend zsh: segmentation fault ./readelf -a poc_elf_out_of_bounds
In fact, when printing external data in %s format, readelf needs to judge the legitimacy of the address, which cannot exceed the range of the ELF file.
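The check the report asks for, shown as an added example that is not ToaruOS code and not the patch below: every offset taken from a section header (sh_name, sh_offset, sh_size) is validated against the length of the mapped file before it is printed with %s or used to walk a table. The in-memory image, the function names and the "<corrupt>" placeholder are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for an mmap'd ELF image: a few header bytes followed
   by a string table. Offsets are relative to the image start, like sh_name
   and sh_offset in a real section header. The last name has no NUL on purpose. */
static const unsigned char image[] = {
    0x7f, 'E', 'L', 'F', 0, 0, 0, 0,                  /* 0..7: fake header bytes */
    0, '.', 't', 'e', 'x', 't', 0,                    /* 8..14: "" and ".text" */
    '.', 'r', 'e', 'l', 'a', '.', 'd', 'y', 'n', 0,   /* 15..24: ".rela.dyn" */
    'b', 'a', 'd'                                     /* 25..27: unterminated */
};
static const size_t image_len = sizeof image;

/* Return the NUL-terminated string at file offset `off`, or NULL if the
   offset lies outside the image or the string runs past its end. The
   comparison is done on offsets, not pointers, so a huge `off` cannot wrap. */
const char *file_string(const unsigned char *base, size_t len, uint64_t off) {
    if (off >= len) return NULL;
    size_t avail = len - (size_t)off;
    const unsigned char *s = base + off;
    if (memchr(s, '\0', avail) == NULL) return NULL;  /* no terminator in file */
    return (const char *)s;
}

/* Check that `count` entries of `entsize` bytes starting at `off` lie wholly
   inside the file. Both the multiplication and the addition are checked for
   overflow before comparing, which is what defeats an absurd entry count. */
int table_in_file(size_t len, uint64_t off, uint64_t count, uint64_t entsize) {
    if (entsize == 0) return 0;
    if (count > UINT64_MAX / entsize) return 0;       /* count * entsize wraps */
    uint64_t bytes = count * entsize;
    if (off > UINT64_MAX - bytes) return 0;           /* off + bytes wraps */
    return off + bytes <= len;
}

/* Name to print for a section header: a placeholder instead of a read past
   the end of the file when sh_name is corrupt. */
const char *section_name(uint64_t sh_name) {
    const char *s = file_string(image, image_len, sh_name);
    return s ? s : "<corrupt>";
}
```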
git diff
diff --git a/apps/readelf.c b/apps/readelf.c
index ce25d5e1…5832f88f 100644
— a/apps/readelf.c
+++ b/apps/readelf.c
@@ -670,9 +670,11 @@ int main(int argc, char * argv[]) {
break;
case SHT_RELA:
if (show_bits & SHOW_RELOCATIONS) {
- printf("\nRelocation section ‘%s’ at offset 0x%lx contains %ld entries.\n",
if (is\_valid(stringTable + sectionHeader.sh\_name)) {
printf("\\nRelocation section '%s' at offset 0x%lx contains %ld entries.\\n", stringTable + sectionHeader.sh\_name, sectionHeader.sh\_offset, sectionHeader.sh\_size / sizeof(Elf64\_Rela));
} printf(" Offset Info Type Sym. Value Sym. Name + Addend\\n"); /\* Section this relocation is in \*/
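Review bot: the new is_valid() guard only covers the section-name pointer; sh_offset and sh_size in the same printf, and the entry count sectionHeader.sh_size / sizeof(Elf64_Rela) that drives the relocation loop that follows, are still used unchecked, which is exactly the "159629617834 entries" case in the PoC. Validate that sh_offset plus sh_size lies within the mapped file length, with overflow-safe arithmetic, before iterating, and include the definition of is_valid(), which is not in this hunk, so reviewers can confirm it compares against the actual file size rather than only rejecting a null pointer. Also, when the name is invalid the "Relocation section" line is dropped but the column header is still printed; printing a placeholder name keeps the output consistent.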