From: Mark Wielaard
To: elfutils-devel@lists.fedorahosted.org
Subject: Re: out-of-bounds read / crash in elfutils tools (readelf, nm, ...) with malformed file
Date: Fri, 07 Nov 2014 12:58:07 +0100
Message-ID: <1415361487.19702.26.camel@bordewijk.wildebeest.org>
In-Reply-To: 20141107012711.0342a419@pc

On Fri, 2014-11-07 at 01:27 +0100, Hanno Böck wrote:
> On Thu, 06 Nov 2014 16:11:43 +0100
> Mark Wielaard wrote:
>
> > > (actually this bug report is kind of a fallout of a bug search in
> > > libbfd - various parser bugs in the binutils-tools have been found
> > > and fixed in the past days and I thought I'd run other elf-related
> > > tools on the collection of bug-exposing binaries)
> >
> > Thanks. If you have any other examples please do report them.
>
> Ten to crash readelf -a attached, according to american-fuzzy-lop all
> distinct code paths.

Thanks. eu-readelf didn't sanitize the hash section data before use.
The attached patch should fix that.

Cheers,

Mark

Attachment: 0001-readelf-Sanity-check-hash-section-contents-before-pr.patch (text/x-patch)

From 5f6cd01d4ca5d5b0fab6dd35d22fbf900f50364f Mon Sep 17 00:00:00 2001
From: Mark Wielaard <mjw@redhat.com>
Date: Fri, 7 Nov 2014 12:54:02 +0100
Subject: [PATCH] readelf: Sanity check hash section contents before
 processing.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Reported by: Hanno Böck <hanno@hboeck.de>
Signed-off-by: Mark Wielaard <mjw@redhat.com>
---
 src/ChangeLog |  6 ++++++
 src/readelf.c | 48 +++++++++++++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 53 insertions(+), 1 deletion(-)

diff --git a/src/ChangeLog b/src/ChangeLog
index a252cdc..3ff3e31 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,9 @@
+2014-11-07  Mark Wielaard  <mjw@redhat.com>
+
+	* readelf.c (handle_sysv_hash): Sanity check section contents.
+	(handle_sysv_hash64): Likewise.
+	(handle_gnu_hash): Likewise.
+
 2014-09-14  Petr Machata  <pmachata@redhat.com>
 
 	* readelf.c (handle_relocs_rela): Typo fix, test DESTSHDR properly.
diff --git a/src/readelf.c b/src/readelf.c
index 4d3bb36..fba6c03 100644
--- a/src/readelf.c
+++ b/src/readelf.c
@@ -2954,8 +2954,21 @@ handle_sysv_hash (Ebl *ebl, Elf_Scn *scn, GElf_Shdr *shdr, size_t shstrndx)
       return;
     }
 
+  if (unlikely (data->d_size < 2 * sizeof (Elf32_Word)))
+    {
+    invalid_data:
+      error (0, 0, gettext ("invalid data in sysv.hash section %d"),
+	     (int) elf_ndxscn (scn));
+      return;
+    }
+
   Elf32_Word nbucket = ((Elf32_Word *) data->d_buf)[0];
   Elf32_Word nchain = ((Elf32_Word *) data->d_buf)[1];
+
+  uint32_t used_buf = (2 + nchain + nbucket) * sizeof (Elf32_Word);
+  if (used_buf > data->d_size || used_buf + data->d_size < data->d_size)
+    goto invalid_data;
+
   Elf32_Word *bucket = &((Elf32_Word *) data->d_buf)[2];
   Elf32_Word *chain = &((Elf32_Word *) data->d_buf)[2 + nbucket];
 
@@ -2996,8 +3009,21 @@ handle_sysv_hash64 (Ebl *ebl, Elf_Scn *scn, GElf_Shdr *shdr, size_t shstrndx)
       return;
     }
 
+  if (unlikely (data->d_size < 2 * sizeof (Elf64_Xword)))
+    {
+    invalid_data:
+      error (0, 0, gettext ("invalid data in sysv.hash64 section %d"),
+	     (int) elf_ndxscn (scn));
+      return;
+    }
+
   Elf64_Xword nbucket = ((Elf64_Xword *) data->d_buf)[0];
   Elf64_Xword nchain = ((Elf64_Xword *) data->d_buf)[1];
+
+  uint32_t used_buf = (2 + nchain + nbucket) * sizeof (Elf64_Xword);
+  if (used_buf > data->d_size || used_buf + data->d_size < data->d_size)
+    goto invalid_data;
+
   Elf64_Xword *bucket = &((Elf64_Xword *) data->d_buf)[2];
   Elf64_Xword *chain = &((Elf64_Xword *) data->d_buf)[2 + nbucket];
 
@@ -3037,18 +3063,36 @@ handle_gnu_hash (Ebl *ebl, Elf_Scn *scn, GElf_Shdr *shdr, size_t shstrndx)
       return;
     }
 
+  if (unlikely (data->d_size < 4 * sizeof (Elf32_Word)))
+    {
+    invalid_data:
+      error (0, 0, gettext ("invalid data in gnu.hash section %d"),
+	     (int) elf_ndxscn (scn));
+      return;
+    }
+
   Elf32_Word nbucket = ((Elf32_Word *) data->d_buf)[0];
   Elf32_Word symbias = ((Elf32_Word *) data->d_buf)[1];
 
   /* Next comes the size of the bitmap.  It's measured in words for
      the architecture.  It's 32 bits for 32 bit archs, and 64 bits for
-     64 bit archs.  */
+     64 bit archs.  There is always a bloom filter present, so zero is
+     an invalid value.  */
   Elf32_Word bitmask_words = ((Elf32_Word *) data->d_buf)[2];
   if (gelf_getclass (ebl->elf) == ELFCLASS64)
     bitmask_words *= 2;
 
+  if (bitmask_words == 0)
+    goto invalid_data;
+
   Elf32_Word shift = ((Elf32_Word *) data->d_buf)[3];
 
+  /* Is there still room for the sym chain?  Check for unsigned overlow.  */
+  uint32_t used_buf = (4 + bitmask_words + nbucket) * sizeof (Elf32_Word);
+  uint32_t max_nsyms = (data->d_size - used_buf) / sizeof (Elf32_Word);
+  if (used_buf > data->d_size || used_buf + data->d_size < data->d_size)
+    goto invalid_data;
+
   uint32_t *lengths = (uint32_t *) xcalloc (nbucket, sizeof (uint32_t));
 
   Elf32_Word *bitmask = &((Elf32_Word *) data->d_buf)[4];
@@ -3068,6 +3112,8 @@ handle_gnu_hash (Ebl *ebl, Elf_Scn *scn, GElf_Shdr *shdr, size_t shstrndx)
 	    ++nsyms;
 	    if (maxlength < ++lengths[cnt])
 	      ++maxlength;
+	    if (inner > max_nsyms)
+	      goto invalid_data;
 	  }
 	while ((chain[inner++] & 1) == 0);
       }
-- 
1.9.3
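Review bot: the new bounds check in the handle_sysv_hash hunk (@@ -2954,8 +2954,21 @@) can still be defeated by 32-bit wrap-around. In `uint32_t used_buf = (2 + nchain + nbucket) * sizeof (Elf32_Word);` the sum `2 + nchain + nbucket` is evaluated in `Elf32_Word` width, so a malformed section with nbucket = nchain = 0x80000000 wraps the sum to 2 and used_buf to 8, which passes `used_buf > data->d_size`; the second test `used_buf + data->d_size < data->d_size` only detects overflow of that addition, not of the product, and `bucket` and `chain` are then derived from the unchecked nbucket. Do the arithmetic in 64 bits and drop the addition test, e.g. `uint64_t used_buf = (2ULL + nchain + nbucket) * sizeof (Elf32_Word); if (used_buf > data->d_size) goto invalid_data;`.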
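Review bot: in the handle_sysv_hash64 hunk (@@ -2996,8 +3009,21 @@) `used_buf` is declared `uint32_t` although `nbucket` and `nchain` are `Elf64_Xword`, so the 64-bit product `(2 + nchain + nbucket) * sizeof (Elf64_Xword)` is silently truncated on assignment; nbucket = 0x20000000 with nchain = 0 gives (2 + 2^29) * 8 = 2^32 + 16, stored as 16, and the check passes for any section of at least 16 bytes while `chain` is pointed 4 GiB past `d_buf`. Declare `used_buf` as `uint64_t` (the same change serves the 32-bit variant) and keep only the `used_buf > data->d_size` comparison.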
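Review bot: in the handle_gnu_hash hunk (@@ -3037,18 +3063,36 @@) `max_nsyms` is computed from `data->d_size - used_buf` one line before the check that `used_buf` does not exceed `data->d_size`; the subtraction wraps in the invalid case and only the following goto keeps the bogus value from being used, so move the check above the computation. The same 32-bit concern as in the sysv hunks applies to `(4 + bitmask_words + nbucket) * sizeof (Elf32_Word)`, more so here because `bitmask_words` has just been doubled for ELFCLASS64; a `uint64_t` computation closes it. Minor: the new comment reads "unsigned overlow" for "unsigned overflow".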
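Review bot: the chain bound in the last handle_gnu_hash hunk (@@ -3068,6 +3112,8 @@) is off by one: `if (inner > max_nsyms)` admits inner == max_nsyms, and the loop condition `chain[inner++]` then reads the word at index max_nsyms, one past the max_nsyms chain entries that fit in the remaining `data->d_size - used_buf` bytes; the check should be `inner >= max_nsyms`. Also, `goto invalid_data` from inside the loop returns through the label without releasing `lengths`, allocated with xcalloc in the previous hunk, so free it before the jump.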