public inbox for elfutils@sourceware.org
From: Mark Wielaard <mjw@redhat.com>
To: elfutils-devel@lists.fedorahosted.org
Subject: Re: Fuzzing elfutils
Date: Thu, 04 Dec 2014 17:03:19 +0100	[thread overview]
Message-ID: <1417708999.18974.21.camel@bordewijk.wildebeest.org> (raw)
In-Reply-To: 20141204142734.GA19050@bordewijk.redhat.com


On Thu, 2014-12-04 at 15:27 +0100, Mark Wielaard wrote:
> Thanks! We have been fixing various issues the last couple of weeks
> and I just pushed some of my fixes to git master. So if you could retry
> against the very latest git checkout that would be very helpful.
> I'll run your crashers locally against my tree and will report which
> issues still exist.

Good news, the asserts from readelf-asserts.tar.gz don't trigger anymore
and the command seems to run fine.

Mixed news, some of the crashes in readelf-crashes.tar.gz have been
fixed (1e76f17f, 66ad10d4). But a lot still crash. The somewhat good
news is that all of the crashes seem to come from either handling
archives or debuginfo, both of which haven't seen many robustness fixes
yet. And most of the crashes are the same in
__libdw_form_val_compute_len which does a strlen and runs out of the
debug section data. We'll need to pass around the length of the data
section and use strnlen here. But still some more work to do.

Bad news, all of the eu-objdump crashes are still there. The good news
is that all but one (af293379), which again deals with ar archives, are
simple to fix by some sanity checks. Patch attached and pushed to
master.

Thanks,

Mark
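The strnlen fix Mark describes above for __libdw_form_val_compute_len, worked through as an added example. This is not elfutils code and does not use libdw's internal interfaces; it assumes a simplified value-length routine over a handful of DWARF forms (form codes from the DWARF standard) and a constructed DIE byte sequence. The point it shows is that the caller has to hand down the number of bytes remaining in the section, and that a bounded scan which finds no terminator before that count runs out has to be reported as an error rather than read past.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Subset of DWARF form codes (values from the DWARF standard).  */
enum
{
  DW_FORM_data2 = 0x05, DW_FORM_data4 = 0x06, DW_FORM_data8 = 0x07,
  DW_FORM_string = 0x08, DW_FORM_block = 0x09, DW_FORM_block1 = 0x0a,
  DW_FORM_data1 = 0x0b, DW_FORM_flag = 0x0c, DW_FORM_sdata = 0x0d,
  DW_FORM_udata = 0x0f
};

/* Byte length of a (U|S)LEB128 starting at P with AVAIL bytes left, or 0
   if the last available byte still has its continuation bit set, i.e. the
   encoding is truncated.  *VAL receives the unsigned interpretation.  */
static size_t
leb128_len (const uint8_t *p, size_t avail, uint64_t *val)
{
  uint64_t result = 0;
  unsigned shift = 0;
  for (size_t i = 0; i < avail && i < 10; ++i)
    {
      result |= (uint64_t) (p[i] & 0x7f) << shift;
      if ((p[i] & 0x80) == 0)
	{
	  *val = result;
	  return i + 1;
	}
      shift += 7;
    }
  return 0;
}

/* Encoded size of one attribute value of FORM starting at P, given that
   only AVAIL bytes of the section remain.  Returns -1 if the value would
   run past the end of the data; an unbounded strlen here is exactly the
   out-of-bounds read the mail describes.  */
long
form_val_len (const uint8_t *p, size_t avail, unsigned form)
{
  size_t n;
  uint64_t v;

  switch (form)
    {
    case DW_FORM_flag:
    case DW_FORM_data1: n = 1; break;
    case DW_FORM_data2: n = 2; break;
    case DW_FORM_data4: n = 4; break;
    case DW_FORM_data8: n = 8; break;

    case DW_FORM_string:
      {
	/* Bounded scan for the NUL: same semantics as the strnlen the mail
	   proposes (memchr is used because it is plain ISO C).  NULL means
	   the string is not terminated before the section ends.  */
	const uint8_t *nul = memchr (p, 0, avail);
	if (nul == NULL)
	  return -1;
	n = (size_t) (nul - p) + 1;	/* include the terminator */
	break;
      }

    case DW_FORM_block1:
      if (avail < 1)
	return -1;
      n = 1 + (size_t) p[0];
      break;

    case DW_FORM_block:
      n = leb128_len (p, avail, &v);
      if (n == 0 || v > avail - n)
	return -1;
      n += (size_t) v;
      break;

    case DW_FORM_udata:
    case DW_FORM_sdata:		/* same byte-count rule as udata */
      n = leb128_len (p, avail, &v);
      if (n == 0)
	return -1;
      break;

    default:
      return -1;		/* form not handled in this example */
    }

  return n <= avail ? (long) n : -1;
}

/* Skip NFORMS consecutive values, threading the remaining length through
   every call.  Total bytes consumed, or -1 on the first value that
   overruns AVAIL.  */
long
walk_values (const uint8_t *p, size_t avail, const unsigned *forms,
	     size_t nforms)
{
  size_t off = 0;
  for (size_t i = 0; i < nforms; ++i)
    {
      long n = form_val_len (p + off, avail - off, forms[i]);
      if (n < 0)
	return -1;
      off += (size_t) n;
    }
  return (long) off;
}

/* Constructed sample (not from any real object): a DIE body whose
   abbreviation says data1, string, block1, udata; 12 bytes in total.  */
const uint8_t sample_die[] = {
  0x2a,				/* DW_FORM_data1 */
  'm', 'a', 'i', 'n', 0x00,	/* DW_FORM_string "main" */
  0x02, 0xaa, 0xbb,		/* DW_FORM_block1 with 2 payload bytes */
  0xe5, 0x8e, 0x26		/* DW_FORM_udata 624485 */
};
const unsigned sample_forms[] = {
  DW_FORM_data1, DW_FORM_string, DW_FORM_block1, DW_FORM_udata
};

int
main (void)
{
  /* Intact section, then the same bytes with the section end moved into
     the middle of the string, as in a truncated debuginfo file.  */
  printf ("full: %ld\n", walk_values (sample_die, sizeof sample_die,
				      sample_forms, 4));
  printf ("cut:  %ld\n", walk_values (sample_die, 5, sample_forms, 4));
  return 0;
}
```

The second call fails instead of reading five bytes past the 5-byte window, because the only state the string case has to decide with is the remaining count it was handed; that count is what a strlen-based implementation never sees.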

[-- Attachment #2: 0001-objdump-Add-various-sanity-checks-to-guard-against-c.patch --]

From d0070a982cfddbff9c3f744b518b4cde539e5e65 Mon Sep 17 00:00:00 2001
From: Mark Wielaard <mjw@redhat.com>
Date: Thu, 4 Dec 2014 17:01:20 +0100
Subject: [PATCH] objdump: Add various sanity checks to guard against corrupted
 data.

Reported-by: Alexander Cherepanov <cherepan@mccme.ru>
Signed-off-by: Mark Wielaard <mjw@redhat.com>
---
 src/ChangeLog |  7 +++++++
 src/objdump.c | 12 +++++++++---
 2 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/src/ChangeLog b/src/ChangeLog
index 0819c1e..c149a9c 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,10 @@
+2014-12-04  Mark Wielaard  <mjw@redhat.com>
+
+	* objdump.c (show_relocs_x): Make sure destshdr exists.
+	(show_relocs_rel): Don't rely on shdr->sh_entsize, use gelf_fsize.
+	(show_relocs_rela): Likewise.
+	(show_relocs): Make sure destshdr, symshdr and symdata exists.
+
 2014-11-30  Mark Wielaard  <mjw@redhat.com>
 
 	* readelf.c (handle_sysv_hash64): Fix overflow check.
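Review bot: grammar nit in the new show_relocs entry: "Make sure destshdr, symshdr and symdata exists" should read "exist".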
diff --git a/src/objdump.c b/src/objdump.c
index 5376447..87290cc 100644
--- a/src/objdump.c
+++ b/src/objdump.c
@@ -389,7 +389,7 @@ show_relocs_x (Ebl *ebl, GElf_Shdr *shdr, Elf_Data *symdata,
 					   ? xndx : sym->st_shndx),
 			       &destshdr_mem);
 
-      if (shdr == NULL)
+      if (shdr == NULL || destshdr == NULL)
 	printf ("<%s %ld>",
 		gettext ("INVALID SECTION"),
 		(long int) (sym->st_shndx == SHN_XINDEX
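Review bot: the added `destshdr == NULL` test also fires for symbols whose st_shndx is a reserved index such as SHN_ABS or SHN_COMMON, because elf_getscn returns NULL for an index at or beyond the section count and gelf_getshdr on a NULL scn returns NULL as well; those symbols are now printed as "INVALID SECTION" with their raw index. That is better than the NULL dereference this replaces, but it lumps legitimate absolute and common symbols together with corrupted indices. Consider checking for `st_shndx >= SHN_LORESERVE` (when not SHN_XINDEX) before the lookup and printing a distinct label for the reserved cases.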
@@ -418,7 +418,8 @@ show_relocs_rel (Ebl *ebl, GElf_Shdr *shdr, Elf_Data *data,
 		 Elf_Data *symdata, Elf_Data *xndxdata, size_t symstrndx,
 		 size_t shstrndx)
 {
-  int nentries = shdr->sh_size / shdr->sh_entsize;
+  size_t sh_entsize = gelf_fsize (ebl->elf, ELF_T_REL, 1, EV_CURRENT);
+  int nentries = shdr->sh_size / sh_entsize;
 
   for (int cnt = 0; cnt < nentries; ++cnt)
     {
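Review bot: `int nentries = shdr->sh_size / sh_entsize;` still narrows a 64-bit GElf_Xword quotient into an int, so a corrupted sh_size in the multi-gigabyte range produces a negative or wrapped count; a negative count just makes the loop body never run and the section is skipped silently. Use size_t for nentries and the loop counter. Switching to gelf_fsize does remove the division-by-zero and the undersized-entry problem of trusting sh_entsize, since gelf_fsize (ebl->elf, ELF_T_REL, 1, EV_CURRENT) is non-zero for a valid ELF class, and any trailing partial entry is dropped by the integer division.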
@@ -438,7 +439,8 @@ show_relocs_rela (Ebl *ebl, GElf_Shdr *shdr, Elf_Data *data,
 		  Elf_Data *symdata, Elf_Data *xndxdata, size_t symstrndx,
 		  size_t shstrndx)
 {
-  int nentries = shdr->sh_size / shdr->sh_entsize;
+  size_t sh_entsize = gelf_fsize (ebl->elf, ELF_T_RELA, 1, EV_CURRENT);
+  int nentries = shdr->sh_size / sh_entsize;
 
   for (int cnt = 0; cnt < nentries; ++cnt)
     {
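Review bot: same narrowing issue as in show_relocs_rel: nentries should be size_t rather than int, otherwise a huge sh_size yields a negative or wrapped entry count.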
@@ -506,6 +508,8 @@ show_relocs (Ebl *ebl, const char *fname, uint32_t shstrndx)
 	  GElf_Shdr *destshdr = gelf_getshdr (elf_getscn (ebl->elf,
 							  shdr->sh_info),
 					      &destshdr_mem);
+	  if (unlikely (destshdr == NULL))
+	    continue;
 
 	  printf (gettext ("\nRELOCATION RECORDS FOR [%s]:\n"
 			   "%-*s TYPE                 VALUE\n"),
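Review bot: the `continue` on a NULL destshdr silently drops the whole relocation section from the output, and an sh_info that points at a non-existent section is exactly the corruption a user running eu-objdump on a suspicious file wants to hear about. Print a diagnostic (the tool's `error (0, 0, ...)` convention) naming the section index before skipping it, so the silence is not mistaken for "no relocations".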
@@ -522,6 +526,8 @@ show_relocs (Ebl *ebl, const char *fname, uint32_t shstrndx)
 	  GElf_Shdr symshdr_mem;
 	  GElf_Shdr *symshdr = gelf_getshdr (symscn, &symshdr_mem);
 	  Elf_Data *symdata = elf_getdata (symscn, NULL);
+	  if (unlikely (symshdr == NULL || symdata == NULL))
+	    continue;
 
 	  /* Search for the optional extended section index table.  */
 	  Elf_Data *xndxdata = NULL;
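Review bot: this check sits after the "RELOCATION RECORDS FOR [%s]" header has already been printed in the previous hunk, so for a broken symbol-table link the output shows a header with no records and no explanation; either hoist the symshdr/symdata check above that printf or emit a message before the `continue`. The NULL test also does not verify that symshdr->sh_type is SHT_SYMTAB or SHT_DYNSYM, so an sh_link aimed at an unrelated section will still be interpreted as a symbol table.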
-- 
1.8.3.1


Thread overview: 22+ messages
2014-12-04 16:03 Mark Wielaard [this message]
     [not found] <199C1200-40AC-4AD2-89D4-24E172CBA353@catenacyber.fr>
2022-10-21 12:58 ` Philippe Antoine
2022-10-21 13:22   ` Frank Ch. Eigler
2022-10-21 19:57     ` Evgeny Vereshchagin
2022-10-22  9:27       ` Philippe Antoine
2022-10-22 10:21         ` Evgeny Vereshchagin
2022-10-21 13:33   ` Evgeny Vereshchagin
  -- strict thread matches above, loose matches on Subject: below --
2014-12-31 11:03 Mark Wielaard
2014-12-29  3:16 Alexander Cherepanov
2014-12-23 11:42 Mark Wielaard
2014-12-21 22:20 Alexander Cherepanov
2014-12-19  0:13 Mark Wielaard
2014-12-18 18:15 Alexander Cherepanov
2014-12-12 12:08 Mark Wielaard
2014-12-08  9:14 Mark Wielaard
2014-12-08  8:52 Mark Wielaard
2014-12-08  3:06 Alexander Cherepanov
2014-12-08  1:01 Alexander Cherepanov
2014-12-05  8:58 Mark Wielaard
2014-12-04 23:10 Alexander Cherepanov
2014-12-04 14:27 Mark Wielaard
2014-12-03 15:16 Alexander Cherepanov
