Re: Fuzzing elfutils

[Mark Wielaard <mjw@redhat.com>]

[-- Attachment #1: Type: text/plain, Size: 1244 bytes --]

On Thu, 2014-12-04 at 15:27 +0100, Mark Wielaard wrote:
> Thanks! We have been fixing various issues the last couple of weeks
> and I just pushed some my fixes to git master. So if you could retry
> against the very latest git checkout that would be very helpful.
> I'll run your crashers locally against my tree and will report which
> issues still exist.

Good news, the asserts from readelf-asserts.tar.gz don't trigger anymore
and the command seems to run fine.

Mixed news, some of the crashes in readelf-crashes.tar.gz have been
fixed (1e76f17f, 66ad10d4). But a lot still crash. The somewhat good
news is that all of the crashes seem to come from either handling
archives or debuginfo, both of which haven't seen much robustness fixes
yet. And most of the crashes are the same in
__libdw_form_val_compute_len which does a strlen and runs out of the
debug section data. We'll need to pass around the length of the data
section and use strnlen here. But still some more work to do.

Bad news, all of the eu-objdump crashes are still there. The good news
is that all but one (af293379) that deals with ar archives again are
simple to fix by some sanity checks. Patch attached and pushed to
master.

Thanks,

Mark

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: 0001-objdump-Add-various-sanity-checks-to-guard-against-c.patch --]
[-- Type: text/x-patch, Size: 2998 bytes --]

From d0070a982cfddbff9c3f744b518b4cde539e5e65 Mon Sep 17 00:00:00 2001
From: Mark Wielaard <mjw@redhat.com>
Date: Thu, 4 Dec 2014 17:01:20 +0100
Subject: [PATCH] objdump: Add various sanity checks to guard against corrupted
 data.

Reported-by: Alexander Cherepanov <cherepan@mccme.ru>
Signed-off-by: Mark Wielaard <mjw@redhat.com>
---
 src/ChangeLog |  7 +++++++
 src/objdump.c | 12 +++++++++---
 2 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/src/ChangeLog b/src/ChangeLog
index 0819c1e..c149a9c 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,10 @@
+2014-12-04  Mark Wielaard  <mjw@redhat.com>
+
+	* objdump.c (show_relocs_x): Make sure destshdr exists.
+	(show_relocs_rel): Don't rely on shdr->sh_entsize, use gelf_fsize.
+	(show_relocs_rela): Likewise.
+	(show_relocs): Make sure destshdr, symshdr and symdata exists.
+
 2014-11-30  Mark Wielaard  <mjw@redhat.com>
 
 	* readelf.c (handle_sysv_hash64): Fix overflow check.
diff --git a/src/objdump.c b/src/objdump.c
index 5376447..87290cc 100644
--- a/src/objdump.c
+++ b/src/objdump.c
@@ -389,7 +389,7 @@ show_relocs_x (Ebl *ebl, GElf_Shdr *shdr, Elf_Data *symdata,
 					   ? xndx : sym->st_shndx),
 			       &destshdr_mem);
 
-      if (shdr == NULL)
+      if (shdr == NULL || destshdr == NULL)
 	printf ("<%s %ld>",
 		gettext ("INVALID SECTION"),
 		(long int) (sym->st_shndx == SHN_XINDEX
@@ -418,7 +418,8 @@ show_relocs_rel (Ebl *ebl, GElf_Shdr *shdr, Elf_Data *data,
 		 Elf_Data *symdata, Elf_Data *xndxdata, size_t symstrndx,
 		 size_t shstrndx)
 {
-  int nentries = shdr->sh_size / shdr->sh_entsize;
+  size_t sh_entsize = gelf_fsize (ebl->elf, ELF_T_REL, 1, EV_CURRENT);
+  int nentries = shdr->sh_size / sh_entsize;
 
   for (int cnt = 0; cnt < nentries; ++cnt)
     {
@@ -438,7 +439,8 @@ show_relocs_rela (Ebl *ebl, GElf_Shdr *shdr, Elf_Data *data,
 		  Elf_Data *symdata, Elf_Data *xndxdata, size_t symstrndx,
 		  size_t shstrndx)
 {
-  int nentries = shdr->sh_size / shdr->sh_entsize;
+  size_t sh_entsize = gelf_fsize (ebl->elf, ELF_T_RELA, 1, EV_CURRENT);
+  int nentries = shdr->sh_size / sh_entsize;
 
   for (int cnt = 0; cnt < nentries; ++cnt)
     {
@@ -506,6 +508,8 @@ show_relocs (Ebl *ebl, const char *fname, uint32_t shstrndx)
 	  GElf_Shdr *destshdr = gelf_getshdr (elf_getscn (ebl->elf,
 							  shdr->sh_info),
 					      &destshdr_mem);
+	  if (unlikely (destshdr == NULL))
+	    continue;
 
 	  printf (gettext ("\nRELOCATION RECORDS FOR [%s]:\n"
 			   "%-*s TYPE                 VALUE\n"),
@@ -522,6 +526,8 @@ show_relocs (Ebl *ebl, const char *fname, uint32_t shstrndx)
 	  GElf_Shdr symshdr_mem;
 	  GElf_Shdr *symshdr = gelf_getshdr (symscn, &symshdr_mem);
 	  Elf_Data *symdata = elf_getdata (symscn, NULL);
+	  if (unlikely (symshdr == NULL || symdata == NULL))
+	    continue;
 
 	  /* Search for the optional extended section index table.  */
 	  Elf_Data *xndxdata = NULL;
-- 
1.8.3.1