From: Mark Wielaard
To: elfutils-devel@lists.fedorahosted.org
Subject: Re: Fuzzing elfutils
Date: Thu, 04 Dec 2014 17:03:19 +0100
Message-ID: <1417708999.18974.21.camel@bordewijk.wildebeest.org>
In-Reply-To: <20141204142734.GA19050@bordewijk.redhat.com>

On Thu, 2014-12-04 at 15:27 +0100, Mark Wielaard wrote:
> Thanks! We have been fixing various issues the last couple of weeks
> and I just pushed some of my fixes to git master. So if you could retry
> against the very latest git checkout that would be very helpful.
> I'll run your crashers locally against my tree and will report which
> issues still exist.

Good news, the asserts from readelf-asserts.tar.gz don't trigger anymore
and the command seems to run fine.

Mixed news, some of the crashes in readelf-crashes.tar.gz have been fixed
(1e76f17f, 66ad10d4). But a lot still crash. The somewhat good news is
that all of the crashes seem to come from either handling archives or
debuginfo, both of which haven't seen many robustness fixes yet. And most
of the crashes are the same in __libdw_form_val_compute_len which does a
strlen and runs out of the debug section data. We'll need to pass around
the length of the data section and use strnlen here. But still some more
work to do.

Bad news, all of the eu-objdump crashes are still there. The good news is
that all but one (af293379), which again deals with ar archives, are
simple to fix by some sanity checks. Patch attached and pushed to master.
Thanks,

Mark

[Attachment: 0001-objdump-Add-various-sanity-checks-to-guard-against-c.patch (text/x-patch), decoded from base64]

From d0070a982cfddbff9c3f744b518b4cde539e5e65 Mon Sep 17 00:00:00 2001
From: Mark Wielaard <mjw@redhat.com>
Date: Thu, 4 Dec 2014 17:01:20 +0100
Subject: [PATCH] objdump: Add various sanity checks to guard against corrupted
 data.

Reported-by: Alexander Cherepanov <cherepan@mccme.ru>
Signed-off-by: Mark Wielaard <mjw@redhat.com>
---
 src/ChangeLog |  7 +++++++
 src/objdump.c | 12 +++++++++---
 2 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/src/ChangeLog b/src/ChangeLog
index 0819c1e..c149a9c 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,10 @@
+2014-12-04  Mark Wielaard  <mjw@redhat.com>
+
+	* objdump.c (show_relocs_x): Make sure destshdr exists.
+	(show_relocs_rel): Don't rely on shdr->sh_entsize, use gelf_fsize.
+	(show_relocs_rela): Likewise.
+	(show_relocs): Make sure destshdr, symshdr and symdata exists.
+
 2014-11-30  Mark Wielaard  <mjw@redhat.com>
 
 	* readelf.c (handle_sysv_hash64): Fix overflow check.
diff --git a/src/objdump.c b/src/objdump.c
index 5376447..87290cc 100644
--- a/src/objdump.c
+++ b/src/objdump.c
@@ -389,7 +389,7 @@ show_relocs_x (Ebl *ebl, GElf_Shdr *shdr, Elf_Data *symdata,
 					   ? xndx : sym->st_shndx),
 			       &destshdr_mem);
 
-      if (shdr == NULL)
+      if (shdr == NULL || destshdr == NULL)
 	printf ("<%s %ld>",
 		gettext ("INVALID SECTION"),
 		(long int) (sym->st_shndx == SHN_XINDEX
@@ -418,7 +418,8 @@ show_relocs_rel (Ebl *ebl, GElf_Shdr *shdr, Elf_Data *data,
 		 Elf_Data *symdata, Elf_Data *xndxdata, size_t symstrndx,
 		 size_t shstrndx)
 {
-  int nentries = shdr->sh_size / shdr->sh_entsize;
+  size_t sh_entsize = gelf_fsize (ebl->elf, ELF_T_REL, 1, EV_CURRENT);
+  int nentries = shdr->sh_size / sh_entsize;
 
   for (int cnt = 0; cnt < nentries; ++cnt)
     {
@@ -438,7 +439,8 @@ show_relocs_rela (Ebl *ebl, GElf_Shdr *shdr, Elf_Data *data,
 		  Elf_Data *symdata, Elf_Data *xndxdata, size_t symstrndx,
 		  size_t shstrndx)
 {
-  int nentries = shdr->sh_size / shdr->sh_entsize;
+  size_t sh_entsize = gelf_fsize (ebl->elf, ELF_T_RELA, 1, EV_CURRENT);
+  int nentries = shdr->sh_size / sh_entsize;
 
   for (int cnt = 0; cnt < nentries; ++cnt)
     {
@@ -506,6 +508,8 @@ show_relocs (Ebl *ebl, const char *fname, uint32_t shstrndx)
 	  GElf_Shdr *destshdr = gelf_getshdr (elf_getscn (ebl->elf,
 							  shdr->sh_info),
 					      &destshdr_mem);
+	  if (unlikely (destshdr == NULL))
+	    continue;
 
 	  printf (gettext ("\nRELOCATION RECORDS FOR [%s]:\n"
 			   "%-*s TYPE                 VALUE\n"),
@@ -522,6 +526,8 @@ show_relocs (Ebl *ebl, const char *fname, uint32_t shstrndx)
 	  GElf_Shdr symshdr_mem;
 	  GElf_Shdr *symshdr = gelf_getshdr (symscn, &symshdr_mem);
 	  Elf_Data *symdata = elf_getdata (symscn, NULL);
+	  if (unlikely (symshdr == NULL || symdata == NULL))
+	    continue;
 
 	  /* Search for the optional extended section index table.  */
 	  Elf_Data *xndxdata = NULL;
-- 
1.8.3.1
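Review bot: in the ChangeLog hunk, the new entry "(show_relocs): Make sure destshdr, symshdr and symdata exists." should read "exist"; it would also help future readers to record why show_relocs_rel/rela stop using shdr->sh_entsize, namely that a corrupted header can carry an entry size of 0 (division by zero) or one that does not match the ELF class, since the entry as written only says what changed, not what it guards against.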
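Review bot: in the show_relocs_x hunk (@@ -389,7), the new `destshdr == NULL` test turns every unresolvable symbol section index into "<INVALID SECTION n>", which is the right outcome for garbage indices but, as the visible context passes `sym->st_shndx == SHN_XINDEX ? xndx : sym->st_shndx` straight to elf_getscn, would also apply to the reserved indices SHN_ABS and SHN_COMMON if symbols with those indices reach this point; if they can, handle them before the elf_getscn call so they are not reported as corruption.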
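Review bot: in the show_relocs_rel hunk (@@ -418,7), `int nentries = shdr->sh_size / sh_entsize;` still narrows the 64-bit GElf_Xword sh_size into an int, so a corrupted sh_size above INT_MAX gives a negative or wrapped count; declare nentries (and the loop counter cnt) as size_t. Taking the entry size from gelf_fsize instead of the file removes the division by zero, but a sh_size that is not a multiple of the entry size now silently drops the trailing partial entry, which is worth a diagnostic. The same applies to the show_relocs_rela hunk (@@ -438,7), which is otherwise identical apart from ELF_T_RELA.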
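Review bot: in the first show_relocs hunk (@@ -506,6), `continue` silently skips a relocation section whose sh_info does not name a valid section; show_relocs_x reports the analogous problem with a visible "INVALID SECTION" marker, so for consistency (and so fuzzer-found corruption is surfaced rather than hidden) print a warning naming the section before skipping it.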
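Review bot: in the second show_relocs hunk (@@ -522,6), the `symshdr == NULL || symdata == NULL` test also covers a NULL symscn from a bad sh_link, because gelf_getshdr and elf_getdata both return NULL for a NULL Elf_Scn, so no separate check is needed there; however a non-NULL symdata does not guarantee a non-NULL d_buf or a non-zero d_size (a section without contents still yields an Elf_Data), so if anything downstream indexes symdata->d_buf directly rather than going through gelf_getsym, add a d_size check as well.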
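The two defensive patterns discussed in this message, bounding a string read by the bytes left in the section instead of calling strlen on it (the __libdw_form_val_compute_len problem), and counting relocation entries without trusting sh_entsize from the file (the objdump patch), are illustrated below. This is an added example, not elfutils code and not part of the original mail: the section_view struct, the function names, and the sample bytes are hypothetical and constructed for the demonstration.

```c
/* Added example, not elfutils code.  Two checks a parser of untrusted ELF
   and DWARF data needs:
   1. form_string_len: strnlen against the remaining section length, so an
      unterminated string at the end of the section is reported, not read past.
   2. reloc_entry_count: an entry count from a class-derived entry size (what
      gelf_fsize provides), rejecting headers whose sh_size exceeds the bytes
      actually present and avoiding int truncation of a 64-bit sh_size.
   struct section_view and every name below are hypothetical.  */
#define _POSIX_C_SOURCE 200809L   /* for strnlen */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical view of a loaded section: start pointer and byte length.  */
struct section_view
{
  const unsigned char *data;
  size_t len;
};

/* Vulnerable shape: strlen cannot know where the section ends.  Calling it
   on an unterminated string is undefined behaviour; kept for contrast only.  */
size_t
form_string_len_unbounded (const struct section_view *sec, size_t off)
{
  return strlen ((const char *) sec->data + off) + 1;
}

/* Hardened shape: length including the NUL of the string at OFF, or 0 when
   OFF is outside the section or no NUL occurs before the section ends.  */
size_t
form_string_len (const struct section_view *sec, size_t off)
{
  if (off >= sec->len)
    return 0;
  size_t avail = sec->len - off;
  size_t n = strnlen ((const char *) sec->data + off, avail);
  if (n == avail)          /* hit the end of the section without a NUL */
    return 0;
  return n + 1;
}

/* Walk consecutive strings from OFF; returns how many were fully terminated
   and leaves *BAD_OFF at the first offset that was not (or at sec->len).  */
size_t
walk_strings (const struct section_view *sec, size_t off, size_t *bad_off)
{
  size_t count = 0;
  while (off < sec->len)
    {
      size_t n = form_string_len (sec, off);
      if (n == 0)
        break;
      off += n;
      ++count;
    }
  *bad_off = off;
  return count;
}

/* Entry count for a relocation section from the header's SH_SIZE, using an
   ENTSIZE derived from the ELF class rather than the file's sh_entsize.
   Returns -1 for an unusable header (zero entry size, or sh_size larger than
   DATA_SIZE bytes actually read), 1 when a trailing partial entry is being
   ignored, 0 otherwise.  *COUNT is set for the 0 and 1 cases.  */
int
reloc_entry_count (uint64_t sh_size, size_t entsize, size_t data_size,
                   size_t *count)
{
  if (entsize == 0 || sh_size > data_size)
    return -1;
  *count = (size_t) sh_size / entsize;      /* size_t, no int narrowing */
  return (sh_size % entsize != 0) ? 1 : 0;
}

/* Constructed sample: two terminated strings followed by one that runs off
   the end of the section, like a truncated or corrupted string blob.  */
static const unsigned char sample_bytes[] =
  { 'm', 'a', 'i', 'n', '\0', 'f', 'o', 'o', '\0', 'b', 'a', 'r' };

struct section_view
sample_section (void)
{
  struct section_view v = { sample_bytes, sizeof sample_bytes };
  return v;
}

int
main (void)
{
  struct section_view sec = sample_section ();
  size_t bad;
  size_t ok = walk_strings (&sec, 0, &bad);
  printf ("%zu terminated strings, unterminated data at offset %zu\n", ok, bad);

  size_t n;
  int rc = reloc_entry_count (48, 16, 48, &n);   /* three 16-byte entries */
  printf ("rc=%d entries=%zu\n", rc, n);
  rc = reloc_entry_count (48, 0, 48, &n);        /* sh_entsize of 0 in file */
  printf ("rc=%d (zero entry size rejected)\n", rc);
  return 0;
}
```

The key design point is that the bounded reader returns 0 rather than a guessed length when the NUL is missing, which forces the caller to stop instead of advancing into whatever follows the section; the entry-count helper likewise refuses a header it cannot trust rather than clamping it.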