Hi,

Attached is a file that's a fuzzed ELF executable which will crash various tools shipped with elfutils. I tried it with nm and readelf -a, maybe others are affected. What puzzles me a bit is that valgrind suggests nm and readelf crash at different code paths. Both times it's a one-byte out-of-bounds read.

(Actually this bug report is kind of a fallout of a bug search in libbfd: various parser bugs in the binutils tools have been found and fixed in the past days, and I thought I'd run other ELF-related tools on the collection of bug-exposing binaries.)

I tested it both with 0.160 and latest git code.

Here's the valgrind output for nm:

==20828== Invalid read of size 1
==20828==    at 0x4C2C4D2: strlen (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==20828==    by 0x40346D: show_symbols (nm.c:1264)
==20828==    by 0x4047AC: handle_elf (nm.c:1485)
==20828==    by 0x404E32: process_file (nm.c:391)
==20828==    by 0x40247E: main (nm.c:252)
==20828==  Address 0x4043dac is not stack'd, malloc'd or (recently) free'd
==20828==
==20828==
==20828== Process terminating with default action of signal 11 (SIGSEGV)
==20828==  Access not within mapped region at address 0x4043DAC
==20828==    at 0x4C2C4D2: strlen (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==20828==    by 0x40346D: show_symbols (nm.c:1264)
==20828==    by 0x4047AC: handle_elf (nm.c:1485)
==20828==    by 0x404E32: process_file (nm.c:391)
==20828==    by 0x40247E: main (nm.c:252)

Here for readelf -a:

==20829== Invalid read of size 1
==20829==    at 0x54DA9A7: vfprintf (in /lib64/libc-2.19.so)
==20829==    by 0x558737F: __printf_chk (in /lib64/libc-2.19.so)
==20829==    by 0x4057E6: printf (stdio2.h:104)
==20829==    by 0x4057E6: handle_symtab (readelf.c:2245)
==20829==    by 0x4057E6: print_symtab (readelf.c:2139)
==20829==    by 0x40F26E: process_elf_file (readelf.c:887)
==20829==    by 0x411735: process_dwflmod (readelf.c:691)
==20829==    by 0x4E52620: dwfl_getmodules (in /usr/lib64/libdw-0.160.so)
==20829==    by 0x408024: process_file (readelf.c:790)
==20829==    by 0x403D93: main (readelf.c:296)
==20829==  Address 0x4043dac is not stack'd, malloc'd or (recently) free'd
==20829==
==20829==
==20829== Process terminating with default action of signal 11 (SIGSEGV)
==20829==  Access not within mapped region at address 0x4043DAC
==20829==    at 0x54DA9A7: vfprintf (in /lib64/libc-2.19.so)
==20829==    by 0x558737F: __printf_chk (in /lib64/libc-2.19.so)
==20829==    by 0x4057E6: printf (stdio2.h:104)
==20829==    by 0x4057E6: handle_symtab (readelf.c:2245)
==20829==    by 0x4057E6: print_symtab (readelf.c:2139)
==20829==    by 0x40F26E: process_elf_file (readelf.c:887)
==20829==    by 0x411735: process_dwflmod (readelf.c:691)
==20829==    by 0x4E52620: dwfl_getmodules (in /usr/lib64/libdw-0.160.so)
==20829==    by 0x408024: process_file (readelf.c:790)
==20829==    by 0x403D93: main (readelf.c:296)

cu,
--
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@hboeck.de
GPG: BBB51E42
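Both traces above end in a routine (strlen, printf "%s") walking a symbol name one byte past a mapped region. The defensive pattern for this class of bug, as an added example that is not elfutils code and assumes (rather than knows from the report) that the fuzzed file's symbol string table lacks its terminating NUL or carries an st_name offset past the section end, is to validate the string table and resolve every st_name through a bounds-checked lookup instead of trusting NUL termination:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The ELF format requires a string table's first and last byte to be NUL.
   A fuzzed file can violate this, so a tool must check rather than assume it. */
int strtab_is_wellformed(const char *strtab, size_t size)
{
    return strtab != NULL && size >= 1
        && strtab[0] == '\0' && strtab[size - 1] == '\0';
}

/* Resolve st_name to a NUL-terminated string inside the section, or return
   NULL when the offset is out of range or no terminator exists before the end
   of the section (exactly the case where strlen() or printf("%s") would read
   past the buffer). */
const char *safe_strtab_name(const char *strtab, size_t size, uint64_t st_name)
{
    if (strtab == NULL || st_name >= size)
        return NULL;
    const char *p = strtab + st_name;
    if (memchr(p, '\0', size - (size_t)st_name) == NULL)
        return NULL;
    return p;
}

/* Constructed sample table (not from the reporter's file):
   NUL "main" NUL "_start" NUL = 13 bytes. */
static const char sample_strtab[] = "\0main\0_start\0";
#define SAMPLE_STRTAB_SIZE (sizeof sample_strtab - 1) /* drop C's implicit extra NUL */

int main(void)
{
    uint64_t offsets[] = { 1, 6, 13 };
    for (size_t i = 0; i < 3; i++) {
        const char *name = safe_strtab_name(sample_strtab, SAMPLE_STRTAB_SIZE, offsets[i]);
        printf("offset %llu: %s\n", (unsigned long long)offsets[i],
               name ? name : "<rejected>");
    }
    /* Simulate a truncated section (10 bytes): "_start" loses its terminator,
       so the lookup is rejected instead of reading past the section. */
    const char *t = safe_strtab_name(sample_strtab, 10, 6);
    printf("truncated table, offset 6: %s\n", t ? t : "<rejected>");
    return 0;
}
```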