From: Hanno Böck <hanno at hboeck.de>
To: elfutils-devel@lists.fedorahosted.org
Subject: Re: out-of-bounds read / crash in elfutils tools (readelf, nm, ...) with malformed file
Date: Fri, 07 Nov 2014 17:13:36 +0100
Message-ID: <20141107171336.42dd94a9@pc>
In-Reply-To: 1415375107.19702.36.camel@bordewijk.wildebeest.org

On Fri, 07 Nov 2014 16:45:07 +0100, Mark Wielaard wrote:

> > Fixes some of them but not all.
> > Still crashers:
> > id:000053,src:000000,op:flip1,pos:879
> > id:000054,src:000000,op:flip1,pos:885
>
> Those seem fine for me. How do they crash for you? Could you run under
> gdb and provide a backtrace?

Hmm, interesting, it seems these only crash if compiled with American Fuzzy Lop instructions... Maybe this is a bug in afl, or maybe it is triggered by the circumstances.

valgrind says on id:000053,src:000000,op:flip1,pos:879:

ELF Header:
vex x86->IR: unhandled instruction bytes: 0xC5 0xF8 0x77 0xE8
==6217== valgrind: Unrecognised instruction at address 0x410f7a7.
==6217==    at 0x410F7A7: vfprintf (in /lib32/libc-2.19.so)
==6217==    by 0x41C766F: __printf_chk (in /lib32/libc-2.19.so)
==6217==    by 0x805F27D: printf (stdio2.h:104)
==6217==    by 0x805F27D: print_ehdr (readelf.c:944)
==6217==    by 0x806E004: process_elf_file (readelf.c:869)
==6217==    by 0x806E004: process_dwflmod (readelf.c:691)
==6217==    by 0x4082BE3: dwfl_getmodules (in /usr/lib32/libdw-0.158.so)
==6217==    by 0x80580D2: process_file (readelf.c:790)
==6217==    by 0x804AD57: main (readelf.c:296)

gdb backtrace:

Program received signal SIGSEGV, Segmentation fault.
0xf7de4e37 in vfprintf () from /lib32/libc.so.6
(gdb) bt
#0  0xf7de4e37 in vfprintf () from /lib32/libc.so.6
#1  0xf7e99670 in __printf_chk () from /lib32/libc.so.6
#2  0x08064818 in printf (__fmt=0x809e055 "(%s)") at /usr/include/bits/stdio2.h:104
#3  handle_versym (scn=0x80aef04, shdr=0xffffcae8, ebl=) at readelf.c:2860
#4  0x08070531 in print_verinfo (ebl=) at readelf.c:2402
#5  process_elf_file (fd=, dwflmod=) at readelf.c:885
#6  process_dwflmod (dwflmod=0x80ae8a8, userdata=0x80ae8b0, name=0x80ae9b8 "id:000053,src:000000,op:flip1,pos:879", base=4194304, arg=0xffffca00) at readelf.c:691
#7  0xf7f7ebe4 in dwfl_getmodules () from /usr/lib32/libdw.so.1
#8  0x080580d3 in process_file (fd=fd@entry=3, fname=, only_one=only_one@entry=true) at readelf.c:790
#9  0x0804ad58 in main (argc=3, argv=0xffffce84) at readelf.c:296

-- 
Hanno Böck
http://hboeck.de/
mail/jabber: hanno@hboeck.de
GPG: BBB51E42