From: Mark Wielaard
To: elfutils-devel@lists.fedorahosted.org
Subject: Re: out-of-bounds read / crash in elfutils tools (readelf, nm, ...) with malformed file
Date: Sat, 08 Nov 2014 15:04:16 +0100
Message-ID: <20141108140416.GB28913@blokker.redhat.com>
In-Reply-To: 20141107163249.1ded8b70@pc

On Fri, Nov 07, 2014 at 04:32:49PM +0100, Hanno Böck wrote:
> Also see attachment, output from american fuzzy lop with latest git
> code and your two patches. 9 crashes, 10 hangs.

Thanks. One of those pointed out that my overflow check for hash section
sizes was bogus. Fixed version attached.

The others seem to be because handle_versym didn't initialize its
vernames and filenames. Then when an ELF file didn't set them we did
check they were not set (NULL), but that check failed, because the
elements still contained random data. The second patch fixes that.

I have pushed all three fuzz-robustify patches to master.

Note that the testcases you say are hanging are just really, really
slow. Because of very large input values they try to process a lot of
elements, but eventually they will finish. We still might want to sanity
check some of those excessively large input values, but they don't lead
to hangs or crashes. Just very long runtimes.
Cheers,

Mark

[Attachment: 0001-readelf-Sanity-check-hash-section-contents-before-pr.patch]
[Attachment: 0002-readelf.c-handle_versym-Initialize-vername-and-filen.patch]
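The "bogus overflow check" Mark mentions is a classic class of bug when validating ELF hash sections. The following is an added illustration, not the elfutils patch: it uses the standard SysV `.hash` layout (nbucket, nchain, then the bucket and chain arrays of `Elf32_Word`), and the function names and the constructed section buffer are mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

typedef uint32_t Elf32_Word;   /* 32-bit ELF word, as in <elf.h> */

/* A SysV .hash section is laid out as nbucket, nchain, bucket[nbucket],
   chain[nchain], all Elf32_Word.  Before indexing bucket[] or chain[] the
   reader must confirm the section really holds that many words. */

/* Broken check: the sum is done in 32 bits, so a crafted nbucket/nchain
   pair wraps it back to a tiny number and the bounds test passes. */
int sysv_hash_fits_naive (const unsigned char *buf, size_t size)
{
  Elf32_Word nbucket, nchain;
  if (size < 2 * sizeof (Elf32_Word))
    return 0;
  memcpy (&nbucket, buf, sizeof nbucket);
  memcpy (&nchain, buf + sizeof nbucket, sizeof nchain);
  Elf32_Word used = (2 + nbucket + nchain) * (Elf32_Word) sizeof (Elf32_Word);
  return used <= size;
}

/* Fixed check: widen to uint64_t first, so even (2 + 2^32 + 2^32) * 4
   is computed exactly and compared against the real section size. */
int sysv_hash_fits (const unsigned char *buf, size_t size)
{
  Elf32_Word nbucket, nchain;
  if (size < 2 * sizeof (Elf32_Word))
    return 0;
  memcpy (&nbucket, buf, sizeof nbucket);
  memcpy (&nchain, buf + sizeof nbucket, sizeof nchain);
  uint64_t used = (2ULL + nbucket + nchain) * sizeof (Elf32_Word);
  return used <= size;
}

/* Constructed input (hypothetical helper): a SIZE-byte section in host byte
   order whose header claims NBUCKET buckets and NCHAIN chain entries;
   returns CHECK's verdict, or -1 if SIZE exceeds the demo buffer. */
int check_constructed (int (*check) (const unsigned char *, size_t),
                       Elf32_Word nbucket, Elf32_Word nchain, size_t size)
{
  unsigned char buf[64] = { 0 };
  if (size > sizeof buf)
    return -1;
  memcpy (buf, &nbucket, sizeof nbucket);
  memcpy (buf + sizeof nbucket, &nchain, sizeof nchain);
  return check (buf, size);
}
```

With nbucket = 0xFFFFFFFF and nchain = 1 in a 16-byte section, the 32-bit sum wraps to 2 words (8 bytes) and the naive check accepts the section, while the 64-bit check rejects it.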