From: Hanno Böck <hanno at hboeck.de>
To: elfutils-devel@lists.fedorahosted.org
Subject: Re: out-of-bounds read / crash in elfutils tools (readelf, nm, ...) with malformed file
Date: Sun, 09 Nov 2014 22:59:46 +0100
Message-ID: <20141109225946.43440e09@pc>
In-Reply-To: 1415552277.19702.38.camel@bordewijk.wildebeest.org

On Sun, 09 Nov 2014 17:57:57 +0100, Mark Wielaard wrote:
> > , however here are three more in
> > nm. Seems they only crash on 32 bit.
>
> I cannot get these to crash on either a fedora 20 x86_64 setup, nor
> on a fedora 21-beta i686 setup. Could you run under gdb and provide a
> backtrace?

Backtrace 1, id:000010,src:000000,op:flip1,pos:5556:

Program received signal SIGSEGV, Segmentation fault.
0x0804be85 in sort_by_name (p1=0xffffc310, p2=0xffffc330) at nm.c:1146
1146	  const char *n1 = sort_by_name_strtab->d_buf + s1->sym.st_name;
(gdb) bt
#0  0x0804be85 in sort_by_name (p1=0xffffc310, p2=0xffffc330) at nm.c:1146
#1  0xf7cce30d in msort_with_tmp.part () from /lib32/libc.so.6
#2  0xf7cce217 in msort_with_tmp.part () from /lib32/libc.so.6
#3  0xf7cce200 in msort_with_tmp.part () from /lib32/libc.so.6
#4  0xf7cce200 in msort_with_tmp.part () from /lib32/libc.so.6
#5  0xf7cce200 in msort_with_tmp.part () from /lib32/libc.so.6
#6  0xf7cce200 in msort_with_tmp.part () from /lib32/libc.so.6
#7  0xf7cce787 in qsort_r () from /lib32/libc.so.6
#8  0xf7cce85a in qsort () from /lib32/libc.so.6
#9  0x0804ca6b in show_symbols (ebl=0x8055690, ehdr=0xffffcc3c, scn=0x8055580, xndxscn=0x0, shdr=0xffffcc7c, prefix=0x0, fname=0xffffd056 "id:000010,src:000000,op:flip1,pos:5556", fullname=0xffffcb70 "id:000010,src:000000,op:flip1,pos:5556") at nm.c:1360
#10 0x0804d19a in handle_elf (elf=0x8054898, prefix=0x0, fname=0xffffd056 "id:000010,src:000000,op:flip1,pos:5556", suffix=0x0) at nm.c:1485
#11 0x08049f06 in process_file (fname=0xffffd056 "id:000010,src:000000,op:flip1,pos:5556", more_than_one=false) at nm.c:391
#12 0x08049b31 in main (argc=2, argv=0xffffcea4) at nm.c:252

Backtrace 2, id:000113,src:000000,op:flip32,pos:5474:

Program received signal SIGSEGV, Segmentation fault.
0xf7dce3ab in __strcmp_ssse3 () from /lib32/libc.so.6
(gdb) bt
#0  0xf7dce3ab in __strcmp_ssse3 () from /lib32/libc.so.6
#1  0xf7f6686d in ?? () from /usr/lib32/libdw.so.1
#2  0xf7f66d80 in dwarf_begin_elf () from /usr/lib32/libdw.so.1
#3  0x0804c14c in show_symbols (ebl=0x8055690, ehdr=0xffffcc3c, scn=0x8055580, xndxscn=0x0, shdr=0xffffcc7c, prefix=0x0, fname=0xffffd055 "id:000113,src:000000,op:flip32,pos:5474", fullname=0xffffcb70 "id:000113,src:000000,op:flip32,pos:5474") at nm.c:1194
#4  0x0804d19a in handle_elf (elf=0x8054898, prefix=0x0, fname=0xffffd055 "id:000113,src:000000,op:flip32,pos:5474", suffix=0x0) at nm.c:1485
#5  0x08049f06 in process_file (fname=0xffffd055 "id:000113,src:000000,op:flip32,pos:5474", more_than_one=false) at nm.c:391
#6  0x08049b31 in main (argc=2, argv=0xffffcea4) at nm.c:252

Backtrace 3, id:000116,src:000000,op:flip32,pos:5554:

Program received signal SIGSEGV, Segmentation fault.
0xf7d20a72 in __strlen_sse2_bsf () from /lib32/libc.so.6
(gdb) bt
#0  0xf7d20a72 in __strlen_sse2_bsf () from /lib32/libc.so.6
#1  0x0804c4d8 in show_symbols (ebl=0x8055690, ehdr=0xffffcc3c, scn=0x8055580, xndxscn=0x0, shdr=0xffffcc7c, prefix=0x0, fname=0xffffd055 "id:000116,src:000000,op:flip32,pos:5554", fullname=0xffffcb70 "id:000116,src:000000,op:flip32,pos:5554") at nm.c:1264
#2  0x0804d19a in handle_elf (elf=0x8054898, prefix=0x0, fname=0xffffd055 "id:000116,src:000000,op:flip32,pos:5554", suffix=0x0) at nm.c:1485
#3  0x08049f06 in process_file (fname=0xffffd055 "id:000116,src:000000,op:flip32,pos:5554", more_than_one=false) at nm.c:391
#4  0x08049b31 in main (argc=2, argv=0xffffcea4) at nm.c:252

I compiled elfutils git head with
./configure --enable-maintainer-mode CFLAGS="-m32 -ggdb" ; make

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@hboeck.de
GPG: BBB51E42
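The first backtrace faults on the line that computes sort_by_name_strtab->d_buf + s1->sym.st_name, which is consistent with a fuzzed st_name pointing outside the string table. The following is an added example, not elfutils code: a stand-in string-table struct (d_buf/d_size only, assumed here), the unchecked lookup beside a checked one that rejects offsets outside the table and names with no terminating NUL inside it, and a comparator that orders such symbols instead of faulting inside qsort. The sample table is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-in for the .strtab Elf_Data nm's sort_by_name reads from (d_buf is
 * the table's bytes, d_size its length). Assumed/constructed here; not libelf's. */
struct strtab {
    const char *d_buf;
    size_t d_size;
};

/* Unchecked lookup, the shape of nm.c:1146 in backtrace 1: a corrupted
 * st_name is added to d_buf and later dereferenced wherever it points. */
const char *symbol_name_unchecked(const struct strtab *st, uint32_t st_name)
{
    return st->d_buf + st_name;
}

/* Checked lookup: NULL for offsets outside the table and for names that
 * run off its end without a NUL, so strcmp/strlen never read past d_buf. */
const char *symbol_name_checked(const struct strtab *st, uint32_t st_name)
{
    if (st->d_buf == NULL || st_name >= st->d_size)
        return NULL;
    const char *name = st->d_buf + st_name;
    /* memchr bounds the NUL search to the bytes that remain in the table. */
    if (memchr(name, '\0', st->d_size - st_name) == NULL)
        return NULL;
    return name;
}

/* Comparator in the spirit of sort_by_name: symbols with unusable names
 * sort after valid ones instead of faulting inside qsort(). */
int compare_names(const struct strtab *st, uint32_t a, uint32_t b)
{
    const char *n1 = symbol_name_checked(st, a);
    const char *n2 = symbol_name_checked(st, b);
    if (n1 == NULL || n2 == NULL)
        return (n1 == NULL) - (n2 == NULL);
    return strcmp(n1, n2);
}

/* Constructed table "\0main\0foo": "foo" deliberately has no trailing NUL. */
const char sample_tab[] = {'\0', 'm', 'a', 'i', 'n', '\0', 'f', 'o', 'o'};
const struct strtab sample = { sample_tab, sizeof sample_tab };
```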