public inbox for elfutils@sourceware.org
To: elfutils-devel@lists.fedorahosted.org
Subject: Re: out-of-bounds read / crash in elfutils tools (readelf, nm, ...) with malformed file
Date: Tue, 11 Nov 2014 14:40:14 +0100	[thread overview]
Message-ID: <20141111144014.5cefa773@pc> (raw)
In-Reply-To: 1415711731.4965.9.camel@bordewijk.wildebeest.org


Am Tue, 11 Nov 2014 14:15:31 +0100
schrieb Mark Wielaard <mjw@redhat.com>:

> Replicated on Fedora 21 Beta i686. Fix pushed as attached.

Thanks, tested and works.

I still get a bunch of crashers with correct LD_LIBRARY_PATH on
readelf -a with 32 bit compile (CFLAGS="-m32 -g"):
sig:11,hash:378b8b26
sig:11,hash:1aa8d351
sig:11,hash:872fe371
from attachment eu-readelf-crasher-hangs-2.tar.xz

and
id:000113,src:000000,op:flip32,pos:5474
id:000116,src:000000,op:flip32,pos:5554
from attachment /tmp/elfutils-nm-crasher.tar.xz

I can't seem to valgrind them because it'll throw an illegal opcode
error before getting to the point where the non-valgrind-crash happens.
(I assume this is a valgrind bug, will try to report it there)

This is gdb:

File id:000113,src:000000,op:flip32,pos:5474
Program received signal SIGSEGV, Segmentation fault.
0xf7ddc112 in vfprintf () from /lib32/libc.so.6
(gdb) bt
#0  0xf7ddc112 in vfprintf () from /lib32/libc.so.6
#1  0xf7de25c8 in printf () from /lib32/libc.so.6
#2  0x0804dbca in print_shdr (ebl=0x8078a18, ehdr=0xffffcb3c) at readelf.c:1138
#3  0x0804ca16 in process_elf_file (dwflmod=0x80788a8, fd=3) at readelf.c:871
#4  0x0804c1f4 in process_dwflmod (dwflmod=0x80788a8, userdata=0x80788b0, 
    name=0x80789b8 "./c/id:000113,src:000000,op:flip32,pos:5474", base=134512640, 
    arg=0xffffcc8c) at readelf.c:691
#5  0xf7f7ebe4 in dwfl_getmodules () from /usr/lib32/libdw.so.1
#6  0x0804c66a in process_file (fd=3, 
    fname=0xffffcfdc "./c/id:000113,src:000000,op:flip32,pos:5474", 
    only_one=true) at readelf.c:790
#7  0x0804b13f in main (argc=3, argv=0xffffce04) at readelf.c:296

File id:000116,src:000000,op:flip32,pos:5554
Program received signal SIGSEGV, Segmentation fault.
0xf7ddc112 in vfprintf () from /lib32/libc.so.6
(gdb) bt
#0  0xf7ddc112 in vfprintf () from /lib32/libc.so.6
#1  0xf7de25c8 in printf () from /lib32/libc.so.6
#2  0x0805163c in handle_symtab (ebl=0x8078a18, scn=0x8079888, shdr=0xffffca5c)
    at readelf.c:2245
#3  0x08050fbb in print_symtab (ebl=0x8078a18, type=2) at readelf.c:2139
#4  0x0804cb06 in process_elf_file (dwflmod=0x80788a8, fd=3) at readelf.c:887
#5  0x0804c1f4 in process_dwflmod (dwflmod=0x80788a8, userdata=0x80788b0, 
    name=0x80789b8 "./c/id:000116,src:000000,op:flip32,pos:5554", base=134512640, 
    arg=0xffffcc8c) at readelf.c:691
#6  0xf7f7ebe4 in dwfl_getmodules () from /usr/lib32/libdw.so.1
#7  0x0804c66a in process_file (fd=3, 
    fname=0xffffcfdc "./c/id:000116,src:000000,op:flip32,pos:5554", 
    only_one=true) at readelf.c:790
#8  0x0804b13f in main (argc=3, argv=0xffffce04) at readelf.c:296

sig:11,hash:73ad0820:
Program received signal SIGSEGV, Segmentation fault.
0xf7f584ab in gelf_getdyn () from /usr/lib32/libelf.so.1
(gdb) bt
#0  0xf7f584ab in gelf_getdyn () from /usr/lib32/libelf.so.1
#1  0x0804f1ea in handle_dynamic (ebl=0x8078a08, scn=0x807955c, 
    shdr=0xffffca5c) at readelf.c:1603
#2  0x0804f8ac in print_dynamic (ebl=0x8078a08) at readelf.c:1713
#3  0x0804ca70 in process_elf_file (dwflmod=0x80788a8, fd=3) at readelf.c:877
#4  0x0804c1f4 in process_dwflmod (dwflmod=0x80788a8, userdata=0x80788b0, 
    name=0x80789b8 "./b/crashes/sig:11,hash:73ad0820", base=4194304, 
    arg=0xffffcc8c) at readelf.c:691
#5  0xf7f7ebe4 in dwfl_getmodules () from /usr/lib32/libdw.so.1
#6  0x0804c66a in process_file (fd=3, 
    fname=0xffffcfe7 "./b/crashes/sig:11,hash:73ad0820", only_one=true)
    at readelf.c:790
#7  0x0804b13f in main (argc=3, argv=0xffffce04) at readelf.c:296

sig:11,hash:872fe371
Program received signal SIGSEGV, Segmentation fault.
0xf7f589ce in gelf_getnote () from /usr/lib32/libelf.so.1
(gdb) bt
#0  0xf7f589ce in gelf_getnote () from /usr/lib32/libelf.so.1
#1  0x08066f36 in handle_notes_data (ebl=0x8078a08, ehdr=0xffffcb3c, 
    start=652, data=0x8078d34) at readelf.c:8980
#2  0x08067143 in handle_notes (ebl=0x8078a08, ehdr=0xffffcb3c)
    at readelf.c:9071
#3  0x0804cbc8 in process_elf_file (dwflmod=0x80788a8, fd=3) at readelf.c:899
#4  0x0804c1f4 in process_dwflmod (dwflmod=0x80788a8, userdata=0x80788b0, 
    name=0x80789b8 "b/crashes/sig:11,hash:872fe371", base=4194304, 
    arg=0xffffcc8c) at readelf.c:691
#5  0xf7f7ebe4 in dwfl_getmodules () from /usr/lib32/libdw.so.1
#6  0x0804c66a in process_file (fd=3, 
    fname=0xffffcfe9 "b/crashes/sig:11,hash:872fe371", only_one=true)
    at readelf.c:790
#7  0x0804b13f in main (argc=3, argv=0xffffce04) at readelf.c:296

sig:11,hash:378b8b26
Program received signal SIGSEGV, Segmentation fault.
0xf7f59088 in gelf_getsymshndx () from /usr/lib32/libelf.so.1
(gdb) bt
#0  0xf7f59088 in gelf_getsymshndx () from /usr/lib32/libelf.so.1
#1  0x08051486 in handle_symtab (ebl=0x8078a08, scn=0x8078e1c, shdr=0xffffca5c)
    at readelf.c:2236
#2  0x08050fbb in print_symtab (ebl=0x8078a08, type=11) at readelf.c:2139
#3  0x0804cacc in process_elf_file (dwflmod=0x80788a8, fd=3) at readelf.c:883
#4  0x0804c1f4 in process_dwflmod (dwflmod=0x80788a8, userdata=0x80788b0, 
    name=0x80789b8 "b/crashes/sig:11,hash:378b8b26", base=4194304, 
    arg=0xffffcc8c) at readelf.c:691
#5  0xf7f7ebe4 in dwfl_getmodules () from /usr/lib32/libdw.so.1
#6  0x0804c66a in process_file (fd=3, 
    fname=0xffffcfe9 "b/crashes/sig:11,hash:378b8b26", only_one=true)
    at readelf.c:790
#7  0x0804b13f in main (argc=3, argv=0xffffce04) at readelf.c:296


-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@hboeck.de
GPG: BBB51E42
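Editor's note: every frame in the traces above sits in code that indexes into the file using an offset, size or count taken from the file itself (section header printing, symbol and dynamic entries, notes). The following is an added illustration, not elfutils code and not part of the thread, of how such lookups are bounds-checked against the image length so that a fuzzed file produces a NULL rather than a wild read. The struct definitions mirror <elf.h> (ELF64, little-endian host assumed), and the sample image, the corruption cases and all function names are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* ELF64 file and section headers, same layout as <elf.h>, defined inline so the
 * example builds without system ELF headers. Assumes a little-endian host. */
typedef struct {
    unsigned char e_ident[16]; uint16_t e_type, e_machine; uint32_t e_version;
    uint64_t e_entry, e_phoff, e_shoff; uint32_t e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} Ehdr;
typedef struct {
    uint32_t sh_name, sh_type; uint64_t sh_flags, sh_addr, sh_offset, sh_size;
    uint32_t sh_link, sh_info; uint64_t sh_addralign, sh_entsize;
} Shdr;
#define SHT_STRTAB 3
#define SYM_SIZE   24                  /* sizeof(Elf64_Sym) */

/* Section header `idx`, or NULL unless the whole section table lies inside the
 * `len`-byte image. Checks are ordered so a huge e_shoff or e_shnum cannot wrap. */
static const Shdr *get_shdr(const uint8_t *img, size_t len, unsigned idx)
{
    const Ehdr *eh = (const Ehdr *)img;
    if (len < sizeof(Ehdr) || memcmp(eh->e_ident, "\x7f" "ELF\x02\x01", 6) != 0
        || eh->e_shentsize != sizeof(Shdr))
        return NULL;
    if (eh->e_shoff > len || eh->e_shnum > (len - eh->e_shoff) / sizeof(Shdr)
        || idx >= eh->e_shnum)
        return NULL;
    return (const Shdr *)(img + eh->e_shoff + (size_t)idx * sizeof(Shdr));
}

/* Fixed-size record `ndx` of section `sh` (a symbol or dynamic entry), or NULL
 * if the record would fall outside the section or the section outside the image. */
static const uint8_t *get_entry(const uint8_t *img, size_t len, const Shdr *sh,
                                size_t entsize, size_t ndx)
{
    if (sh->sh_offset > len || sh->sh_size > len - sh->sh_offset) return NULL;
    if (entsize == 0 || ndx >= sh->sh_size / entsize) return NULL;
    return img + sh->sh_offset + ndx * entsize;
}

/* Name of section `idx`, or NULL: rejects a bad e_shstrndx, an sh_name beyond the
 * string table, and a name with no NUL before the table ends, so a non-NULL
 * result is always safe to hand to printf("%s"). */
static const char *section_name(const uint8_t *img, size_t len, unsigned idx)
{
    const Shdr *sh = get_shdr(img, len, idx);
    if (!sh) return NULL;
    const Shdr *st = get_shdr(img, len, ((const Ehdr *)img)->e_shstrndx);
    if (!st || st->sh_type != SHT_STRTAB) return NULL;
    const uint8_t *tab = get_entry(img, len, st, 1, 0);
    if (!tab || sh->sh_name >= st->sh_size) return NULL;
    if (!memchr(tab + sh->sh_name, '\0', st->sh_size - sh->sh_name)) return NULL;
    return (const char *)tab + sh->sh_name;
}

/* Constructed sample image (not a real binary): header, three section headers
 * (null, ".symtab", ".shstrtab") and the string table at the end. ".symtab" just
 * aliases the 192 header bytes as 8 fake 24-byte symbols; only its bounds matter. */
#define STRTAB  "\0.symtab\0.shstrtab"
#define IMG_LEN (sizeof(Ehdr) + 3 * sizeof(Shdr) + sizeof(STRTAB))

static void build_image(uint8_t *img)
{
    Ehdr *eh = (Ehdr *)img;
    Shdr *sh = (Shdr *)(img + sizeof(Ehdr));
    memset(img, 0, IMG_LEN);
    memcpy(eh->e_ident, "\x7f" "ELF\x02\x01\x01", 7);
    eh->e_shoff = sizeof(Ehdr); eh->e_shentsize = sizeof(Shdr); eh->e_shnum = 3; eh->e_shstrndx = 2;
    sh[1].sh_name = 1; sh[1].sh_type = 2 /* SHT_SYMTAB */; sh[1].sh_entsize = SYM_SIZE;
    sh[1].sh_offset = sizeof(Ehdr); sh[1].sh_size = 3 * sizeof(Shdr);
    sh[2].sh_name = 9; sh[2].sh_type = SHT_STRTAB; sh[2].sh_size = sizeof(STRTAB);
    sh[2].sh_offset = sizeof(Ehdr) + 3 * sizeof(Shdr);
    memcpy(img + sh[2].sh_offset, STRTAB, sizeof(STRTAB));
}

/* Build the sample, apply one fuzzer-style corruption, and return 1 if the readers
 * behave: names resolve on the intact image (case 0) and every corrupted lookup
 * returns NULL instead of reading out of bounds. */
static int probe(int corruption)
{
    union { uint64_t align; uint8_t b[IMG_LEN]; } u;   /* 8-byte aligned backing store */
    uint8_t *img = u.b; size_t len = IMG_LEN;
    Ehdr *eh = (Ehdr *)img; Shdr *sh = (Shdr *)(img + sizeof(Ehdr));
    build_image(img);
    switch (corruption) {
    case 0: {
        const char *a = section_name(img, len, 1), *b = section_name(img, len, 2);
        return a && b && !strcmp(a, ".symtab") && !strcmp(b, ".shstrtab")
               && get_entry(img, len, &sh[1], SYM_SIZE, 7) != NULL;
    }
    case 1: sh[1].sh_name = 0x4000;               /* name offset past the string table */
        return section_name(img, len, 1) == NULL;
    case 2: eh->e_shnum = 0xffff;                 /* section table larger than the file */
        return get_shdr(img, len, 1) == NULL;
    case 3: img[len - 1] = 'x';                   /* string table loses its final NUL */
        return section_name(img, len, 2) == NULL && section_name(img, len, 1) != NULL;
    case 4: sh[1].sh_size = UINT64_MAX - 8;       /* section extends past end of file */
        return get_entry(img, len, &sh[1], SYM_SIZE, 0) == NULL;
    default:                                      /* symbol index past the last record */
        return get_entry(img, len, &sh[1], SYM_SIZE, 8) == NULL;
    }
}
```

The point of the ordering in get_shdr and get_entry is that each comparison is made against the image length before any pointer is formed, and the division replaces a multiplication so that a count or index from the file cannot overflow the arithmetic; probe(1) through probe(5) each model one of the single-field flips a fuzzer produces, and all are expected to be rejected.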

