From: Hanno Böck <hanno at hboeck.de>
To: elfutils-devel@lists.fedorahosted.org
Subject: Re: out-of-bounds read / crash in elfutils tools (readelf, nm, ...) with malformed file
Date: Tue, 11 Nov 2014 14:40:14 +0100
Message-ID: <20141111144014.5cefa773@pc>
In-Reply-To: 1415711731.4965.9.camel@bordewijk.wildebeest.org

On Tue, 11 Nov 2014 14:15:31 +0100, Mark Wielaard wrote:
> Replicated on Fedora 21 Beta i686. Fix pushed as attached.

Thanks, tested and works.

I still get a bunch of crashers with correct LD_LIBRARY_PATH on readelf -a
with 32 bit compile (CFLAGS="-m32 -g"):

sig:11,hash:378b8b26
sig:11,hash:1aa8d351
sig:11,hash:872fe371

from attachment eu-readelf-crasher-hangs-2.tar.xz

and

id:000113,src:000000,op:flip32,pos:5474
id:000116,src:000000,op:flip32,pos:5554

from attachment /tmp/elfutils-nm-crasher.tar.xz

I can't seem to valgrind them because it'll throw an illegal opcode error
before getting to the point where the non-valgrind crash happens. (I assume
this is a valgrind bug, will try to report it there.)

This is gdb:

File id:000113,src:000000,op:flip32,pos:5474

Program received signal SIGSEGV, Segmentation fault.
0xf7ddc112 in vfprintf () from /lib32/libc.so.6
(gdb) bt
#0  0xf7ddc112 in vfprintf () from /lib32/libc.so.6
#1  0xf7de25c8 in printf () from /lib32/libc.so.6
#2  0x0804dbca in print_shdr (ebl=0x8078a18, ehdr=0xffffcb3c) at readelf.c:1138
#3  0x0804ca16 in process_elf_file (dwflmod=0x80788a8, fd=3) at readelf.c:871
#4  0x0804c1f4 in process_dwflmod (dwflmod=0x80788a8, userdata=0x80788b0, name=0x80789b8 "./c/id:000113,src:000000,op:flip32,pos:5474", base=134512640, arg=0xffffcc8c) at readelf.c:691
#5  0xf7f7ebe4 in dwfl_getmodules () from /usr/lib32/libdw.so.1
#6  0x0804c66a in process_file (fd=3, fname=0xffffcfdc "./c/id:000113,src:000000,op:flip32,pos:5474", only_one=true) at readelf.c:790
#7  0x0804b13f in main (argc=3, argv=0xffffce04) at readelf.c:296

000116,src:000000,op:flip32,pos:5554

Program received signal SIGSEGV, Segmentation fault.
0xf7ddc112 in vfprintf () from /lib32/libc.so.6
(gdb) bt
#0  0xf7ddc112 in vfprintf () from /lib32/libc.so.6
#1  0xf7de25c8 in printf () from /lib32/libc.so.6
#2  0x0805163c in handle_symtab (ebl=0x8078a18, scn=0x8079888, shdr=0xffffca5c) at readelf.c:2245
#3  0x08050fbb in print_symtab (ebl=0x8078a18, type=2) at readelf.c:2139
#4  0x0804cb06 in process_elf_file (dwflmod=0x80788a8, fd=3) at readelf.c:887
#5  0x0804c1f4 in process_dwflmod (dwflmod=0x80788a8, userdata=0x80788b0, name=0x80789b8 "./c/id:000116,src:000000,op:flip32,pos:5554", base=134512640, arg=0xffffcc8c) at readelf.c:691
#6  0xf7f7ebe4 in dwfl_getmodules () from /usr/lib32/libdw.so.1
#7  0x0804c66a in process_file (fd=3, fname=0xffffcfdc "./c/id:000116,src:000000,op:flip32,pos:5554", only_one=true) at readelf.c:790
#8  0x0804b13f in main (argc=3, argv=0xffffce04) at readelf.c:296

sig:11,hash:73ad0820:

Program received signal SIGSEGV, Segmentation fault.
0xf7f584ab in gelf_getdyn () from /usr/lib32/libelf.so.1
(gdb) bt
#0  0xf7f584ab in gelf_getdyn () from /usr/lib32/libelf.so.1
#1  0x0804f1ea in handle_dynamic (ebl=0x8078a08, scn=0x807955c, shdr=0xffffca5c) at readelf.c:1603
#2  0x0804f8ac in print_dynamic (ebl=0x8078a08) at readelf.c:1713
#3  0x0804ca70 in process_elf_file (dwflmod=0x80788a8, fd=3) at readelf.c:877
#4  0x0804c1f4 in process_dwflmod (dwflmod=0x80788a8, userdata=0x80788b0, name=0x80789b8 "./b/crashes/sig:11,hash:73ad0820", base=4194304, arg=0xffffcc8c) at readelf.c:691
#5  0xf7f7ebe4 in dwfl_getmodules () from /usr/lib32/libdw.so.1
#6  0x0804c66a in process_file (fd=3, fname=0xffffcfe7 "./b/crashes/sig:11,hash:73ad0820", only_one=true) at readelf.c:790
#7  0x0804b13f in main (argc=3, argv=0xffffce04) at readelf.c:296

sig:11,hash:872fe371

Program received signal SIGSEGV, Segmentation fault.
0xf7f589ce in gelf_getnote () from /usr/lib32/libelf.so.1
(gdb) bt
#0  0xf7f589ce in gelf_getnote () from /usr/lib32/libelf.so.1
#1  0x08066f36 in handle_notes_data (ebl=0x8078a08, ehdr=0xffffcb3c, start=652, data=0x8078d34) at readelf.c:8980
#2  0x08067143 in handle_notes (ebl=0x8078a08, ehdr=0xffffcb3c) at readelf.c:9071
#3  0x0804cbc8 in process_elf_file (dwflmod=0x80788a8, fd=3) at readelf.c:899
#4  0x0804c1f4 in process_dwflmod (dwflmod=0x80788a8, userdata=0x80788b0, name=0x80789b8 "b/crashes/sig:11,hash:872fe371", base=4194304, arg=0xffffcc8c) at readelf.c:691
#5  0xf7f7ebe4 in dwfl_getmodules () from /usr/lib32/libdw.so.1
#6  0x0804c66a in process_file (fd=3, fname=0xffffcfe9 "b/crashes/sig:11,hash:872fe371", only_one=true) at readelf.c:790
#7  0x0804b13f in main (argc=3, argv=0xffffce04) at readelf.c:296

sig:11,hash:378b8b26

Program received signal SIGSEGV, Segmentation fault.
0xf7f59088 in gelf_getsymshndx () from /usr/lib32/libelf.so.1
(gdb) bt
#0  0xf7f59088 in gelf_getsymshndx () from /usr/lib32/libelf.so.1
#1  0x08051486 in handle_symtab (ebl=0x8078a08, scn=0x8078e1c, shdr=0xffffca5c) at readelf.c:2236
#2  0x08050fbb in print_symtab (ebl=0x8078a08, type=11) at readelf.c:2139
#3  0x0804cacc in process_elf_file (dwflmod=0x80788a8, fd=3) at readelf.c:883
#4  0x0804c1f4 in process_dwflmod (dwflmod=0x80788a8, userdata=0x80788b0, name=0x80789b8 "b/crashes/sig:11,hash:378b8b26", base=4194304, arg=0xffffcc8c) at readelf.c:691
#5  0xf7f7ebe4 in dwfl_getmodules () from /usr/lib32/libdw.so.1
#6  0x0804c66a in process_file (fd=3, fname=0xffffcfe9 "b/crashes/sig:11,hash:378b8b26", only_one=true) at readelf.c:790
#7  0x0804b13f in main (argc=3, argv=0xffffce04) at readelf.c:296

-- 
Hanno Böck
http://hboeck.de/
mail/jabber: hanno@hboeck.de
GPG: BBB51E42
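The backtraces above all end in code that walks section headers, symbol tables, dynamic entries and notes of a fuzzed file, which is the classic shape of an out-of-bounds read driven by untrusted offset and size fields. The following is an added example, not code from elfutils or from this thread: a minimal bounds-checked ELF32 section and table-entry reader in C. The function names (elf32_shdr, elf32_section_data, elf32_table_entry, build_sample, sample_entry_rc), the error codes and the in-memory sample image are my own constructions, and the reader assumes a little-endian ELF32 input. It also shows why the 32-bit build in the message is worth testing on its own: an offset-plus-size check done in size_t wraps at 4 GiB there, so the sums are formed in uint64_t.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Little-endian field accessors; callers guarantee the bytes are in range. */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

enum { EHDR_SIZE = 52, SHDR_SIZE = 40, SHT_SYMTAB = 2, SHT_NOBITS = 8, SYM_SIZE = 16 };

struct shdr { uint32_t type, offset, size, entsize; };

/* Read section header idx. Every file offset is checked against len before it
 * is dereferenced, in 64-bit arithmetic so a huge e_shoff or idx cannot wrap. */
static int elf32_shdr(const uint8_t *buf, size_t len, unsigned idx, struct shdr *out)
{
    if (len < EHDR_SIZE) return -1;                               /* truncated ELF header */
    if (memcmp(buf, "\x7f" "ELF", 4) != 0 || buf[4] != 1 || buf[5] != 1)
        return -2;                                                /* not ELF32 little-endian */
    uint64_t shoff = rd32(buf + 32);
    unsigned shentsize = rd16(buf + 46), shnum = rd16(buf + 48);
    if (shentsize < SHDR_SIZE) return -3;                         /* e_shentsize too small */
    if (idx >= shnum) return -4;                                  /* index outside the table */
    uint64_t pos = shoff + (uint64_t)idx * shentsize;
    if (pos + SHDR_SIZE > len) return -5;                         /* header lies past EOF */
    const uint8_t *sh = buf + pos;
    out->type = rd32(sh + 4);   out->offset  = rd32(sh + 16);
    out->size = rd32(sh + 20);  out->entsize = rd32(sh + 36);
    return 0;
}

/* Return the file bytes of section idx. The sum sh_offset + sh_size is formed in
 * 64 bits: with 32-bit arithmetic a fuzzed sh_size can wrap and pass the check. */
int elf32_section_data(const uint8_t *buf, size_t len, unsigned idx,
                       const uint8_t **data, size_t *size)
{
    struct shdr s;
    int rc = elf32_shdr(buf, len, idx, &s);
    if (rc) return rc;
    if (s.type == SHT_NOBITS) { *data = NULL; *size = 0; return 0; }  /* .bss: no file bytes */
    if ((uint64_t)s.offset + s.size > len) return -6;                 /* data lies past EOF */
    *data = buf + s.offset;
    *size = s.size;
    return 0;
}

/* Return entry n of a table section (symtab, dynamic, ...). Rejects a sh_entsize
 * smaller than the record the caller will read and any n beyond sh_size. */
int elf32_table_entry(const uint8_t *buf, size_t len, unsigned idx, uint32_t n,
                      uint32_t min_entsize, const uint8_t **entry)
{
    struct shdr s; const uint8_t *data = NULL; size_t size = 0;
    int rc = elf32_shdr(buf, len, idx, &s);
    if (rc == 0) rc = elf32_section_data(buf, len, idx, &data, &size);
    if (rc) return rc;
    if (s.entsize == 0 || s.entsize < min_entsize) return -7;         /* bogus sh_entsize */
    if (((uint64_t)n + 1) * s.entsize > size) return -8;              /* entry n past section end */
    *entry = data + (size_t)n * s.entsize;
    return 0;
}

/* Constructed sample image (not a real binary): ELF32 header, null section header,
 * one SYMTAB header, then 32 bytes of symbol data. e_shoff and sh_size are
 * parameters so a caller can plant the kind of values a fuzzer produces. */
#define SAMPLE_LEN (EHDR_SIZE + 2 * SHDR_SIZE + 2 * SYM_SIZE)
size_t build_sample(uint8_t *buf, uint32_t e_shoff, uint32_t sym_sh_size)
{
    memset(buf, 0, SAMPLE_LEN);
    memcpy(buf, "\x7f" "ELF\x01\x01\x01", 7);              /* magic, ELFCLASS32, ELFDATA2LSB, EV_CURRENT */
    wr32(buf + 32, e_shoff);                                /* e_shoff: 52 puts the table after the header */
    wr16(buf + 46, SHDR_SIZE);                              /* e_shentsize */
    wr16(buf + 48, 2);                                      /* e_shnum */
    uint8_t *sh1 = buf + EHDR_SIZE + SHDR_SIZE;
    wr32(sh1 + 4, SHT_SYMTAB);
    wr32(sh1 + 16, EHDR_SIZE + 2 * SHDR_SIZE);              /* sh_offset = 132 */
    wr32(sh1 + 20, sym_sh_size);                            /* sh_size: 32 when well-formed */
    wr32(sh1 + 36, SYM_SIZE);                               /* sh_entsize = sizeof(Elf32_Sym) */
    return SAMPLE_LEN;
}

/* Build a sample with the given header values and report the result of fetching
 * symbol n from section idx, so each malformed case is one call. */
int sample_entry_rc(uint32_t e_shoff, uint32_t sym_sh_size, unsigned idx, uint32_t n)
{
    uint8_t buf[SAMPLE_LEN]; const uint8_t *e = NULL;
    size_t len = build_sample(buf, e_shoff, sym_sh_size);
    return elf32_table_entry(buf, len, idx, n, SYM_SIZE, &e);
}

int main(void)
{
    printf("well-formed, symbol 1:       rc=%d\n", sample_entry_rc(52, 32, 1, 1));
    printf("symbol 2 of a 2-entry table: rc=%d\n", sample_entry_rc(52, 32, 1, 2));
    printf("sh_size 0xfffffff0 (wraps):  rc=%d\n", sample_entry_rc(52, 0xFFFFFFF0u, 1, 0));
    printf("e_shoff past EOF:            rc=%d\n", sample_entry_rc(1000, 32, 1, 0));
    return 0;
}
```

The sh_size 0xfffffff0 case is the one to keep in mind for the -m32 builds in the message: 132 + 0xfffffff0 computed in a 32-bit size_t is 116, comfortably inside a 164-byte file, and a reader that checks the sum in that width will happily hand out a pointer to 4 GiB of non-existent data. Checking every index against sh_size with sh_entsize in hand is what keeps a symtab or dynamic walk inside the section when the header claims more entries than the file holds.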