From: "traceprobe at gmail dot com" <sourceware-bugzilla@sourceware.org>
To: elfutils-devel@sourceware.org
Subject: [Bug tools/23011] New: Infinite loop in handle_sysv_hash (src/readelf.c)
Date: Wed, 28 Mar 2018 15:10:00 -0000
X-Bugzilla-URL: http://sourceware.org/bugzilla/
X-SW-Source: 2018-q1/txt/msg00116.txt.bz2

https://sourceware.org/bugzilla/show_bug.cgi?id=23011

            Bug ID: 23011
           Summary: Infinite loop in handle_sysv_hash (src/readelf.c)
           Product: elfutils
           Version: unspecified
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: tools
          Assignee: unassigned at sourceware dot org
          Reporter: traceprobe at gmail dot com
                CC: elfutils-devel at sourceware dot org
  Target Milestone: ---

Created attachment 10920
  --> https://sourceware.org/bugzilla/attachment.cgi?id=10920&action=edit
poc for readelf

In elfutils version 0.170 and commit afffdff29228db03e2131af577f58a22aec6c1fe,
there is an infinite loop in the handle_sysv_hash function of src/readelf.c,
which can be triggered by the POC below. The issue happens because, when
processing a System V-style hash table, the loop value can be manipulated by
the input file. For instance, in line 3150, if chain[1] = 1, the program falls
into an infinite loop.

3108 static void
3109 handle_sysv_hash (Ebl *ebl, Elf_Scn *scn, GElf_Shdr *shdr, size_t shstrndx)
3110 {
...
3141   for (Elf32_Word cnt = 0; cnt < nbucket; ++cnt)
3142     {
3143       Elf32_Word inner = bucket[cnt];
3144       while (inner > 0 && inner < nchain)
3145         {
3146           ++nsyms;
3147           if (maxlength < ++lengths[cnt])
3148             ++maxlength;
3149
3150           inner = chain[inner];
3151         }
3152     }

To reproduce the issue, run:

  ./eu-readelf -a $POC

The full stack trace is:

0x000000000040d78f in handle_sysv_hash (ebl=0x639670, scn=0x639238,
    shdr=0x7fffffffdae0, shstrndx=256)
    at /home/test/test/./elfutils/master/src/src/readelf.c:3144
3144      while (inner > 0 && inner < nchain)
(gdb) bt
#0  0x000000000040d78f in handle_sysv_hash (ebl=0x639670, scn=0x639238,
    shdr=0x7fffffffdae0, shstrndx=256)
    at /home/test/test/./elfutils/master/src/src/readelf.c:3144
#1  0x000000000040e24c in handle_hash (ebl=0x639670)
    at /home/test/test/./elfutils/master/src/src/readelf.c:3360
#2  0x000000000040615d in process_elf_file (dwflmod=0x639340, fd=3)
    at /home/test/test/./elfutils/master/src/src/readelf.c:915
#3  0x0000000000405747 in process_dwflmod (dwflmod=0x639340, userdata=0x639350,
    name=0x6394e0 "poc/id:000000,src:000294,op:flip1,pos:51.", base=0,
    arg=0x7fffffffdd50)
    at /home/test/test/./elfutils/master/src/src/readelf.c:707
#4  0x00007ffff7ba4c96 in dwfl_getmodules (dwfl=0x639000, callback=0x4056a9,
    arg=0x7fffffffdd50, offset=0)
    at /home/test/test/./elfutils/master/src/libdwfl/dwfl_getmodules.c:86
#5  0x0000000000405c2d in process_file (fd=3,
    fname=0x7fffffffe2b9 "poc/id:000000,src:000294,op:flip1,pos:51.",
    only_one=true)
    at /home/test/test/./elfutils/master/src/src/readelf.c:806
#6  0x000000000040461e in main (argc=3, argv=0x7fffffffdf88)
    at /home/test/test/./elfutils/master/src/src/readelf.c:322

-- 
You are receiving this mail because:
You are on the CC list for the bug.
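The report above shows why the chain walk in handle_sysv_hash cannot terminate on a crafted file: chain[] comes straight from the section data, so a single index that points back at itself (chain[1] = 1) satisfies the `inner > 0 && inner < nchain` check forever. The C below is an added example written for this page; it is not the reporter's POC and not elfutils code. It walks a constructed System V hash section (nbucket, nchain, bucket[nbucket], chain[nchain], all Elf32_Word) two ways: once with the loop as reported, given an iteration budget only so the demo returns, and once with a visited bitmap that rejects any chain index reached twice. The sample tables, the `naive_walk_steps`/`walk_sysv_hash` names and the host-endian, already-aligned input are assumptions of the example, not anything from the bug or from libelf.

```c
/* Added example, not elfutils code: walking a System V .hash section
 * (layout: nbucket, nchain, bucket[nbucket], chain[nchain], all Elf32_Word)
 * without trusting the chain[] indices read from the file.
 * Assumptions: section bytes are already in host byte order and 4-byte
 * aligned (a real reader would go through elf_getdata/gelf). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef uint32_t Elf32_Word;

enum { SYSV_HASH_TRUNCATED = -1, SYSV_HASH_BAD_CHAIN = -2, SYSV_HASH_NOMEM = -3 };

/* Constructed sample: 2 buckets, 6 chain entries, well formed.
 * bucket 0 -> sym 1 -> sym 3 -> 0 ; bucket 1 -> sym 2 -> sym 4 -> sym 5 -> 0 */
static const Elf32_Word good_hash[] = { 2, 6, 1, 2, 0, 3, 4, 0, 5, 0 };

/* Same table with chain[1] = 1, the condition the report names:
 * sym 1's successor is sym 1, so the reported loop never terminates. */
static const Elf32_Word looping_hash[] = { 2, 6, 1, 2, 0, 1, 4, 0, 5, 0 };

/* The loop as reported, with an iteration budget added only so this demo
 * terminates.  Returns the number of chain steps taken; on looping input
 * that is exactly `budget`, i.e. the walk never finished on its own. */
unsigned long naive_walk_steps(const Elf32_Word *data, unsigned long budget)
{
    Elf32_Word nbucket = data[0], nchain = data[1];
    const Elf32_Word *bucket = data + 2, *chain = bucket + nbucket;
    unsigned long steps = 0;
    for (Elf32_Word cnt = 0; cnt < nbucket; ++cnt) {
        Elf32_Word inner = bucket[cnt];
        while (inner > 0 && inner < nchain) {   /* the check at line 3144 */
            if (steps == budget)
                return steps;
            ++steps;
            inner = chain[inner];               /* line 3150: file-controlled */
        }
    }
    return steps;
}

/* Hardened walk: same counting as handle_sysv_hash (symbols reached,
 * longest chain), but each chain index may be visited once only.  A valid
 * table lists every symbol in exactly one chain, so a revisit means a
 * cycle (or two buckets sharing a tail); either way stop and report
 * SYSV_HASH_BAD_CHAIN instead of spinning.  Returns the symbol count
 * (>= 0) or a negative error; maxlength_out may be NULL. */
long walk_sysv_hash(const Elf32_Word *data, size_t size, Elf32_Word *maxlength_out)
{
    if (size < 2 * sizeof(Elf32_Word))
        return SYSV_HASH_TRUNCATED;
    Elf32_Word nbucket = data[0], nchain = data[1];
    /* The header promises nbucket + nchain words; add in 64 bits so a huge
     * nbucket cannot wrap the sum below the size check. */
    if ((uint64_t)nbucket + nchain > size / sizeof(Elf32_Word) - 2)
        return SYSV_HASH_TRUNCATED;
    const Elf32_Word *bucket = data + 2, *chain = bucket + nbucket;

    unsigned char *seen = calloc(nchain ? nchain : 1, 1);
    if (seen == NULL)
        return SYSV_HASH_NOMEM;

    long nsyms = 0, rc = 0;
    Elf32_Word maxlength = 0;
    for (Elf32_Word cnt = 0; cnt < nbucket && rc == 0; ++cnt) {
        Elf32_Word inner = bucket[cnt], len = 0;
        while (inner > 0 && inner < nchain) {
            if (seen[inner]) { rc = SYSV_HASH_BAD_CHAIN; break; }
            seen[inner] = 1;
            ++nsyms;
            if (++len > maxlength)
                maxlength = len;
            inner = chain[inner];
        }
    }
    free(seen);
    if (rc != 0)
        return rc;
    if (maxlength_out)
        *maxlength_out = maxlength;
    return nsyms;
}

/* Convenience for callers that only want the longest chain. */
long sysv_hash_maxlength(const Elf32_Word *data, size_t size)
{
    Elf32_Word maxlength = 0;
    long rc = walk_sysv_hash(data, size, &maxlength);
    return rc < 0 ? rc : (long)maxlength;
}

int main(void)
{
    printf("good:    naive steps=%lu  hardened nsyms=%ld maxlength=%ld\n",
           naive_walk_steps(good_hash, 1000),
           walk_sysv_hash(good_hash, sizeof good_hash, NULL),
           sysv_hash_maxlength(good_hash, sizeof good_hash));
    printf("looping: naive steps=%lu (budget exhausted)  hardened rc=%ld\n",
           naive_walk_steps(looping_hash, 1000),
           walk_sysv_hash(looping_hash, sizeof looping_hash, NULL));
    return 0;
}
```

The visited bitmap costs nchain bytes and bounds the whole walk at nchain steps regardless of what chain[] contains; a cheaper alternative with the same guarantee is a per-chain step counter that gives up once it exceeds nchain, since no valid chain can be longer than the number of symbols.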