* [Bug tools/23754] New: NULL-Pointer dereference problem in function do_oper_extract in the eu-ar binaries
@ 2018-10-10 12:10 wcventure at 126 dot com
2018-10-10 12:11 ` [Bug tools/23754] " wcventure at 126 dot com
` (4 more replies)
0 siblings, 5 replies; 6+ messages in thread
From: wcventure at 126 dot com @ 2018-10-10 12:10 UTC (permalink / raw)
To: elfutils-devel
https://sourceware.org/bugzilla/show_bug.cgi?id=23754
Bug ID: 23754
Summary: NULL-Pointer dereference problem in function
do_oper_extract in the eu-ar binaries
Product: elfutils
Version: unspecified
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: tools
Assignee: unassigned at sourceware dot org
Reporter: wcventure at 126 dot com
CC: elfutils-devel at sourceware dot org
Target Milestone: ---
Hi,
Our fuzzer caught NULL-Pointer dereference problems in eu-ar.c in the latest
elfutils(v0.174) code base, those inputs will cause the signal SIGSEGV,
Segmentation fault. I have confirmed them with address sanitizer.
Please use the “ ./eu-ar -tv $POC ” to reproduce the bug. If you have any
questions, please let me know. Thank you.
The ASAN dumps the stack trace as follows:
ASAN:DEADLYSIGNAL
=================================================================
==24906==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000030 (pc
0x7fb225ed3071 bp 0x7fffdbcb2a50 sp 0x7fffdbcb2370 T0)
==24906==The signal is caused by a READ memory access.
==24906==Hint: address points to the zero page.
#0 0x7fb225ed3070 (/lib/x86_64-linux-gnu/libc.so.6+0xc3070)
#1 0x7fb225ed50a5 in __strftime_l (/lib/x86_64-linux-gnu/libc.so.6+0xc50a5)
#2 0x404574 in do_oper_extract
/mnt/c/wcventure/Fuzzing_Object/elfutils-0.174/src/ar.c:542
#3 0x403203 in main
/mnt/c/wcventure/Fuzzing_Object/elfutils-0.174/src/ar.c:252
#4 0x7fb225e3082f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#5 0x402428 in _start
(/mnt/c/wcventure/Fuzzing_Object/elfutils-0.174/build/bin/eu-ar+0x402428)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0xc3070)
==24906==ABORTING
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 6+ messages in thread* [Bug tools/23754] NULL-Pointer dereference problem in function do_oper_extract in the eu-ar binaries 2018-10-10 12:10 [Bug tools/23754] New: NULL-Pointer dereference problem in function do_oper_extract in the eu-ar binaries wcventure at 126 dot com @ 2018-10-10 12:11 ` wcventure at 126 dot com 2018-10-10 12:12 ` wcventure at 126 dot com ` (3 subsequent siblings) 4 siblings, 0 replies; 6+ messages in thread From: wcventure at 126 dot com @ 2018-10-10 12:11 UTC (permalink / raw) To: elfutils-devel https://sourceware.org/bugzilla/show_bug.cgi?id=23754 --- Comment #1 from wcventure <wcventure at 126 dot com> --- Created attachment 11309 --> https://sourceware.org/bugzilla/attachment.cgi?id=11309&action=edit POC1-ar -- You are receiving this mail because: You are on the CC list for the bug. ^ permalink raw reply [flat|nested] 6+ messages in thread
* [Bug tools/23754] NULL-Pointer dereference problem in function do_oper_extract in the eu-ar binaries 2018-10-10 12:10 [Bug tools/23754] New: NULL-Pointer dereference problem in function do_oper_extract in the eu-ar binaries wcventure at 126 dot com 2018-10-10 12:11 ` [Bug tools/23754] " wcventure at 126 dot com @ 2018-10-10 12:12 ` wcventure at 126 dot com 2018-10-14 15:32 ` mark at klomp dot org ` (2 subsequent siblings) 4 siblings, 0 replies; 6+ messages in thread From: wcventure at 126 dot com @ 2018-10-10 12:12 UTC (permalink / raw) To: elfutils-devel https://sourceware.org/bugzilla/show_bug.cgi?id=23754 --- Comment #2 from wcventure <wcventure at 126 dot com> --- Created attachment 11310 --> https://sourceware.org/bugzilla/attachment.cgi?id=11310&action=edit POC2-ar Please use the "./eu-ar -tv $POC" to reproduce the bug. -- You are receiving this mail because: You are on the CC list for the bug. ^ permalink raw reply [flat|nested] 6+ messages in thread
* [Bug tools/23754] NULL-Pointer dereference problem in function do_oper_extract in the eu-ar binaries 2018-10-10 12:10 [Bug tools/23754] New: NULL-Pointer dereference problem in function do_oper_extract in the eu-ar binaries wcventure at 126 dot com 2018-10-10 12:11 ` [Bug tools/23754] " wcventure at 126 dot com 2018-10-10 12:12 ` wcventure at 126 dot com @ 2018-10-14 15:32 ` mark at klomp dot org 2018-10-14 16:22 ` wcventure at 126 dot com 2018-10-19 22:28 ` mark at klomp dot org 4 siblings, 0 replies; 6+ messages in thread From: mark at klomp dot org @ 2018-10-14 15:32 UTC (permalink / raw) To: elfutils-devel https://sourceware.org/bugzilla/show_bug.cgi?id=23754 Mark Wielaard <mark at klomp dot org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|UNCONFIRMED |ASSIGNED Last reconfirmed| |2018-10-14 CC| |mark at klomp dot org Ever confirmed|0 |1 --- Comment #3 from Mark Wielaard <mark at klomp dot org> --- localtime could return NULL when the ar_date was bogus. Proposed workaround: https://sourceware.org/ml/elfutils-devel/2018-q4/msg00028.html -- You are receiving this mail because: You are on the CC list for the bug. ^ permalink raw reply [flat|nested] 6+ messages in thread
* [Bug tools/23754] NULL-Pointer dereference problem in function do_oper_extract in the eu-ar binaries 2018-10-10 12:10 [Bug tools/23754] New: NULL-Pointer dereference problem in function do_oper_extract in the eu-ar binaries wcventure at 126 dot com ` (2 preceding siblings ...) 2018-10-14 15:32 ` mark at klomp dot org @ 2018-10-14 16:22 ` wcventure at 126 dot com 2018-10-19 22:28 ` mark at klomp dot org 4 siblings, 0 replies; 6+ messages in thread From: wcventure at 126 dot com @ 2018-10-14 16:22 UTC (permalink / raw) To: elfutils-devel https://sourceware.org/bugzilla/show_bug.cgi?id=23754 --- Comment #4 from wcventure <wcventure at 126 dot com> --- Thanks for paying attention to this problem and proposing to fix it in time. This bug was discovered by NTU Cyber-Security-Lab, for fuzzing research work. -- You are receiving this mail because: You are on the CC list for the bug. ^ permalink raw reply [flat|nested] 6+ messages in thread
* [Bug tools/23754] NULL-Pointer dereference problem in function do_oper_extract in the eu-ar binaries 2018-10-10 12:10 [Bug tools/23754] New: NULL-Pointer dereference problem in function do_oper_extract in the eu-ar binaries wcventure at 126 dot com ` (3 preceding siblings ...) 2018-10-14 16:22 ` wcventure at 126 dot com @ 2018-10-19 22:28 ` mark at klomp dot org 4 siblings, 0 replies; 6+ messages in thread From: mark at klomp dot org @ 2018-10-19 22:28 UTC (permalink / raw) To: elfutils-devel https://sourceware.org/bugzilla/show_bug.cgi?id=23754 Mark Wielaard <mark at klomp dot org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |RESOLVED Resolution|--- |FIXED --- Comment #5 from Mark Wielaard <mark at klomp dot org> --- commit 4cdb0fd0d3b4255a9994ce302d6df76d251f7b75 Author: Mark Wielaard <mark@klomp.org> Date: Sun Oct 14 17:29:51 2018 +0200 ar: Assume epoch if ar_date is bogus. If the ar header contains a bogus ar_date then in verbose mode we would get a NULL pointer from localtime. Just assume the entry was created during the epoch. https://sourceware.org/bugzilla/show_bug.cgi?id=23754 Signed-off-by: Mark Wielaard <mark@klomp.org> -- You are receiving this mail because: You are on the CC list for the bug. ^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2018-10-19 22:28 UTC | newest] Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2018-10-10 12:10 [Bug tools/23754] New: NULL-Pointer dereference problem in function do_oper_extract in the eu-ar binaries wcventure at 126 dot com 2018-10-10 12:11 ` [Bug tools/23754] " wcventure at 126 dot com 2018-10-10 12:12 ` wcventure at 126 dot com 2018-10-14 15:32 ` mark at klomp dot org 2018-10-14 16:22 ` wcventure at 126 dot com 2018-10-19 22:28 ` mark at klomp dot org
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).