* [Bug tools/23754] New: NULL-Pointer dereference problem in function do_oper_extract in the eu-ar binaries

From: wcventure at 126 dot com @ 2018-10-10 12:10 UTC (permalink / raw)
To: elfutils-devel

https://sourceware.org/bugzilla/show_bug.cgi?id=23754

            Bug ID: 23754
           Summary: NULL-Pointer dereference problem in function
                    do_oper_extract in the eu-ar binaries
           Product: elfutils
           Version: unspecified
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: tools
          Assignee: unassigned at sourceware dot org
          Reporter: wcventure at 126 dot com
                CC: elfutils-devel at sourceware dot org
  Target Milestone: ---

Hi,

Our fuzzer caught NULL-Pointer dereference problems in eu-ar.c in the latest elfutils (v0.174) code base; those inputs cause the signal SIGSEGV, Segmentation fault. I have confirmed them with AddressSanitizer.

Please use "./eu-ar -tv $POC" to reproduce the bug. If you have any questions, please let me know. Thank you.

The ASAN dumps the stack trace as follows:

ASAN:DEADLYSIGNAL
=================================================================
==24906==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000030 (pc 0x7fb225ed3071 bp 0x7fffdbcb2a50 sp 0x7fffdbcb2370 T0)
==24906==The signal is caused by a READ memory access.
==24906==Hint: address points to the zero page.
    #0 0x7fb225ed3070  (/lib/x86_64-linux-gnu/libc.so.6+0xc3070)
    #1 0x7fb225ed50a5 in __strftime_l (/lib/x86_64-linux-gnu/libc.so.6+0xc50a5)
    #2 0x404574 in do_oper_extract /mnt/c/wcventure/Fuzzing_Object/elfutils-0.174/src/ar.c:542
    #3 0x403203 in main /mnt/c/wcventure/Fuzzing_Object/elfutils-0.174/src/ar.c:252
    #4 0x7fb225e3082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #5 0x402428 in _start (/mnt/c/wcventure/Fuzzing_Object/elfutils-0.174/build/bin/eu-ar+0x402428)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0xc3070)
==24906==ABORTING

-- 
You are receiving this mail because:
You are on the CC list for the bug.
* [Bug tools/23754] NULL-Pointer dereference problem in function do_oper_extract in the eu-ar binaries

From: wcventure at 126 dot com @ 2018-10-10 12:11 UTC (permalink / raw)
To: elfutils-devel

https://sourceware.org/bugzilla/show_bug.cgi?id=23754

--- Comment #1 from wcventure <wcventure at 126 dot com> ---
Created attachment 11309
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11309&action=edit
POC1-ar
* [Bug tools/23754] NULL-Pointer dereference problem in function do_oper_extract in the eu-ar binaries

From: wcventure at 126 dot com @ 2018-10-10 12:12 UTC (permalink / raw)
To: elfutils-devel

https://sourceware.org/bugzilla/show_bug.cgi?id=23754

--- Comment #2 from wcventure <wcventure at 126 dot com> ---
Created attachment 11310
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11310&action=edit
POC2-ar

Please use "./eu-ar -tv $POC" to reproduce the bug.
* [Bug tools/23754] NULL-Pointer dereference problem in function do_oper_extract in the eu-ar binaries

From: mark at klomp dot org @ 2018-10-14 15:32 UTC (permalink / raw)
To: elfutils-devel

https://sourceware.org/bugzilla/show_bug.cgi?id=23754

Mark Wielaard <mark at klomp dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |ASSIGNED
   Last reconfirmed|                            |2018-10-14
                 CC|                            |mark at klomp dot org
     Ever confirmed|0                           |1

--- Comment #3 from Mark Wielaard <mark at klomp dot org> ---
localtime could return NULL when the ar_date was bogus.

Proposed workaround:
https://sourceware.org/ml/elfutils-devel/2018-q4/msg00028.html
* [Bug tools/23754] NULL-Pointer dereference problem in function do_oper_extract in the eu-ar binaries

From: wcventure at 126 dot com @ 2018-10-14 16:22 UTC (permalink / raw)
To: elfutils-devel

https://sourceware.org/bugzilla/show_bug.cgi?id=23754

--- Comment #4 from wcventure <wcventure at 126 dot com> ---
Thanks for paying attention to this problem and proposing to fix it in time.

This bug was discovered by NTU Cyber-Security-Lab, for fuzzing research work.
* [Bug tools/23754] NULL-Pointer dereference problem in function do_oper_extract in the eu-ar binaries

From: mark at klomp dot org @ 2018-10-19 22:28 UTC (permalink / raw)
To: elfutils-devel

https://sourceware.org/bugzilla/show_bug.cgi?id=23754

Mark Wielaard <mark at klomp dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED

--- Comment #5 from Mark Wielaard <mark at klomp dot org> ---
commit 4cdb0fd0d3b4255a9994ce302d6df76d251f7b75
Author: Mark Wielaard <mark@klomp.org>
Date:   Sun Oct 14 17:29:51 2018 +0200

    ar: Assume epoch if ar_date is bogus.

    If the ar header contains a bogus ar_date then in verbose mode we would
    get a NULL pointer from localtime. Just assume the entry was created
    during the epoch.

    https://sourceware.org/bugzilla/show_bug.cgi?id=23754

    Signed-off-by: Mark Wielaard <mark@klomp.org>
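The failure mode and the fix described in the thread, as an added example in C (not elfutils code): the 12-byte ar_date header field is parsed, and a NULL from localtime is treated as a bogus date and replaced by the epoch before strftime is called. The helper names and the listing format string are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Parse the space-padded 12-byte decimal ar_date field of an ar member header
   (hypothetical helper).  Returns 0 on success, -1 if the field is not numeric. */
int parse_ar_date(const char *field, time_t *out)
{
  char buf[13], *end;
  memcpy(buf, field, 12);         /* 12 digits cannot overflow a long long */
  buf[12] = '\0';
  long long v = strtoll(buf, &end, 10);
  if (end == buf)
    return -1;
  while (*end == ' ')             /* skip the field's trailing padding */
    end++;
  if (*end != '\0')
    return -1;
  *out = (time_t) v;
  return 0;
}

/* Format a member date for a verbose listing.  localtime() returns NULL when
   the value cannot be represented as a struct tm (e.g. the year does not fit
   in an int); passing that NULL to strftime is the crash in bug 23754.  Like
   the fix, a bogus date is treated as the epoch.  Returns 1 if that happened. */
int format_ar_date(time_t ar_date, char *buf, size_t len)
{
  int fell_back = 0;
  struct tm *tp = localtime(&ar_date);
  if (tp == NULL) {
    fell_back = 1;
    ar_date = 0;                  /* assume the epoch */
    tp = localtime(&ar_date);     /* the epoch is always representable */
  }
  strftime(buf, len, "%b %e %H:%M %Y", tp);   /* format string is assumed */
  return fell_back;
}

int main(void)
{
  char out[32];
  time_t t;
  if (parse_ar_date("1539530991  ", &t) == 0) {   /* constructed sample field */
    int fb = format_ar_date(t, out, sizeof out);
    printf("%s (epoch fallback: %d)\n", out, fb);
  }
  return 0;
}
```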