From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 55688 invoked by alias); 10 Oct 2018 12:10:45 -0000 Mailing-List: contact elfutils-devel-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Post: List-Help: List-Subscribe: Sender: elfutils-devel-owner@sourceware.org Received: (qmail 55547 invoked by uid 48); 10 Oct 2018 12:10:37 -0000 From: "wcventure at 126 dot com" To: elfutils-devel@sourceware.org Subject: [Bug tools/23754] New: NULL-Pointer dereference problem in function do_oper_extract in the eu-ar binaries Date: Wed, 10 Oct 2018 12:10:00 -0000 X-Bugzilla-Reason: CC X-Bugzilla-Type: new X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: elfutils X-Bugzilla-Component: tools X-Bugzilla-Version: unspecified X-Bugzilla-Keywords: X-Bugzilla-Severity: normal X-Bugzilla-Who: wcventure at 126 dot com X-Bugzilla-Status: UNCONFIRMED X-Bugzilla-Resolution: X-Bugzilla-Priority: P2 X-Bugzilla-Assigned-To: unassigned at sourceware dot org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: bug_id short_desc product version bug_status bug_severity priority component assigned_to reporter cc target_milestone Message-ID: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: http://sourceware.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-SW-Source: 2018-q4/txt/msg00008.txt.bz2 https://sourceware.org/bugzilla/show_bug.cgi?id=3D23754 Bug ID: 23754 Summary: NULL-Pointer dereference problem in function do_oper_extract in the eu-ar binaries Product: elfutils Version: unspecified Status: UNCONFIRMED Severity: normal Priority: P2 Component: tools Assignee: unassigned at sourceware dot org Reporter: wcventure at 126 dot com CC: elfutils-devel at sourceware dot org Target Milestone: --- Hi, Our fuzzer caught NULL-Pointer dereference problems in eu-ar.c in the latest elfutils(v0.174) code base, those inputs will cause the signal SIGSEGV, Segmentation fault. I have confirmed them with address sanitizer.=20 Please use the =E2=80=9C ./eu-ar -tv $POC =E2=80=9D to reproduce the bug. I= f you have any questions, please let me know. Thank you. The ASAN dumps the stack trace as follows: ASAN:DEADLYSIGNAL =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =3D=3D24906=3D=3DERROR: AddressSanitizer: SEGV on unknown address 0x0000000= 00030 (pc 0x7fb225ed3071 bp 0x7fffdbcb2a50 sp 0x7fffdbcb2370 T0) =3D=3D24906=3D=3DThe signal is caused by a READ memory access. =3D=3D24906=3D=3DHint: address points to the zero page. #0 0x7fb225ed3070 (/lib/x86_64-linux-gnu/libc.so.6+0xc3070) #1 0x7fb225ed50a5 in __strftime_l (/lib/x86_64-linux-gnu/libc.so.6+0xc5= 0a5) #2 0x404574 in do_oper_extract /mnt/c/wcventure/Fuzzing_Object/elfutils-0.174/src/ar.c:542 #3 0x403203 in main /mnt/c/wcventure/Fuzzing_Object/elfutils-0.174/src/ar.c:252 #4 0x7fb225e3082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) #5 0x402428 in _start (/mnt/c/wcventure/Fuzzing_Object/elfutils-0.174/build/bin/eu-ar+0x402428) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0xc3070) =3D=3D24906=3D=3DABORTING --=20 You are receiving this mail because: You are on the CC list for the bug.