* [Bug general/24385] New: Regression lead to Invalid Address Deference, in handle_elf function in /src/strip.c
@ 2019-03-26 7:19 wcventure at 126 dot com
From: wcventure at 126 dot com @ 2019-03-26 7:19 UTC (permalink / raw)
To: elfutils-devel
https://sourceware.org/bugzilla/show_bug.cgi?id=24385
Bug ID: 24385
Summary: Regression lead to Invalid Address Deference, in
handle_elf function in /src/strip.c
Product: elfutils
Version: unspecified
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: general
Assignee: unassigned at sourceware dot org
Reporter: wcventure at 126 dot com
CC: elfutils-devel at sourceware dot org
Target Milestone: ---
Created attachment 11698
--> https://sourceware.org/bugzilla/attachment.cgi?id=11698&action=edit
POC1
Hi,
I found a regression bug.
This is an Invalid Address Dereference bug in the handle_elf function in
/src/strip.c.
This problem exists in elfutils-0.176, but cannot be reproduced in elfutils-0.175.
Thus this is a regression bug; elfutils 0.175 behaves correctly.
Here are the POC files. Please use " ./eu-strip $POC " to reproduce this.
ASAN bt:
> ASAN:SIGSEGV
> =================================================================
> ==10044==ERROR: AddressSanitizer: SEGV on unknown address 0x7ffce19d97b0 (pc 0x00000041339d bp 0x7ffce1978410 sp 0x7ffce1976750 T0)
> #0 0x41339c in handle_elf elfutils-0.176/src/strip.c:1978
> #1 0x41a2d1 in process_file elfutils-0.176/src/strip.c:769
> #2 0x403b4b in main elfutils-0.176/src/strip.c:272
> #3 0x7f505ec0382f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
> #4 0x4046d8 in _start (elfutils-0.176_ASAN/build/bin/eu-strip+0x4046d8)
>
> AddressSanitizer can not provide additional info.
> SUMMARY: AddressSanitizer: SEGV elfutils-0.176/src/strip.c:1978 handle_elf
> ==10044==ABORTING
--
You are receiving this mail because:
You are on the CC list for the bug.
* [Bug general/24385] Regression lead to Invalid Address Deference, in handle_elf function in /src/strip.c
From: wcventure at 126 dot com @ 2019-03-26 7:19 UTC (permalink / raw)
To: elfutils-devel
https://sourceware.org/bugzilla/show_bug.cgi?id=24385
--- Comment #1 from wcventure <wcventure at 126 dot com> ---
Created attachment 11699
--> https://sourceware.org/bugzilla/attachment.cgi?id=11699&action=edit
POC2
* [Bug general/24385] Regression lead to Invalid Address Deference, in handle_elf function in /src/strip.c
From: mark at klomp dot org @ 2019-03-27 21:02 UTC (permalink / raw)
To: elfutils-devel
https://sourceware.org/bugzilla/show_bug.cgi?id=24385
Mark Wielaard <mark at klomp dot org> changed:
What       | Removed     | Added
-----------|-------------|----------------------
Status     | UNCONFIRMED | RESOLVED
CC         |             | mark at klomp dot org
Resolution | ---         | FIXED
--- Comment #2 from Mark Wielaard <mark at klomp dot org> ---
This code is only triggered when stripping into a new file with -o. With that
it can be replicated under valgrind:
==1008== Command: src/strip -o POC1.stripped ./POC1
==1008==
==1008== Invalid read of size 4
==1008== at 0x804EB0A: handle_elf.constprop.2 (strip.c:1978)
==1008== by 0x804F2F7: process_file (strip.c:769)
==1008== by 0x8049AFF: main (strip.c:272)
==1008== Address 0xfec3c840 is not stack'd, malloc'd or (recently) free'd
==1008==
==1008==
==1008== Process terminating with default action of signal 11 (SIGSEGV)
==1008== Access not within mapped region at address 0xFEC3C840
The file is obviously illformed because the symbol refers to a non-existing
section. The fix is simple:
diff --git a/src/strip.c b/src/strip.c
index a73009d..4cd8750 100644
--- a/src/strip.c
+++ b/src/strip.c
@@ -1975,6 +1975,7 @@ handle_elf (int fd, Elf *elf, const char *prefix, const
ch
&& shndxdata->d_buf != NULL);
size_t sidx = (sym->st_shndx != SHN_XINDEX
? sym->st_shndx : xshndx);
+ elf_assert (sidx < shnum);
sec = shdr_info[sidx].idx;
if (sec != 0)
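Review bot: the new `elf_assert (sidx < shnum)` sits in the right place, since `sidx` is the resolved index for both the direct `st_shndx` case and the SHN_XINDEX case and it is checked before `shdr_info[sidx].idx` is read; what the hunk does not show is how symbols with reserved indices (SHN_ABS, SHN_COMMON, which are far larger than any real `shnum`) are kept out of this branch, so please confirm in the surrounding code that they are filtered before this point, otherwise ordinary absolute and common symbols would now be reported as illformed. It would also help to state in the commit message the user-visible effect, i.e. that eu-strip now exits with an illformed-file error on such input instead of crashing.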
commit f03ac75239e0981deaf4aa18f66f423bcc5ce051
Author: Mark Wielaard <mark@klomp.org>
Date: Wed Mar 27 21:54:06 2019 +0100
strip: Files with symbols referring to non-existing sections are illformed
The check added in commit 4540ea98c "strip: Fix check test for SHN_XINDEX
symbol" was not complete. The (extended) section index should also exist.
If it doesn't exist, mark the file as illformed.
https://sourceware.org/bugzilla/show_bug.cgi?id=24385
Signed-off-by: Mark Wielaard <mark@klomp.org>
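The check Mark's patch adds, written out as a stand-alone validator. This is an added example, not elfutils code: it models the ELF64 symbol table entry (same field order and sizes as Elf64_Sym) and the SHN_* reserved values from the ELF specification, constructs three small symbol tables in memory (one well-formed, one with a plain out-of-range st_shndx, one whose SHN_XINDEX entry in the extended index table is out of range) and reports the first symbol that would have sent handle_elf past the end of shdr_info. The struct name, function names, section count and sample values are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Reserved section index values from the ELF specification.  */
#define SHN_UNDEF     0x0000
#define SHN_LORESERVE 0xff00
#define SHN_ABS       0xfff1
#define SHN_COMMON    0xfff2
#define SHN_XINDEX    0xffff

/* ELF64 symbol table entry; same field order and sizes as Elf64_Sym.  */
typedef struct
{
  uint32_t st_name;
  uint8_t  st_info;
  uint8_t  st_other;
  uint16_t st_shndx;
  uint64_t st_value;
  uint64_t st_size;
} Sym64;

enum { SYM_NO_SECTION = -1, SYM_ILLFORMED = -2 };

/* Return the section a symbol refers to, SYM_NO_SECTION for SHN_UNDEF and
   reserved indices other than SHN_XINDEX, or SYM_ILLFORMED when SHN_XINDEX
   is used but no SHT_SYMTAB_SHNDX entry exists for this symbol.  */
static long
sym_section_index (const Sym64 *sym, size_t symidx,
                   const uint32_t *shndx_tab, size_t shndx_count)
{
  if (sym->st_shndx == SHN_UNDEF
      || (sym->st_shndx >= SHN_LORESERVE && sym->st_shndx != SHN_XINDEX))
    return SYM_NO_SECTION;
  if (sym->st_shndx != SHN_XINDEX)
    return sym->st_shndx;
  if (shndx_tab == NULL || symidx >= shndx_count)
    return SYM_ILLFORMED;
  return (long) shndx_tab[symidx];
}

/* Return the index of the first symbol whose section index does not name one
   of the SHNUM existing sections, or -1 if the table is well-formed.  This is
   the bound the strip.c hunk enforces before indexing shdr_info[].  */
static long
first_bad_symbol (const Sym64 *syms, size_t nsyms,
                  const uint32_t *shndx_tab, size_t shndx_count, size_t shnum)
{
  for (size_t i = 0; i < nsyms; i++)
    {
      long sidx = sym_section_index (&syms[i], i, shndx_tab, shndx_count);
      if (sidx == SYM_NO_SECTION)
        continue;
      if (sidx == SYM_ILLFORMED || (size_t) sidx >= shnum)
        return (long) i;
    }
  return -1;
}

/* Constructed sample file: five section headers, indices 0..4.  */
#define SHNUM 5

/* undef, section 2, absolute, extended index resolving to 4: all fine.  */
long
check_wellformed (void)
{
  static const Sym64 syms[] = {
    { 0, 0, 0, SHN_UNDEF,  0,      0 },
    { 1, 0, 0, 2,          0x1000, 8 },
    { 2, 0, 0, SHN_ABS,    0x42,   0 },
    { 3, 0, 0, SHN_XINDEX, 0x2000, 16 },
  };
  static const uint32_t shndx[] = { 0, 0, 0, 4 };
  return first_bad_symbol (syms, 4, shndx, 4, SHNUM);
}

/* Symbol 2 names section 7, but only sections 0..4 exist.  */
long
check_bad_direct (void)
{
  static const Sym64 syms[] = {
    { 0, 0, 0, SHN_UNDEF, 0, 0 },
    { 1, 0, 0, 1,         0, 0 },
    { 2, 0, 0, 7,         0, 0 },
  };
  return first_bad_symbol (syms, 3, NULL, 0, SHNUM);
}

/* Symbol 1 uses SHN_XINDEX and the extended table points at 0x10000.  */
long
check_bad_xindex (void)
{
  static const Sym64 syms[] = {
    { 0, 0, 0, SHN_UNDEF,  0, 0 },
    { 1, 0, 0, SHN_XINDEX, 0, 0 },
  };
  static const uint32_t shndx[] = { 0, 0x10000 };
  return first_bad_symbol (syms, 2, shndx, 2, SHNUM);
}

int
main (void)
{
  printf ("well-formed table: %ld\n", check_wellformed ());
  printf ("out-of-range st_shndx: symbol %ld\n", check_bad_direct ());
  printf ("out-of-range SHN_XINDEX: symbol %ld\n", check_bad_xindex ());
  return 0;
}
```

The reserved-index filter in sym_section_index is the part the hunk relies on but does not show: without it, an SHN_ABS symbol would fail the `sidx < shnum` bound and a legitimate file would be rejected as illformed. Both the direct and the SHN_XINDEX path funnel into the same bound check, which is why a single assert on the resolved index suffices.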
* [Bug general/24385] Check symbols only refer to existing sections in eu-strip handle_elf
From: mark at klomp dot org @ 2019-03-27 21:04 UTC (permalink / raw)
To: elfutils-devel
https://sourceware.org/bugzilla/show_bug.cgi?id=24385
Mark Wielaard <mark at klomp dot org> changed:
What    | Removed                                                                           | Added
--------|-----------------------------------------------------------------------------------|---------------------------------------------------------------------
Summary | Regression lead to Invalid Address Deference, in handle_elf function in /src/strip.c | Check symbols only refer to existing sections in eu-strip handle_elf