http://sourceware.org/bugzilla/show_bug.cgi?id=15191
Bug #: 15191
Summary: readelf invalid memory accesses
Product: binutils
Version: 2.23
Status: NEW
Severity: normal
Priority: P2
Component: binutils
AssignedTo: unassig...@sourceware.org
ReportedBy: paul.marine...@imperial.ac.uk
Classification: Unclassified

Created attachment 6892
  --> http://sourceware.org/bugzilla/attachment.cgi?id=6892
valgrind readelf -a bugtest.o

Valgrind shows various invalid memory accesses when running readelf on a
particular file (attached). I'm using binutils 2.23.52.20130219

From the output, it seems that readelf detects an invalid sh_entsize, but it
nevertheless continues to parse the section.

==29101== Memcheck, a memory error detector
==29101== Copyright (C) 2002-2010, and GNU GPL'd, by Julian Seward et al.
==29101== Using Valgrind-3.6.1 and LibVEX; rerun with -h for copyright info
==29101== Command: /home/pdm110/binutils-pristine/binutils/readelf -a tmpdir/bintest.o.test
==29101==
ELF Header:
  Magic:   7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
  Class:                             ELF64
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              REL (Relocatable file)
  Machine:                           Advanced Micro Devices X86-64
  Version:                           0x1
  Entry point address:               0x0
  Start of program headers:          0 (bytes into file)
  Start of section headers:          152 (bytes into file)
  Flags:                             0x0
  Size of this header:               64 (bytes)
  Size of program headers:           0 (bytes)
  Number of program headers:         0
  Size of section headers:           64 (bytes)
  Number of section headers:         0 (2)
  Section header string table index: 7 <corrupt: out of range>
readelf: Error: Section 1 has invalid sh_entsize 200000000000004 (expected 4)

Section Headers:
  [Nr] Name              Type             Address           Offset
       Size              EntSize          Flags  Link  Info  Align
  [ 0] <no-name>         NOTE             0000000000000000  00000000
       0000000000000002  0000000000000000           0     0     0
  [ 1] <no-name>         GROUP            0000000000000000  00000040
       000000000000000c  0000000000000004           8     6     4
Key to Flags:
  W (write), A (alloc), X (execute), M (merge), S (strings), l (large)
  I (info), L (link order), G (group), T (TLS), E (exclude), x (unknown)
  O (extra OS processing required) o (OS specific), p (processor specific)
readelf: Error: Bad sh_link in group section `<no-name>'

There are no program headers in this file.

There are no relocations in this file.

The decoding of unwind sections for machine type Advanced Micro Devices X86-64
is not currently supported.

No version information found in this file.

Notes at offset 0x00000000 with length 0x00000002:
  Owner                 Data size       Description
==29101== Invalid read of size 1
==29101==    at 0x42EC10: byte_get_little_endian (elfcomm.c:143)
==29101==    by 0x417AF6: process_corefile_note_segment.part.13 (readelf.c:13363)
==29101==    by 0x41EB88: process_object (readelf.c:13341)
==29101==    by 0x420E9B: main (readelf.c:14078)
==29101==  Address 0x4c295c9 is 6 bytes after a block of size 3 alloc'd
==29101==    at 0x4A074CD: malloc (vg_replace_malloc.c:236)
==29101==    by 0x402C2C: get_data (readelf.c:325)
==29101==    by 0x417962: process_corefile_note_segment.part.13 (readelf.c:13344)
==29101==    by 0x41EB88: process_object (readelf.c:13341)
==29101==    by 0x420E9B: main (readelf.c:14078)
==29101==
==29101== Invalid read of size 1
==29101==    at 0x42EC14: byte_get_little_endian (elfcomm.c:144)
==29101==    by 0x417AF6: process_corefile_note_segment.part.13 (readelf.c:13363)
==29101==    by 0x41EB88: process_object (readelf.c:13341)
==29101==    by 0x420E9B: main (readelf.c:14078)
==29101==  Address 0x4c295ca is 7 bytes after a block of size 3 alloc'd
==29101==    at 0x4A074CD: malloc (vg_replace_malloc.c:236)
==29101==    by 0x402C2C: get_data (readelf.c:325)
==29101==    by 0x417962: process_corefile_note_segment.part.13 (readelf.c:13344)
==29101==    by 0x41EB88: process_object (readelf.c:13341)
==29101==    by 0x420E9B: main (readelf.c:14078)
==29101==
==29101== Invalid read of size 1
==29101==    at 0x42EC24: byte_get_little_endian (elfcomm.c:142)
==29101==    by 0x417AF6: process_corefile_note_segment.part.13 (readelf.c:13363)
==29101==    by 0x41EB88: process_object (readelf.c:13341)
==29101==    by 0x420E9B: main (readelf.c:14078)
==29101==  Address 0x4c295c8 is 5 bytes after a block of size 3 alloc'd
==29101==    at 0x4A074CD: malloc (vg_replace_malloc.c:236)
==29101==    by 0x402C2C: get_data (readelf.c:325)
==29101==    by 0x417962: process_corefile_note_segment.part.13 (readelf.c:13344)
==29101==    by 0x41EB88: process_object (readelf.c:13341)
==29101==    by 0x420E9B: main (readelf.c:14078)
==29101==
==29101== Invalid read of size 1
==29101==    at 0x42EC2A: byte_get_little_endian (elfcomm.c:145)
==29101==    by 0x417AF6: process_corefile_note_segment.part.13 (readelf.c:13363)
==29101==    by 0x41EB88: process_object (readelf.c:13341)
==29101==    by 0x420E9B: main (readelf.c:14078)
==29101==  Address 0x4c295cb is 8 bytes after a block of size 3 alloc'd
==29101==    at 0x4A074CD: malloc (vg_replace_malloc.c:236)
==29101==    by 0x402C2C: get_data (readelf.c:325)
==29101==    by 0x417962: process_corefile_note_segment.part.13 (readelf.c:13344)
==29101==    by 0x41EB88: process_object (readelf.c:13341)
==29101==    by 0x420E9B: main (readelf.c:14078)
==29101==
==29101== Invalid read of size 1
==29101==    at 0x42EC2A: byte_get_little_endian (elfcomm.c:145)
==29101==    by 0x417B07: process_corefile_note_segment.part.13 (readelf.c:13364)
==29101==    by 0x41EB88: process_object (readelf.c:13341)
==29101==    by 0x420E9B: main (readelf.c:14078)
==29101==  Address 0x4c295c3 is 0 bytes after a block of size 3 alloc'd
==29101==    at 0x4A074CD: malloc (vg_replace_malloc.c:236)
==29101==    by 0x402C2C: get_data (readelf.c:325)
==29101==    by 0x417962: process_corefile_note_segment.part.13 (readelf.c:13344)
==29101==    by 0x41EB88: process_object (readelf.c:13341)
==29101==    by 0x420E9B: main (readelf.c:14078)
==29101==
==29101== Invalid read of size 1
==29101==    at 0x42EC10: byte_get_little_endian (elfcomm.c:143)
==29101==    by 0x417B1B: process_corefile_note_segment.part.13 (readelf.c:13366)
==29101==    by 0x41EB88: process_object (readelf.c:13341)
==29101==    by 0x420E9B: main (readelf.c:14078)
==29101==  Address 0x4c295c5 is 2 bytes after a block of size 3 alloc'd
==29101==    at 0x4A074CD: malloc (vg_replace_malloc.c:236)
==29101==    by 0x402C2C: get_data (readelf.c:325)
==29101==    by 0x417962: process_corefile_note_segment.part.13 (readelf.c:13344)
==29101==    by 0x41EB88: process_object (readelf.c:13341)
==29101==    by 0x420E9B: main (readelf.c:14078)
==29101==
==29101== Invalid read of size 1
==29101==    at 0x42EC14: byte_get_little_endian (elfcomm.c:144)
==29101==    by 0x417B1B: process_corefile_note_segment.part.13 (readelf.c:13366)
==29101==    by 0x41EB88: process_object (readelf.c:13341)
==29101==    by 0x420E9B: main (readelf.c:14078)
==29101==  Address 0x4c295c6 is 3 bytes after a block of size 3 alloc'd
==29101==    at 0x4A074CD: malloc (vg_replace_malloc.c:236)
==29101==    by 0x402C2C: get_data (readelf.c:325)
==29101==    by 0x417962: process_corefile_note_segment.part.13 (readelf.c:13344)
==29101==    by 0x41EB88: process_object (readelf.c:13341)
==29101==    by 0x420E9B: main (readelf.c:14078)
==29101==
==29101== Invalid read of size 1
==29101==    at 0x42EC24: byte_get_little_endian (elfcomm.c:142)
==29101==    by 0x417B1B: process_corefile_note_segment.part.13 (readelf.c:13366)
==29101==    by 0x41EB88: process_object (readelf.c:13341)
==29101==    by 0x420E9B: main (readelf.c:14078)
==29101==  Address 0x4c295c4 is 1 bytes after a block of size 3 alloc'd
==29101==    at 0x4A074CD: malloc (vg_replace_malloc.c:236)
==29101==    by 0x402C2C: get_data (readelf.c:325)
==29101==    by 0x417962: process_corefile_note_segment.part.13 (readelf.c:13344)
==29101==    by 0x41EB88: process_object (readelf.c:13341)
==29101==    by 0x420E9B: main (readelf.c:14078)
==29101==
==29101== Invalid read of size 1
==29101==    at 0x42EC2A: byte_get_little_endian (elfcomm.c:145)
==29101==    by 0x417B1B: process_corefile_note_segment.part.13 (readelf.c:13366)
==29101==    by 0x41EB88: process_object (readelf.c:13341)
==29101==    by 0x420E9B: main (readelf.c:14078)
==29101==  Address 0x4c295c7 is 4 bytes after a block of size 3 alloc'd
==29101==    at 0x4A074CD: malloc (vg_replace_malloc.c:236)
==29101==    by 0x402C2C: get_data (readelf.c:325)
==29101==    by 0x417962: process_corefile_note_segment.part.13 (readelf.c:13344)
==29101==    by 0x41EB88: process_object (readelf.c:13341)
==29101==    by 0x420E9B: main (readelf.c:14078)
==29101==
readelf: Warning: corrupt note found at offset 0 into core notes
readelf: Warning:  type: 0, namesize: 0000457f, descsize: 00000000
==29101==
==29101== HEAP SUMMARY:
==29101==     in use at exit: 0 bytes in 0 blocks
==29101==   total heap usage: 115 allocs, 115 frees, 14,965 bytes allocated
==29101==
==29101== All heap blocks were freed -- no leaks are possible
==29101==
==29101== For counts of detected and suppressed errors, rerun with: -v
==29101== ERROR SUMMARY: 9 errors from 9 contexts (suppressed: 2 from 2)