https://sourceware.org/bugzilla/show_bug.cgi?id=21995
Bug ID: 21995
Summary: Hang in process_mips_specific (readelf.c)
Product: binutils
Version: 2.29
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: Imdb95 at gmail dot com
Target Milestone: ---

Created attachment 10361 --> https://sourceware.org/bugzilla/attachment.cgi?id=10361&action=edit
Crafted elf file used to trigger the bug

Hello,

I found this bug when fuzzing readelf with afl-fuzz.

==========Reproduce==========

Trigger the bug:

manh@manh-VirtualBox:~/Fuzzing/afl/binutils$ ./build-binutils-2.29-ggdb/bin/readelf -a readelf_hang_slave_id03.elf

==========Actual Result==========

The program readelf hangs for a very long time, printing repeated outputs.

manh@manh-VirtualBox:~/Fuzzing/afl/binutils$ ./build-binutils-2.29-ggdb/bin/readelf -a readelf_hang_slave_id03.elf
ELF Header:
  Magic:   7f 45 4c 46 02 14 01 00 00 00 00 00 00 00 00 00
  Class:                             ELF64
.....................
  00000000008028f8 <unknown>
  0000000000802900 <unknown>
  0000000000802908 <unknown>
  0000000000802910 <unknown>
  0000000000802918 <unknown>
.....................

==========Build Date & Hardware==========

Version: binutils 2.29 (https://ftp.gnu.org/gnu/binutils/binutils-2.29.tar.gz)

Compilation on Ubuntu 16.04:

manh@manh-VirtualBox:~/Fuzzing/afl/binutils/binutils-2.29$ uname -a
Linux manh-VirtualBox 4.4.0-91-generic #114-Ubuntu SMP Tue Aug 8 11:56:56 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

manh@manh-VirtualBox:~/Fuzzing/afl/binutils/binutils-2.29$ sudo ./configure --prefix=`pwd`/../build-binutils-2.29-ggdb CC="gcc" CXX="g++" CFLAGS="-ldl -Wno-error -ggdb -O0" CXXFLAGS="-ldl -Wno-error -ggdb -O0" && sudo make && sudo make install

==========Additional Information==========

Detailed analysis of the bug:

The while loop at line readelf.c:15835 breaks if ent < local_end. With the crafted elf readelf_hang_slave_id03.elf, local_end = 0x400007f0000, ent starts at 0x7f0010.

The function print_mips_got_entry makes ent increase by 8 each iteration, so the while loop would run for a very long time.

Cheers,
Manh

_______________________________________________
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils
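The hazard the report describes is a loop bound computed from an untrusted header value: local_end comes from a GOT entry count in the dynamic section, while the bytes readelf can actually read come from the file. The following is an added illustration, not binutils' own code and not a patch for this bug. It plugs the report's two numbers (ent = 0x7f0010, local_end = 0x400007f0000) into an arithmetic model of the unbounded walk, and beside it shows a hypothetical hardened walker that clamps the end address to the bytes loaded before looping. The GOT base address 0x7f0000, the four sample entries, and the names unchecked_iterations / walk_local_got are constructed assumptions for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define ADDR_SIZE 8   /* ELF64 GOT entry size; the reported file is ELF64 */

/* Constructed sample: four little-endian 8-byte GOT entries holding
   0x11, 0x22, 0x33 and 0x44. Not taken from the attached file. */
const unsigned char sample_got[4 * ADDR_SIZE] = {
    0x11, 0, 0, 0, 0, 0, 0, 0,
    0x22, 0, 0, 0, 0, 0, 0, 0,
    0x33, 0, 0, 0, 0, 0, 0, 0,
    0x44, 0, 0, 0, 0, 0, 0, 0,
};

/* Iterations an unbounded "while (ent < local_end)" walk would perform when
   each step advances ent by ADDR_SIZE. Computed arithmetically so the
   report's values can be examined without actually spinning. */
uint64_t unchecked_iterations(uint64_t ent, uint64_t local_end)
{
    if (ent >= local_end)
        return 0;
    uint64_t span = local_end - ent;
    return span / ADDR_SIZE + (span % ADDR_SIZE != 0);
}

typedef struct {
    uint64_t entries_read;  /* entries that lay entirely inside the buffer */
    uint64_t sum;           /* sum of entry values, to show they were read */
    int truncated;          /* 1 if local_end reached past the loaded bytes */
} got_walk_result;

static uint64_t read_le64(const unsigned char *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

/* Hypothetical hardened walker. data/data_len are the bytes loaded for the
   GOT, pltgot its base address, ent the first entry to print and local_end
   the end address derived from the untrusted entry count. The end is clamped
   to the loaded bytes before the loop, so the iteration count is bounded by
   the file contents rather than by a header field. */
got_walk_result walk_local_got(const unsigned char *data, size_t data_len,
                               uint64_t pltgot, uint64_t ent, uint64_t local_end)
{
    got_walk_result r = {0, 0, 0};

    /* Corrupt geometry: end before base, start before base, or misaligned
       start. Nothing sensible to walk. */
    if (local_end < pltgot || ent < pltgot || (ent - pltgot) % ADDR_SIZE != 0)
        return r;

    /* Only whole entries that fit inside data_len may be read. */
    uint64_t loaded_end = pltgot + (uint64_t)(data_len / ADDR_SIZE) * ADDR_SIZE;
    if (local_end > loaded_end) {
        r.truncated = 1;
        local_end = loaded_end;
    }

    while (ent < local_end) {
        uint64_t val = read_le64(data + (ent - pltgot));
        printf("  %016llx %016llx\n",
               (unsigned long long)ent, (unsigned long long)val);
        r.sum += val;
        r.entries_read++;
        ent += ADDR_SIZE;
    }
    if (r.truncated)
        printf("  <local GOT end lies beyond the loaded data; stopped after %llu entries>\n",
               (unsigned long long)r.entries_read);
    return r;
}

int main(void)
{
    /* The report's values: ent starts at 0x7f0010, local_end = 0x400007f0000. */
    printf("unbounded walk would need %llu iterations\n",
           (unsigned long long)unchecked_iterations(0x7f0010ULL, 0x400007f0000ULL));
    got_walk_result r = walk_local_got(sample_got, sizeof sample_got,
                                       0x7f0000ULL, 0x7f0010ULL, 0x400007f0000ULL);
    printf("hardened walk read %llu entries, truncated=%d\n",
           (unsigned long long)r.entries_read, r.truncated);
    return 0;
}
```

With the report's numbers the unbounded model yields roughly 5.5e11 iterations, each one printing a line, which is the observed hang. The clamped walker reads the two entries that exist past 0x7f0010 in the sample buffer and reports that the declared end lay beyond the data. Bounds derived from counts in DT_MIPS_LOCAL_GOTNO and similar tags should always be checked against the section size before a loop uses them.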