eu-elflint -

wcventure at 126 dot com Thu, 10 Jan 2019 22:08:46 -0800

https://sourceware.org/bugzilla/show_bug.cgi?id=24084


            Bug ID: 24084
           Summary: Negative-size-param when when calling memcpy function
                    in elf_cvt_note function in libelf the latest
                    elfutils-0.174 code base, this inputs will cause the
                    segment faults and I have confirmed them with address
                    sanitizer too.   Please use the ".//eu-elflint -
           Product: elfutils
           Version: unspecified
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: backends
          Assignee: unassigned at sourceware dot org
          Reporter: wcventure at 126 dot com
                CC: elfutils-devel at sourceware dot org
  Target Milestone: ---

Created attachment 11530
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11530&action=edit
POC

Hi there,

Negative-size-param when calling memcpy function in elf_cvt_note function in
libelf the latest elfutils-0.174 code base, this inputs will cause the segment
faults and I have confirmed them with address sanitizer too. 

Please use the ".//eu-elflint -d $POC"to reproduce the bug. If you have any
questions, please let me know.

git log

> commit 1dabad36ee28aa76b8cf14b6426b379cabee6def
> Author: Jim Wilson <[email protected]>
> Date:   Thu Dec 27 15:25:49 2018 -0800
> 
>     RISC-V: Improve riscv64 core file support.
> 
>     This fixes two problems.  The offset for x1 is changed from 1 to 8 because
>     this is a byte offset not a register skip count.  Support for reading the
>     PC value is added.  This requires changing the testsuite to match the new
>     readelf output for coredumps.
> 
>     Signed-off-by: Jim Wilson <[email protected]>

The ASAN dumps the stack trace as follows:

> =================================================================
> ==24780==ERROR: AddressSanitizer: negative-size-param: (size=-4)
>     #0 0x7f23f4234853  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79853)
>     #1 0x7f23f3edaa2c in memcpy 
> /usr/include/x86_64-linux-gnu/bits/string3.h:53
>     #2 0x7f23f3edaa2c in elf_cvt_note /elfutils/libelf/note_xlate.h:63
>     #3 0x7f23f3edaa2c in elf_cvt_note4 /elfutils/libelf/note_xlate.h:79
>     #4 0x7f23f3f2ed30 in convert_data /elfutils/libelf/elf_getdata.c:204
>     #5 0x7f23f3f2ed30 in __libelf_set_data_list_rdlock 
> /elfutils/libelf/elf_getdata.c:447
>     #6 0x7f23f3f301bf in __elf_getdata_rdlock 
> /elfutils/libelf/elf_getdata.c:554
>     #7 0x469a22 in check_note_section /elfutils/src/elflint.c:4428
>     #8 0x469a22 in check_sections /elfutils/src/elflint.c:4182
>     #9 0x47a222 in process_elf_file /elfutils/src/elflint.c:4774
>     #10 0x47a222 in process_file /elfutils/src/elflint.c:242
>     #11 0x4030d5 in main /elfutils/src/elflint.c:175
>     #12 0x7f23f38d182f in __libc_start_main 
> (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
>     #13 0x404718 in _start (/elfutils/build/bin/eu-elflint+0x404718)
> 
> Address 0x7f23f52b3b30 is a wild pointer.
> SUMMARY: AddressSanitizer: negative-size-param 
> (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79853)
> ==24780==ABORTING

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug backends/24084] New: Negative-size-param when when calling memcpy function in elf_cvt_note function in libelf the latest elfutils-0.174 code base, this inputs will cause the segment faults and I have confirmed them with address sanitizer too. Please use the ".//eu-elflint -

Reply via email to