https://sourceware.org/bugzilla/show_bug.cgi?id=33591
--- Comment #4 from Ziad Salah <zeyadsalah686 at gmail dot com> ---
(In reply to Mark Wielaard from comment #3)
> Could you just show the supposed crash backtrace when running under e.g. gdb?

Okay, I will show.

┌─[ziad@parrot]─[~/Downloads/elfutils-0.194]
└──╼ $./poc
PoC file 'crash-poc.elf' created successfully.
To prove the bug, run: ./src/elfcmp crash-poc.elf crash-poc.elf
This will cause a segmentation fault.
┌─[ziad@parrot]─[~/Downloads/elfutils-0.194]
└──╼ $gdb --args ./src/elfcmp crash-poc.elf crash-poc.elf
GNU gdb (Debian 13.1-3) 13.1
Copyright (C) 2023 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
pwndbg: loaded 214 pwndbg commands. Type pwndbg [filter] for a list.
pwndbg: created 13 GDB functions (can be used with print/break). Type help function to see them.
Reading symbols from ./src/elfcmp...
------- tip of the day (disable with set show-tips off) -------
Use the killall command to kill all specified threads (via their ids)
pwndbg> r
Starting program: /home/ziad/Downloads/elfutils-0.194/src/elfcmp crash-poc.elf crash-poc.elf
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x0000555555566f6a in openbackend (elf=elf@entry=0x5555555b17d0, emulation=emulation@entry=0x0, machine=62) at eblopenbackend.c:330
330	  result->machine = elf->state.elf32.ehdr->e_machine;
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
──────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]──────────────────────────
 RAX  0xc
 RBX  0
 RCX  0xa
 RDX  0x5555555b17d0 —▸ 0x7ffff7fc1000 ◂— 0x10101464c457f
 RDI  0x555555566e30 (default_return_value_location) ◂— mov eax, 0xfffffffe
 RSI  0x5555555acd00 (machines) —▸ 0x5555555674a0 (i386_init) ◂— lea rcx, [rip - 0x77]
 R8   0x34
 R9   8
 R10  0x7ffff7d0ab20 ◂— 0x10002200005f36 /* '6_' */
 R11  0x1e0
 R12  0x5555555b18e0 —▸ 0x555555581a88 ◂— 'elf_x86_64'
 R13  0x3e
 R14  3
 R15  0x5555555acd80 (machines+128) —▸ 0x555555581a88 ◂— 'elf_x86_64'
 RBP  0x555555581a88 ◂— 'elf_x86_64'
 RSP  0x7fffffffd8a0 —▸ 0x5555555b17d0 —▸ 0x7ffff7fc1000 ◂— 0x10101464c457f
 RIP  0x555555566f6a (openbackend+234) ◂— movzx edi, word ptr [rcx + 0x12]
──────────────────────────────────[ DISASM / x86-64 / set emulate on ]──────────────────────────────────
 ► 0x555555566f6a <openbackend+234>    movzx  edi, word ptr [rcx + 0x12]    <Cannot dereference [0x1c]>
   0x555555566f6e <openbackend+238>    mov    qword ptr [r12 + 8], rdi
   0x555555566f73 <openbackend+243>    movzx  edi, byte ptr [rcx + 4]       <Cannot dereference [0xe]>
   0x555555566f77 <openbackend+247>    mov    byte ptr [r12 + 0x10], dil
   0x555555566f7c <openbackend+252>    movzx  ecx, byte ptr [rcx + 5]       <Cannot dereference [0xf]>
   0x555555566f80 <openbackend+256>    add    rax, r14                      RAX => 0xc + 0x3
   0x555555566f83 <openbackend+259>    mov    byte ptr [r12 + 0x11], cl
   0x555555566f88 <openbackend+264>    mov    rax, qword ptr [rsi + rax*8]
   0x555555566f8c <openbackend+268>    test   rax, rax
   0x555555566f8f <openbackend+271>    je     openbackend+366               <openbackend+366>
   0x555555566f91 <openbackend+273>    mov    rbx, qword ptr [rsp]
──────────────────────────────────────────[ SOURCE (CODE) ]──────────────────────────────────────────
In file: /home/ziad/Downloads/elfutils-0.194/libebl/eblopenbackend.c:330
   325 	  result->class = machines[cnt].class;
   326 	  result->data = machines[cnt].data;
   327 	}
   328       else
   329 	{
 ► 330 	  result->machine = elf->state.elf32.ehdr->e_machine;
   331 	  result->class = elf->state.elf32.ehdr->e_ident[EI_CLASS];
   332 	  result->data = elf->state.elf32.ehdr->e_ident[EI_DATA];
   333 	}
   334 
   335       if (machines[cnt].init &&
──────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────
00:0000│ rsp 0x7fffffffd8a0 —▸ 0x5555555b17d0 —▸ 0x7ffff7fc1000 ◂— 0x10101464c457f
01:0008│     0x7fffffffd8a8 ◂— 0x3e6905cf4f
02:0010│     0x7fffffffd8b0 ◂— 0x176ee096
03:0018│     0x7fffffffd8b8 —▸ 0x5555555b17d0 —▸ 0x7ffff7fc1000 ◂— 0x10101464c457f
04:0020│     0x7fffffffd8c0 —▸ 0x5555555b17d0 —▸ 0x7ffff7fc1000 ◂— 0x10101464c457f
05:0028│     0x7fffffffd8c8 —▸ 0x7fffffffe0e4 ◂— 'crash-poc.elf'
06:0030│     0x7fffffffd8d0 —▸ 0x7fffffffda40 ◂— 0
07:0038│     0x7fffffffd8d8 —▸ 0x7fffffffda38 ◂— 0
────────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────────
 ► 0   0x555555566f6a openbackend+234
   1   0x555555567203 ebl_openbackend+35
   2   0x55555556672f open_file+63
   3   0x5555555645dc main+188
   4   0x7ffff7d1b24a __libc_start_call_main+122
   5   0x7ffff7d1b305 __libc_start_main+133
   6   0x5555555664b1 _start+33
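The faulting line 330 (and the two lines after it) read three ELF header fields, e_machine, e_ident[EI_CLASS] and e_ident[EI_DATA], through an ehdr pointer that, per the registers above, holds 0xa rather than a mapped address; the disassembly shows the loads at offsets 0x12, 4 and 5 from that pointer. The following is an added example, written for this page and not code from the bug report or from elfutils, that pulls the same three fields out of a raw, bounds-checked byte buffer and refuses to read when the pointer is null, the buffer is too short for the header, or the magic, class or data-encoding byte is not valid. All names (read_ehdr_summary, build_x86_64_ehdr, the ehdr_status codes) and the sample 64-byte x86-64 header are constructed for the example; the ELF constants are spelled out inline so the file builds without <elf.h>.

```c
/* Added example: defensive extraction of e_machine, e_ident[EI_CLASS] and
 * e_ident[EI_DATA] from a raw ELF header buffer.  Not part of elfutils. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ELF constants written out so <elf.h> is not required. */
#define EI_NIDENT     16
#define EI_CLASS      4     /* offset the crashing code reads for class  */
#define EI_DATA       5     /* offset the crashing code reads for data   */
#define ELFCLASS32    1
#define ELFCLASS64    2
#define ELFDATA2LSB   1
#define ELFDATA2MSB   2
#define EM_X86_64     62    /* "machine=62" in the backtrace             */
#define E_MACHINE_OFF 0x12  /* same offset in Elf32_Ehdr and Elf64_Ehdr  */
#define EHDR32_SIZE   52
#define EHDR64_SIZE   64

/* The three values openbackend copies into its result (field names changed
 * only because `class` is awkward for C++ compilers). */
struct ehdr_summary {
    uint16_t machine;
    uint8_t  elfclass;
    uint8_t  elfdata;
};

enum ehdr_status {
    EHDR_OK = 0,
    EHDR_NULL,        /* caller passed a null buffer or output pointer */
    EHDR_TRUNCATED,   /* buffer shorter than the header it claims      */
    EHDR_BAD_MAGIC,   /* not "\x7fELF"                                  */
    EHDR_BAD_CLASS,   /* e_ident[EI_CLASS] is neither 32 nor 64        */
    EHDR_BAD_DATA     /* e_ident[EI_DATA] is neither LSB nor MSB       */
};

/* Every field is validated before the byte holding it is touched, so an
 * invalid pointer or a short file yields an error code, not a fault. */
enum ehdr_status read_ehdr_summary(const uint8_t *buf, size_t len,
                                   struct ehdr_summary *out)
{
    if (buf == NULL || out == NULL)
        return EHDR_NULL;
    if (len < EI_NIDENT)
        return EHDR_TRUNCATED;
    if (!(buf[0] == 0x7f && buf[1] == 'E' && buf[2] == 'L' && buf[3] == 'F'))
        return EHDR_BAD_MAGIC;

    uint8_t elfclass = buf[EI_CLASS];
    uint8_t elfdata  = buf[EI_DATA];
    size_t need;
    if (elfclass == ELFCLASS32)      need = EHDR32_SIZE;
    else if (elfclass == ELFCLASS64) need = EHDR64_SIZE;
    else                             return EHDR_BAD_CLASS;
    if (elfdata != ELFDATA2LSB && elfdata != ELFDATA2MSB)
        return EHDR_BAD_DATA;
    if (len < need)                  /* e_machine lies inside the full header */
        return EHDR_TRUNCATED;

    /* Decode e_machine in the file's own byte order. */
    uint16_t machine = (elfdata == ELFDATA2LSB)
        ? (uint16_t)(buf[E_MACHINE_OFF] | (buf[E_MACHINE_OFF + 1] << 8))
        : (uint16_t)((buf[E_MACHINE_OFF] << 8) | buf[E_MACHINE_OFF + 1]);

    out->machine  = machine;
    out->elfclass = elfclass;
    out->elfdata  = elfdata;
    return EHDR_OK;
}

/* Constructed sample input: a minimal little-endian x86-64 ELF header. */
void build_x86_64_ehdr(uint8_t buf[EHDR64_SIZE])
{
    memset(buf, 0, EHDR64_SIZE);
    buf[0] = 0x7f; buf[1] = 'E'; buf[2] = 'L'; buf[3] = 'F';
    buf[EI_CLASS] = ELFCLASS64;
    buf[EI_DATA]  = ELFDATA2LSB;
    buf[6]        = 1;              /* EI_VERSION = EV_CURRENT */
    buf[16]       = 2;              /* e_type = ET_EXEC        */
    buf[E_MACHINE_OFF]     = EM_X86_64 & 0xff;
    buf[E_MACHINE_OFF + 1] = EM_X86_64 >> 8;
}

int main(void)
{
    uint8_t hdr[EHDR64_SIZE];
    struct ehdr_summary s;
    build_x86_64_ehdr(hdr);

    printf("full header : status %d machine %u class %u data %u\n",
           read_ehdr_summary(hdr, sizeof hdr, &s), s.machine, s.elfclass, s.elfdata);
    printf("null pointer: status %d\n", read_ehdr_summary(NULL, sizeof hdr, &s));
    printf("20 bytes    : status %d\n", read_ehdr_summary(hdr, 20, &s));
    hdr[0] = 0;
    printf("bad magic   : status %d\n", read_ehdr_summary(hdr, sizeof hdr, &s));
    return 0;
}
```

The point of the order of checks is that the 16-byte e_ident block is validated before anything beyond it is read, and the class byte decides how large the header must be before e_machine at 0x12 is touched; a null or garbage pointer and a file cut off inside the header both come back as status codes the caller can report, instead of the SIGSEGV shown in the backtrace.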
