https://sourceware.org/bugzilla/show_bug.cgi?id=33591

--- Comment #10 from Ziad Salah <zeyadsalah686 at gmail dot com> ---
(In reply to Mark Wielaard from comment #5)
> Sorry, I cannot replicate this and the description really doesn't make sense.
> There is nothing really wrong with having "unmatched" e_machine,
> e_ident[EI_CLASS|DATA].
> It would be surprising if after all these years such things would confuse
> elfutils.
> 
> Are you able to reproduce this crash with your distro package "eu-elfcmp"
> binary?
> 
> If you still believe you have found a bug then try rebuilding your elfutils
> with CFLAGS="-g -O0" so you might get better debug results. Please show your
> configure line and CFLAG used. Your backtrace really should show the
> files/lines callchain that caused your crash. Also please show the
> structures that result, elf and elf->state.elf32.ehdr variables point to.

My system does not have a pre-installed elfutils package, so I was unable to
test against a distro binary. The tests were performed on a version compiled
directly from the elfutils-0.194 source tarball installed from
https://sourceware.org/elfutils/ftp/0.194/. I have performed a make clean and
then rebuilt the project using the exact flags you recommended:
./configure CFLAGS="-g -O0"
make -j$(nproc)
The crash is 100% reproducible with this new binary.

┌─[ziad@parrot]─[~/Downloads/elfutils-0.194]
└──╼ $gdb --args ./src/elfcmp crash-poc.elf crash-poc.elf
GNU gdb (Debian 13.1-3) 13.1
Copyright (C) 2023 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
pwndbg: loaded 214 pwndbg commands. Type pwndbg [filter] for a list.
pwndbg: created 13 GDB functions (can be used with print/break). Type help function to see them.
Reading symbols from ./src/elfcmp...
------- tip of the day (disable with set show-tips off) -------
Calling functions like call (void)puts("hello world") will run all other target
threads for the time the function runs. Use set scheduler-locking on to lock
the execution to current thread when calling functions
pwndbg> r
Starting program: /home/ziad/Downloads/elfutils-0.194/src/elfcmp crash-poc.elf crash-poc.elf
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
openbackend (elf=0x5555555c17d0, emulation=0x0, machine=62) at eblopenbackend.c:330
330                 result->machine = elf->state.elf32.ehdr->e_machine;
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
──────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]──────────────────────────────
 RAX  0xa
 RBX  0x7fffffffdd18 —▸ 0x7fffffffe0b5 ◂— '/home/ziad/Downloads/elfutils-0.194/src/elfcmp'
 RCX  0x5555555c18d0 ◂— 0
 RDX  0x5555555908ec ◂— 'elf_x86_64'
 RDI  0x5555555c18e0 —▸ 0x5555555908ec ◂— 'elf_x86_64'
 RSI  0
 R8   0x34
 R9   8
 R10  0x7ffff7d0ab20 ◂— 0x10002200005f36 /* '6_' */
 R11  0x1e0
 R12  0
 R13  0x7fffffffdd38 —▸ 0x7fffffffe100 ◂— 'SHELL=/bin/bash'
 R14  0x5555555b6a38 (__do_global_dtors_aux_fini_array_entry) —▸ 0x5555555635a0 (__do_global_dtors_aux) ◂— endbr64
 R15  0x7ffff7ffd020 (_rtld_global) —▸ 0x7ffff7ffe2e0 —▸ 0x555555554000 ◂— 0x10102464c457f
 RBP  0x7fffffffd520 —▸ 0x7fffffffd590 —▸ 0x7fffffffd620 —▸ 0x7fffffffdc00 ◂— 3
 RSP  0x7fffffffd4f0 ◂— 0x34 /* '4' */
 RIP  0x55555556778e (openbackend+373) ◂— movzx eax, word ptr [rax + 0x12]
──────────────────────────────[ DISASM / x86-64 / set emulate on ]──────────────────────────────
 ► 0x55555556778e <openbackend+373>    movzx  eax, word ptr [rax + 0x12]     <Cannot dereference [0x1c]>
   0x555555567792 <openbackend+377>    movzx  edx, ax
   0x555555567795 <openbackend+380>    mov    rax, qword ptr [rbp - 0x10]    RAX, [0x7fffffffd510]
   0x555555567799 <openbackend+384>    mov    qword ptr [rax + 8], rdx
   0x55555556779d <openbackend+388>    mov    rax, qword ptr [rbp - 0x18]    RAX, [0x7fffffffd508]
   0x5555555677a1 <openbackend+392>    mov    rax, qword ptr [rax + 0x78]
   0x5555555677a5 <openbackend+396>    movzx  edx, byte ptr [rax + 4]
   0x5555555677a9 <openbackend+400>    mov    rax, qword ptr [rbp - 0x10]    RAX, [0x7fffffffd510]
   0x5555555677ad <openbackend+404>    mov    byte ptr [rax + 0x10], dl
   0x5555555677b0 <openbackend+407>    mov    rax, qword ptr [rbp - 0x18]    RAX, [0x7fffffffd508]
   0x5555555677b4 <openbackend+411>    mov    rax, qword ptr [rax + 0x78]
──────────────────────────────[ SOURCE (CODE) ]──────────────────────────────
In file: /home/ziad/Downloads/elfutils-0.194/libebl/eblopenbackend.c:330
   325             result->class = machines[cnt].class;
   326             result->data = machines[cnt].data;
   327           }
   328         else
   329           {
 ► 330             result->machine = elf->state.elf32.ehdr->e_machine;
   331             result->class = elf->state.elf32.ehdr->e_ident[EI_CLASS];
   332             result->data = elf->state.elf32.ehdr->e_ident[EI_DATA];
   333           }
   334 
   335         if (machines[cnt].init &&
──────────────────────────────[ STACK ]──────────────────────────────
00:0000│ rsp 0x7fffffffd4f0 ◂— 0x34 /* '4' */
01:0008│-028 0x7fffffffd4f8 ◂— 0x3e00001000
02:0010│-020 0x7fffffffd500 ◂— 0
03:0018│-018 0x7fffffffd508 —▸ 0x5555555c17d0 —▸ 0x7ffff7fc1000 ◂— 0x10101464c457f
04:0020│-010 0x7fffffffd510 —▸ 0x5555555c18e0 —▸ 0x5555555908ec ◂— 'elf_x86_64'
05:0028│-008 0x7fffffffd518 ◂— 3
06:0030│ rbp 0x7fffffffd520 —▸ 0x7fffffffd590 —▸ 0x7fffffffd620 —▸ 0x7fffffffdc00 ◂— 3
07:0038│+008 0x7fffffffd528 —▸ 0x555555567916 (ebl_openbackend+77) ◂— leave
──────────────────────────────[ BACKTRACE ]──────────────────────────────
 ► 0   0x55555556778e openbackend+373
   1   0x555555567916 ebl_openbackend+77
   2   0x5555555662f0 open_file+266
   3   0x555555563751 main+360
   4   0x7ffff7d1b24a __libc_start_call_main+122
   5   0x7ffff7d1b305 __libc_start_main+133
   6   0x555555563521 _start+33
──────────────────────────────────────────────────────────────────────────────
pwndbg>
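The crash site above reads e_machine through elf->state.elf32.ehdr, so the practical question for any ELF reader is what it verifies before trusting that pointer. The C program below is an added example, not part of this bug report and not elfutils code; the names probe_ehdr and make_sample are made up for it. It parses only e_ident and e_machine from a raw buffer: it checks the header against the buffer length, validates EI_CLASS and EI_DATA, decodes e_machine in the file's own byte order rather than the host's, and treats an ELFCLASS32 ident paired with EM_X86_64 (the kind of combination comment #5 calls "unmatched") as well-formed input to be reported, not as an error. All sample headers are constructed inside the program.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constants from the ELF specification (only the subset used here). */
#define EI_CLASS        4
#define EI_DATA         5
#define ELFCLASS32      1
#define ELFCLASS64      2
#define ELFDATA2LSB     1
#define ELFDATA2MSB     2
#define EM_X86_64       62
#define E_MACHINE_OFF   0x12   /* after e_ident[16] and e_type; same offset in Elf32/Elf64 */
#define ELF32_EHDR_SIZE 52
#define ELF64_EHDR_SIZE 64

enum probe_status { PROBE_OK = 0, PROBE_SHORT, PROBE_BAD_MAGIC, PROBE_BAD_CLASS, PROBE_BAD_DATA };

struct probe_result {
    unsigned char elf_class;   /* e_ident[EI_CLASS] as found in the file */
    unsigned char elf_data;    /* e_ident[EI_DATA] as found in the file */
    uint16_t      machine;     /* e_machine, decoded in the file's own byte order */
};

/* Decode a 16-bit field according to EI_DATA instead of assuming host endianness. */
static uint16_t read_u16(const unsigned char *p, unsigned char data)
{
    return data == ELFDATA2MSB ? (uint16_t)((p[0] << 8) | p[1])
                               : (uint16_t)((p[1] << 8) | p[0]);
}

/* Validate e_ident and the header length before touching e_machine. Each early
   return is a case where blindly dereferencing an Elf32_Ehdr/Elf64_Ehdr pointer
   would read past the end of the data or through an invalid pointer. */
enum probe_status probe_ehdr(const unsigned char *buf, size_t len, struct probe_result *out)
{
    static const unsigned char magic[4] = { 0x7f, 'E', 'L', 'F' };
    if (buf == NULL || len < 16)
        return PROBE_SHORT;                        /* not even a complete e_ident */
    if (memcmp(buf, magic, sizeof magic) != 0)
        return PROBE_BAD_MAGIC;
    unsigned char cls = buf[EI_CLASS], data = buf[EI_DATA];
    if (cls != ELFCLASS32 && cls != ELFCLASS64)
        return PROBE_BAD_CLASS;
    if (data != ELFDATA2LSB && data != ELFDATA2MSB)
        return PROBE_BAD_DATA;
    size_t need = (cls == ELFCLASS32) ? ELF32_EHDR_SIZE : ELF64_EHDR_SIZE;
    if (len < need)
        return PROBE_SHORT;                        /* header is cut off by end of data */
    out->elf_class = cls;
    out->elf_data  = data;
    out->machine   = read_u16(buf + E_MACHINE_OFF, data);
    return PROBE_OK;
}

/* Build a constructed header (not taken from any real binary): valid ident, zeroed
   body, e_machine written in the declared byte order. Returns the header size. */
size_t make_sample(unsigned char *buf, unsigned char cls, unsigned char data, uint16_t machine)
{
    size_t n = (cls == ELFCLASS32) ? ELF32_EHDR_SIZE : ELF64_EHDR_SIZE;
    memset(buf, 0, n);
    buf[0] = 0x7f; buf[1] = 'E'; buf[2] = 'L'; buf[3] = 'F';
    buf[EI_CLASS] = cls;
    buf[EI_DATA]  = data;
    buf[6] = 1;                                    /* EI_VERSION = EV_CURRENT */
    if (data == ELFDATA2MSB) {
        buf[E_MACHINE_OFF]     = (unsigned char)(machine >> 8);
        buf[E_MACHINE_OFF + 1] = (unsigned char)(machine & 0xff);
    } else {
        buf[E_MACHINE_OFF]     = (unsigned char)(machine & 0xff);
        buf[E_MACHINE_OFF + 1] = (unsigned char)(machine >> 8);
    }
    return n;
}

int main(void)
{
    unsigned char buf[ELF64_EHDR_SIZE];
    struct probe_result r;
    enum probe_status st;

    /* Ordinary x86-64 object: ELFCLASS64, little-endian, EM_X86_64. */
    size_t n = make_sample(buf, ELFCLASS64, ELFDATA2LSB, EM_X86_64);
    st = probe_ehdr(buf, n, &r);
    printf("elf64 x86_64: status=%d machine=%u class=%u\n", st, r.machine, r.elf_class);

    /* ELFCLASS32 ident carrying EM_X86_64: unusual, but well-formed, so it is reported. */
    n = make_sample(buf, ELFCLASS32, ELFDATA2LSB, EM_X86_64);
    st = probe_ehdr(buf, n, &r);
    printf("elf32 x86_64: status=%d machine=%u class=%u\n", st, r.machine, r.elf_class);

    /* Truncated input: only 10 bytes present, so e_machine is never read. */
    st = probe_ehdr(buf, 10, &r);
    printf("truncated: status=%d (PROBE_SHORT=%d)\n", st, PROBE_SHORT);
    return 0;
}
```

Build with cc -std=c99 -Wall probe.c and run it; the three early returns are the whole point, since a short or non-ELF buffer never reaches the e_machine read, and an odd class/machine pairing is simply passed through to the caller to decide what to do with.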
