https://sourceware.org/bugzilla/show_bug.cgi?id=33591

--- Comment #15 from Ziad Salah <zeyadsalah686 at gmail dot com> ---
I uploaded my make configuration in a screenshot.
And about vanilla gdb, yes, it crashed there.

┌─[ziad@parrot]─[~/Downloads/elfutils-0.194]
└──╼ $./poc
PoC file 'crash-poc.elf' created successfully.

To prove the bug, run:
  ./src/elfcmp crash-poc.elf crash-poc.elf

This will cause a segmentation fault.
┌─[ziad@parrot]─[~/Downloads/elfutils-0.194]
└──╼ $gdb -nx --batch \
    -ex "r" \
    -ex "echo \n\n---[ Full Backtrace (bt full) ]---\n" \
    -ex "bt full" \
    -ex "echo \n\n---[ Printing '*elf' as requested ]---\n" \
    -ex "p *elf" \
    -ex "echo \n\n---[ Attempting to print '*elf->state.elf32.ehdr' as requested ]---\n" \
    -ex "p *elf->state.elf32.ehdr" \
    --args ./src/elfcmp crash-poc.elf crash-poc.elf
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
openbackend (elf=0x5555555c17d0, emulation=0x0, machine=62) at
eblopenbackend.c:330
330                 result->machine = elf->state.elf32.ehdr->e_machine;


---[ Full Backtrace (bt full) ]---
#0  openbackend (elf=0x5555555c17d0, emulation=0x0, machine=62) at
eblopenbackend.c:330
        result = 0x5555555c18e0
        cnt = 3
        __PRETTY_FUNCTION__ = "openbackend"
#1  0x0000555555567916 in ebl_openbackend (elf=0x5555555c17d0) at
eblopenbackend.c:377
        ehdr_mem = {e_ident =
"\177ELF\001\001\001\000\000\000\000\000\000\000\000", e_type = 2, e_machine =
62, e_version = 1, e_entry = 0, e_phoff = 0, e_shoff = 0, e_flags = 0, e_ehsize
= 0, e_phentsize = 0, e_phnum = 0, e_shentsize = 0, e_shnum = 0, e_shstrndx =
0}
        ehdr = 0x7fffffffd540
#2  0x00005555555662f0 in open_file (fname=0x7fffffffe0e4 "crash-poc.elf",
fdp=0x7fffffffd850, eblp=0x7fffffffd848) at elfcmp.c:739
        fd = 3
        elf = 0x5555555c17d0
        ebl = 0x7fffffffdd18
#3  0x0000555555563751 in main (argc=3, argv=0x7fffffffdd18) at elfcmp.c:161
        remaining = 1
        result = 0
        fname1 = 0x7fffffffe0e4 "crash-poc.elf"
        fd1 = -8904
        ebl1 = 0x7ffff7ec7198 <[email protected]>
        elf1 = 0x0
        fname2 = 0x0
        fd2 = 0
        ebl2 = 0x7ffff7fc2be0
        elf2 = 0x0
        ehdr1_mem = {e_ident =
"\000\000\000\000\000\000\000\000\377\377\377\377\000\000\000", e_type = 43128,
e_machine = 63484, e_version = 32767, e_entry = 140737354128080, e_phoff = 0,
e_shoff = 0, e_flags = 0, e_ehsize = 0, e_phentsize = 0, e_phnum = 0,
e_shentsize = 0, e_shnum = 0, e_shstrndx = 0}
        ehdr1 = 0x0
        ehdr2_mem = {e_ident =
"\370\327\377\377\377\177\000\000\000\330\377\377\377\177\000", e_type = 12136,
e_machine = 63484, e_version = 32767, e_entry = 0, e_phoff = 0, e_shoff = 0,
e_flags = 0, e_ehsize = 0, e_phentsize = 0, e_phnum = 1, e_shentsize = 0,
e_shnum = 0, e_shstrndx = 0}
        ehdr2 = 0x0
        shnum1 = 140737353886688
        shnum2 = 1
        phnum1 = 0
        phnum2 = 1
        shstrndx1 = 140737350043808
        shstrndx2 = 8
        scn1 = 0x0
        scn2 = 0x0
        regions = 0x0
        nregions = 0
        __PRETTY_FUNCTION__ = "main"
        ehdr_region = {from = 140737353886688, to = 3167716, next =
0x7fffffffd880}
        phdr_region = {from = 0, to = 140737351074119, next = 0x7ffff7fc2f68}
        raw1 = 0x0
        size1 = 0
        raw2 = 0x0
        size2 = 0
        regionsarr = 0x0


---[ Printing '*elf' as requested ]---
$1 = {map_address = 0x7ffff7fc1000, parent = 0x0, next = 0x0, kind = ELF_K_ELF,
cmd = ELF_C_READ_MMAP, class = 1, fildes = 3, start_offset = 0, maximum_size =
52, flags = 64, ref_count = 1, elf_ar_hdr = {ar_name = 0x0, ar_date =
140737353879552, ar_uid = 0, ar_gid = 0, ar_mode = 0, ar_size = 93824992680096,
ar_rawname = 0x0}, lock = 0, state = {elf = {ehdr = 0xa, shdr = 0x0, phdr =
0x0, scns_last = 0x0, rawchunk_tree = {root = 0x0, lock = 0}, scnincr = 0,
ehdr_flags = 0, phdr_flags = 0, shdr_malloced = 0, sizestr_offset = 0}, elf32 =
{ehdr = 0xa, shdr = 0x0, phdr = 0x0, scns_last = 0x0, rawchunk_tree = {root =
0x0, lock = 0}, scnincr = 0, ehdr_flags = 0, phdr_flags = 0, shdr_malloced = 0,
sizestr_offset = 0, ehdr_mem = {e_ident = '\000' <repeats 15 times>, e_type =
0, e_machine = 0, e_version = 0, e_entry = 0, e_phoff = 0, e_shoff = 0, e_flags
= 0, e_ehsize = 0, e_phentsize = 0, e_phnum = 0, e_shentsize = 0, e_shnum = 0,
e_shstrndx = 0}, __e32scnspad = '\000' <repeats 11 times>, scns = {cnt = 0, max
= 0, next = 0x1e1, data = 0x5555555c18e0}}, elf64 = {ehdr = 0xa, shdr = 0x0,
phdr = 0x0, scns_last = 0x0, rawchunk_tree = {root = 0x0, lock = 0}, scnincr =
0, ehdr_flags = 0, phdr_flags = 0, shdr_malloced = 0, sizestr_offset = 0,
ehdr_mem = {e_ident = '\000' <repeats 15 times>, e_type = 0, e_machine = 0,
e_version = 0, e_entry = 0, e_phoff = 0, e_shoff = 0, e_flags = 0, e_ehsize =
0, e_phentsize = 0, e_phnum = 0, e_shentsize = 0, e_shnum = 0, e_shstrndx = 0},
scns = {cnt = 0, max = 0, next = 0x1e1, data = 0x5555555c18e0}}, ar = {children
= 0xa, ar_sym = 0x0, ar_sym_num = 0, long_names = 0x0, long_names_len = 0,
offset = 0, cur_ar_hdr = {ar_name = 0x0, ar_date = 0, ar_uid = 0, ar_gid = 0,
ar_mode = 0, ar_size = 0, ar_rawname = 0x0}, ar_hdr = {ar_name = '\000'
<repeats 15 times>, ar_date = '\000' <repeats 11 times>, ar_uid =
"\000\000\000\000\000", ar_gid = "\000\000\000\000\000", ar_mode =
"\000\000\000\000\000\000\000", ar_size =
"\341\001\000\000\000\000\000\000\354\b", ar_fmag = "YU"}, ar_name = "UU",
'\000' <repeats 13 times>, raw_name = '\000' <repeats 12 times>, "ayVUU"}}}


---[ Attempting to print '*elf->state.elf32.ehdr' as requested ]---
Cannot access memory at address 0xa
┌─[✗]─[ziad@parrot]─[~/Downloads/elfutils-0.194]
└──╼ $
