[Bug binutils/18879] New: general protection fault in readelf (byte_get_little_endian())
https://sourceware.org/bugzilla/show_bug.cgi?id=18879

            Bug ID: 18879
           Summary: general protection fault in readelf
                    (byte_get_little_endian())
           Product: binutils
           Version: 2.26 (HEAD)
            Status: NEW
          Severity: critical
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: brian.carpenter at gmail dot com
  Target Milestone: ---

Created attachment 8559
  --> https://sourceware.org/bugzilla/attachment.cgi?id=8559&action=edit
crashing test case

While fuzzing readelf (GNU readelf (GNU Binutils) 2.25.51.20150826) with
American Fuzzy Lop (http://lcamtuf.coredump.cx/afl/), I found a malformed ELF
object that causes a general protection fault.

Command line: ./readelf -a test00-min

Valgrind:

ELF Header:
  Magic:   7f 45 4c 46 02 30 30 30 30 30 30 30 30 30 30 30
  Class:                             ELF64
  Data:                              <unknown: 30>
  Version:                           48
  OS/ABI:                            <unknown: 30>
  ABI Version:                       48
  Type:                              <unknown>: 3030
  Machine:                           Texas Instruments TMS320C6000 DSP family
  Version:                           0x30303030
  Entry point address:               0x3030303030303030
  Start of program headers:          3472328296227680304 (bytes into file)
  Start of section headers:          2544 (bytes into file)
  Flags:                             0x30303030
  Size of this header:               12336 (bytes)
  Size of program headers:           12336 (bytes)
  Number of program headers:         12336
  Size of section headers:           64 (bytes)
  Number of section headers:         48
  Section header string table index: 26
readelf: Error: Section 9 has invalid sh_entsize of 3030303030303030
readelf: Error: (Using the expected size of 24 for the rest of this dump)
readelf: Error: Section 27 has invalid sh_entsize of 3030303030303030
readelf: Error: (Using the expected size of 24 for the rest of this dump)

Section Headers:
  [Nr] Name              Type             Address           Offset
       Size              EntSize          Flags  Link  Info  Align
  [ 0] 30303030: 30303030: 30303030: 30303030: 30303030: 30303030: 30303030: 30303030: 30303030: RELA 3030303030303030 0347 0430 0018 MSxxop 80846443211 3472328296227680304
  [10] 30303030: C6000_UNWIND 3030303030303030 0030 0030 3030303030303030 MSxxop 808464432 808464432 3472328296227680304
  [12] 30303030: 30303030: 30303030: 30303030: 30303030: 30303030: 30303030: 30303030: 30303030: 30303030: 30303030: 30303030: 30303030: 30303030: 30303030: SYMTAB 3030303030303030 1130 0600 0018 MSxxop 28 808464432 3472328296227680304
  [28] 30303030: 00043030: 30303030: 30303030: 30303030: 30303030: 30303030: 30303030: 30303030: 30303030: 30303030: 30303030: 30303030: 30303030: 30303030: 30303030: 30303030: 30303030: 30303030: 30303030:

' at offset 0x347 contains 44 entries:
  Offset          Info           Type           Sym. Value    Sym. Name + Addend
0004 3030303030303030 unrecognized: 30303030 bad symbol index: 30303030
0020 3030303030303030 unrecognized: 30303030 bad symbol index: 30303030
0024 0019 R_C6000_PREL31 3030303030303030 3030303030303030 3030303030303030 unrecognized: 30303030 bad symbol index: 30303030
3030303030303030 3030303030303030 unrecognized: 30303030 bad symbol index: 30303030
3030303030303030 3030303030303030 unrecognized: 30303030 bad symbol index: 30303030
3030303030303030 3030303030303030 unrecognized: 30303030 bad symbol index: 30303030
3030303030303030 3030303030303030 unrecognized: 30303030 bad symbol index: 30303030
3030303030303030 3030303030303030 unrecognized: 30303030 bad symbol index: 30303030
3030303030303030 3030303030303030 unrecognized: 30303030 bad symbol index: 30303030
3030303030303030 3030303030303030 unrecognized: 30303030 bad symbol index: 30303030
3030303030303030 3030303030303030 unrecognized: 30303030 bad symbol index: 30303030
3030303030303030 3030303030303030 unrecognized: 30303030 bad symbol index: 30303030
3030303030303030 3030303030303030 unrecognized: 30303030 bad symbol index: 30303030
3030303030303030 3030303030303030 unrecognized: 30303030 bad symbol index: 30303030
3030303030303030 3030303030303030 unrecognized: 30303030 bad symbol index: 30303030
3030303030303030 3030303030303030 unrecognized: 30303030 bad symbol index: 30303030
3030303030303030 3030
[Bug binutils/18879] general protection fault in readelf (byte_get_little_endian(elfcomm.c:149))
https://sourceware.org/bugzilla/show_bug.cgi?id=18879

geeknik changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|general protection fault in |general protection fault in
                   |readelf                     |readelf
                   |(byte_get_little_endian())  |(byte_get_little_endian(elf
                   |                            |comm.c:149))

-- 
You are receiving this mail because:
You are on the CC list for the bug.
_______________________________________________
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils
[Bug binutils/18895] New: segfault in cxxfilt in d_unqualified_name () at ./cp-demangle.c:1547
https://sourceware.org/bugzilla/show_bug.cgi?id=18895

            Bug ID: 18895
           Summary: segfault in cxxfilt in d_unqualified_name () at
                    ./cp-demangle.c:1547
           Product: binutils
           Version: 2.25
            Status: NEW
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: brian.carpenter at gmail dot com
  Target Milestone: ---

Created attachment 8564
  --> https://sourceware.org/bugzilla/attachment.cgi?id=8564&action=edit
crashing test case

While fuzzing GNU c++filt (GNU Binutils) 2.25.51.20150826 with American Fuzzy
Lop (http://lcamtuf.coredump.cx/afl/), I found a simple 12-byte file that
causes cxxfilt to crash w/ the following command line:

./cxxfilt @test00-min

Valgrind:

==35143== Invalid read of size 1
==35143==    at 0x80CDBF: d_unqualified_name (cp-demangle.c:1547)
==35143==    by 0x813F87: d_name (cp-demangle.c:1391)
==35143==    by 0x815BE7: d_encoding (cp-demangle.c:1257)
==35143==    by 0x8189F4: cplus_demangle_mangled_name (cp-demangle.c:1172)
==35143==    by 0x81AD60: d_demangle_callback (cp-demangle.c:5886)
==35143==    by 0x81AD60: d_demangle (cp-demangle.c:5937)
==35143==    by 0x81AD60: cplus_demangle_v3 (cp-demangle.c:6094)
==35143==    by 0x783A73: cplus_demangle (cplus-dem.c:864)
==35143==    by 0x408192: demangle_it (cxxfilt.c:62)
==35143==    by 0x407618: main (cxxfilt.c:227)
==35143==  Address 0x8ae0ae97 is not stack'd, malloc'd or (recently) free'd
==35143== 
==35143== 
==35143== Process terminating with default action of signal 11 (SIGSEGV)
==35143==  Access not within mapped region at address 0x8AE0AE97
==35143==    at 0x80CDBF: d_unqualified_name (cp-demangle.c:1547)
==35143==    by 0x813F87: d_name (cp-demangle.c:1391)
==35143==    by 0x815BE7: d_encoding (cp-demangle.c:1257)
==35143==    by 0x8189F4: cplus_demangle_mangled_name (cp-demangle.c:1172)
==35143==    by 0x81AD60: d_demangle_callback (cp-demangle.c:5886)
==35143==    by 0x81AD60: d_demangle (cp-demangle.c:5937)
==35143==    by 0x81AD60: cplus_demangle_v3 (cp-demangle.c:6094)
==35143==    by 0x783A73: cplus_demangle (cplus-dem.c:864)
==35143==    by 0x408192: demangle_it (cxxfilt.c:62)
==35143==    by 0x407618: main (cxxfilt.c:227)
==35143==  If you believe this happened as a result of a stack
==35143==  overflow in your program's main thread (unlikely but
==35143==  possible), you can try to increase the size of the
==35143==  main thread stack using the --main-stacksize= flag.
==35143==  The main thread stack size used in this run was 8388608.
Segmentation fault

GDB:

Program received signal SIGSEGV, Segmentation fault.
0x000000000080cdbf in d_unqualified_name () at ./cp-demangle.c:1547
1547	      ret = d_source_name (di);
(gdb) bt
#0  0x000000000080cdbf in d_unqualified_name () at ./cp-demangle.c:1547
#1  0x0000000000813f88 in d_name () at ./cp-demangle.c:1391
#2  0x0000000000815be8 in d_encoding () at ./cp-demangle.c:1257
#3  0x00000000008189f5 in cplus_demangle_mangled_name () at ./cp-demangle.c:1172
#4  0x000000000081ad61 in cplus_demangle_v3 () at ./cp-demangle.c:5886
#5  0x0000000000783a74 in cplus_demangle ()
#6  0x0000000000408193 in demangle_it () at cxxfilt.c:62
#7  0x0000000000407619 in main () at cxxfilt.c:227
(gdb) i r
rax            0x7fffffffde30	140737488346672
rbx            0x7fffffffe0c0	140737488347328
rcx            0xabe2e1	11264737
rdx            0x0	0
rsi            0x8a0fe4ec	-1978669844
rdi            0x0	0
rbp            0x7fffffffde30	0x7fffffffde30
rsp            0x7fffffffdcf0	0x7fffffffdcf0
r8             0xffffffd0	4294967248
r9             0x0	0
r10            0x8a0fe4ec	-1978669844
r11            0x18	24
r12            0x1	1
r13            0x7fffffffe080	140737488347264
r14            0x10b267
r15            0xbc617592186043334
rip            0x80cdbf	0x80cdbf
eflags         0x10202	[ IF RF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0
[Bug binutils/18895] segfault in cxxfilt in d_unqualified_name () at ./cp-demangle.c:1547
https://sourceware.org/bugzilla/show_bug.cgi?id=18895

geeknik changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|normal                      |critical
[Bug binutils/18895] segfault in cxxfilt in d_unqualified_name () at ./cp-demangle.c:1547
https://sourceware.org/bugzilla/show_bug.cgi?id=18895

--- Comment #2 from geeknik ---
Filed gcc bug: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=67393
[Bug binutils/21437] New: heap-buffer-overflow in byte_get_little_endian (binutils/elfcomm.c:148)
https://sourceware.org/bugzilla/show_bug.cgi?id=21437

            Bug ID: 21437
           Summary: heap-buffer-overflow in byte_get_little_endian
                    (binutils/elfcomm.c:148)
           Product: binutils
           Version: 2.28
            Status: UNCONFIRMED
          Severity: critical
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: brian.carpenter at gmail dot com
  Target Milestone: ---

Created attachment 10023
  --> https://sourceware.org/bugzilla/attachment.cgi?id=10023&action=edit
testcase

Triggered in 7a81a73 (27 April 2017). Compiled with afl-clang-fast on Debian 8
x64.

./readelf -a test000
==19397==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb6102f5f at pc 0x08220aaa bp 0xbfc05a38 sp 0xbfc05a2c
READ of size 1 at 0xb6102f5f thread T0
    #0 0x8220aa9 in byte_get_little_endian /root/binutils2/binutils/elfcomm.c:148:33
    #1 0x817da69 in process_version_sections /root/binutils2/binutils/readelf.c:10189:18
    #2 0x817da69 in process_object /root/binutils2/binutils/readelf.c:17788
    #3 0x8155cdd in process_file /root/binutils2/binutils/readelf.c:18183:13
    #4 0x8155cdd in main /root/binutils2/binutils/readelf.c:18255
    #5 0xb751b275 in __libc_start_main /build/glibc-4LXvX6/glibc-2.24/csu/../csu/libc-start.c:291
    #6 0x8060ec7 in _start (/root/binutils2/binutils/readelf+0x8060ec7)

0xb6102f5f is located 1 bytes to the left of 49-byte region [0xb6102f60,0xb6102f91)
allocated by thread T0 here:
    #0 0x811aa94 in __interceptor_malloc (/root/binutils2/binutils/readelf+0x811aa94)
    #1 0x8156dba in get_data /root/binutils2/binutils/readelf.c:392:9

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/binutils2/binutils/elfcomm.c:148:33 in byte_get_little_endian
[Bug binutils/21439] New: heap-buffer-overflow in print_gnu_build_attribute_name (binutils/readelf.c:17059)
https://sourceware.org/bugzilla/show_bug.cgi?id=21439

            Bug ID: 21439
           Summary: heap-buffer-overflow in print_gnu_build_attribute_name
                    (binutils/readelf.c:17059)
           Product: binutils
           Version: 2.29 (HEAD)
            Status: UNCONFIRMED
          Severity: critical
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: brian.carpenter at gmail dot com
  Target Milestone: ---

Created attachment 10028
  --> https://sourceware.org/bugzilla/attachment.cgi?id=10028&action=edit
testcase

Triggered in 7a81a73 (27 April 2017). Compiled with afl-clang-fast on Debian 8
x64.

./readelf -a test001
==5875==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb5d006b3 at pc 0x081c2d95 bp 0xbfa4d8a8 sp 0xbfa4d89c
READ of size 2 at 0xb5d006b3 thread T0
    #0 0x81c2d94 in print_gnu_build_attribute_name /root/binutils2/binutils/readelf.c:17059:28
    #1 0x81c2d94 in process_note /root/binutils2/binutils/readelf.c:17187
    #2 0x81c2d94 in process_notes_at /root/binutils2/binutils/readelf.c:17360
    #3 0x81822ec in process_note_sections /root/binutils2/binutils/readelf.c:17494:10
    #4 0x81822ec in process_notes /root/binutils2/binutils/readelf.c:17529
    #5 0x81822ec in process_object /root/binutils2/binutils/readelf.c:17794
    #6 0x8155cdd in process_file /root/binutils2/binutils/readelf.c:18183:13
    #7 0x8155cdd in main /root/binutils2/binutils/readelf.c:18255
    #8 0xb7530275 in __libc_start_main /build/glibc-4LXvX6/glibc-2.24/csu/../csu/libc-start.c:291
    #9 0x8060ec7 in _start (/root/binutils2/binutils/readelf+0x8060ec7)

0xb5d006b3 is located 0 bytes to the right of 3-byte region [0xb5d006b0,0xb5d006b3)
allocated by thread T0 here:
    #0 0x811aa94 in __interceptor_malloc (/root/binutils2/binutils/readelf+0x811aa94)
    #1 0x81bdbfb in process_notes_at /root/binutils2/binutils/readelf.c:17345:20
    #2 0x81822ec in process_note_sections /root/binutils2/binutils/readelf.c:17494:10
    #3 0x81822ec in process_notes /root/binutils2/binutils/readelf.c:17529
    #4 0x81822ec in process_object /root/binutils2/binutils/readelf.c:17794
    #5 0x8155cdd in process_file /root/binutils2/binutils/readelf.c:18183:13
    #6 0x8155cdd in main /root/binutils2/binutils/readelf.c:18255
    #7 0xb7530275 in __libc_start_main /build/glibc-4LXvX6/glibc-2.24/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/binutils2/binutils/readelf.c:17059:28 in print_gnu_build_attribute_name
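The ASan report above places the 2-byte read exactly at the end of a 3-byte heap allocation made in process_notes_at, i.e. a field read that did not check the length of the buffer it was reading from. The C below is an added example, not binutils code and not the upstream fix: it walks an ELF note section, validates namesz, descsz and the 4-byte padding against the bytes that remain before exposing each note, and reads fields out of a note's name only through a length-checked accessor. The sample section is constructed here and is not the reporter's test001 (whose bytes are not in the report): a plain "GNU" note, a note whose name is only the 3 bytes "GA\0" (copying just the 3-byte size from the report; the "GA" prefix and the type value 0x100 are what this example assumes for a GNU build attribute note), and a trailing header claiming a 4 GiB name. All names (view, parse_notes, name_u16, sample_*) are this example's own.

```c
/* Bounds-checked walk of an ELF note section.  Added example for bug 21439;
 * not binutils code.  The sample section is constructed here: it copies only
 * the geometry of the report (a 3-byte name), not the reporter's test001.  */
#include <stddef.h>
#include <stdint.h>

typedef struct { const unsigned char *p; size_t n; } view;
struct note { uint32_t type; view name; view desc; };

static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Round a length up to the 4-byte note alignment.  'len' is already known to
 * be <= the bytes left in a real buffer, so adding at most 3 cannot wrap.  */
static size_t pad4(size_t len) { return len + ((4 - (len & 3)) & 3); }

/* Parse notes until the section is exhausted.  Returns the note count, or -1
 * if a 12-byte header does not fit or a note claims more bytes than remain. */
static int parse_notes(view sec, struct note *out, size_t max)
{
    size_t off = 0;
    int n = 0;
    while (off < sec.n) {
        if (sec.n - off < 12) return -1;                 /* header does not fit */
        uint32_t namesz = le32(sec.p + off), descsz = le32(sec.p + off + 4);
        uint32_t type = le32(sec.p + off + 8);
        size_t body = off + 12, left = sec.n - body;
        if (namesz > left) return -1;                    /* name does not fit */
        size_t name_pad = pad4(namesz);
        if (name_pad > left) name_pad = left;            /* final pad may be omitted */
        if (descsz > left - name_pad) return -1;         /* desc does not fit */
        size_t desc_pad = pad4(descsz);
        if (desc_pad > left - name_pad) desc_pad = left - name_pad;
        if ((size_t)n == max) return -1;
        out[n].type = type;
        out[n].name = (view){ sec.p + body, namesz };
        out[n].desc = (view){ sec.p + body + name_pad, descsz };
        n++;
        off = body + name_pad + desc_pad;
    }
    return n;
}

/* Read a 16-bit little-endian field at 'off' inside a note's name.  Fails
 * instead of touching the bytes after the name: the report shows a 2-byte
 * read starting exactly at the end of a 3-byte buffer.                    */
static int name_u16(const struct note *nt, size_t off, uint32_t *v)
{
    if (off > nt->name.n || nt->name.n - off < 2) return -1;
    *v = (uint32_t)nt->name.p[off] | (uint32_t)nt->name.p[off + 1] << 8;
    return 0;
}

/* Constructed sample (not from the bug): a "GNU" note with a 4-byte
 * descriptor; a note whose name is just "GA\0" (3 bytes) with type 0x100,
 * the value assumed here for NT_GNU_BUILD_ATTRIBUTE_OPEN; then a header
 * that claims a 0xffffffff-byte name with nothing behind it.             */
static const unsigned char sample[48] = {
    4,0,0,0,  4,0,0,0,  1,0,0,0,  'G','N','U',0,  0xaa,0xbb,0xcc,0xdd,
    3,0,0,0,  0,0,0,0,  0x00,0x01,0,0,  'G','A',0,0,
    0xff,0xff,0xff,0xff,  0,0,0,0,  0,0,0,0,
};

/* Number of notes in the first 'len' bytes of the sample, or -1. */
static int sample_note_count(size_t len)
{
    struct note nt[4];
    return parse_notes((view){ sample, len }, nt, 4);
}

/* 16-bit field at 'off' in the name of note 'i' of the well-formed 36-byte
 * prefix; -1 if the read would leave the name, -2 if parsing failed.      */
static long sample_name_u16(int i, size_t off)
{
    struct note nt[4];
    uint32_t v;
    if (parse_notes((view){ sample, 36 }, nt, 4) != 2 || i < 0 || i > 1) return -2;
    return name_u16(&nt[i], off, &v) ? -1 : (long)v;
}
```

With the 36-byte prefix both notes parse; the same walk over all 48 bytes stops at the third header because its namesz exceeds the zero bytes left. On the "GA\0" note a 2-byte read at offset 3 is refused, which is the access geometry the sanitizer reported, while reads that stay inside the name still succeed.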
[Bug binutils/21437] heap-buffer-overflow in byte_get_little_endian (binutils/elfcomm.c:148)
https://sourceware.org/bugzilla/show_bug.cgi?id=21437

--- Comment #2 from Brian 'geeknik' Carpenter ---
Built `da3d25a` with afl-gcc instead of afl-clang-fast. Same result. And I was
mistaken in my original comment, this is Ubuntu 16.x, not Debian 8.

gcc (Ubuntu 6.3.0-12ubuntu2) 6.3.0 20170406

od -tx1 ../test000
0000000 7f 45 4c 46 30 30 30 30 30 30 30 30 ff ff ff ff
0000020 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30
0000040 54 00 00 00 30 30 30 30 30 30 30 30 30 30 28 00
0000060 04 00 30 30 30 30 30 30 30 30 30 30 30 30 30 30
0000100 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30
*
0000200 fd ff ff 6f 30 30 30 30 30 30 30 30 00 00 00 00
0000220 30 00 00 00 30 30 30 30 30 30 30 30 30 30 30 30
0000240 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30
*
0000360 30 30 30 30
0000364

binutils/readelf -a ../test000
ELF Header:
  Magic:   7f 45 4c 46 30 30 30 30 30 30 30 30 ff ff ff ff
  Class:                             <unknown: 30>
  Data:                              <unknown: 30>
  Version:                           48
  OS/ABI:                            <unknown: 30>
  ABI Version:                       48
  Type:                              <unknown>: 3030
  Machine:                           <unknown>: 0x3030
  Version:                           0x30303030
  Entry point address:               0x30303030
  Start of program headers:          808464432 (bytes into file)
  Start of section headers:          84 (bytes into file)
  Flags:                             0x30303030
  Size of this header:               12336 (bytes)
  Size of program headers:           12336 (bytes)
  Number of program headers:         12336
  Size of section headers:           40 (bytes)
  Number of section headers:         4
  Section header string table index: 12336
readelf: Warning: Section 0 has an out of range sh_link value of 808464432
readelf: Warning: Section 1 has an out of range sh_link value of 808464432
readelf: Warning: Section 2 has an out of range sh_link value of 808464432
readelf: Warning: Section 3 has an out of range sh_link value of 808464432

Section Headers:
  [Nr] Name              Type            Addr     Off    Size   ES Flg Lk Inf Al
readelf: Warning: [ 0]: Unexpected value (808464432) in info field.
readelf: Warning: Size of section 0 is larger than the entire file!
  [ 0] 30303030: VERDEF 30303030 00 30 30303030 MSxxop 808464432 808464432 808464432
readelf: Warning: section 1: sh_link value of 808464432 is larger than the number of sections
readelf: Warning: [ 2]: Unexpected value (808464432) in info field.
readelf: Warning: Size of section 2 is larger than the entire file!
  [ 2] 30303030: 30303030: : 0x3030 is not currently supported.

Version definition section '' contains 808464432 entries:
  Addr: 0x30303030  Offset: Link: 808464432 ()
=
==9065==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb540337f at pc 0x08165676 bp 0xbf9c14b8 sp 0xbf9c14a8
READ of size 4 at 0xb540337f thread T0
    #0 0x8165675 in byte_get_little_endian /root/binutils/binutils/elfcomm.c:151
    #1 0x806fed6 in process_version_sections /root/binutils/binutils/readelf.c:10189
    #2 0x80d7740 in process_object /root/binutils/binutils/readelf.c:17788
    #3 0x804b77a in process_file /root/binutils/binutils/readelf.c:18183
    #4 0x804b77a in main /root/binutils/binutils/readelf.c:18255
    #5 0xb7045275 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18275)
    #6 0x804c520 (/root/binutils/binutils/readelf+0x804c520)

0xb540337f is located 1 bytes to the left of 49-byte region [0xb5403380,0xb54033b1)
allocated by thread T0 here:
    #0 0xb72aaaf4 in __interceptor_malloc (/usr/lib/i386-linux-gnu/libasan.so.3+0xc3af4)
    #1 0x8067762 in get_data /root/binutils/binutils/readelf.c:392

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/binutils/binutils/elfcomm.c:151 in byte_get_little_endian
Shadow bytes around the buggy address:
  0x36a80610: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a80620: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a80630: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a80640: fa fa fa fa fa fa fa fa fa fa fa fa fd fd fd fd
  0x36a80650: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
=>0x36a80660: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa[fa]
  0x36a80670: 00 00 00 00 00 00 01 fa fa fa fa fa fd fd fd fd
  0x36a80680: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
  0x36a80690: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x36a806a0: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
  0x36a806b0: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  St
[Bug binutils/21437] heap-buffer-overflow in byte_get_little_endian (binutils/elfcomm.c:148)
https://sourceware.org/bugzilla/show_bug.cgi?id=21437

--- Comment #3 from Brian 'geeknik' Carpenter ---
Without AFL and ASan:

valgrind -q binutils/readelf -a ../test000
ELF Header:
  Magic:   7f 45 4c 46 30 30 30 30 30 30 30 30 ff ff ff ff
  Class:                             <unknown: 30>
  Data:                              <unknown: 30>
  Version:                           48
  OS/ABI:                            <unknown: 30>
  ABI Version:                       48
  Type:                              <unknown>: 3030
  Machine:                           <unknown>: 0x3030
  Version:                           0x30303030
  Entry point address:               0x30303030
  Start of program headers:          808464432 (bytes into file)
  Start of section headers:          84 (bytes into file)
  Flags:                             0x30303030
  Size of this header:               12336 (bytes)
  Size of program headers:           12336 (bytes)
  Number of program headers:         12336
  Size of section headers:           40 (bytes)
  Number of section headers:         4
  Section header string table index: 12336
readelf: Warning: Section 0 has an out of range sh_link value of 808464432
readelf: Warning: Section 1 has an out of range sh_link value of 808464432
readelf: Warning: Section 2 has an out of range sh_link value of 808464432
readelf: Warning: Section 3 has an out of range sh_link value of 808464432

Section Headers:
  [Nr] Name              Type            Addr     Off    Size   ES Flg Lk Inf Al
readelf: Warning: [ 0]: Unexpected value (808464432) in info field.
readelf: Warning: Size of section 0 is larger than the entire file!
  [ 0] 30303030: VERDEF 30303030 00 30 30303030 MSxxop 808464432 808464432 808464432
readelf: Warning: section 1: sh_link value of 808464432 is larger than the number of sections
readelf: Warning: [ 2]: Unexpected value (808464432) in info field.
readelf: Warning: Size of section 2 is larger than the entire file!
  [ 2] 30303030: 30303030: : 0x3030 is not currently supported.

Version definition section '' contains 808464432 entries:
  Addr: 0x30303030  Offset: Link: 808464432 ()
==4842== Invalid read of size 4
==4842==    at 0x8087AE0: byte_get_little_endian (elfcomm.c:151)
==4842==    by 0x805843B: process_version_sections (readelf.c:10189)
==4842==    by 0x806E441: process_object (readelf.c:17788)
==4842==    by 0x8049A2F: process_file (readelf.c:18183)
==4842==    by 0x8049A2F: main (readelf.c:18255)
==4842==  Address 0x4208bd7 is 1 bytes before a block of size 49 alloc'd
==4842==    at 0x402E23C: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==4842==    by 0x804D314: get_data (readelf.c:392)
==4842==    by 0x80582DE: process_version_sections (readelf.c:10137)
==4842==    by 0x806E441: process_object (readelf.c:17788)
==4842==    by 0x8049A2F: process_file (readelf.c:18183)
==4842==    by 0x8049A2F: main (readelf.c:18255)
==4842== 
  00: Rev: 17791  Flags: INFO | <unknown>  Index: 12336  Cnt: 12336
  Name index: 1279622912
  Version def aux past end of section
  Version definition past end of section
readelf: Error: Too many program headers - 0x3030 - the file is not that big
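The od dump in comment 2 and the readelf output above together show where the read lands. Section 1 is the SHT_GNU_verdef section with sh_offset 0 and sh_size 0x30, so the 49-byte buffer get_data allocates holds the first 48 bytes of the file plus a terminator, and the first verdef entry is the ELF header itself. Its vd_aux field is file bytes 12..15, which are ff ff ff ff; adding 0xffffffff to a 32-bit entry pointer wraps to one byte before the buffer, which is consistent with both reports (a 4-byte read starting one byte before the region) and with the "Name index: 1279622912" readelf printed, since 1279622912 is 0x4c457f00, i.e. one out-of-bounds byte followed by the file's 7f 45 4c. The C below is an added example, not binutils code and not the upstream fix: it rebuilds test000 from the od dump and walks it with every file-derived offset checked against the object it indexes, so the bad vd_aux is reported instead of dereferenced. Names such as view, check_elf32, walk_verdef and the F_* findings are this example's own; the bounds rules for vd_next and vda_next (must advance by at least one entry) are this example's policy, not an ELF requirement.

```c
/* Bounds-checked walk of an ELF32 little-endian file: header, section headers
 * and SHT_GNU_verdef.  Added example for bug 21437; not binutils code and not
 * the upstream fix.  All reads go through rd16/rd32, which fail rather than run
 * past the buffer, and every file-derived offset is checked before use.    */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
typedef struct { const unsigned char *p; size_t n; } view;
enum { SHT_NOBITS = 8, SHT_GNU_verdef = 0x6ffffffd };
enum {  /* findings, returned as a bitmask; set where check_elf32 detects them */
    F_TRUNC = 1u << 0, F_CLASS = 1u << 1, F_PHDRS = 1u << 2, F_SHSTRNDX = 1u << 3,
    F_SH_LINK = 1u << 4, F_SH_RANGE = 1u << 5, F_VERDEF = 1u << 6 };
static int rd16(view b, size_t off, uint32_t *v)
{
    if (off > b.n || b.n - off < 2) return -1;
    *v = (uint32_t)b.p[off] | (uint32_t)b.p[off + 1] << 8;
    return 0;
}
static int rd32(view b, size_t off, uint32_t *v)
{
    uint32_t lo, hi;
    if (rd16(b, off, &lo) || rd16(b, off + 2, &hi)) return -1;
    *v = lo | hi << 16;
    return 0;
}
/* 'sec' is exactly the section's bytes: vd_aux, vd_next and vda_next are
 * validated against the section and can never reach the heap around it.  */
static unsigned walk_verdef(view sec, uint32_t nent)
{
    size_t idx = 0;
    for (uint32_t c = 0; c < nent; c++) {
        uint32_t vd_cnt, vd_aux, vd_next, vda_next;
        if (rd16(sec, idx + 6, &vd_cnt) || rd32(sec, idx + 12, &vd_aux) ||
            rd32(sec, idx + 16, &vd_next)) return F_VERDEF; /* 20-byte entry does not fit */
        if (vd_aux > sec.n - idx) return F_VERDEF;          /* test000: vd_aux is 0xffffffff */
        size_t aoff = idx + vd_aux;
        for (uint32_t j = 0; j < vd_cnt; j++) {
            if (rd32(sec, aoff + 4, &vda_next)) return F_VERDEF; /* 8-byte verdaux */
            if (vda_next == 0) break;
            if (vda_next < 8 || vda_next > sec.n - aoff) return F_VERDEF;
            aoff += vda_next;
        }
        if (vd_next == 0) break;
        if (vd_next < 20 || vd_next > sec.n - idx) return F_VERDEF; /* must advance */
        idx += vd_next;
    }
    return 0;
}
static unsigned check_elf32(view f)
{
    static const unsigned char magic[4] = { 0x7f, 'E', 'L', 'F' };
    uint32_t phoff, shoff, phentsize, phnum, shentsize, shnum, shstrndx;
    unsigned flags = 0;
    if (f.n < 52 || memcmp(f.p, magic, 4) != 0) return F_TRUNC;
    if (f.p[4] != 1 || f.p[5] != 1) flags |= F_CLASS;  /* not ELFCLASS32/ELFDATA2LSB; go on as readelf did */
    rd32(f, 28, &phoff); rd32(f, 32, &shoff); rd16(f, 42, &phentsize); rd16(f, 44, &phnum);
    rd16(f, 46, &shentsize); rd16(f, 48, &shnum); rd16(f, 50, &shstrndx);
    if (phnum && (phoff > f.n || (uint64_t)phentsize * phnum > f.n - phoff))
        flags |= F_PHDRS;                                  /* program headers outside the file */
    if (shstrndx && shstrndx >= shnum) flags |= F_SHSTRNDX; /* e_shstrndx >= e_shnum */
    if (shnum && (shentsize < 40 || shoff > f.n || (uint64_t)shentsize * shnum > f.n - shoff))
        return flags | F_TRUNC;                            /* section header table past EOF */
    for (uint32_t i = 0; i < shnum; i++) {
        size_t h = shoff + (size_t)i * shentsize;
        uint32_t type, off, size, link, info;
        rd32(f, h + 4, &type); rd32(f, h + 16, &off); rd32(f, h + 20, &size);
        rd32(f, h + 24, &link); rd32(f, h + 28, &info);
        if (link >= shnum) flags |= F_SH_LINK;            /* sh_link >= e_shnum */
        if (type == SHT_NOBITS) continue;
        if (off > f.n || size > f.n - off) { flags |= F_SH_RANGE; continue; } /* past EOF */
        if (type == SHT_GNU_verdef) flags |= walk_verdef((view){ f.p + off, size }, info);
    }
    return flags;
}
/* test000 from bug 21437, transcribed from the od -tx1 dump in comment 2: 244
 * bytes, all 0x30 except the (decimal) positions below.                     */
static size_t build_test000(unsigned char *buf, size_t cap)
{
    static const struct { unsigned char off, val; } fix[] = {
        {0,0x7f},{1,0x45},{2,0x4c},{3,0x46},{12,0xff},{13,0xff},{14,0xff},{15,0xff},
        {32,0x54},{33,0},{34,0},{35,0},{46,0x28},{47,0},{48,4},{49,0}, /* e_shoff=84 e_shentsize=40 e_shnum=4 */
        {128,0xfd},{129,0xff},{130,0xff},{131,0x6f},{140,0},{141,0},{142,0},{143,0}, /* [1]: VERDEF, sh_offset=0 */
        {145,0},{146,0},{147,0} };                                     /* [1]: sh_size=0x30 */
    if (cap < 244) return 0;
    memset(buf, 0x30, 244);
    for (size_t i = 0; i < sizeof fix / sizeof fix[0]; i++) buf[fix[i].off] = fix[i].val;
    return 244;
}
/* Findings for test000, and for a 28-byte well-formed verdef section (one
 * entry with one verdaux) walked the same way.                            */
static unsigned findings_test000(void)
{
    unsigned char buf[244];
    return check_elf32((view){ buf, build_test000(buf, sizeof buf) });
}
static unsigned findings_good_verdef(void)
{
    static const unsigned char vd[28] = { 1,0, 0,0, 1,0, 1,0, 0,0,0,0, 20,0,0,0, 0,0,0,0,
                                          0,0,0,0, 0,0,0,0 }; /* ver flags ndx cnt hash aux next | vda_name vda_next */
    return walk_verdef((view){ vd, sizeof vd }, 1);
}
```

On test000 the walk reports F_CLASS, F_PHDRS, F_SHSTRNDX, F_SH_LINK, F_SH_RANGE and F_VERDEF and nothing else: the section header table ends exactly at byte 244, so the file is not truncated, which is why readelf got as far as the verdef section at all. The well-formed 28-byte section walks clean, showing the checks do not reject valid input.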