[Bug binutils/22361] New: Memory Allocation Error stemming from a Conditional jump dependent on an uninitialized value in process_archive (within readelf.c)

2017-10-27 Thread kirit1193 at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=22361

Bug ID: 22361
   Summary: Memory Allocation Error stemming from a Conditional jump dependent on an uninitialized value in process_archive (within readelf.c)
   Product: binutils
   Version: 2.29
Status: UNCONFIRMED
  Severity: normal
  Priority: P2
 Component: binutils
  Assignee: unassigned at sourceware dot org
  Reporter: kirit1193 at gmail dot com
  Target Milestone: ---

Created attachment 10559
  --> https://sourceware.org/bugzilla/attachment.cgi?id=10559&action=edit
Crashing file sample

Invoking readelf on a specially crafted file results in an attempt to allocate
a massive amount of memory, due to a conditional jump which depends on an
uninitialized variable. Running Memcheck gives the following output:

==28540== Conditional jump or move depends on uninitialised value(s)
==28540==    at 0x4E7A21B: strtoul_l_internal (strtol_l.c:434)
==28540==    by 0x159F6C: setup_archive (elfcomm.c:658)
==28540==    by 0x1407C6: process_archive (readelf.c:18196)
==28540==    by 0x10F5BC: process_file (readelf.c:18460)
==28540==    by 0x10F5BC: main (readelf.c:18544)
==28540==  Uninitialised value was created by a stack allocation
==28540==    at 0x14070F: process_archive (readelf.c:18172)

The hexdump of the input file is:

000 3c21 7261 6863 0a3e 2f2f 2020 2020 2020
010 2020 2020 2020 2020 2030 2020 2020 2020
020 2020 2020 2030 2020 2020 2030 2020 2020
030 2030 2020 2020 2020 3731 3230 3232 3232
040 3232 3232 3232 3232 3232 3232 3232 3232
*
100 3232 4d32 3232 3232 3232 322d 3232 3232
110 3232 3232 3232 3232 3232 3232 3232 3232
120 3232 1032 4c74 6269 4c56 6269 3356 7453
130 7461 6f43 6e75 0074 6478 5f72 7547 7365
140 4c74 6269 3356 7954 6570 6449 0073 6478
150 5f72 6564 2072 6874 2065 6574 6d72 2073
160 666f 740a 6568 4720 554e 4720 6e65 7265
170 6c63 5020 6275 696c 2063 694c 6563 736e
180 2065 6576 7372 6f69 206e 2033 726f 2820
190 7461 7920 756f 2072 706f 6974 6e6f 2029
1a0 4761 6575 7473 694c 5662 5333 6174 0074
1b0 6478 5f72 7547 7365 7473 694c 4962 636f
1c0 6c74 6449 7800 7264 475f 6575 7473 694c
1d0 4962 636f 6c74 7441 6d6f 6369 7055 0064
1e0  0004  001c  0058  
1f0  0004 1e00 03e8  e551 6474 0006
200   001c  0058   
210 0004  03e8  e551 6474 fa06 
220 00ff       
230    000a  0100  2000
240 7469 7520 646e 7265 7420 6568 7420 7265
250 736d 6f20 0a66 6874 2065 4e47 2055 6547
260 656e 6172 206c 7550 6c62 6369 4c20 6369
270 6e65 6573 7620 7265 6973 6e6f 3320 6f20
280 2072 6128 2074 6f79 7275 6f20 7470 6f69
290 296e 6120 796e 6c20 7461 7265 7620 7265
2a0 6973 6e6f 0a2e 6854 7369 7020 6f72 7267
2b0 6d61 6820 7361 ff20 51ff 6c6f 7475 6c65
2c0 2079 6f6e e21f 0010  0300 1000 
2d0        
2e0  0300 1c00     
2f0    b800  1000  
300       0600 6600
310 0001 1600      
320    0900 0001 1000  
330        3200
340  1000     0500 
350 0005   5800  1000  
360        3e00
370  1000      0019
380 fc00   b200 0001 1000  
390        0f00
3a0  1000      
3b0    2d00   0010 
*
3c3

Running with AddressSanitizer crashes with the following information:

==16021==ERROR: AddressSanitizer failed to allocate 0x27a2092000 (17031552) bytes of LargeMmapAllocator (error code: 12)
==16021==Process memory map follows:
0x0040-0x006de000	/home/ksg/testbed/binutils-2.29/binutils/readelf
0x008de000-0x008df000	/home/ksg/testbed/binutils-2.29/binutils/readelf
0x008df000-0x0095c000	/home/ksg/testbed/binutils-2.29/binutils/readelf


==16021==AddressSanitizer CHECK failed: /build/llvm-toolchain-3.9-BMQCTD/llvm-toolchain-3.9-3.9.1/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:120 "((0 && "unable to mmap")) != (0)" (0x0, 0x0)
    #0 0x4d5785 in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/home/ksg/testbed/binutils-2.29/binutils/readelf+0x4d5785)
    #1 0x4efe95 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/home/ksg/testbed/binutils-2.29/binutils/readelf+0x4efe95)
    #2 0x4df5c2 in __sanitizer::ReportMmapFailureAndDie(unsigned long, char const*, char const*, int, boo
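The failure the report describes (a fixed-width archive header field interpreted with strtoul before anyone confirmed it was fully read, and the resulting value handed straight to an allocator) is a general archive-parsing hazard rather than something specific to this input. The following C program is an added example written for this page, not code from binutils or from the reporter; it shows a bounded way to read an ar member header: reject a short read before any field is interpreted, copy the non-NUL-terminated size field into a bounded buffer before calling strtoul, and check the claimed size against the bytes actually present before the caller allocates anything. The struct layout follows the standard ar(5) format; SAMPLE_ARCHIVE and INFLATED_ARCHIVE are constructed inputs, and every function name is this example's own.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Standard ar(5) constants; not copied from binutils. */
#define ARMAG  "!<arch>\n"
#define SARMAG 8
#define ARFMAG "`\n"

/* Fixed-width, space-padded, NOT NUL-terminated fields (ar(5)). */
struct ar_hdr {
    char ar_name[16];
    char ar_date[12];
    char ar_uid[6];
    char ar_gid[6];
    char ar_mode[8];
    char ar_size[10];
    char ar_fmag[2];
};

/* Parse a fixed-width decimal field.  The field is copied into a bounded,
   NUL-terminated local buffer so strtoul can never scan past the field or
   into storage that was never filled.  Returns 0 on success, -1 otherwise. */
int parse_ar_decimal(const char *field, size_t field_len, unsigned long *out)
{
    char buf[32];
    if (field_len >= sizeof buf)
        return -1;
    memcpy(buf, field, field_len);
    buf[field_len] = '\0';

    /* Digits first, then only space padding; an empty field is an error. */
    size_t i = 0;
    while (i < field_len && buf[i] >= '0' && buf[i] <= '9')
        i++;
    if (i == 0)
        return -1;
    for (size_t j = i; j < field_len; j++)
        if (buf[j] != ' ')
            return -1;

    errno = 0;
    char *end;
    unsigned long v = strtoul(buf, &end, 10);
    if (errno != 0 || end != buf + i)
        return -1;
    *out = v;
    return 0;
}

/* Check the archive magic on an in-memory image.  Returns 1 if present. */
int check_ar_magic(const unsigned char *img, size_t len)
{
    return len >= SARMAG && memcmp(img, ARMAG, SARMAG) == 0;
}

/* Read the member header at `off` from an in-memory archive image of `len`
   bytes.  A short image fails before any field is interpreted (the unsafe
   pattern is to read into a stack struct, ignore the short read, and parse
   whatever the struct happens to contain), and the parsed size is bounded by
   the bytes that actually follow the header before anyone allocates. */
int read_ar_member(const unsigned char *img, size_t len, size_t off,
                   unsigned long *member_size)
{
    struct ar_hdr hdr;
    if (off < SARMAG || off > len || len - off < sizeof hdr)
        return -1;                          /* short read: refuse to parse */
    memcpy(&hdr, img + off, sizeof hdr);
    if (memcmp(hdr.ar_fmag, ARFMAG, 2) != 0)
        return -1;                          /* header trailer sanity check */
    unsigned long sz;
    if (parse_ar_decimal(hdr.ar_size, sizeof hdr.ar_size, &sz) != 0)
        return -1;
    if (sz > len - off - sizeof hdr)
        return -1;                          /* claimed size exceeds the file */
    *member_size = sz;
    return 0;
}

/* Constructed sample: one member "a.txt/" holding the 5 bytes "hello". */
static const char SAMPLE_ARCHIVE[] =
    "!<arch>\n"
    "a.txt/          " "0           " "0     " "0     " "100644  "
    "5         " "`\n"
    "hello";
#define SAMPLE_ARCHIVE_LEN (sizeof SAMPLE_ARCHIVE - 1)

/* Constructed sample whose size field claims far more than is present. */
static const char INFLATED_ARCHIVE[] =
    "!<arch>\n"
    "a.txt/          " "0           " "0     " "0     " "100644  "
    "4294967295" "`\n"
    "hello";
#define INFLATED_ARCHIVE_LEN (sizeof INFLATED_ARCHIVE - 1)

int main(void)
{
    const unsigned char *img = (const unsigned char *)SAMPLE_ARCHIVE;
    unsigned long sz = 0;
    if (!check_ar_magic(img, SAMPLE_ARCHIVE_LEN))
        return 1;
    printf("well-formed: %s, size %lu\n",
           read_ar_member(img, SAMPLE_ARCHIVE_LEN, SARMAG, &sz) == 0 ? "ok" : "rejected", sz);
    printf("truncated:   %s\n",
           read_ar_member(img, 40, SARMAG, &sz) == 0 ? "ok" : "rejected");
    printf("inflated:    %s\n",
           read_ar_member((const unsigned char *)INFLATED_ARCHIVE,
                          INFLATED_ARCHIVE_LEN, SARMAG, &sz) == 0 ? "ok" : "rejected");
    return 0;
}
```

The two checks that matter for the reported crash are the short-read rejection at the top of read_ar_member and the comparison of the parsed size against the bytes remaining in the image: a size field is attacker-controlled data, and an allocator should only ever see a value that the file can actually back.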

[Bug binutils/22361] Memory Allocation Error stemming from a Conditional jump dependent on an uninitialized value in process_archive (within readelf.c)

2017-10-27 Thread kirit1193 at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=22361

--- Comment #1 from Kirit Sankar Gupta  ---
Debug info:

Binutils Version: 2.29
Readelf Version: 2.29
OS: Ubuntu 17.10
Compiler: gcc 7.2.0 / clang 4.0.1-6 (tested with both)
Target: x86_64-linux-gnu

___
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils