[Bug libdw/23752] New: Invalid Address Read problem in dwfl_segment_report_module.c when executing ./eu-stack --core=$POC
https://sourceware.org/bugzilla/show_bug.cgi?id=23752

            Bug ID: 23752
           Summary: Invalid Address Read problem in
                    dwfl_segment_report_module.c when executing
                    ./eu-stack --core=$POC
           Product: elfutils
           Version: unspecified
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: libdw
          Assignee: unassigned at sourceware dot org
          Reporter: wcventure at 126 dot com
                CC: elfutils-devel at sourceware dot org
  Target Milestone: ---

Created attachment 11306
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11306&action=edit
POC-stack

Hi there,

Our fuzzer caught an Invalid Address Read problem in eu-stack of the latest elfutils-0.174 code base. This input will cause a segmentation fault, and I have confirmed it with AddressSanitizer too. Please use "./eu-stack --core=$POC" or "./eu-stack --core=$POC -abdilmsv" to reproduce the bug. If you have any questions, please let me know.

The ASAN dumps the stack trace as follows:

ASAN:DEADLYSIGNAL
=================================================================
==9753==ERROR: AddressSanitizer: SEGV on unknown address 0x7f6afb9ac114 (pc 0x7f6afa17a7dc bp 0x7fffc8bb1900 sp 0x7fffc8bb17f0 T0)
==9753==The signal is caused by a READ memory access.
    #0 0x7f6afa17a7db in consider_notes /elfutils-0.174/libdwfl/dwfl_segment_report_module.c:486
    #1 0x7f6afa17accc in consider_phdr /elfutils-0.174/libdwfl/dwfl_segment_report_module.c:529
    #2 0x7f6afa176fa2 in dwfl_segment_report_module /elfutils-0.174/libdwfl/dwfl_segment_report_module.c:590
    #3 0x7f6afa185ce0 in dwfl_core_file_report /elfutils-0.174/libdwfl/core-file.c:541
    #4 0x405106 in parse_opt /elfutils-0.174/src/stack.c:590
    #5 0x7f6af9a64847 in argp_parse (/lib/x86_64-linux-gnu/libc.so.6+0x114847)
    #6 0x4056a7 in main /elfutils-0.174/src/stack.c:690
    #7 0x7f6af997082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #8 0x402308 in _start (/elfutils-0.174/build/bin/eu-stack+0x402308)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /elfutils-0.174/libdwfl/dwfl_segment_report_module.c:486 in consider_notes
==9753==ABORTING

-- 
You are receiving this mail because:
You are on the CC list for the bug.
[Bug libdw/23753] New: Invalid Address Read problem in dwfl_segment_report_module.c when executing ./eu-stack --core=$POC
https://sourceware.org/bugzilla/show_bug.cgi?id=23753

            Bug ID: 23753
           Summary: Invalid Address Read problem in
                    dwfl_segment_report_module.c when executing
                    ./eu-stack --core=$POC
           Product: elfutils
           Version: unspecified
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: libdw
          Assignee: unassigned at sourceware dot org
          Reporter: wcventure at 126 dot com
                CC: elfutils-devel at sourceware dot org
  Target Milestone: ---

Hi there,

Our fuzzer caught an Invalid Address Read problem in eu-stack of the latest elfutils-0.174 code base. This input will cause a segmentation fault, and I have confirmed it with AddressSanitizer too. Please use "./eu-stack --core=$POC" or "./eu-stack --core=$POC -abdilmsv" to reproduce the bug. If you have any questions, please let me know.

The ASAN dumps the stack trace as follows:

ASAN:DEADLYSIGNAL
=================================================================
==9753==ERROR: AddressSanitizer: SEGV on unknown address 0x7f6afb9ac114 (pc 0x7f6afa17a7dc bp 0x7fffc8bb1900 sp 0x7fffc8bb17f0 T0)
==9753==The signal is caused by a READ memory access.
    #0 0x7f6afa17a7db in consider_notes /elfutils-0.174/libdwfl/dwfl_segment_report_module.c:486
    #1 0x7f6afa17accc in consider_phdr /elfutils-0.174/libdwfl/dwfl_segment_report_module.c:529
    #2 0x7f6afa176fa2 in dwfl_segment_report_module /elfutils-0.174/libdwfl/dwfl_segment_report_module.c:590
    #3 0x7f6afa185ce0 in dwfl_core_file_report /elfutils-0.174/libdwfl/core-file.c:541
    #4 0x405106 in parse_opt /elfutils-0.174/src/stack.c:590
    #5 0x7f6af9a64847 in argp_parse (/lib/x86_64-linux-gnu/libc.so.6+0x114847)
    #6 0x4056a7 in main /elfutils-0.174/src/stack.c:690
    #7 0x7f6af997082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #8 0x402308 in _start (/elfutils-0.174/build/bin/eu-stack+0x402308)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /elfutils-0.174/libdwfl/dwfl_segment_report_module.c:486 in consider_notes
==9753==ABORTING
[Bug libdw/23753] Invalid Address Read problem in dwfl_segment_report_module.c when executing ./eu-stack --core=$POC
https://sourceware.org/bugzilla/show_bug.cgi?id=23753

--- Comment #1 from wcventure ---
Created attachment 11307
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11307&action=edit
POC-stack

./eu-stack --core=$POC
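Added example for bugs 23752 and 23753 (not code from the reports or from elfutils): both traces fault inside consider_notes while reading a note segment out of a crafted core file, so the thing a reviewer wants to see is a note walk in which every header, owner name and descriptor is checked against the bytes actually present before it is read. The note header struct below mirrors the three 4-byte words of Elf64_Nhdr (identical in ELF32 and ELF64) so the example does not need <elf.h>; the two sample notes and the mutated n_descsz are constructed for this example; walk_notes, put_note and the example_* names are this example's own. It assumes the note bytes are in the host's byte order, as on the reporter's x86_64 machine.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ELF note header: three 4-byte words, the same layout in ELF32 and ELF64
   (mirrors Elf64_Nhdr so this example does not depend on <elf.h>). */
struct note_hdr { uint32_t n_namesz; uint32_t n_descsz; uint32_t n_type; };

#define NOTE_ALIGN(x) (((x) + 3u) & ~(size_t) 3u)

/* Walk a note segment of len bytes.  Each header, name and descriptor is
   checked against the bytes actually present before it is touched, so a
   core file whose size fields point past the segment ends the walk with -1
   instead of an out-of-bounds read.  Returns the number of notes seen. */
int walk_notes (const unsigned char *buf, size_t len,
                void (*cb) (uint32_t type, const char *name,
                            const unsigned char *desc, size_t descsz))
{
  size_t off = 0;
  int count = 0;
  while (off < len)
    {
      struct note_hdr nh;
      if (len - off < sizeof nh)
        return -1;                              /* truncated header */
      memcpy (&nh, buf + off, sizeof nh);
      off += sizeof nh;

      /* n_namesz/n_descsz come from the file.  Check the raw value first
         (so the rounded-up one cannot wrap), then the 4-byte padded size. */
      if (nh.n_namesz > len - off)
        return -1;
      size_t name_len = NOTE_ALIGN ((size_t) nh.n_namesz);
      if (name_len > len - off)
        return -1;                              /* padding missing */
      const char *name = (const char *) (buf + off);
      if (nh.n_namesz != 0 && memchr (name, '\0', nh.n_namesz) == NULL)
        return -1;                              /* name not NUL-terminated */
      off += name_len;

      if (nh.n_descsz > len - off)
        return -1;
      size_t desc_len = NOTE_ALIGN ((size_t) nh.n_descsz);
      if (desc_len > len - off)
        return -1;
      const unsigned char *desc = buf + off;
      off += desc_len;

      if (cb != NULL)
        cb (nh.n_type, nh.n_namesz ? name : "", desc, nh.n_descsz);
      count++;
    }
  return count;
}

/* Append one note; returns bytes written or 0 if it does not fit. */
static size_t put_note (unsigned char *out, size_t cap, uint32_t type,
                        const char *name, const unsigned char *desc,
                        uint32_t descsz)
{
  uint32_t namesz = (uint32_t) strlen (name) + 1;
  size_t total = sizeof (struct note_hdr) + NOTE_ALIGN (namesz) + NOTE_ALIGN (descsz);
  if (total > cap)
    return 0;
  memset (out, 0, total);
  struct note_hdr nh = { namesz, descsz, type };
  memcpy (out, &nh, sizeof nh);
  memcpy (out + sizeof nh, name, namesz);
  memcpy (out + sizeof nh + NOTE_ALIGN (namesz), desc, descsz);
  return total;
}

/* Constructed sample segment: a "CORE" note of type 1 (NT_PRSTATUS) with an
   8-byte body and a "GNU" note of type 3 (NT_GNU_BUILD_ID) with a 5-byte body. */
static size_t build_segment (unsigned char *buf, size_t cap)
{
  static const unsigned char regs[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };
  static const unsigned char bid[5] = { 0xde, 0xad, 0xbe, 0xef, 0x01 };
  size_t n = put_note (buf, cap, 1, "CORE", regs, sizeof regs);
  n += put_note (buf + n, cap - n, 3, "GNU", bid, sizeof bid);
  return n;
}

int notes_in_good_segment (void)
{
  unsigned char buf[128];
  size_t n = build_segment (buf, sizeof buf);
  return walk_notes (buf, n, NULL);             /* 2 */
}

/* Same bytes with the second note's n_descsz replaced by a huge value, the
   kind of mutation a fuzzer makes; the walk must stop rather than read on. */
int notes_with_oversized_desc (void)
{
  unsigned char buf[128];
  size_t n = build_segment (buf, sizeof buf);
  size_t second = sizeof (struct note_hdr) + NOTE_ALIGN (5) + NOTE_ALIGN (8);
  uint32_t huge = 0x7fffffffu;
  memcpy (buf + second + offsetof (struct note_hdr, n_descsz), &huge, sizeof huge);
  return walk_notes (buf, n, NULL);             /* -1 */
}

/* Segment cut one byte short of the last descriptor's padding. */
int notes_in_truncated_segment (void)
{
  unsigned char buf[128];
  size_t n = build_segment (buf, sizeof buf);
  return walk_notes (buf, n - 1, NULL);         /* -1 */
}

static void print_note (uint32_t type, const char *name,
                        const unsigned char *desc, size_t descsz)
{
  (void) desc;
  printf ("note type %u owner \"%s\" desc %zu bytes\n", type, name, descsz);
}

int main (void)
{
  unsigned char buf[128];
  size_t n = build_segment (buf, sizeof buf);
  printf ("good: %d notes\n", walk_notes (buf, n, print_note));
  printf ("oversized desc: %d\n", notes_with_oversized_desc ());
  printf ("truncated: %d\n", notes_in_truncated_segment ());
  return 0;
}
```

The order of the checks matters: the raw 32-bit size is compared with the remaining bytes before it is rounded up to the 4-byte boundary, so the rounding can never wrap on a 32-bit size_t, and the name is only scanned for its terminator once its bytes are known to be inside the buffer.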
[Bug tools/23754] New: NULL-Pointer dereference problem in function do_oper_extract in the eu-ar binaries
https://sourceware.org/bugzilla/show_bug.cgi?id=23754

            Bug ID: 23754
           Summary: NULL-Pointer dereference problem in function
                    do_oper_extract in the eu-ar binaries
           Product: elfutils
           Version: unspecified
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: tools
          Assignee: unassigned at sourceware dot org
          Reporter: wcventure at 126 dot com
                CC: elfutils-devel at sourceware dot org
  Target Milestone: ---

Hi,

Our fuzzer caught NULL-pointer dereference problems in eu-ar.c in the latest elfutils (v0.174) code base; those inputs will cause the signal SIGSEGV, Segmentation fault. I have confirmed them with AddressSanitizer. Please use "./eu-ar -tv $POC" to reproduce the bug. If you have any questions, please let me know. Thank you.

The ASAN dumps the stack trace as follows:

ASAN:DEADLYSIGNAL
=================================================================
==24906==ERROR: AddressSanitizer: SEGV on unknown address 0x0030 (pc 0x7fb225ed3071 bp 0x7fffdbcb2a50 sp 0x7fffdbcb2370 T0)
==24906==The signal is caused by a READ memory access.
==24906==Hint: address points to the zero page.
    #0 0x7fb225ed3070 (/lib/x86_64-linux-gnu/libc.so.6+0xc3070)
    #1 0x7fb225ed50a5 in __strftime_l (/lib/x86_64-linux-gnu/libc.so.6+0xc50a5)
    #2 0x404574 in do_oper_extract /mnt/c/wcventure/Fuzzing_Object/elfutils-0.174/src/ar.c:542
    #3 0x403203 in main /mnt/c/wcventure/Fuzzing_Object/elfutils-0.174/src/ar.c:252
    #4 0x7fb225e3082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #5 0x402428 in _start (/mnt/c/wcventure/Fuzzing_Object/elfutils-0.174/build/bin/eu-ar+0x402428)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0xc3070)
==24906==ABORTING
[Bug tools/23754] NULL-Pointer dereference problem in function do_oper_extract in the eu-ar binaries
https://sourceware.org/bugzilla/show_bug.cgi?id=23754

--- Comment #1 from wcventure ---
Created attachment 11309
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11309&action=edit
POC1-ar
[Bug tools/23754] NULL-Pointer dereference problem in function do_oper_extract in the eu-ar binaries
https://sourceware.org/bugzilla/show_bug.cgi?id=23754

--- Comment #2 from wcventure ---
Created attachment 11310
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11310&action=edit
POC2-ar

Please use "./eu-ar -tv $POC" to reproduce the bug.
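Added example for bug 23754 (not code from ar.c or from the reporter): the trace above dies on a zero-page read inside __strftime_l called from do_oper_extract, which is what a NULL struct tm handed to strftime looks like, and localtime returns exactly that NULL (with errno set to EOVERFLOW) for a time_t whose year does not fit in an int. The header layout is the one ar(5) defines; the 60-byte member header is constructed for this example, the functions parse_ar_date and format_ar_date and the example_* helpers are this example's own names, and the overflow case assumes a 64-bit time_t as on the reporter's x86_64 build.

```c
#define _POSIX_C_SOURCE 200809L   /* localtime_r */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Fixed-width ar member header, as in ar(5): ar_date is 12 ASCII decimal
   digits, space padded and not NUL-terminated. */
struct ar_member_hdr
{
  char ar_name[16];
  char ar_date[12];
  char ar_uid[6];
  char ar_gid[6];
  char ar_mode[8];
  char ar_size[10];
  char ar_fmag[2];
};

/* Parse the ar_date field.  Returns 0 and sets *out, or -1 if the field is
   not a plain decimal number (anything but trailing spaces after it). */
int parse_ar_date (const char field[12], time_t *out)
{
  char tmp[13];
  memcpy (tmp, field, 12);
  tmp[12] = '\0';
  errno = 0;
  char *end;
  long long v = strtoll (tmp, &end, 10);
  if (end == tmp || errno == ERANGE)
    return -1;
  for (; *end != '\0'; end++)
    if (*end != ' ')
      return -1;
  *out = (time_t) v;
  return 0;
}

/* Format a member timestamp for a verbose listing.  localtime_r returns NULL
   (errno EOVERFLOW) for a time_t whose year does not fit in an int; that NULL
   has to be handled here because strftime dereferences its struct tm
   argument unconditionally, which is the zero-page read in the ASAN trace.
   Returns 0 on success, -1 with a placeholder in out otherwise. */
int format_ar_date (time_t t, char *out, size_t outlen)
{
  struct tm tm;
  if (localtime_r (&t, &tm) == NULL)
    {
      snprintf (out, outlen, "%s", "(unrepresentable date)");
      return -1;
    }
  if (strftime (out, outlen, "%b %e %H:%M %Y", &tm) == 0)
    return -1;
  return 0;
}

/* Constructed 60-byte header for a member "hello.o" dated 1538300000
   (2018-09-30 UTC).  Returns 1 if it parses and formats cleanly. */
int example_valid_header (void)
{
  struct ar_member_hdr hdr;
  memcpy (&hdr, "hello.o/        1538300000  1000  1000  100644  1234      `\n",
          sizeof hdr);
  time_t t;
  char out[64];
  if (parse_ar_date (hdr.ar_date, &t) != 0 || t != (time_t) 1538300000)
    return 0;
  if (format_ar_date (t, out, sizeof out) != 0)
    return 0;
  return strstr (out, "2018") != NULL;
}

/* A header whose date field is not a number at all. */
int example_garbage_date (void)
{
  time_t t;
  return parse_ar_date ("15383x0000  ", &t);    /* -1 */
}

/* A time_t far outside what struct tm can hold (needs a 64-bit time_t, as on
   the x86_64 build in the report): format_ar_date must report failure
   instead of handing strftime a NULL pointer.  Returns 1 when it does. */
int example_overflowing_date (void)
{
  time_t big = (time_t) ((unsigned long long) 1 << 62);
  char out[64];
  return format_ar_date (big, out, sizeof out) == -1;
}

int main (void)
{
  printf ("valid header: %s\n", example_valid_header () ? "ok" : "FAILED");
  printf ("garbage date: %d\n", example_garbage_date ());
  printf ("overflowing date handled: %s\n",
          example_overflowing_date () ? "yes" : "no");
  return 0;
}
```

The twelve-character field cannot itself encode a value large enough to overflow struct tm on a 64-bit time_t, so the overflow helper feeds format_ar_date a value directly; the point is that whatever produced the time_t, the NULL from localtime_r is a normal return value that the caller has to check, not a condition strftime will tolerate.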
[Bug tools/23755] New: Multiple floating point exception in findtextrel.c in eu-findtextrel binary of elfutils-v0.174.
https://sourceware.org/bugzilla/show_bug.cgi?id=23755

            Bug ID: 23755
           Summary: Multiple floating point exception in findtextrel.c in
                    eu-findtextrel binary of elfutils-v0.174.
           Product: elfutils
           Version: unspecified
            Status: UNCONFIRMED
          Severity: critical
          Priority: P2
         Component: tools
          Assignee: unassigned at sourceware dot org
          Reporter: wcventure at 126 dot com
                CC: elfutils-devel at sourceware dot org
  Target Milestone: ---

Created attachment 11311
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11311&action=edit
POC

Hi,

I found some floating point exceptions in findtextrel.c in eu-findtextrel of the latest elfutils-0.174 code base. I have confirmed them with GDB and AddressSanitizer. Here are the POC files. I'll also show you the debugging process. It seems that this is caused by a divide-by-zero problem.

> gdb --args ./eu-findtextrel POC3-findtextrel
> GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.5) 7.11.1
> ...
> Reading symbols from ./eu-findtextrel...done.
> (gdb) b 418
> Breakpoint 1 at 0x40379c: file findtextrel.c, line 418.
> (gdb) start
> Temporary breakpoint 2, main (argc=2, argv=0x7ffedfc8) at findtextrel.c:107
> 107     {
> (gdb) c
> Continuing.
>
> Breakpoint 1, process_file (fname=0x7ffee247 "POC3-findtextrel", more_than_one=false) at findtextrel.c:418
> 418           (size_t) cnt < shdr->sh_size / shdr->sh_entsize;
> (gdb) p shdr->sh_entsize
> $2 = 0
> (gdb) n
>
> Program received signal SIGFPE, Arithmetic exception.
> 0x00403810 in process_file (fname=0x7ffee247 "POC3-findtextrel", more_than_one=false) at findtextrel.c:418
> 418           (size_t) cnt < shdr->sh_size / shdr->sh_entsize;
[Bug tools/23755] Multiple floating point exception in findtextrel.c in eu-findtextrel binary of elfutils-v0.174.
https://sourceware.org/bugzilla/show_bug.cgi?id=23755

--- Comment #1 from wcventure ---
Created attachment 11312
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11312&action=edit
POC2

Here is the POC2. Please use "./eu-findtextrel $POC" to reproduce this bug. If you have any questions, please let me know.
[Bug tools/23755] Multiple floating point exception in findtextrel.c in eu-findtextrel binary of elfutils-v0.174.
https://sourceware.org/bugzilla/show_bug.cgi?id=23755

--- Comment #2 from wcventure ---
Created attachment 11313
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11313&action=edit
POC3

Here is the POC3. Please use "./eu-findtextrel $POC" to reproduce this bug. If you have any questions, please let me know.
[Bug tools/23755] Multiple floating point exception in findtextrel.c in eu-findtextrel binary of elfutils-v0.174.
https://sourceware.org/bugzilla/show_bug.cgi?id=23755

--- Comment #3 from wcventure ---
I have also confirmed them with address sanitizer. For example, the ASAN dumps the stack trace as follows:

ASAN:DEADLYSIGNAL
=================================================================
==8794==ERROR: AddressSanitizer: FPE on unknown address 0x00403810 (pc 0x00403810 bp 0x7fffca34e600 sp 0x7fffca34e050 T0)
    #0 0x40380f in process_file /elfutils-0.174/src/findtextrel.c:418
    #1 0x401c24 in main /elfutils-0.174/src/findtextrel.c:147
    #2 0x7f74edb0082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #3 0x401958 in _start (/elfutils-0.174/build/bin/eu-findtextrel+0x401958)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /mnt/c/wcventure/Fuzzing_Object/elfutils-0.174/src/findtextrel.c:418 in process_file
==8794==ABORTING
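Added example for bug 23755 (not elfutils code): the gdb session in the report shows the loop condition at findtextrel.c:418 dividing sh_size by an sh_entsize of 0 read straight from the file's section header, which traps with SIGFPE. Below is a small ELF64 section-table walker that computes an entry count only after rejecting a zero sh_entsize and a section body that lies outside the file. It uses the real Elf64_* types from <elf.h>; the in-memory ET_REL image is constructed for this example, once well-formed and once with sh_entsize zeroed, and the names section_entry_count, count_rela_entries, build_image and example_* are this example's own. Copying struct fields directly out of the bytes assumes a little-endian host, as on the x86_64 machine in the report.

```c
#include <elf.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Number of fixed-size entries in a section, or -1 if the header cannot be
   trusted.  A zero sh_entsize would make sh_size / sh_entsize trap with
   SIGFPE, which is the loop condition the gdb session stops at, so it is
   rejected before any division; a section body outside the file is
   rejected too. */
long section_entry_count (const Elf64_Shdr *sh, size_t file_size)
{
  if (sh->sh_entsize == 0)
    return -1;
  if (sh->sh_type != SHT_NOBITS
      && (sh->sh_offset > file_size || sh->sh_size > file_size - sh->sh_offset))
    return -1;
  return (long) (sh->sh_size / sh->sh_entsize);
}

/* Walk the section header table of an ELF64 image held in memory and return
   the total number of SHT_RELA records, or -1 on the first bad header.
   Assumes the image's byte order is the host's (little-endian x86_64). */
long count_rela_entries (const unsigned char *img, size_t len)
{
  Elf64_Ehdr eh;
  if (len < sizeof eh)
    return -1;
  memcpy (&eh, img, sizeof eh);
  if (memcmp (eh.e_ident, ELFMAG, SELFMAG) != 0
      || eh.e_ident[EI_CLASS] != ELFCLASS64
      || eh.e_shentsize != sizeof (Elf64_Shdr))
    return -1;
  if (eh.e_shoff > len
      || (size_t) eh.e_shnum * sizeof (Elf64_Shdr) > len - eh.e_shoff)
    return -1;                                  /* table outside the file */

  long total = 0;
  for (unsigned i = 0; i < eh.e_shnum; i++)
    {
      Elf64_Shdr sh;
      memcpy (&sh, img + eh.e_shoff + (size_t) i * sizeof sh, sizeof sh);
      if (sh.sh_type != SHT_RELA)
        continue;
      long n = section_entry_count (&sh, len);
      if (n < 0)
        return -1;
      total += n;
    }
  return total;
}

/* Build a constructed ET_REL image: ELF header, a .rela body holding two
   Elf64_Rela records, then a two-entry section table (SHT_NULL, SHT_RELA).
   entsize is written into the SHT_RELA header so callers can corrupt it. */
size_t build_image (unsigned char *out, size_t cap, uint64_t entsize)
{
  const size_t rela_off = sizeof (Elf64_Ehdr);
  const size_t rela_size = 2 * sizeof (Elf64_Rela);
  const size_t shoff = rela_off + rela_size;
  const size_t total = shoff + 2 * sizeof (Elf64_Shdr);
  if (total > cap)
    return 0;
  memset (out, 0, total);

  Elf64_Ehdr eh;
  memset (&eh, 0, sizeof eh);
  memcpy (eh.e_ident, ELFMAG, SELFMAG);
  eh.e_ident[EI_CLASS] = ELFCLASS64;
  eh.e_ident[EI_DATA] = ELFDATA2LSB;
  eh.e_ident[EI_VERSION] = EV_CURRENT;
  eh.e_type = ET_REL;
  eh.e_machine = EM_X86_64;
  eh.e_version = EV_CURRENT;
  eh.e_ehsize = sizeof eh;
  eh.e_shentsize = sizeof (Elf64_Shdr);
  eh.e_shoff = shoff;
  eh.e_shnum = 2;
  memcpy (out, &eh, sizeof eh);

  Elf64_Shdr rela;
  memset (&rela, 0, sizeof rela);
  rela.sh_type = SHT_RELA;
  rela.sh_offset = rela_off;
  rela.sh_size = rela_size;
  rela.sh_entsize = entsize;
  memcpy (out + shoff + sizeof (Elf64_Shdr), &rela, sizeof rela);  /* index 1 */
  return total;
}

long example_wellformed (void)
{
  unsigned char img[256];
  size_t n = build_image (img, sizeof img, sizeof (Elf64_Rela));
  return count_rela_entries (img, n);          /* 2 */
}

/* An otherwise plausible header with sh_entsize zeroed, the value the gdb
   session prints for the POC. */
long example_zero_entsize (void)
{
  unsigned char img[256];
  size_t n = build_image (img, sizeof img, 0);
  return count_rela_entries (img, n);          /* -1 */
}

/* Section table pointing past the end of the file. */
long example_truncated_image (void)
{
  unsigned char img[256];
  size_t n = build_image (img, sizeof img, sizeof (Elf64_Rela));
  return count_rela_entries (img, n - 16);     /* -1 */
}

int main (void)
{
  printf ("well-formed: %ld rela entries\n", example_wellformed ());
  printf ("sh_entsize == 0: %ld\n", example_zero_entsize ());
  printf ("truncated: %ld\n", example_truncated_image ());
  return 0;
}
```

Checking sh_entsize once, up front, is cheaper and clearer than guarding each use of the quotient; the same check belongs in front of every sh_size / sh_entsize loop over symbol, relocation or dynamic sections, since all of those fields come unverified from the input file.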