[Bug tools/32673] eu-strip SEGV (illegal read access) in gelf_getsymshndx (libelf/gelf_getsymshndx.c:123)

[mark at klomp dot org]

https://sourceware.org/bugzilla/show_bug.cgi?id=32673

Mark Wielaard  changed:

   What|Removed |Added

   Assignee|unassigned at sourceware dot org   |mark at klomp dot org
 CC||mark at klomp dot org
   Last reconfirmed||2025-02-13
 Status|UNCONFIRMED |ASSIGNED
 Ever confirmed|0   |1

--- Comment #1 from Mark Wielaard  ---
The problem here is that the symscn is actually a (corrupt) NOBITS section, so
doesn't have any data.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug backends/32684] aarch64 linux 4 build failure: struct user_pac_mask not defined

[mark at klomp dot org]

https://sourceware.org/bugzilla/show_bug.cgi?id=32684

Mark Wielaard  changed:

   What|Removed |Added

 CC||mark at klomp dot org

--- Comment #1 from Mark Wielaard  ---
I think the best you can do is submit a patch to 4.19 upstream to include the
struct user_pac_mask. Or maybe a configure check for elfutils plus a patch so
the struct user_pac_mask is only used when available.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[PATCH] strip: Verify symbol table is a real symbol table

[Mark Wielaard]

We didn't check the symbol table referenced from the relocation table
was a real symbol table. This could cause a crash if that section
happened to be an SHT_NOBITS section without any data. Fix this by
adding an explicit check.

   * src/strip.c (INTERNAL_ERROR_MSG): New macro that takes a
   message string to display.
   (INTERNAL_ERROR): Use INTERNAL_ERROR_MSG with elf_errmsg (-1).
   (remove_debug_relocations): Check the sh_link referenced
   section is real and isn't a SHT_NOBITS section.

https://sourceware.org/bugzilla/show_bug.cgi?id=32673

Signed-off-by: Mark Wielaard 
---
 src/strip.c | 14 +++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/src/strip.c b/src/strip.c
index 3812fb17a3b8..8d2bb7a959f0 100644
--- a/src/strip.c
+++ b/src/strip.c
@@ -126,13 +126,14 @@ static char *tmp_debug_fname = NULL;
 /* Close debug file descriptor, if opened. And remove temporary debug file.  */
 static void cleanup_debug (void);
 
-#define INTERNAL_ERROR(fname) \
+#define INTERNAL_ERROR_MSG(fname, msg) \
   do { \
 cleanup_debug (); \
 error_exit (0, _("%s: INTERNAL ERROR %d (%s): %s"),
\
-   fname, __LINE__, PACKAGE_VERSION, elf_errmsg (-1)); \
+   fname, __LINE__, PACKAGE_VERSION, msg); \
   } while (0)
 
+#define INTERNAL_ERROR(fname) INTERNAL_ERROR_MSG(fname, elf_errmsg (-1))
 
 /* Name of the output file.  */
 static const char *output_fname;
@@ -631,7 +632,14 @@ remove_debug_relocations (Ebl *ebl, Elf *elf, GElf_Ehdr 
*ehdr,
 resolve relocation symbol indexes.  */
  Elf64_Word symt = shdr->sh_link;
  Elf_Data *symdata, *xndxdata;
- Elf_Scn * symscn = elf_getscn (elf, symt);
+ Elf_Scn *symscn = elf_getscn (elf, symt);
+ GElf_Shdr symshdr_mem;
+ GElf_Shdr *symshdr = gelf_getshdr (symscn, &symshdr_mem);
+ if (symshdr == NULL)
+   INTERNAL_ERROR (fname);
+ if (symshdr->sh_type == SHT_NOBITS)
+   INTERNAL_ERROR_MSG (fname, "NOBITS section");
+
  symdata = elf_getdata (symscn, NULL);
  xndxdata = get_xndxdata (elf, symscn);
  if (symdata == NULL)
-- 
2.48.1

[PATCH] scr: fix DEREF_OF_NULL.RET.STAT in ar.c

[Anton Moryakov]

Report of the static analyzer:
1. DEREF_OF_NULL.RET Pointer, returned from function 'elf_getarhdr' at 
ar.c:498, may be NULL and is dereferenced at ar.c:500.
2. DEREF_OF_NULL.RET Pointer, returned from function 'elf_getarhdr' at 
ar.c:940, may be NULL and is dereferenced at ar.c:943
3. DEREF_OF_NULL.RET Pointer, returned from function 'elf_getarhdr' at 
ar.c:1147, may be NULL and is dereferenced at ar.c:1150.
4. DEREF_OF_NULL.RET.STAT Return value of a function 'elf_rawfile' is 
dereferenced at ar.c:857 without checking for NULL, but it is usually checked 
for this function (4/5)

Corrections explained:
Added check if (arhdr == NULL) goto next;

Triggers found by static analyzer Svace.

Signed-off-by: Anton Moryakov 

---
 src/ar.c | 12 
 1 file changed, 12 insertions(+)

diff --git a/src/ar.c b/src/ar.c
index 9ace28b9..4b90115d 100644
--- a/src/ar.c
+++ b/src/ar.c
@@ -498,6 +498,9 @@ do_oper_extract (int oper, const char *arfname, char 
**argv, int argc,
   while ((subelf = elf_begin (fd, cmd, elf)) != NULL)
 {
   Elf_Arhdr *arhdr = elf_getarhdr (subelf);
+ 
+ if (arhdr == NULL)
+   goto next;
 
   if (strcmp (arhdr->ar_name, "/") == 0)
{
@@ -860,6 +863,9 @@ write_member (struct armem *memb, off_t *startp, off_t 
*lenp, Elf *elf,
 {
   /* In case of a long file name we assume the archive header
 changed and we write it here.  */
+
+ if (arhdr == NULL)
+   goto next;
   memcpy (&arhdr, elf_rawfile (elf, NULL) + *startp, sizeof (arhdr));
 
   snprintf (tmpbuf, sizeof (tmpbuf), "/%-*ld",
@@ -943,6 +949,9 @@ do_oper_delete (const char *arfname, char **argv, int argc,
   while ((subelf = elf_begin (fd, cmd, elf)) != NULL)
 {
   Elf_Arhdr *arhdr = elf_getarhdr (subelf);
+ 
+ if (arhdr == NULL)
+   goto next;
 
   /* Ignore the symbol table and the long file name table here.  */
   if (strcmp (arhdr->ar_name, "/") == 0
@@ -1152,6 +1161,9 @@ do_oper_insert (int oper, const char *arfname, char 
**argv, int argc,
   while ((subelf = elf_begin (fd, cmd, elf)) != NULL)
 {
   Elf_Arhdr *arhdr = elf_getarhdr (subelf);
+ 
+ if (arhdr == NULL)
+   goto next;
 
   /* Ignore the symbol table and the long file name table here.  */
   if (strcmp (arhdr->ar_name, "/") == 0
-- 
2.30.2

[PATCH] src: fix DEREF_OF_NULL.RET.STAT in readelf.c in

[Anton Moryakov]

Static analyzer reported:
Return value of a function 'gelf_getehdr' is dereferenced at readelf.c:12443
without checking for NULL, but it is usually checked for this function (53/54).

Corrections explained:
- Added a NULL check for the ehdr variable

Triggers found by static analyzer Svace.

Signed-off-by: Anton Moryakov 
---
 src/readelf.c | 5 +
 1 file changed, 5 insertions(+)

diff --git a/src/readelf.c b/src/readelf.c
index 6526db07..3bdfb391 100644
--- a/src/readelf.c
+++ b/src/readelf.c
@@ -12440,6 +12440,11 @@ handle_core_item (Elf *core, const Ebl_Core_Item 
*item, const void *desc,
 field went into the high half of USEC.  */
  GElf_Ehdr ehdr_mem;
  GElf_Ehdr *ehdr = gelf_getehdr (core, &ehdr_mem);
+ if (unlikely(ehdr == NULL))
+ {
+   fprintf(stderr, "Failed to get ELF header\n");
+   return;
+ }
  if (likely (ehdr->e_ident[EI_DATA] == ELFDATA2MSB))
usec >>= 32;
  else
-- 
2.30.2

[PATCH] src: fix DEREF_OF_NULL.RET.STAT in unstrip.c

[Anton Moryakov]

Static analyzer reported:
Return value of a function 'elf_getdata' is dereferenced at unstrip.c:1977
without checking for NULL, but it is usually checked for this function (97/101).

Corrections explained:
- Added a check for NULL for the symstrdata variable before calling 
dwelf_strtab_finalize.
- If symstrdata is NULL, the program exits with an error.

Triggers found by static analyzer Svace.

Signed-off-by: Anton Moryakov 
---
 src/unstrip.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/unstrip.c b/src/unstrip.c
index d70053de..35c04700 100644
--- a/src/unstrip.c
+++ b/src/unstrip.c
@@ -1974,6 +1974,9 @@ more sections in stripped file than debug file -- 
arguments reversed?"));
}
}
 
+  if (symstrdata == NULL)
+   error_exit (0, "Failed to get data from symbol string table");
+
   if (dwelf_strtab_finalize (symstrtab, symstrdata) == NULL)
error_exit (0, "Not enough memory to create symbol table");
 
-- 
2.30.2

Re: [PATCH] libdw: Simplify __libdw_getabbrev and fix dwarf_offabbrev issue

[Aaron Merey]

Hi Mark,

On Mon, Feb 10, 2025 at 10:49 AM Mark Wielaard  wrote:
>
> __libdw_getabbrev could crash on reading a bad abbrev by trying to
> deallocate memory it didn't allocate itself. This could happen because
> dwarf_offabbrev would supply its own memory when calling
> __libdw_getabbrev. No other caller did this.
>
> Simplify the __libdw_getabbrev common code by not taking external
> memory to put the abbrev result in (this would also not work correctly
> if the abbrev was already cached). And make dwarf_offabbrev explicitly
> copy the result (if there was no error or end of abbrev).
>
>  * libdw/dwarf_getabbrev.c (__libdw_getabbrev): Don't take
>  Dwarf_Abbrev result argument. Always just allocate abb when
>  abbrev not found in cache.
>  (dwarf_getabbrev): Don't pass NULL as last argument to
>  __libdw_getabbrev.
> * libdw/dwarf_tag.c (__libdw_findabbrev): Likewise.
> * libdw/dwarf_offabbrev.c (dwarf_offabbrev): Likewise. And copy
> abbrev into abbrevp on success.
> * libdw/libdw.h (dwarf_offabbrev): Document return values.
> * libdw/libdwP.h (__libdw_getabbrev): Don't take Dwarf_Abbrev
> result argument.
>
> https://sourceware.org/bugzilla/show_bug.cgi?id=32650
>
> Signed-off-by: Mark Wielaard 

LGTM.

Aaron

[PATCH] src: fix DEREF_OF_NULL.RET.STAT in readelf.c in

[Anton Moryakov]

Static analyzer reported:
Return value of a function 'elf_strptr' is dereferenced at readelf.c:7171
without checking for NULL, but it is usually checked for this function (71/74).

Corrections explained:
- Added a NULL check for the scnname variable, which contains the result of
  the elf_strptr call.
- The check is placed before the first use of scnname to prevent dereferencing
  a NULL pointer.

Triggers found by static analyzer Svace.

Signed-off-by: Anton Moryakov 
---
 src/readelf.c | 5 +
 1 file changed, 5 insertions(+)

diff --git a/src/readelf.c b/src/readelf.c
index 6526db07..86ab3d37 100644
--- a/src/readelf.c
+++ b/src/readelf.c
@@ -7168,6 +7168,11 @@ print_debug_frame_section (Dwfl_Module *dwflmod, Ebl 
*ebl, GElf_Ehdr *ehdr,
   return;
 }
 
+  if (scnname == NULL)
+{
+  error (0, 0, _("cannot get section name: %s"), elf_errmsg (-1));
+  return;
+}
   bool is_eh_frame = strcmp (scnname, ".eh_frame") == 0;
   Elf_Data *data;
   if (is_eh_frame)
-- 
2.30.2

Re: [PATCH] readelf: Handle NULL phdr in handle_dynamic_symtab

[Aaron Merey]

Hi Mark,

On Mon, Feb 10, 2025 at 1:32 PM Mark Wielaard  wrote:
>
> A corrupt ELF file can have broken program headers, in which case
> gelf_getphdr returns NULL. This could crash handle_dynamic_symtab
> while searching for the PT_DYNAMIC phdr. Fix this by checking whether
> gelf_phdr returns NULL.
>
>   * src/readelf.c (handle_dynamic_symtab): Check whether
>   gelf_getphdr returns NULL.
>
> https://sourceware.org/bugzilla/show_bug.cgi?id=32655
>
> Signed-off-by: Mark Wielaard 

LGTM.

Aaron

Re: [PATCH] readelf: Skip trying to uncompress sections without a name

[Aaron Merey]

Hi Mark,

On Mon, Feb 10, 2025 at 1:37 PM Mark Wielaard  wrote:
>
> When combining eu-readelf -z with -x or -p to dump the data or strings
> in an (corrupted ELF) unnamed numbered section eu-readelf could crash
> trying to check whether the section name starts with .zdebug. Fix this
> by skipping sections without a name.
>
>* src/readelf.c (dump_data_section): Don't try to gnu decompress a
>section without a name.
>(print_string_section): Likewise.
>
> https://sourceware.org/bugzilla/show_bug.cgi?id=32656
>
> Signed-off-by: Mark Wielaard 

LGTM.

Aaron

Re: [PATCH] libelf, readelf: Use validate_str also to check dynamic symstr data

[Aaron Merey]

Hi Mark,

On Mon, Feb 10, 2025 at 1:27 PM Mark Wielaard  wrote:
>
> When dynsym/str was read through eu-readelf --dynamic by readelf
> process_symtab the string data was not validated, possibly printing
> unallocated memory past the end of the symstr data. Fix this by
> truning the elf_strptr validate_str function into a generic
> lib/system.h helper function and use it in readelf to validate the
> strings before use.
>
> * libelf/elf_strptr.c (validate_str): Remove to...
> * lib/system.h (validate_str): ... here. Make inline, simplify
> check and document.
> * src/readelf.c (process_symtab): Use validate_str on symstr_data.
>
> https://sourceware.org/bugzilla/show_bug.cgi?id=32654
>
> Signed-off-by: Mark Wielaard 

In the commit message "truning" should be "turning". Besides that LGTM.

Aaron

[PATCH] src: fix DEREF_OF_NULL.RET in readelf.c

[Anton Moryakov]

Report of the static analyzer:
DEREF_OF_NULL.RET Pointer, returned from function 'elf_getarhdr' at 
readelf.c:13551, 
may be NULL and is dereferenced at readelf.c:13553.

Corrections explained:
- Added a NULL check for the pointer returned by `elf_getarhdr`.
- If the pointer is NULL, release resources with `elf_end` and skip
  the current iteration using `continue`.

Triggers found by static analyzer Svace.

Signed-off-by: Anton Moryakov 
---
 src/readelf.c | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/readelf.c b/src/readelf.c
index 6526db07..4c14fc21 100644
--- a/src/readelf.c
+++ b/src/readelf.c
@@ -13549,7 +13549,11 @@ dump_archive_index (Elf *elf, const char *fname)
  as_off, fname, elf_errmsg (-1));
 
  const Elf_Arhdr *h = elf_getarhdr (subelf);
-
+ if (h == NULL)
+   {
+   elf_end(subelf);
+   continue;
+   }
  printf (_("Archive member '%s' contains:\n"), h->ar_name);
 
  elf_end (subelf);
-- 
2.30.2

Re: [PATCH] libelf: Handle elf_strptr on section without any data

[Aaron Merey]

Hi Mark,

On Wed, Feb 12, 2025 at 6:16 PM Mark Wielaard  wrote:
>
> In the unlikely situation that elf_strptr was called on a section with
> sh_size already set, but that doesn't have any data yet we could crash
> trying to verify the string to return.
>
> This could happen for example when a new section was created with
> elf_newscn, but no data having been added yet.
>
> * libelf/elf_strptr.c (elf_strptr): Check strscn->rawdata_base
> is not NULL.
>
> https://sourceware.org/bugzilla/show_bug.cgi?id=32672
>
> Signed-off-by: Mark Wielaard 

LGTM.

Aaron

Re: [PATCH] strip: Verify symbol table is a real symbol table

[Aaron Merey]

Hi Mark,

On Thu, Feb 13, 2025 at 9:04 AM Mark Wielaard  wrote:
>
> We didn't check the symbol table referenced from the relocation table
> was a real symbol table. This could cause a crash if that section
> happened to be an SHT_NOBITS section without any data. Fix this by
> adding an explicit check.
>
>* src/strip.c (INTERNAL_ERROR_MSG): New macro that takes a
>message string to display.
>(INTERNAL_ERROR): Use INTERNAL_ERROR_MSG with elf_errmsg (-1).
>(remove_debug_relocations): Check the sh_link referenced
>section is real and isn't a SHT_NOBITS section.
>
> https://sourceware.org/bugzilla/show_bug.cgi?id=32673
>
> Signed-off-by: Mark Wielaard 

LGTM.

Aaron

[Bug libelf/32689] New: Robustify [g]elf functions that take (nobits) Elf_Data arguments

[mark at klomp dot org]

https://sourceware.org/bugzilla/show_bug.cgi?id=32689

Bug ID: 32689
   Summary: Robustify [g]elf functions that take (nobits) Elf_Data
arguments
   Product: elfutils
   Version: unspecified
Status: NEW
  Severity: normal
  Priority: P2
 Component: libelf
  Assignee: unassigned at sourceware dot org
  Reporter: mark at klomp dot org
CC: elfutils-devel at sourceware dot org
  Target Milestone: ---

The Elf_Data returned from a SHT_NOBITS section have their d_size set, but
d_buf will be NULL. In most (all?) cases calling an [g]elf function using such
Elf_Data is a user error. The function might crash by just using d_buf directly
without checking it is NULL. It would be better if the functions would simply
return an error. Most already return an error when provided with a NULL
Elf_Data.

Lets audit (and maybe add a test) for:

- elf32_xlatetom, elf64_xlatetom, gelf_xlatetom
- elf32_xlatetof, elf64_xlatetof, gelf_xlatetof
- gelf_getrel
- gelf_getrela
- gelf_update_rel
- gelf_update_rela
- gelf_getsym
- gelf_update_sym
- gelf_getsymshndx
- gelf_update_symshndx
- gelf_getsyminfo
- gelf_update_syminfo
- gelf_getdyn
- gelf_update_dyn
- gelf_getmove
- gelf_update_move
- gelf_getlib
- gelf_update_lib
- gelf_getversym
- gelf_update_versym
- gelf_getverneed
- gelf_update_verneed
- gelf_getvernaux
- gelf_update_vernaux
- gelf_getverdef
- gelf_update_verdef
- gelf_getverdaux
- gelf_update_verdaux
- gelf_getauxv
- gelf_update_auxv
- gelf_getnote

-- 
You are receiving this mail because:
You are on the CC list for the bug.