Re: [PATCH] backends/ppc_attrs.c: Add PPC long double tags

2025-05-27 Thread Mark Wielaard
Hi,

On Tue, 2025-05-27 at 00:05 -0500, A. Wilcox wrote:
> When an explicit type of long double is specified in the ELF
> GNU_Power_ABI_FP attribute, elflint and friends were erroring out:
> 
> section [36] '.gnu.attributes': offset 15: unrecognized GNU_Power_ABI_FP 
> attribute value 9
> 
> Add the different long double tags to fp_kinds so that these values
> are correctly recognised and printed.

This is probably correct, but do you happen to have a reference where
these GNU_Power_ABI_FP attribute values are defined? Then we can add that to
the source as a comment so we can easily look them up in the future.

Cheers,

Mark

> Signed-off-by: A. Wilcox 
> ---
>  backends/ppc_attrs.c | 12 
>  1 file changed, 12 insertions(+)
> 
> diff --git a/backends/ppc_attrs.c b/backends/ppc_attrs.c
> index 48d7129d..6b00bccd 100644
> --- a/backends/ppc_attrs.c
> +++ b/backends/ppc_attrs.c
> @@ -52,6 +52,18 @@ ppc_check_object_attribute (Ebl *ebl __attribute__ 
> ((unused)),
>   "Hard float",
>   "Soft float",
>   "Single-precision hard float",
> + "Hard or soft float (IBM style long doubles)",
> + "Hard float (IBM style long doubles)",
> + "Soft float (IBM style long doubles)",
> + "Single-precision hard float (IBM style long doubles)",
> + "Hard or soft float (64-bit long doubles)",
> + "Hard float (64-bit long doubles)",
> + "Soft float (64-bit long doubles)",
> + "Single-precision hard float (64-bit long doubles)",
> + "Hard or soft float (IEEE 128-bit long doubles)",
> + "Hard float (IEEE 128-bit long doubles)",
> + "Soft float (IEEE 128-bit long doubles)",
> + "Single-precision hard float (IEEE 128-bit long doubles)",
> };
>   if (value < sizeof fp_kinds / sizeof fp_kinds[0])
> *value_name = fp_kinds[value];
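Review bot: The 16-entry table is only right if the attribute value is a bit-packed encoding, and nothing in the hunk says so; the ordering of the added strings implies the low two bits select the float kind and the next two bits the long-double kind, but a reader cannot check that entry 9 really means "Hard float (64-bit long doubles)" without working that out. A one-line comment above the table would make the layout verifiable, e.g. `/* Indexed by attribute value: bits 0-1 give the float kind (any, hard, soft, single), bits 2-3 the long double kind (any, IBM, 64-bit, IEEE 128-bit).  */`. The fp_kinds array and the enclosing ppc_check_object_attribute start before the hunk; the bounds check on the trailing context lines already covers the new indices, so no code change is needed.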


[PATCH 2/3 v3] src/readelf.c: Support concurrency for -w, --debug-dump

2025-05-27 Thread Aaron Merey
Implement concurrent execution of print_debug_* functions during handling
of -w, --debug-dump using libthread.a.

A new `-C, --concurrency=NUM` command line option controls the maximum
number of threads that may be used. This value defaults to the number of CPUs.

Job output is buffered and printed in the order that jobs were added to
the queue. This helps preserve the existing order of stdout output. Full
support for output buffering in print_debug_* functions is added in the
next patch in this series.

* src/readelf.c (default_concurrency): Function estimating the
maximum number of threads.
(parse_opt): Handle -C, --concurrency=NUM.
(do_job): Entry point function for threads.
(schedule_job): If thread safety is enabled, add job to the
job queue.  Otherwise just run the job from the main thread.
(print_debug): Pass print_debug_* function pointers and
args to schedule_job. Also call run_jobs if thread safety
is enabled.

Signed-off-by: Aaron Merey 

---
v3:
Replace assert before run_jobs with a conditional.

 src/readelf.c | 153 --
 1 file changed, 149 insertions(+), 4 deletions(-)

diff --git a/src/readelf.c b/src/readelf.c
index b7dba390..e3aece8b 100644
--- a/src/readelf.c
+++ b/src/readelf.c
@@ -57,6 +57,18 @@
 
 #include "../libdw/known-dwarf.h"
 
+#ifdef USE_LOCKS
+#include "threadlib.h"
+#endif
+
+#ifdef HAVE_SCHED_H
+#include 
+#endif
+
+#ifdef HAVE_SYS_RESOURCE_H
+#include 
+#endif
+
 #ifdef __linux__
 #define CORE_SIGILL  SIGILL
 #define CORE_SIGBUS  SIGBUS
@@ -150,6 +162,10 @@ static const struct argp_option options[] =
 N_("Ignored for compatibility (lines always wide)"), 0 },
   { "decompress", 'z', NULL, 0,
 N_("Show compression information for compressed sections (when used with 
-S); decompress section before dumping data (when used with -p or -x)"), 0 },
+#ifdef USE_LOCKS
+  { "concurrency", 'C', "NUM", 0,
+N_("Set maximum number of threads. Defaults to the number of CPUs."), 0 },
+#endif
   { NULL, 0, NULL, 0, NULL, 0 }
 };
 
@@ -249,6 +265,11 @@ static bool print_decompress = false;
 /* True if we want to show split compile units for debug_info skeletons.  */
 static bool show_split_units = false;
 
+#if USE_LOCKS
+/* Maximum number of threads.  */
+static int max_threads = -1;
+#endif
+
 /* Select printing of debugging sections.  */
 static enum section_e
 {
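Review bot: `#if USE_LOCKS` guarding the new max_threads definition is inconsistent with `#ifdef USE_LOCKS`, which every other hunk of this patch uses (the include block, the options table, default_concurrency and the call in main); the same `#if` form appears again in the parse_opt hunk around `case 'C'`. The two forms agree only while USE_LOCKS is either undefined or defined to a non-zero value; if the build ever defines it as empty, `#if USE_LOCKS` fails to preprocess, and under -Wundef the two spellings warn differently, so the variable and option handler could be compiled out while the option table entry and the default_concurrency call stay in. Use `#ifdef USE_LOCKS` here and in parse_opt so all guards are the same test.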
@@ -380,6 +401,43 @@ cleanup_list (struct section_argument *list)
 }
 }
 
+#ifdef USE_LOCKS
+/* Estimate the maximum number of threads. This is normally
+   #CPU.  Return value is guaranteed to be at least 1.  */
+static int
+default_concurrency (void)
+{
+  unsigned aff = 0;
+#ifdef HAVE_SCHED_GETAFFINITY
+  {
+int ret;
+cpu_set_t mask;
+CPU_ZERO (&mask);
+ret = sched_getaffinity (0, sizeof(mask), &mask);
+if (ret == 0)
+  aff = CPU_COUNT (&mask);
+  }
+#endif
+
+  unsigned fn = 0;
+#ifdef HAVE_GETRLIMIT
+  {
+struct rlimit rlim;
+int rc = getrlimit (RLIMIT_NOFILE, &rlim);
+if (rc == 0)
+  fn = MAX ((rlim_t) 1, (rlim.rlim_cur - 100) / 2);
+/* Conservatively estimate that at least 2 fds are used
+   by each thread.  */
+  }
+#endif
+
+  unsigned d = MIN (MAX (aff, 2U),
+   MAX (fn, 2U));
+
+  return d;
+}
+#endif
+
 int
 main (int argc, char *argv[])
 {
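Review bot: `(rlim.rlim_cur - 100) / 2` wraps when the soft RLIMIT_NOFILE is below 100, because rlim_t is unsigned; the MAX against `(rlim_t) 1` then keeps the huge wrapped value, fn becomes very large after truncation to unsigned, and the fd-based cap silently stops applying just when descriptors are scarcest. Guard the subtraction, `fn = rlim.rlim_cur > 100 ? (rlim.rlim_cur - 100) / 2 : 1;`, so a tiny limit yields 1 rather than wrapping. The header comment also says the result is "guaranteed to be at least 1", but the final `MIN (MAX (aff, 2U), MAX (fn, 2U))` never returns less than 2; either say "at least 2" or explain why 2 is the floor even on a single-CPU box.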
@@ -403,6 +461,12 @@ main (int argc, char *argv[])
   /* Before we start tell the ELF library which version we are using.  */
   elf_version (EV_CURRENT);
 
+#ifdef USE_LOCKS
+  /* If concurrency wasn't set by argp_parse, then set a default value.  */
+  if (max_threads == -1)
+max_threads = default_concurrency ();
+#endif
+
   /* Now process all the files given at the command line.  */
   bool only_one = remaining + 1 == argc;
   do
@@ -527,6 +591,16 @@ parse_opt (int key, char *arg,
 case 'c':
   print_archive_index = true;
   break;
+#if USE_LOCKS
+case 'C':
+  if (arg != NULL)
+   {
+ max_threads = atoi (arg);
+ if (max_threads < 1)
+   error (1, 0, _("-C NUM minimum 1"));
+   }
+  break;
+#endif
 case 'w':
   if (arg == NULL)
{
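Review bot: `max_threads = atoi (arg)` gives no error indication, so `-C 4x` is accepted as 4 and `-C abc` becomes 0 and is rejected with the misleading "-C NUM minimum 1", while a value above INT_MAX is undefined behaviour in atoi. Parse with strtol and check the end pointer, errno and the int range before assigning, as below; INT_MAX needs <limits.h> and errno needs <errno.h> if readelf.c does not already include them, which I cannot see from the hunk. parse_opt continues outside the hunk.
```c
    case 'C':
      if (arg != NULL)
        {
          char *end;
          errno = 0;
          long n = strtol (arg, &end, 10);
          if (end == arg || *end != '\0' || errno == ERANGE || n < 1 || n > INT_MAX)
            error (1, 0, _("-C NUM minimum 1"));
          max_threads = (int) n;
        }
      break;
```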
@@ -5492,7 +5566,7 @@ listptr_base (struct listptr *p)
 }
 
 /* To store the name used in compare_listptr */
-static const char *sort_listptr_name;
+_Thread_local const char *sort_listptr_name;
 
 static int
 compare_listptr (const void *a, const void *b)
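Review bot: Replacing `static const char *sort_listptr_name;` with `_Thread_local const char *sort_listptr_name;` drops the `static`, so the variable now has external linkage and becomes a visible symbol in the readelf binary for no reason; keep both qualifiers, `static _Thread_local const char *sort_listptr_name;`. The existing comment only says what the variable stores, so a reader of the new line will not know why it became thread-local; extend it to `/* To store the name used in compare_listptr.  Thread-local because print_debug_* jobs may sort concurrently.  */`, assuming that is indeed the reason, since the job code is in a later hunk.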
@@ -11950,6 +12024,65 @@ getone_dwflmod (Dwfl_Module *dwflmod,
   return DWARF_CB_OK;
 }
 
+typedef struct {
+  Dwfl_Module *dwflmod;
+  Ebl *ebl;
+  GElf_Ehdr *ehdr;
+  Elf_Scn scn;
+  GElf_Shdr shdr;
+  Dwarf *dbg;
+  FILE *out;
+  void (*fp) (Dwfl_Module *, Ebl *, GElf_Ehdr *,
+  Elf_Scn *, GElf_Shdr *, Dwarf *, FILE *);
+} job_data;
+
+#ifdef USE_LOCKS
+
+/* Thread entry point.  */
+static void *
+do_job (void *data, FILE *out)
+{
+  job_data *d = (job_data *) data;
+  d->fp (d->dwflmod, d->ebl, d->ehdr, &d->scn, &d->

[Bug tools/33005] New: Dynamic Stack Buffer Overflow in eu-unstrip's new_shstrtab Function

2025-05-27 Thread xdcao.cs at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=33005

Bug ID: 33005
   Summary: Dynamic Stack Buffer Overflow in eu-unstrip's
new_shstrtab Function
   Product: elfutils
   Version: unspecified
Status: UNCONFIRMED
  Severity: normal
  Priority: P2
 Component: tools
  Assignee: unassigned at sourceware dot org
  Reporter: xdcao.cs at gmail dot com
CC: elfutils-devel at sourceware dot org
  Target Milestone: ---

Summary
Dynamic Stack Buffer Overflow in eu-unstrip's new_shstrtab Function

Environment
elfutils version: 0.192
OS: Ubuntu 22.04.5 LTS


Steps to reproduce
# export CFLAGS="-g -O0 -fno-inline -fno-lto -fsanitize=address"
# export CXXFLAGS="-g -O0 -fno-inline -fno-lto -fsanitize=address"
#  ./configure --enable-maintainer-mode --disable-debuginfod
# make -j64 & make install


root@c6c01f72391e:# ./eu-unstrip -F POC/POC1 POC/POC2
=
==549005==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address
0x7ffd6ef87470 at pc 0x004dd808 bp 0x7ffd6ef87390 sp 0x7ffd6ef87388
WRITE of size 8 at 0x7ffd6ef87470 thread T0
#0 0x4dd807 in new_shstrtab
/workspace/new-test/program/elfutils/src/unstrip.c:1380:50
#1 0x4d2183 in copy_elided_sections
/workspace/new-test/program/elfutils/src/unstrip.c:1682:27
#2 0x4cfc2a in handle_file
/workspace/new-test/program/elfutils/src/unstrip.c:2234:5
#3 0x4ce648 in handle_explicit_files
/workspace/new-test/program/elfutils/src/unstrip.c:2331:3
#4 0x4ccf0e in main
/workspace/new-test/program/elfutils/src/unstrip.c:2661:2
#5 0x7f11d46bdd8f in __libc_start_call_main
csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#6 0x7f11d46bde3f in __libc_start_main csu/../csu/libc-start.c:392:3
#7 0x420764 in _start
(/workspace/new-test/fuzzdir/fz-elfutils/fz-eu-unstrip/eu-unstrip+0x420764)

Address 0x7ffd6ef87470 is located in stack of thread T0
SUMMARY: AddressSanitizer: dynamic-stack-buffer-overflow
/workspace/new-test/program/elfutils/src/unstrip.c:1380:50 in new_shstrtab
Shadow bytes around the buggy address:
  0x10002dde8e30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10002dde8e40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10002dde8e50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10002dde8e60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10002dde8e70: 00 00 00 00 ca ca ca ca 00 00 00 00 00 00 00 00
=>0x10002dde8e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[cb]cb
  0x10002dde8e90: cb cb cb cb f1 f1 f1 f1 f8 f8 f8 f8 f8 f8 f8 f8
  0x10002dde8ea0: f2 f2 f2 f2 f8 f8 f8 f8 f8 f8 f8 f8 f3 f3 f3 f3
  0x10002dde8eb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10002dde8ec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10002dde8ed0: ca ca ca ca 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:   00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:   fa
  Freed heap region:   fd
  Stack left redzone:  f1
  Stack mid redzone:   f2
  Stack right redzone: f3
  Stack after return:  f5
  Stack use after scope:   f8
  Global redzone:  f9
  Global init order:   f6
  Poisoned by user:f7
  Container overflow:  fc
  Array cookie:ac
  Intra object redzone:bb
  ASan internal:   fe
  Left alloca redzone: ca
  Right alloca redzone:cb
  Shadow gap:  cc
==549005==ABORTING


POC
https://drive.google.com/file/d/1PIomLS8od5Rd0w_ru5HGr84d501OM5oa/view?usp=sharing


Credit
Xiaoguo Li (CUPL)
Xudong Cao (UCAS)


[Bug tools/33006] New: Stack Buffer Overflow in eu-objdump's riscv_disasm Function

2025-05-27 Thread xdcao.cs at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=33006

Bug ID: 33006
   Summary: Stack Buffer Overflow in eu-objdump's riscv_disasm
Function
   Product: elfutils
   Version: unspecified
Status: UNCONFIRMED
  Severity: normal
  Priority: P2
 Component: tools
  Assignee: unassigned at sourceware dot org
  Reporter: xdcao.cs at gmail dot com
CC: elfutils-devel at sourceware dot org
  Target Milestone: ---

Summary
Stack Buffer Overflow in eu-objdump's riscv_disasm Function

Environment
elfutils version: 0.192
OS: Ubuntu 22.04.5 LTS


Steps to reproduce
# export CFLAGS="-g -O0 -fno-inline -fno-lto -fsanitize=address"
# export CXXFLAGS="-g -O0 -fno-inline -fno-lto -fsanitize=address"
#  ./configure --enable-maintainer-mode --disable-debuginfod
# make -j64 & make install


root@c6c01f72391e:# ./eu-objdump -d
POC_elfutils_eu-objdump_stack-buffer-overflow 
POC_elfutils_eu-objdump_stack-buffer-overflow: elf64-elf_riscv

Disassembly of section .text:

   0:48 8d0x8d48
   2:a4 24fld fs1,72(s1) 
   4:68 ffsd  a0,248(a4) 
=
==712103==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7fff25e11902 at pc 0x0043e841 bp 0x7fff25e11580 sp 0x7fff25e10d18
WRITE of size 5 at 0x7fff25e11902 thread T0
#0 0x43e840 in vsnprintf
(/workspace/new-test/fuzzdir/fz-elfutils/fz-eu-objdump/eu-objdump+0x43e840)
#1 0x43fe66 in __snprintf_chk
(/workspace/new-test/fuzzdir/fz-elfutils/fz-eu-objdump/eu-objdump+0x43fe66)
#2 0x548c93 in riscv_disasm
/workspace/new-test/program/elfutils/libcpu/riscv_disasm.c:1308:12
#3 0x7fa5aed94923 in disasm_cb
/workspace/new-test/program/elfutils/libasm/disasm_cb.c:178:10
#4 0x4cefc4 in show_disasm
/workspace/new-test/program/elfutils/src/objdump.c:736:4
#5 0x4cdd3c in handle_elf
/workspace/new-test/program/elfutils/src/objdump.c:783:14
#6 0x4cccee in process_file
/workspace/new-test/program/elfutils/src/objdump.c:250:17
#7 0x4cc998 in main
/workspace/new-test/program/elfutils/src/objdump.c:163:12
#8 0x7fa5ae74bd8f in __libc_start_call_main
csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#9 0x7fa5ae74be3f in __libc_start_main csu/../csu/libc-start.c:392:3
#10 0x420734 in _start
(/workspace/new-test/fuzzdir/fz-elfutils/fz-eu-objdump/eu-objdump+0x420734)

Address 0x7fff25e11902 is located in stack of thread T0 at offset 642 in frame
#0 0x54813f in riscv_disasm
/workspace/new-test/program/elfutils/libcpu/riscv_disasm.c:117

  This frame has 6 object(s):
[32, 544) 'initbuf' (line 121)
[608, 640) 'mnebuf' (line 167) <== Memory access at offset 642 overflows
this variable
[672, 712) 'op' (line 168)
[752, 784) 'immbuf' (line 169)
[816, 848) 'addrbuf' (line 172)
[880, 896) 'key' (line 1258)
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism, swapcontext or vfork
  (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow
(/workspace/new-test/fuzzdir/fz-elfutils/fz-eu-objdump/eu-objdump+0x43e840) in
vsnprintf
Shadow bytes around the buggy address:
  0x100064bba2d0: f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00 00
  0x100064bba2e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100064bba2f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100064bba300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100064bba310: 00 00 00 00 f2 f2 f2 f2 f2 f2 f2 f2 00 00 00 00
=>0x100064bba320:[f2]f2 f2 f2 00 00 00 00 00 f2 f2 f2 f2 f2 00 00
  0x100064bba330: 00 00 f2 f2 f2 f2 00 00 00 00 f2 f2 f2 f2 f8 f8
  0x100064bba340: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x100064bba350: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100064bba360: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100064bba370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:   00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:   fa
  Freed heap region:   fd
  Stack left redzone:  f1
  Stack mid redzone:   f2
  Stack right redzone: f3
  Stack after return:  f5
  Stack use after scope:   f8
  Global redzone:  f9
  Global init order:   f6
  Poisoned by user:f7
  Container overflow:  fc
  Array cookie:ac
  Intra object redzone:bb
  ASan internal:   fe
  Left alloca redzone: ca
  Right alloca redzone:cb
  Shadow gap:  cc
==712103==ABORTING

POC
https://drive.google.com/file/d/1YdviqwGYIv659lqkCrpGVA9QsfakD8_u/view?usp=sharing


Credit
Xiaoguo Li (CUPL)
Xudong Cao (UCAS)


Re: [PATCH v2] libdw: Fix eu_search_tree TOCTOU bugs

2025-05-27 Thread Mark Wielaard
Hi Aaron,

On Mon, May 19, 2025 at 03:10:30PM -0400, Aaron Merey wrote:
> eu_tfind is used to facilitate lazy loading throughout libdw.
> If a result is not found via eu_tfind, work is done to load
> the result and cache it in an eu_search_tree.
> 
> Some calls to eu_tfind allow for TOCTOU bugs.  Multiple threads
> might race to call eu_tfind on some result that hasn't yet been
> cached.  Multiple threads may then attempt to load the result
> which may cause an unnecessary amount of memory may be allocated.
^ ^
One of these mays seems redundant.

> Additionally this memory may not get released when the associated
> libdw data structure is freed.
> 
> Fix this by adding additional locking to ensure that only one
> thread performs lazy loading.
> 
> One approach used in this patch is to preserve calls to eu_tfind
> without additional locking, but when the result isn't found then
> a lock is then used to synchronize access to the lazy loading code.
> An extra eu_tfind call has been added at the start of these critical
> section to synchronize verification that lazy loading should proceed.
> 
> Another approach used is to simply synchronize entire calls to
> functions where lazy loading via eu_tfind might occur (__libdw_find_fde
> and __libdw_intern_expression).  In this case, new _nolock variants of
> the eu_t* functions are used to avoid unnecessary double locking.

Nice.

> lib/
>   * eu-search.c: Add eu_tsearch_nolock, eu_tfind_nolock and
> eu_tdelete_nolock functions.
>   * eu-search.h: Ditto.
> 
> libdw/
>   * cfi.h (struct Dwarf_CFI_s): Declare new mutex.
>   * dwarf_begin_elf.c (valid_p): Initialize all locks for fake CUs.
>   * dwarf_cfi_addrframe.c (dwarf_cfi_addrframe): Place lock around
>   __libdw_find_fde.
>   * dwarf_end.c (cu_free): Deallocate all locks unconditionally,
>   whether or not the CU is fake.
>   * dwarf_frame_cfa.c (dwarf_frame_cfa): Place lock around
>   __libdw_intern_expression.
>   * dwarf_frame_register.c (dwarf_frame_register): Ditto.
>   * dwarf_getcfi.c (dwarf_getcfi): Initialize cfi lock.
>   * dwarf_getlocation.c (is_constant_offset): Synchronize access
>   to lazy loading section.
>   (getlocation): Place lock around __libdw_intern_expression.
>   * dwarf_getmacros.c (cache_op_table): Synchronize access to lazy
>   loading section.
>   * frame-cache.c (__libdw_destroy_frame_cache): Free Dwarf_CFI
>   mutex.
>   * libdwP.h (struct Dwarf): Update macro_lock comment.
>   (struct Dwarf_CU): Declare new mutex.
>   libdw_findcu.c (__libdw_intern_next_unit): Initialize
>   intern_lock.
>   (__libdw_findcu): Adjust locking so that the first eu_tfind
>   can be done without extra lock overhead.
> 
> Signed-off-by: Aaron Merey 
> 
> ---
> v2:
> 
> _nolock variants of eu_t* functions have been added to avoid double
> locking.  _nolock functions are now used where appropriate.
> 
> Clarified that __libdw_intern_expression should be called with a lock
> held by the owner of the search_tree passed to this function (typically
> a Dwarf_CFI_s or Dwarf_CU).
> 
>  lib/eu-search.c  | 18 ++
>  lib/eu-search.h  | 12 +++
>  libdw/cfi.h  |  4 +++
>  libdw/dwarf_begin_elf.c  | 15 
>  libdw/dwarf_cfi_addrframe.c  |  3 ++
>  libdw/dwarf_end.c| 10 +++---
>  libdw/dwarf_frame_cfa.c  |  2 ++
>  libdw/dwarf_frame_register.c | 16 +
>  libdw/dwarf_getcfi.c |  1 +
>  libdw/dwarf_getlocation.c| 69 ++--
>  libdw/dwarf_getmacros.c  | 20 +--
>  libdw/fde.c  |  6 ++--
>  libdw/frame-cache.c  |  1 +
>  libdw/libdwP.h   | 11 --
>  libdw/libdw_findcu.c |  9 +++--
>  15 files changed, 150 insertions(+), 47 deletions(-)
> 
> diff --git a/lib/eu-search.c b/lib/eu-search.c
> index fc31fe87..a49d8dd3 100644
> --- a/lib/eu-search.c
> +++ b/lib/eu-search.c
> @@ -62,6 +62,24 @@ void *eu_tdelete (const void *key, search_tree *tree,
>return ret;
>  }
>  
> +void *eu_tsearch_nolock (const void *key, search_tree *tree,
> +  int (*compare)(const void *, const void *))
> +{
> +  return tsearch (key, &tree->root, compare);
> +}
> +
> +void *eu_tfind_nolock (const void *key, search_tree *tree,
> +int (*compare)(const void *, const void *))
> +{
> +  return tfind (key, &tree->root, compare);
> +}
> +
> +void *eu_tdelete_nolock (const void *key, search_tree *tree,
> +  int (*compare)(const void *, const void *))
> +{
> +  return tdelete (key, &tree->root, compare);
> +}
> +
>  void eu_tdestroy (search_tree *tree, void (*free_node)(void *))
>  {
>rwlock_wrlock (tree->lock);
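Review bot: The three new _nolock functions carry no comment stating their precondition, which is the whole point of the variants: the caller must already hold tree->lock, for writing in eu_tsearch_nolock and eu_tdelete_nolock and at least for reading in eu_tfind_nolock, since tsearch and tdelete modify the tree. Add a one-line comment above each, e.g. `/* Like eu_tsearch, but does not take tree->lock; the caller must hold it for writing.  */`, and mirror the wording on the declarations in eu-search.h, whose hunk is cut off here. Without it the next caller is likely to use a _nolock variant from an unlocked path, recreating the TOCTOU this patch fixes.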
>
> diff --git a/lib/eu-search.h b/lib/eu-search.h
> index 67b54c18..841a7f64 100644
> --- a/lib/eu-search.h
> +++ b/lib/eu-search.h
> @@ -52,6 +52,18

[Bug tools/33004] New: Stack Buffer Underflow in eu-unstrip's sections_match Function

2025-05-27 Thread xdcao.cs at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=33004

Bug ID: 33004
   Summary: Stack Buffer Underflow in eu-unstrip's sections_match
Function
   Product: elfutils
   Version: unspecified
Status: UNCONFIRMED
  Severity: normal
  Priority: P2
 Component: tools
  Assignee: unassigned at sourceware dot org
  Reporter: xdcao.cs at gmail dot com
CC: elfutils-devel at sourceware dot org
  Target Milestone: ---

Summary
Stack Buffer Underflow in eu-unstrip's sections_match Function

Environment
elfutils version: 0.192
OS: Ubuntu 22.04.5 LTS


Steps to reproduce
# export CFLAGS="-g -O0 -fno-inline -fno-lto -fsanitize=address"
# export CXXFLAGS="-g -O0 -fno-inline -fno-lto -fsanitize=address"
#  ./configure --enable-maintainer-mode --disable-debuginfod
# make -j64 & make install


root@c6c01f72391e:# ./eu-unstrip -F POC/POC1 POC/POC2
=
==250432==ERROR: AddressSanitizer: stack-buffer-underflow on address
0x7ffc029cac50 at pc 0x004da24a bp 0x7ffc029cabb0 sp 0x7ffc029caba8
READ of size 8 at 0x7ffc029cac50 thread T0
#0 0x4da249 in sections_match
/workspace/new-test/program/elfutils/src/unstrip.c:1024:50
#1 0x4d11ab in copy_elided_sections
/workspace/new-test/program/elfutils/src/unstrip.c:1544:12
#2 0x4cfc2a in handle_file
/workspace/new-test/program/elfutils/src/unstrip.c:2234:5
#3 0x4ce648 in handle_explicit_files
/workspace/new-test/program/elfutils/src/unstrip.c:2331:3
#4 0x4ccf0e in main
/workspace/new-test/program/elfutils/src/unstrip.c:2661:2
#5 0x7f6ab22ebd8f in __libc_start_call_main
csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#6 0x7f6ab22ebe3f in __libc_start_main csu/../csu/libc-start.c:392:3
#7 0x420764 in _start
(/workspace/new-test/fuzzdir/fz-elfutils/fz-eu-unstrip/eu-unstrip+0x420764)

Address 0x7ffc029cac50 is located in stack of thread T0 at offset 16 in frame
#0 0x4d003f in copy_elided_sections
/workspace/new-test/program/elfutils/src/unstrip.c:1429

  This frame has 16 object(s):
[32, 40) 'unstripped_shstrndx' (line 1430) <== Memory access at offset 16
underflows this variable
[64, 72) 'stripped_shstrndx' (line 1434)
[96, 104) 'unstripped_shnum' (line 1438)
[128, 136) 'stripped_shnum' (line 1442)
[160, 224) 'shdr_mem' (line 1509)
[256, 320) 'shdr_mem551' (line 1701)
[352, 376) 'sym_mem' (line 1785)
[416, 420) 'shndx' (line 1786)
[432, 496) 'shdr_mem993' (line 1852)
[528, 592) 'mem' (line 1961)
[624, 688) 'mem1280' (line 1988)
[720, 744) 'sym1322' (line 2004)
[784, 848) 'shdr_mem1499' (line 2104)
[880, 944) 'ehdr_mem' (line 2134)
[976, 984) 'phnum' (line 2152)
[1008, 1064) 'phdr_mem' (line 2163)
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism, swapcontext or vfork
  (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-underflow
/workspace/new-test/program/elfutils/src/unstrip.c:1024:50 in sections_match
Shadow bytes around the buggy address:
  0x10531530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10531540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10531550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10531560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10531570: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10531580: ca ca ca ca cb cb cb cb f1 f1[f1]f1 00 f2 f2 f2
  0x10531590: 00 f2 f2 f2 00 f2 f2 f2 00 f2 f2 f2 00 00 00 00
  0x105315a0: 00 00 00 00 f2 f2 f2 f2 f8 f8 f8 f8 f8 f8 f8 f8
  0x105315b0: f2 f2 f2 f2 f8 f8 f8 f2 f2 f2 f2 f2 f8 f2 f8 f8
  0x105315c0: f8 f8 f8 f8 f8 f8 f2 f2 f2 f2 f8 f8 f8 f8 f8 f8
  0x105315d0: f8 f8 f2 f2 f2 f2 f8 f8 f8 f8 f8 f8 f8 f8 f2 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:   00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:   fa
  Freed heap region:   fd
  Stack left redzone:  f1
  Stack mid redzone:   f2
  Stack right redzone: f3
  Stack after return:  f5
  Stack use after scope:   f8
  Global redzone:  f9
  Global init order:   f6
  Poisoned by user:f7
  Container overflow:  fc
  Array cookie:ac
  Intra object redzone:bb
  ASan internal:   fe
  Left alloca redzone: ca
  Right alloca redzone:cb
  Shadow gap:  cc
==250432==ABORTING


POC
https://drive.google.com/file/d/1NA5t6yC5patQ3SkM-hXxzTugal9Wz4mj/view?usp=sharing


Credit
Xiaoguo Li (CUPL)
Xudong Cao (UCAS)


[Bug tools/33003] New: Bus Error Vulnerability in eu-strip due to Invalid Memory Write

2025-05-27 Thread xdcao.cs at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=33003

Bug ID: 33003
   Summary: Bus Error Vulnerability in eu-strip due to Invalid
Memory Write
   Product: elfutils
   Version: unspecified
Status: UNCONFIRMED
  Severity: normal
  Priority: P2
 Component: tools
  Assignee: unassigned at sourceware dot org
  Reporter: xdcao.cs at gmail dot com
CC: elfutils-devel at sourceware dot org
  Target Milestone: ---

Summary
Bus Error Vulnerability in eu-strip due to Invalid Memory Write


Environment
elfutils version: 0.192
OS: Ubuntu 22.04.5 LTS


Steps to reproduce
# export CFLAGS="-g -O0 -fno-inline -fno-lto -fsanitize=address"
# export CXXFLAGS="-g -O0 -fno-inline -fno-lto -fsanitize=address"
#  ./configure --enable-maintainer-mode --disable-debuginfod
# make -j64 & make install


root@c6c01f72391e:# ./eu-strip --output /var/tmp/stripped.out
--reloc-debug-sections-only POC
AddressSanitizer:DEADLYSIGNAL
=
==3973325==ERROR: AddressSanitizer: BUS on unknown address (pc 0x7f923a6ca9fb
bp 0x7fffe15f00f0 sp 0x7fffe15ef8a8 T0)
==3973325==The signal is caused by a WRITE memory access.
==3973325==Hint: this fault was caused by a dereference of a high value address
(see register values below).  Disassemble the provided pc to learn which
register was used.
#0 0x7f923a6ca9fb 
string/../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:429
#1 0x49ac51 in __asan_memcpy
(/workspace/new-test/fuzzdir/fz-elfutils/fz-eu-strip/eu-strip+0x49ac51)
#2 0x7f923ac20993 in memcpy
/usr/include/x86_64-linux-gnu/bits/string_fortified.h:29:10
#3 0x7f923ac20993 in __elf64_updatemmap
/workspace/new-test/program/elfutils/libelf/./elf32_updatefile.c:451:3
#4 0x7f923ac0cfdb in write_file
/workspace/new-test/program/elfutils/libelf/elf_update.c:123:7
#5 0x7f923ac0c73f in elf_update
/workspace/new-test/program/elfutils/libelf/elf_update.c:231:9
#6 0x4d08b4 in handle_elf
/workspace/new-test/program/elfutils/src/strip.c:2589:7
#7 0x4cd576 in process_file
/workspace/new-test/program/elfutils/src/strip.c:807:16
#8 0x4ccddb in main /workspace/new-test/program/elfutils/src/strip.c:270:12
#9 0x7f923a62fd8f in __libc_start_call_main
csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#10 0x7f923a62fe3f in __libc_start_main csu/../csu/libc-start.c:392:3
#11 0x4208f4 in _start
(/workspace/new-test/fuzzdir/fz-elfutils/fz-eu-strip/eu-strip+0x4208f4)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: BUS
string/../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:429 
==3973325==ABORTING

POC
https://drive.google.com/file/d/1I7Ki0yKrITr_vOaMx4GQvrtLwfMVIOCJ/view?usp=sharing


Credit
Xiaoguo Li (CUPL)
Xudong Cao (UCAS)
