https://sourceware.org/bugzilla/show_bug.cgi?id=30432
Bug ID: 30432
Summary: readelf with option --ctf=1, received signal SIGSEGV when opening testcases generated from fuzz testing
Product: binutils
Version: 2.39
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: libctf
Assignee: unassigned at sourceware dot org
Reporter: xing_ruopeng at bupt dot edu.cn
Target Milestone: ---

Created attachment 14868
  --> https://sourceware.org/bugzilla/attachment.cgi?id=14868&action=edit
3 pocs generated by AFL plus plus

I tested readelf with AFL plus plus, then found this crash. Opening testcases with readelf and option --ctf=1 can reproduce it. There are 3 pocs in the attachment. You can reproduce this crash with them.

These are the outputs from when I debugged with gdb:

Starting program: /home/xrp/aflpp/poc/readelf/readelf --ctf=1 ./poc1
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
readelf:警告: Section 1 has an out of range sh_link value of 1415536384
readelf:警告: Section 12 has an out of range sh_link value of 2130706432
readelf:警告: Section 27 has an out of range sh_link value of 1882092655
readelf:错误: Section 27 has invalid sh_entsize of 73622e00
readelf:错误: (Using the expected size of 10 for the rest of this dump)
readelf:错误: Reading 2019634795 bytes extends past end of file for section contents

Program received signal SIGSEGV, Segmentation fault.
0x00005555555be58c in ctf_arc_bufopen (ctfsect=ctfsect@entry=0x7fffffffdbe0, symsect=symsect@entry=0x7fffffffdc00, strsect=strsect@entry=0x7fffffffdc20, errp=errp@entry=0x7fffffffdbc4) at ../../libctf/ctf-archive.c:427
427	  if (ctfsect->cts_size > sizeof (uint64_t) &&
(gdb) info threads
  Id   Target Id                                   Frame
* 1    Thread 0x7ffff7fa3740 (LWP 76764) "readelf" 0x00005555555be58c in ctf_arc_bufopen (ctfsect=ctfsect@entry=0x7fffffffdbe0, symsect=symsect@entry=0x7fffffffdc00, strsect=strsect@entry=0x7fffffffdc20, errp=errp@entry=0x7fffffffdbc4) at ../../libctf/ctf-archive.c:427
(gdb) bt
#0  0x00005555555be58c in ctf_arc_bufopen (ctfsect=ctfsect@entry=0x7fffffffdbe0, symsect=symsect@entry=0x7fffffffdc00, strsect=strsect@entry=0x7fffffffdc20, errp=errp@entry=0x7fffffffdbc4) at ../../libctf/ctf-archive.c:427
#1  0x0000555555594533 in dump_section_as_ctf (filedata=0x5555556604b0, section=0x555555663b60) at ../../binutils/readelf.c:15889
#2  process_section_contents (filedata=filedata@entry=0x5555556604b0) at ../../binutils/readelf.c:16477
#3  0x0000555555595a17 in process_section_contents (filedata=0x5555556604b0) at ../../binutils/readelf.c:6560
#4  process_object (filedata=filedata@entry=0x5555556604b0) at ../../binutils/readelf.c:22502
#5  0x00005555555604e6 in process_object (filedata=0x5555556604b0) at ../../binutils/readelf.c:22426
#6  process_file (file_name=<optimized out>) at ../../binutils/readelf.c:22925
#7  main (argc=<optimized out>, argv=<optimized out>) at ../../binutils/readelf.c:22996

I guess there may be a bug or bugs located in libctf/ctf-archive.c.

Binutils 2.40
Build on Ubuntu 22.04

--
You are receiving this mail because:
You are on the CC list for the bug.
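The readelf warnings in the report show that the section headers of the PoC were already known to be inconsistent (sh_link out of range, invalid sh_entsize, section contents extending past end of file) before the section buffer reached ctf_arc_bufopen. As an added example, not binutils or libctf code, the following C function applies those same header sanity checks to an in-memory ELF64 image so a caller can refuse such a section before handing it to a CTF parser; it assumes glibc's <elf.h>, a little-endian host and file, and the image built in sample_bad_count is constructed for the demonstration.

```c
#include <elf.h>
#include <string.h>

/* Validate every ELF64 section header before any section payload is handed to
   a parser such as libctf. Returns the number of headers failing a check, or -1
   if the header table itself is unusable. Assumes a little-endian host and file. */
int count_bad_sections(const unsigned char *img, size_t len)
{
    Elf64_Ehdr eh;
    if (len < sizeof eh) return -1;
    memcpy(&eh, img, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 || eh.e_ident[EI_CLASS] != ELFCLASS64
        || eh.e_shentsize != sizeof (Elf64_Shdr))
        return -1;
    /* Overflow-safe bound on the header table itself. */
    if (eh.e_shoff > len || eh.e_shnum > (len - eh.e_shoff) / sizeof (Elf64_Shdr))
        return -1;
    int bad = 0;
    for (unsigned i = 0; i < eh.e_shnum; i++) {
        Elf64_Shdr sh;
        memcpy(&sh, img + eh.e_shoff + i * sizeof sh, sizeof sh);
        if (sh.sh_link >= eh.e_shnum)                       /* "out of range sh_link" */
            bad++;
        else if (sh.sh_type != SHT_NOBITS
                 && (sh.sh_offset > len || sh.sh_size > len - sh.sh_offset))
            bad++;                                          /* "extends past end of file" */
        else if (sh.sh_entsize != 0 && sh.sh_size % sh.sh_entsize != 0)
            bad++;                                          /* "invalid sh_entsize" */
    }
    return bad;
}

/* Constructed image: ELF header plus 4 section headers. Section 2 carries the
   out-of-range sh_link value from the report, section 3 a size running past EOF. */
int sample_bad_count(void)
{
    static unsigned char buf[sizeof (Elf64_Ehdr) + 4 * sizeof (Elf64_Shdr)];
    Elf64_Ehdr eh = {0};
    Elf64_Shdr sh[4] = {{0}};
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_shoff = sizeof eh; eh.e_shentsize = sizeof (Elf64_Shdr); eh.e_shnum = 4;
    sh[1].sh_type = SHT_PROGBITS; sh[1].sh_size = 16;                      /* valid */
    sh[2].sh_type = SHT_PROGBITS; sh[2].sh_link = 1415536384;              /* bad link */
    sh[3].sh_type = SHT_PROGBITS; sh[3].sh_offset = 8; sh[3].sh_size = sizeof buf; /* past EOF */
    memcpy(buf, &eh, sizeof eh);
    memcpy(buf + sizeof eh, sh, sizeof sh);
    return count_bad_sections(buf, sizeof buf);   /* 2 */
}
```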