https://sourceware.org/bugzilla/show_bug.cgi?id=32650
Bug ID: 32650
Summary: eu-readelf SEGV (illegal read access) in __libdw_thread_tail (libdw/libdw_alloc.c:112)
Product: elfutils
Version: unspecified
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: tools
Assignee: unassigned at sourceware dot org
Reporter: swj22 at mails dot tsinghua.edu.cn
CC: elfutils-devel at sourceware dot org
Target Milestone: ---
Created attachment 15923 (poc): https://sourceware.org/bugzilla/attachment.cgi?id=15923&action=edit
**Description**
A SEGV can occur in eu-readelf when using the -w option with a specially
crafted input file. This issue leads to memory corruption (illegal memory read
access) and crashes.
**Affected Version**
elfutils 0.192
**Steps to Reproduce**
Build elfutils 0.192 with AddressSanitizer (e.g., CFLAGS="-g -fsanitize=address" ./configure && make -j).
./elfutils-0.192/bins/bin/eu-readelf -w /tmp/poc
DWARF section [ 6] '.debug_info' at offset 0x5b8:
[Offset]
./elfutils-0.192/bins/bin/eu-readelf: cannot get next unit: invalid DWARF
DWARF section [ 8] '.debug_abbrev' at offset 0x6d7:
[ Code]
Abbreviation section at offset 0:
Abbreviation section at offset 1:
Abbreviation section at offset 2:
Abbreviation section at offset 3:
Abbreviation section at offset 4:
Abbreviation section at offset 5:
Abbreviation section at offset 6:
[ 2] offset: 6, children: no, tag: ??? (0xe0)
Abbreviation section at offset 13:
Abbreviation section at offset 14:
Abbreviation section at offset 15:
Abbreviation section at offset 16:
Abbreviation section at offset 17:
Abbreviation section at offset 18:
[ 3] offset: 18, children: no, tag: try_block
attr: sibling, form: ref1, offset: 0x12
attr: sibling, form: strx1, offset: 0x14
attr: ??? (0xe), form: ref4, offset: 0x16
attr: byte_size, form: block2, offset: 0x18
attr: ??? (0xe), form: addrx, offset: 0x1a
attr: ??? (0xe), form: ref1, offset: 0x1c
attr: sibling, form: ref2, offset: 0x1e
attr: ??? (0x7), form: ref_addr, offset: 0x20
attr: visibility, form: ??? (0), offset: 0x22
attr: ??? (0), form: ??? (0), offset: 0x24
attr: ??? (0x24), form: ??? (0x24), offset: 0x26
attr: byte_size, form: data1, offset: 0x28
attr: encoding, form: data1, offset: 0x2a
attr: name, form: strp, offset: 0x2c
[ 3] offset: 51, children: no, tag: base_type
attr: byte_size, form: data1, offset: 0x33
attr: encoding, form: data1, offset: 0x35
attr: name, form: string, offset: 0x37
[ 4] offset: 62, children: no, tag: pointer_type
attr: byte_size, form: data1, offset: 0x3e
[ 5] offset: 69, children: no, tag: typedef
attr: name, form: strp, offset: 0x45
attr: decl_file, form: data1, offset: 0x47
attr: decl_line, form: data1, offset: 0x49
attr: type, form: ref4, offset: 0x4b
[ 6] offset: 82, children: yes, tag: subprogram
attr: external, form: flag_present, offset: 0x52
attr: name, form: strp, offset: 0x54
attr: decl_file, form: data1, offset: 0x56
attr: decl_line, form: data1, offset: 0x58
attr: prototyped, form: flag_present, offset: 0x5a
attr: type, form: ref4, offset: 0x5c
attr: low_pc, form: addr, offset: 0x5e
attr: high_pc, form: data8, offset: 0x60
attr: frame_base, form: exprloc, offset: 0x62
attr: GNU_all_call_sites, form: flag_present, offset: 0x64
attr: sibling, form: ref4, offset: 0x67
[ 76] offset: 110, children: no, tag: base_type
attr: static_link, form: ??? (0xa0b), offset: 0x6e
attr: ??? (0x24), form: ??? (0x24), offset: 0x71
attr: ??? (0x1d20d), form: data2, offset: 0x73
attr: ??? (0), form: block2, offset: 0x77
attr: ??? (0xe), form: ??? (0xe), offset: 0x79
attr: byte_size, form: ??? (0x3b), offset: 0x7b
attr: byte_size, form: ??? (0x49), offset: 0x7d
attr: language, form: ??? (0x2), offset: 0x7f
attr: visibility, form: ??? (0), offset: 0x81
attr: ??? (0), form: string, offset: 0x83
attr: ??? (0x4109), form: addr, offset: 0x85
attr: low_pc, form: addr, offset: 0x89
attr: GNU_tail_call, form: flag_present, offset: 0x8b
attr: abstract_origin, form: ref4, offset: 0x8e
attr: sibling, form: ref4, offset: 0x90
[ 9] offset: 151, children: no, tag: GNU_call_site_parameter
attr: location, form: exprloc, offset: 0x97
attr: GNU_call_site_value, form: exprloc, offset: 0x99
[ 10] offset: 163, children: no, tag: GNU_call_site
attr: low_pc, form: addr, offset: 0xa3
attr: abstract_origin, form: ref4, offset: 0xa5
AddressSanitizer:DEADLYSIGNAL
=================================================================
==487445==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f055afb6682 bp 0x7fff83bcf0a0 sp 0x7fff83bcf070 T0)
==487445==The signal is caused by a READ memory access.
==487445==Hint: address points to the zero page.
    #0 0x7f055afb6681 in __libdw_thread_tail ./elfutils-0.192/libdw/libdw_alloc.c:112
    #1 0x7f055af679ae in __libdw_getabbrev ./elfutils-0.192/libdw/dwarf_getabbrev.c:104
    #2 0x7f055afa4ded in dwarf_offabbrev ./elfutils-0.192/libdw/dwarf_offabbrev.c:44
    #3 0x55e261c5cfca in print_debug_abbrev_section ./elfutils-0.192/src/readelf.c:5676
    #4 0x55e261c8a3ee in print_debug ./elfutils-0.192/src/readelf.c:12145
    #5 0x55e261c3d0af in process_elf_file ./elfutils-0.192/src/readelf.c:1084
    #6 0x55e261c3bb5b in process_dwflmod ./elfutils-0.192/src/readelf.c:840
    #7 0x7f055aff2708 in dwfl_getmodules ./elfutils-0.192/libdwfl/dwfl_getmodules.c:86
    #8 0x55e261c3c5b9 in process_file ./elfutils-0.192/src/readelf.c:948
    #9 0x55e261c3a1e6 in main ./elfutils-0.192/src/readelf.c:417
    #10 0x7f055a267082 in __libc_start_main ../csu/libc-start.c:308
    #11 0x55e261c37b2d in _start (./elfutils-0.192/bins/bin/eu-readelf+0x6bb2d)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ./elfutils-0.192/libdw/libdw_alloc.c:112 in __libdw_thread_tail
==487445==ABORTING
**Env**
Distributor ID: Ubuntu
Description: Ubuntu 20.04.6 LTS
Release: 20.04
Codename: focal
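The crash above is hit while eu-readelf walks the .debug_abbrev section of the PoC entry by entry (print_debug_abbrev_section -> dwarf_offabbrev -> __libdw_getabbrev). The following is an added example, not elfutils code and not a reproduction of the libdw_alloc.c fault: a small, bounds-checked parser for the .debug_abbrev format that decodes the same entries the report's output shows (code, offset, children flag, tag, attribute/form pairs) and fails with an exception on truncated data, over-long LEB128 values and a bad DW_CHILDREN byte instead of reading past its buffer. The DW_TAG/DW_AT/DW_FORM name tables are partial (constants taken from the DWARF specification); anything not in them is rendered as "??? (0x..)" the way eu-readelf does. All input bytes are constructed for the example.

```python
"""Minimal, bounds-checked DWARF .debug_abbrev parser (added example, not elfutils code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

DW_FORM_implicit_const = 0x21
DW_CHILDREN_yes = 1

# Partial name tables; constants are from the DWARF spec. Unknown values print as "??? (0x..)".
DW_TAG = {0x0F: "pointer_type", 0x16: "typedef", 0x24: "base_type", 0x2E: "subprogram",
          0x32: "try_block", 0x4109: "GNU_call_site", 0x410A: "GNU_call_site_parameter"}
DW_AT = {0x01: "sibling", 0x02: "location", 0x03: "name", 0x0B: "byte_size", 0x11: "low_pc",
         0x12: "high_pc", 0x27: "prototyped", 0x31: "abstract_origin", 0x3A: "decl_file",
         0x3B: "decl_line", 0x3E: "encoding", 0x3F: "external", 0x40: "frame_base",
         0x49: "type", 0x2117: "GNU_all_call_sites"}
DW_FORM = {0x01: "addr", 0x07: "data8", 0x08: "string", 0x0B: "data1", 0x0E: "strp",
           0x11: "ref1", 0x13: "ref4", 0x18: "exprloc", 0x19: "flag_present",
           0x21: "implicit_const"}


class AbbrevError(ValueError):
    """Raised on truncated or malformed input; the caller decides how to report it."""


def _name(table: dict, value: int) -> str:
    return table.get(value, f"??? ({value:#x})")


def read_uleb128(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode an unsigned LEB128 at pos, refusing to read past the buffer or beyond 64 bits."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise AbbrevError(f"truncated ULEB128 at offset {pos}")
        if shift > 63:
            raise AbbrevError(f"over-long ULEB128 at offset {pos}")
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return result, pos


def read_sleb128(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode a signed LEB128 (used only by DW_FORM_implicit_const), with the same checks."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise AbbrevError(f"truncated SLEB128 at offset {pos}")
        if shift > 63:
            raise AbbrevError(f"over-long SLEB128 at offset {pos}")
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            if b & 0x40:  # sign-extend
                result -= 1 << shift
            return result, pos


@dataclass
class Abbrev:
    code: int
    offset: int
    tag: int
    has_children: bool
    attrs: List[Tuple[int, int, Optional[int]]]  # (DW_AT, DW_FORM, implicit const or None)

    def describe(self) -> str:
        """One entry in the style of the eu-readelf -w=abbrev output."""
        children = "yes" if self.has_children else "no"
        return f"[{self.code:>3}] offset: {self.offset}, children: {children}, tag: {_name(DW_TAG, self.tag)}"

    def describe_attrs(self) -> List[str]:
        return [f"attr: {_name(DW_AT, a)}, form: {_name(DW_FORM, f)}" for a, f, _ in self.attrs]


def parse_abbrev_table(buf: bytes, offset: int) -> Tuple[List[Abbrev], int]:
    """Parse one abbreviation table at offset; return its entries and the offset past the 0 terminator."""
    pos, entries = offset, []
    while True:
        start = pos
        code, pos = read_uleb128(buf, pos)
        if code == 0:                      # end of this table
            return entries, pos
        tag, pos = read_uleb128(buf, pos)
        if pos >= len(buf):
            raise AbbrevError(f"truncated DW_CHILDREN byte at offset {pos}")
        children = buf[pos]
        pos += 1
        if children not in (0, DW_CHILDREN_yes):
            raise AbbrevError(f"bad DW_CHILDREN value {children:#x} at offset {pos - 1}")
        attrs = []
        while True:
            at, pos = read_uleb128(buf, pos)
            form, pos = read_uleb128(buf, pos)
            const = None
            if form == DW_FORM_implicit_const:
                const, pos = read_sleb128(buf, pos)
            if at == 0 and form == 0:      # (0, 0) terminates the attribute list
                break
            attrs.append((at, form, const))
        entries.append(Abbrev(code, start, tag, children == DW_CHILDREN_yes, attrs))


def parse_abbrev_section(buf: bytes) -> List[List[Abbrev]]:
    """Parse back-to-back abbreviation tables until the section is exhausted."""
    tables, pos = [], 0
    while pos < len(buf):
        entries, pos = parse_abbrev_table(buf, pos)
        tables.append(entries)
    return tables


# Constructed sample sections (not taken from the PoC attachment).
GOOD = bytes([
    1, 0x24, 0,                    # code 1: DW_TAG_base_type, no children
    0x0B, 0x0B, 0x3E, 0x0B, 0x03, 0x0E, 0, 0,      # byte_size/data1, encoding/data1, name/strp
    2, 0x2E, 1,                    # code 2: DW_TAG_subprogram, has children
    0x3F, 0x19, 0x03, 0x08, 0x11, 0x01, 0x12, 0x07, 0x40, 0x18,
    0x3A, 0x21, 0x07,              # decl_file with DW_FORM_implicit_const 7
    0, 0,
    0,                             # end of table
])
UNKNOWN_TAG = bytes([2, 0xE0, 0x01, 0, 0x01, 0x11, 0, 0, 0])   # tag 0xe0 (unassigned), sibling/ref1
TRUNCATED = GOOD[:20]                                         # cut in the middle of entry 2
OVERLONG = bytes([0x80] * 11 + [0])                           # ULEB128 that never terminates in 64 bits

if __name__ == "__main__":
    for label, data in [("good", GOOD), ("unknown tag", UNKNOWN_TAG), ("truncated", TRUNCATED), ("over-long", OVERLONG)]:
        print(f"--- {label}")
        try:
            for table in parse_abbrev_section(data):
                for entry in table:
                    print(entry.describe())
                    for line in entry.describe_attrs():
                        print("    " + line)
        except AbbrevError as e:
            print("invalid DWARF:", e)
```

The point of the checks is the one the sanitizer output makes for elfutils: every read of the abbreviation stream is validated against the section length before it happens, and a malformed stream surfaces as an error value ("invalid DWARF") rather than as a fault in the reader.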