https://sourceware.org/bugzilla/show_bug.cgi?id=32655
Bug ID: 32655
Summary: eu-readelf SEGV (buffer over read) in handle_dynamic_symtab (src/readelf.c:2903)
Product: elfutils
Version: unspecified
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: tools
Assignee: unassigned at sourceware dot org
Reporter: swj22 at mails dot tsinghua.edu.cn
CC: elfutils-devel at sourceware dot org
Target Milestone: ---

Created attachment 15926 --> https://sourceware.org/bugzilla/attachment.cgi?id=15926&action=edit
poc

**Description**

A segv can occur in eu-readelf when using the -D and -a options with a specially crafted input file. This issue leads to a buffer overflow.

**Affected Version**

elfutils 0.192

**Steps to Reproduce**

Build elfutils 0.192 with AddressSanitizer (e.g., CFLAGS="-g -fsanitize=address" ./configure && make -j).

```
/mnt/data/optfuzz/benchmark/elfutils-0.192/bins/bin/eu-readelf -a -D /tmp/poc
```

```
ELF Header:
  Magic:   7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
  Class:                             ELF64
  Data:                              2's complement, little endian
  Ident Version:                     1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              REL (Relocatable file)
  Machine:                           SPARC v9
  Version:                           1 (current)
  Entry point address:               0xde00000000000000
  Start of program headers:          1143 (bytes into file)
  Start of section headers:          274877906944 (bytes into file)
  Flags:                             0x400000
  Size of this header:               16 (bytes)
  Size of program header entries:    13 (bytes)
  Number of program headers entries: 54
  Size of section header entries:    0 (bytes)
  Number of section headers entries: 4
  Section header string table index: 0

Section Headers:
[Nr] Name Type Addr Off Size ES Flags Lk Inf Al

Program Headers:
  Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
  ??? ??? ???

AddressSanitizer:DEADLYSIGNAL
=================================================================
==2738438==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x557b7b003aa3 bp 0x7ffc944cabd0 sp 0x7ffc944ca8a0 T0)
==2738438==The signal is caused by a READ memory access.
==2738438==Hint: address points to the zero page.
    #0 0x557b7b003aa2 in handle_dynamic_symtab /mnt/data/optfuzz/benchmark/elfutils-0.192/src/readelf.c:2903
    #1 0x557b7b001104 in print_symtab /mnt/data/optfuzz/benchmark/elfutils-0.192/src/readelf.c:2582
    #2 0x557b7aff5f39 in process_elf_file /mnt/data/optfuzz/benchmark/elfutils-0.192/src/readelf.c:1064
    #3 0x557b7aff4b5b in process_dwflmod /mnt/data/optfuzz/benchmark/elfutils-0.192/src/readelf.c:840
    #4 0x7f9401a24708 in dwfl_getmodules /mnt/data/optfuzz/benchmark/elfutils-0.192/libdwfl/dwfl_getmodules.c:86
    #5 0x557b7aff55b9 in process_file /mnt/data/optfuzz/benchmark/elfutils-0.192/src/readelf.c:948
    #6 0x557b7aff31e6 in main /mnt/data/optfuzz/benchmark/elfutils-0.192/src/readelf.c:417
    #7 0x7f9400c99082 in __libc_start_main ../csu/libc-start.c:308
    #8 0x557b7aff0b2d in _start (/mnt/data/optfuzz/benchmark/elfutils-0.192/bins/bin/eu-readelf+0x6bb2d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /mnt/data/optfuzz/benchmark/elfutils-0.192/src/readelf.c:2903 in handle_dynamic_symtab
==2738438==ABORTING
```

**Env**

Distributor ID: Ubuntu
Description: Ubuntu 20.04.6 LTS
Release: 20.04
Codename: focal
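As an added illustration, not part of the bug report or of elfutils, the script below rebuilds an ELF64 header from the field values eu-readelf printed above and lists the header-level inconsistencies a reader can reject before it follows any offset into the program or section tables; the file size is assumed (the poc attachment itself is not on the page) and the header bytes are constructed from the dump.

```python
import struct

# Layout of an ELF64 header: 16-byte e_ident, then the fixed fields (little endian).
ELF64_HDR_FMT = "<16sHHIQQQIHHHHHH"
ELF64_HDR_SIZE = struct.calcsize(ELF64_HDR_FMT)   # 64 bytes
PHENT_SIZE, SHENT_SIZE = 56, 64                   # sizeof(Elf64_Phdr), sizeof(Elf64_Shdr)

# Constructed header reproducing the values eu-readelf printed in the report
# (the real poc attachment is not on the page; 43 is EM_SPARCV9).
CRAFTED_HEADER = struct.pack(
    ELF64_HDR_FMT,
    bytes.fromhex("7f454c46020101000000000000000000"),
    1, 43, 1, 0xDE00000000000000, 1143, 274877906944, 0x400000,
    16, 13, 54, 0, 4, 0)
ASSUMED_FILE_SIZE = 4096  # assumption: the attachment's size is not given in the report

def parse_elf64_header(data):
    """Unpack an ELF64 little-endian header into a dict keyed by the e_* field names."""
    if len(data) < ELF64_HDR_SIZE:
        raise ValueError("input shorter than an ELF64 header")
    names = ("ident", "type", "machine", "version", "entry", "phoff", "shoff",
             "flags", "ehsize", "phentsize", "phnum", "shentsize", "shnum", "shstrndx")
    return dict(zip(names, struct.unpack(ELF64_HDR_FMT, data[:ELF64_HDR_SIZE])))

def header_problems(hdr, file_size):
    """Return the header-level consistency checks that fail; a robust reader refuses
    the file here instead of dereferencing anything derived from these fields."""
    problems = []
    if hdr["ident"][:4] != b"\x7fELF":
        problems.append("bad magic")
    if hdr["ehsize"] != ELF64_HDR_SIZE:
        problems.append(f"e_ehsize {hdr['ehsize']} != {ELF64_HDR_SIZE}")
    if hdr["phnum"] and hdr["phentsize"] != PHENT_SIZE:
        problems.append(f"e_phentsize {hdr['phentsize']} != {PHENT_SIZE}")
    if hdr["shnum"] and hdr["shentsize"] != SHENT_SIZE:
        problems.append(f"e_shentsize {hdr['shentsize']} != {SHENT_SIZE}")
    if hdr["phnum"] and hdr["phoff"] + hdr["phnum"] * hdr["phentsize"] > file_size:
        problems.append("program header table extends past end of file")
    if hdr["shnum"] and hdr["shoff"] + hdr["shnum"] * hdr["shentsize"] > file_size:
        problems.append("section header table extends past end of file")
    return problems

def check_crafted():
    """Run the checks against the constructed header from the report."""
    return header_problems(parse_elf64_header(CRAFTED_HEADER), ASSUMED_FILE_SIZE)

if __name__ == "__main__":
    for p in check_crafted():
        print("reject:", p)
```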