https://sourceware.org/bugzilla/show_bug.cgi?id=32656

            Bug ID: 32656
           Summary: eu-readelf SEGV (buffer over read) in
                    dump_data_section (src/readelf.c:13312)
           Product: elfutils
           Version: unspecified
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: tools
          Assignee: unassigned at sourceware dot org
          Reporter: swj22 at mails dot tsinghua.edu.cn
                CC: elfutils-devel at sourceware dot org
  Target Milestone: ---

Created attachment 15927
  --> https://sourceware.org/bugzilla/attachment.cgi?id=15927&action=edit
poc

**Description**
A SEGV can occur in eu-readelf when using the -z and -x options with a
specially crafted input file. This issue leads to a buffer overflow.

**Affected Version**
elfutils 0.192

**Steps to Reproduce**

Build elfutils 0.192 with AddressSanitizer (e.g., CFLAGS="-g -fsanitize=address" ./configure && make -j).

/mnt/data/optfuzz/benchmark/elfutils-0.192/bins/bin/eu-readelf -z -x 6 /tmp/poc
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1889020==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fc3af0914d0 bp 0x7ffda19688b0 sp 0x7ffda1968010 T0)
==1889020==The signal is caused by a READ memory access.
==1889020==Hint: address points to the zero page.
    #0 0x7fc3af0914cf in __interceptor_strncmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:449
    #1 0x56189b286c4d in startswith ../lib/system.h:117
    #2 0x56189b2e2e47 in dump_data_section /mnt/data/optfuzz/benchmark/elfutils-0.192/src/readelf.c:13312
    #3 0x56189b2e3ad5 in for_each_section_argument /mnt/data/optfuzz/benchmark/elfutils-0.192/src/readelf.c:13440
    #4 0x56189b2e3e7b in dump_data /mnt/data/optfuzz/benchmark/elfutils-0.192/src/readelf.c:13470
    #5 0x56189b28c062 in process_elf_file /mnt/data/optfuzz/benchmark/elfutils-0.192/src/readelf.c:1080
    #6 0x56189b28ab5b in process_dwflmod /mnt/data/optfuzz/benchmark/elfutils-0.192/src/readelf.c:840
    #7 0x7fc3afb5b708 in dwfl_getmodules /mnt/data/optfuzz/benchmark/elfutils-0.192/libdwfl/dwfl_getmodules.c:86
    #8 0x56189b28b5b9 in process_file /mnt/data/optfuzz/benchmark/elfutils-0.192/src/readelf.c:948
    #9 0x56189b2891e6 in main /mnt/data/optfuzz/benchmark/elfutils-0.192/src/readelf.c:417
    #10 0x7fc3aedd0082 in __libc_start_main ../csu/libc-start.c:308
    #11 0x56189b286b2d in _start (/mnt/data/optfuzz/benchmark/elfutils-0.192/bins/bin/eu-readelf+0x6bb2d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:449 in __interceptor_strncmp
==1889020==ABORTING

**Env**
Distributor ID: Ubuntu
Description:    Ubuntu 20.04.6 LTS
Release:        20.04
Codename:       focal
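A triage helper for the AddressSanitizer report quoted in this bug, added here as an example; it is not part of the bug report and not elfutils code. It parses the ERROR line, the READ/WRITE hint and the stack frames, classifies the fault from the address (the trace above faults at address 0 inside strncmp called from startswith, which is what ASan means by its "zero page" hint: a NULL pointer was passed as the string, whereas a genuine out-of-bounds read would have been reported as heap-/global-/stack-buffer-overflow), and walks outward to the first frame inside the project tree, which is the line a reviewer should open first. The embedded report is constructed from the trace above, re-joined onto single lines; the path fragment used to recognise project frames is an assumption the caller supplies.

```python
"""Triage an AddressSanitizer DEADLYSIGNAL report: fault class + first project frame.

Added example, not from the bug report or elfutils. ASAN_REPORT below is
constructed from the trace quoted in the bug, re-joined onto single lines.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

ASAN_REPORT = """\
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1889020==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fc3af0914d0 bp 0x7ffda19688b0 sp 0x7ffda1968010 T0)
==1889020==The signal is caused by a READ memory access.
==1889020==Hint: address points to the zero page.
    #0 0x7fc3af0914cf in __interceptor_strncmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:449
    #1 0x56189b286c4d in startswith ../lib/system.h:117
    #2 0x56189b2e2e47 in dump_data_section /mnt/data/optfuzz/benchmark/elfutils-0.192/src/readelf.c:13312
    #3 0x56189b2e3ad5 in for_each_section_argument /mnt/data/optfuzz/benchmark/elfutils-0.192/src/readelf.c:13440
    #4 0x56189b2e3e7b in dump_data /mnt/data/optfuzz/benchmark/elfutils-0.192/src/readelf.c:13470
    #5 0x56189b28c062 in process_elf_file /mnt/data/optfuzz/benchmark/elfutils-0.192/src/readelf.c:1080
    #11 0x56189b286b2d in _start (/mnt/data/optfuzz/benchmark/elfutils-0.192/bins/bin/eu-readelf+0x6bb2d)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:449 in __interceptor_strncmp
==1889020==ABORTING
"""

ERROR_RE = re.compile(r"==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on "
                      r"(?:unknown )?address 0x(?P<addr>[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"caused by a (?P<access>READ|WRITE) memory access")
FRAME_RE = re.compile(r"^\s*#(?P<idx>\d+) 0x[0-9a-fA-F]+ in (?P<func>\S+)(?: (?P<loc>\S+))?")


@dataclass
class Frame:
    index: int
    function: str
    location: str  # "path:line", or "(binary+offset)" when there is no debug info

    @property
    def file(self) -> str:
        path, _, line = self.location.rpartition(":")
        return path if line.isdigit() else self.location

    @property
    def line(self) -> Optional[int]:
        _, _, line = self.location.rpartition(":")
        return int(line) if line.isdigit() else None


@dataclass
class AsanReport:
    pid: int
    kind: str               # "SEGV", "heap-buffer-overflow", ...
    address: int
    access: Optional[str]   # "READ" / "WRITE" when ASan states it
    frames: List[Frame]

    def is_null_deref(self) -> bool:
        # A SEGV below the first page (ASan's "zero page" hint) is a NULL, or
        # NULL-plus-small-offset, dereference; true out-of-bounds accesses are
        # reported by ASan as *-buffer-overflow, never as SEGV at address 0.
        return self.kind == "SEGV" and self.address < 0x1000

    def first_frame_matching(self, path_fragment: str) -> Optional[Frame]:
        # Walk outward from the fault to the first frame in the project tree;
        # interceptor and libc frames above it are not where the bug lives.
        return next((f for f in self.frames if path_fragment in f.file), None)


def parse_asan_report(text: str) -> AsanReport:
    header = ERROR_RE.search(text)
    if header is None:
        raise ValueError("no AddressSanitizer ERROR line in report")
    access = ACCESS_RE.search(text)
    frames = [Frame(int(m["idx"]), m["func"], m["loc"] or "")
              for m in map(FRAME_RE.match, text.splitlines()) if m]
    return AsanReport(pid=int(header["pid"]), kind=header["kind"],
                      address=int(header["addr"], 16),
                      access=access["access"] if access else None, frames=frames)


def bug_class(report: AsanReport) -> str:
    if report.kind != "SEGV":
        return report.kind  # ASan already classified it (heap-buffer-overflow, ...)
    if report.is_null_deref():
        return f"null-pointer dereference ({report.access} of the zero page)"
    return f"wild {report.access} at 0x{report.address:x}"


def triage(report: AsanReport, project_path_fragment: str) -> dict:
    # project_path_fragment is caller-supplied (e.g. "elfutils-0.192/src/"); a bare
    # "/src/" would also match libsanitizer's own ../src/ paths in frame #0.
    culprit = report.first_frame_matching(project_path_fragment)
    return {"pid": report.pid,
            "bug_class": bug_class(report),
            "faulting_function": report.frames[0].function if report.frames else None,
            "culprit": f"{culprit.function} ({culprit.location})" if culprit else None}


if __name__ == "__main__":
    for key, value in triage(parse_asan_report(ASAN_REPORT), "elfutils-0.192/src/").items():
        print(f"{key}: {value}")
```

Run it as-is to triage the report above; point `parse_asan_report` at stderr captured from the ASan build of eu-readelf for other fuzzer findings. The classification step is what separates a NULL check that is missing from a real memory-safety bug when filing or prioritising.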
