readelf.c:13363)

swj22 at mails dot tsinghua.edu.cn Fri, 07 Feb 2025 01:31:08 -0800

https://sourceware.org/bugzilla/show_bug.cgi?id=32657


            Bug ID: 32657
           Summary: eu-readelf SEGV (buffer over read) in
                    print_string_section (src/readelf.c:13363)
           Product: elfutils
           Version: unspecified
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: tools
          Assignee: unassigned at sourceware dot org
          Reporter: swj22 at mails dot tsinghua.edu.cn
                CC: elfutils-devel at sourceware dot org
  Target Milestone: ---

Created attachment 15928
  --> https://sourceware.org/bugzilla/attachment.cgi?id=15928&action=edit
poc

**Description**
A segv can occur in eu-readelf  when using the  -z and -p options with a
specially crafted input file. This issue leads to buffer-overflow

**Affected Version**
elfutils 0.192

**Steps to Reproduce**

Build elfutils 0.192 with AddressSanitizer (e.g., CFLAGS="-g
-fsanitize=address" ./configure && make -j).

/mnt/data/optfuzz/benchmark/elfutils-0.192/bins/bin/eu-readelf -z -p1 /tmp/poc
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2566871==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc
0x7fa60ec194d0 bp 0x7ffc5632a850 sp 0x7ffc56329fb0 T0)
==2566871==The signal is caused by a READ memory access.
==2566871==Hint: address points to the zero page.
    #0 0x7fa60ec194cf in __interceptor_strncmp
../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:449
    #1 0x56352eba5c4d in startswith ../lib/system.h:117
    #2 0x56352ec022be in print_string_section
/mnt/data/optfuzz/benchmark/elfutils-0.192/src/readelf.c:13363
    #3 0x56352ec02ad5 in for_each_section_argument
/mnt/data/optfuzz/benchmark/elfutils-0.192/src/readelf.c:13440
    #4 0x56352ec02ed4 in dump_strings
/mnt/data/optfuzz/benchmark/elfutils-0.192/src/readelf.c:13476
    #5 0x56352ebab07d in process_elf_file
/mnt/data/optfuzz/benchmark/elfutils-0.192/src/readelf.c:1082
    #6 0x56352eba9b5b in process_dwflmod
/mnt/data/optfuzz/benchmark/elfutils-0.192/src/readelf.c:840
    #7 0x7fa60f6e3708 in dwfl_getmodules
/mnt/data/optfuzz/benchmark/elfutils-0.192/libdwfl/dwfl_getmodules.c:86
    #8 0x56352ebaa5b9 in process_file
/mnt/data/optfuzz/benchmark/elfutils-0.192/src/readelf.c:948
    #9 0x56352eba81e6 in main
/mnt/data/optfuzz/benchmark/elfutils-0.192/src/readelf.c:417
    #10 0x7fa60e958082 in __libc_start_main ../csu/libc-start.c:308
    #11 0x56352eba5b2d in _start
(/mnt/data/optfuzz/benchmark/elfutils-0.192/bins/bin/eu-readelf+0x6bb2d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV
../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:449
in __interceptor_strncmp
==2566871==ABORTING

**Env**
Distributor ID: Ubuntu
Description:    Ubuntu 20.04.6 LTS
Release:        20.04
Codename:       focal

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug tools/32657] New: eu-readelf SEGV (buffer over read) in print_string_section (src/readelf.c:13363)

Reply via email to