[Bug libdw/23752] Invalid Address Read problem in dwfl_segment_report_module.c when executing ./eu-stack --core=$POC
https://sourceware.org/bugzilla/show_bug.cgi?id=23752

Mark Wielaard changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |ASSIGNED
   Last reconfirmed|                            |2018-10-14
                 CC|                            |mark at klomp dot org
     Ever confirmed|0                           |1

--- Comment #1 from Mark Wielaard ---
Replicated under valgrind:

==13295== Invalid read of size 4
==13295==    at 0x50825BD: consider_notes (dwfl_segment_report_module.c:486)
==13295==    by 0x50825BD: consider_phdr (dwfl_segment_report_module.c:529)
==13295==    by 0x50825BD: dwfl_segment_report_module (dwfl_segment_report_module.c:590)
==13295==    by 0x5086149: dwfl_core_file_report@@ELFUTILS_0.158 (core-file.c:541)
==13295==    by 0x4026AB: parse_opt (stack.c:590)
==13295==    by 0x58B4EB3: group_parse (argp-parse.c:256)
==13295==    by 0x58B4EB3: parser_finalize (argp-parse.c:603)
==13295==    by 0x58B4EB3: argp_parse (argp-parse.c:921)
==13295==    by 0x401C89: main (stack.c:690)
==13295==  Address 0x40b4114 is not stack'd, malloc'd or (recently) free'd

--
You are receiving this mail because:
You are on the CC list for the bug.
[PATCH] libdwfl: Sanity check partial core file data reads.
There were two issues when reading note data from a core file. We didn't check if the data we already had in a buffer was big enough. And if we did get the data, we should check if we got everything, or just a part of the data. https://sourceware.org/bugzilla/show_bug.cgi?id=23752 Signed-off-by: Mark Wielaard --- libdwfl/ChangeLog| 7 +++ libdwfl/dwfl_segment_report_module.c | 13 +++-- 2 files changed, 18 insertions(+), 2 deletions(-) diff --git a/libdwfl/ChangeLog b/libdwfl/ChangeLog index c5ea563..2e7efd4 100644 --- a/libdwfl/ChangeLog +++ b/libdwfl/ChangeLog @@ -1,3 +1,10 @@ +2018-10-14 Mark Wielaard + + * dwfl_segment_report_module.c (read_portion): Check requested + filesz isn't larger than buffer_available. + (dwfl_segment_report_module): Check data_size vs filesz after + read_portion call. + 2018-10-02 Andreas Schwab * relocate.c (relocate): Handle ADD/SUB relocations. diff --git a/libdwfl/dwfl_segment_report_module.c b/libdwfl/dwfl_segment_report_module.c index 36e5c82..8749884 100644 --- a/libdwfl/dwfl_segment_report_module.c +++ b/libdwfl/dwfl_segment_report_module.c @@ -1,5 +1,5 @@ /* Sniff out modules from ELF headers visible in memory segments. - Copyright (C) 2008-2012, 2014, 2015 Red Hat, Inc. + Copyright (C) 2008-2012, 2014, 2015, 2018 Red Hat, Inc. This file is part of elfutils. This file is free software; you can redistribute it and/or modify @@ -301,7 +301,10 @@ dwfl_segment_report_module (Dwfl *dwfl, int ndx, const char *name, inline bool read_portion (void **data, size_t *data_size, GElf_Addr vaddr, size_t filesz) { -if (vaddr - start + filesz > buffer_available +/* Check whether we will have to read the segment data, or if it + can be returned from the existing buffer. */ +if (filesz > buffer_available + || vaddr - start > buffer_available - filesz /* If we're in string mode, then don't consider the buffer we have sufficient unless it contains the terminator of the string. */ || (filesz == 0 && memchr (vaddr - start + buffer, '\0', 
@@ -459,6 +462,12 @@ dwfl_segment_report_module (Dwfl *dwfl, int ndx, const char *name, if (read_portion (&data, &data_size, vaddr, filesz)) return; +/* data_size will be zero if we got everything from the initial + buffer, otherwise it will be the size of the new buffer that + could be read. */ +if (data_size != 0) + filesz = data_size; + assert (sizeof (Elf32_Nhdr) == sizeof (Elf64_Nhdr)); void *notes; -- 1.8.3.1
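Review bot: in the read_portion hunk (@@ -301,7 +301,10 @@), the rewritten condition `filesz > buffer_available || vaddr - start > buffer_available - filesz` closes the wrap-around that `vaddr - start + filesz > buffer_available` allowed for a very large filesz, but it still silently relies on `vaddr >= start`; a one-line comment or assert stating that invariant next to the check would make the arithmetic obviously safe to the next reader. It would also help to say in the new comment that for `filesz == 0` (string mode) only the `vaddr - start > buffer_available` part guards the buffer before the `memchr` test runs.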
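Review bot: in the hunk after the read_portion call (@@ -459,6 +462,12 @@), the contract "data_size is zero when the data came from the existing buffer, otherwise the number of bytes actually read" is documented only at this call site; it belongs on read_portion itself, where data_size is set, so that every caller applies the same `if (data_size != 0) filesz = data_size;` adjustment rather than only this one. The commit message should also state that a short read now truncates filesz instead of failing, so the note parsing below has to cope with fewer bytes than the segment declared.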
[Bug libdw/23752] Invalid Address Read problem in dwfl_segment_report_module.c when executing ./eu-stack --core=$POC
https://sourceware.org/bugzilla/show_bug.cgi?id=23752

--- Comment #2 from Mark Wielaard ---
Proposed patch:
https://sourceware.org/ml/elfutils-devel/2018-q4/msg00022.html
[PATCH] findtextrel: Check that sh_entsize isn't zero.
A bogus ELF file could have sh_entsize as zero. Don't divide by zero, but just assume there are no entries in the section. https://sourceware.org/bugzilla/show_bug.cgi?id=23755 Signed-off-by: Mark Wielaard --- src/ChangeLog | 4 src/findtextrel.c | 23 +-- 2 files changed, 17 insertions(+), 10 deletions(-) diff --git a/src/ChangeLog b/src/ChangeLog index 7b59ed6..b260044 100644 --- a/src/ChangeLog +++ b/src/ChangeLog @@ -1,3 +1,7 @@ +2018-10-14 Mark Wielaard + + * findtextrel.c (process_file): Check that sh_entsize is not zero. + 2018-10-02 Andreas Schwab * strip.c (handle_elf): Handle ADD/SUB relocation. diff --git a/src/findtextrel.c b/src/findtextrel.c index 4973159..f48752e 100644 --- a/src/findtextrel.c +++ b/src/findtextrel.c @@ -1,5 +1,5 @@ /* Locate source files or functions which caused text relocations. - Copyright (C) 2005-2010, 2012, 2014 Red Hat, Inc. + Copyright (C) 2005-2010, 2012, 2014, 2018 Red Hat, Inc. This file is part of elfutils. Written by Ulrich Drepper , 2005. @@ -263,9 +263,10 @@ process_file (const char *fname, bool more_than_one) seen_dynamic = true; Elf_Data *data = elf_getdata (scn, NULL); + size_t entries = (shdr->sh_entsize == 0 + ? 0 : shdr->sh_size / shdr->sh_entsize); - for (size_t cnt = 0; cnt < shdr->sh_size / shdr->sh_entsize; - ++cnt) + for (size_t cnt = 0; cnt < entries; ++cnt) { GElf_Dyn dynmem; GElf_Dyn *dyn; @@ -413,10 +414,11 @@ cannot get symbol table section %zu in '%s': %s"), if (shdr->sh_type == SHT_REL) { Elf_Data *data = elf_getdata (scn, NULL); + size_t entries = (shdr->sh_entsize == 0 + ? 0 : shdr->sh_size / shdr->sh_entsize); for (int cnt = 0; - (size_t) cnt < shdr->sh_size / shdr->sh_entsize; - ++cnt) + (size_t) cnt < entries; ++cnt) { GElf_Rel rel_mem; GElf_Rel *rel = gelf_getrel (data, cnt, &rel_mem); 
@@ -436,10 +438,10 @@ cannot get relocation at index %d in section %zu in '%s': %s"), else if (shdr->sh_type == SHT_RELA) { Elf_Data *data = elf_getdata (scn, NULL); + size_t entries = (shdr->sh_entsize == 0 + ? 0 : shdr->sh_size / shdr->sh_entsize); - for (int cnt = 0; - (size_t) cnt < shdr->sh_size / shdr->sh_entsize; - ++cnt) + for (int cnt = 0; (size_t) cnt < entries; ++cnt) { GElf_Rela rela_mem; GElf_Rela *rela = gelf_getrela (data, cnt, &rela_mem); @@ -531,9 +533,10 @@ check_rel (size_t nsegments, struct segments segments[nsegments], int highidx = -1; GElf_Sym sym_mem; GElf_Sym *sym; + size_t entries = (shdr->sh_entsize == 0 + ? 0 : shdr->sh_size / shdr->sh_entsize); - for (int i = 0; (size_t) i < shdr->sh_size / shdr->sh_entsize; -++i) + for (int i = 0; (size_t) i < entries; ++i) { sym = gelf_getsym (symdata, i, &sym_mem); if (sym == NULL) -- 1.8.3.1
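Review bot: the ChangeLog hunk lists only `findtextrel.c (process_file)`, but the last code hunk (@@ -531,9 +533,10 @@) changes check_rel as well; add `(check_rel): Likewise.` so the entry matches the diff.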
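Review bot: in the check_rel hunk (@@ -531,9 +533,10 @@), the expression `size_t entries = (shdr->sh_entsize == 0 ? 0 : shdr->sh_size / shdr->sh_entsize);` is now the fourth copy of the same guard (three in process_file, one here); a small static helper would keep it in one place. Zero is also the only bogus sh_entsize the guard handles: an sh_entsize smaller than the real entry size still produces an oversized count, so the loops continue to depend on gelf_getrel/gelf_getrela/gelf_getsym returning NULL for out-of-range indexes. That is fine, but worth a comment next to the helper so nobody later removes the NULL checks.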
[Bug tools/23755] Multiple floating point exception in findtextrel.c in eu-findtextrel binary of elfutils-v.0174.
https://sourceware.org/bugzilla/show_bug.cgi?id=23755

Mark Wielaard changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |ASSIGNED
   Last reconfirmed|                            |2018-10-14
                 CC|                            |mark at klomp dot org
     Ever confirmed|0                           |1

--- Comment #4 from Mark Wielaard ---
Yeah, divide by zero is bad. Proposed fix:
https://sourceware.org/ml/elfutils-devel/2018-q4/msg00024.html
[Bug libdw/23753] Invalid Address Read problem in dwfl_segment_report_module.c when executing ./eu-stack --core=$POC
https://sourceware.org/bugzilla/show_bug.cgi?id=23753

Mark Wielaard changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
                 CC|                            |mark at klomp dot org
         Resolution|---                         |DUPLICATE

--- Comment #2 from Mark Wielaard ---
Same as bug #23752.

*** This bug has been marked as a duplicate of bug 23752 ***
[Bug libdw/23752] Invalid Address Read problem in dwfl_segment_report_module.c when executing ./eu-stack --core=$POC
https://sourceware.org/bugzilla/show_bug.cgi?id=23752

--- Comment #3 from Mark Wielaard ---
*** Bug 23753 has been marked as a duplicate of this bug. ***
[PATCH] ar: Assume epoch if ar_date is bogus.
If the ar header contains a bogus ar_date then in verbose mode we would get a NULL pointer from localtime. Just assume the entry was created during the epoch. https://sourceware.org/bugzilla/show_bug.cgi?id=23754 Signed-off-by: Mark Wielaard --- src/ChangeLog | 4 src/ar.c | 10 -- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/src/ChangeLog b/src/ChangeLog index b260044..8fb3deb 100644 --- a/src/ChangeLog +++ b/src/ChangeLog @@ -1,5 +1,9 @@ 2018-10-14 Mark Wielaard + * ar.c (do_oper_extract): Assume epoch if ar_date is bogus. + +2018-10-14 Mark Wielaard + * findtextrel.c (process_file): Check that sh_entsize is not zero. 2018-10-02 Andreas Schwab diff --git a/src/ar.c b/src/ar.c index 6f98f75..d70f1f4 100644 --- a/src/ar.c +++ b/src/ar.c @@ -539,8 +539,14 @@ do_oper_extract (int oper, const char *arfname, char **argv, int argc, else if (oper == oper_list) { char datestr[100]; - strftime (datestr, sizeof (datestr), "%b %e %H:%M %Y", - localtime (&arhdr->ar_date)); + struct tm *tp = localtime (&arhdr->ar_date); + if (tp == NULL) + { + time_t time = 0; + tp = localtime (&time); + } + + strftime (datestr, sizeof (datestr), "%b %e %H:%M %Y", tp); printf ("%c%c%c%c%c%c%c%c%c %u/%u %6ju %s %s\n", (arhdr->ar_mode & S_IRUSR) ? 'r' : '-', -- 1.8.3.1
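Review bot: in the do_oper_extract hunk (@@ -539,8 +539,14 @@), the new local `time_t time = 0;` shadows the libc `time()` function for the rest of that block; naming it `epoch` avoids -Wshadow noise and says what the value means. Because the fallback silently prints the epoch for a corrupt ar_date, a user listing a damaged archive cannot tell the date was unparsable; printing a placeholder (or the raw ar_date value) would be more honest, and if the epoch is kept the commit message should mention that the listing output changes.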
[Bug tools/23754] NULL-Pointer dereference problem in function do_oper_extract in the eu-ar binaries
https://sourceware.org/bugzilla/show_bug.cgi?id=23754

Mark Wielaard changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |ASSIGNED
   Last reconfirmed|                            |2018-10-14
                 CC|                            |mark at klomp dot org
     Ever confirmed|0                           |1

--- Comment #3 from Mark Wielaard ---
localtime could return NULL when the ar_date was bogus. Proposed workaround:
https://sourceware.org/ml/elfutils-devel/2018-q4/msg00028.html
[Bug tools/23755] Multiple floating point exception in findtextrel.c in eu-findtextrel binary of elfutils-v.0174.
https://sourceware.org/bugzilla/show_bug.cgi?id=23755

--- Comment #5 from wcventure ---
Thanks for paying attention to this problem and proposing to fix it in time.
This bug was discovered by NTU Cyber-Security-Lab, for fuzzing research work.
[Bug libdw/23753] Invalid Address Read problem in dwfl_segment_report_module.c when executing ./eu-stack --core=$POC
https://sourceware.org/bugzilla/show_bug.cgi?id=23753

--- Comment #3 from wcventure ---
Thanks for paying attention to this problem and proposing to fix it in time.
This bug was discovered by NTU Cyber-Security-Lab, for fuzzing research work.
[Bug tools/23754] NULL-Pointer dereference problem in function do_oper_extract in the eu-ar binaries
https://sourceware.org/bugzilla/show_bug.cgi?id=23754

--- Comment #4 from wcventure ---
Thanks for paying attention to this problem and proposing to fix it in time.
This bug was discovered by NTU Cyber-Security-Lab, for fuzzing research work.
[Bug libdw/23752] Invalid Address Read problem in dwfl_segment_report_module.c when executing ./eu-stack --core=$POC
https://sourceware.org/bugzilla/show_bug.cgi?id=23752

--- Comment #4 from wcventure ---
Thanks for paying attention to this problem and proposing to fix it in time.
This bug was discovered by NTU Cyber-Security-Lab, for fuzzing research work.