From: Imdb95 at gmail dot com
Subject: [Bug binutils/21994] New: Hang in process_version_sections with ent.vd_next = 0 and aux.vda_next = 0
Date: Wed, 23 Aug 2017 14:47:00 +0000
https://sourceware.org/bugzilla/show_bug.cgi?id=21994
Bug ID: 21994
Summary: Hang in process_version_sections with ent.vd_next = 0 and aux.vda_next = 0
Product: binutils
Version: 2.29
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: Imdb95 at gmail dot com
Target Milestone: ---
Created attachment 10360
--> https://sourceware.org/bugzilla/attachment.cgi?id=10360&action=edit
Crafted elf file used to trigger the bug
Hello,
I found this bug when fuzzing readelf with afl-fuzz.
==========Reproduce==========
Trigger the bug:
address@hidden:~/Fuzzing/afl/binutils$ ./build-binutils-2.29-ggdb/bin/readelf -a readelf_hang.elf
==========Actual Result==========
The program readelf hangs for a very long time, printing repeated outputs.
address@hidden:~/Fuzzing/afl/binutils$ ./build-binutils-2.29-ggdb/bin/readelf -a readelf_hang_slave_id00.elf
ELF Header:
Magic: 7f 45 4c 46 02 01 01 04 00 00 00 00 00 00 00 00
Class: ELF64
......................
0x0070: Parent 19320, name index: 0
0x0070: Parent 19321, name index: 0
0x0070: Parent 19322, name index: 0
0x0070: Parent 19323, name index: 0
0x0070: Parent 19324, name index: 0
0x0070: Parent 19325, name index: 0
0x0070: Parent 19326, name index: 0
0x0070: Parent 19327, name index: 0
0x0070: Parent 19328, name index: 0
......................
==========Build Date & Hardware==========
Version: binutils 2.29 (https://ftp.gnu.org/gnu/binutils/binutils-2.29.tar.gz)
Compilation on Ubuntu 16.04:
address@hidden:~/Fuzzing/afl/binutils/binutils-2.29$ uname -a
Linux manh-VirtualBox 4.4.0-91-generic #114-Ubuntu SMP Tue Aug 8 11:56:56 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
address@hidden:~/Fuzzing/afl/binutils/binutils-2.29$ sudo ./configure --prefix=`pwd`/../build-binutils-2.29-ggdb CC="gcc" CXX="g++" CFLAGS="-ldl -Wno-error -ggdb -O0" CXXFLAGS="-ldl -Wno-error -ggdb -O0" && sudo make && sudo make install
==========Additional Information==========
Detailed analysis of the bug:
Within the loop starting at readelf.c:10236, if aux.vda_next = 0, the loop
iterates (ent.vd_cnt-1) times. And within the outer loop (starting at
readelf.c:10183), ent.vn_next can be zero, so idx never increases (idx +=
ent.vd_next), and the loop iterates cnt times. So the complexity of the two
nested loops is O(cnt*ent.vd_cnt), which makes the program hang.
==========Suggestion for Patching==========
Just check if aux.vda_next = 0 and if ent.vn_next = 0.
Cheers,
Manh
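As an added illustration of the report's analysis and its suggested fix (this is example code written for this page, not readelf's own source or the reporter's code), the C program below walks an SHT_GNU_verdef section two ways: once with the loop shape described in the report, where a zero vd_next / vda_next leaves the offset unchanged and the same entry is re-read until the counter runs out, and once with the suggested check, where a zero link ends the chain immediately. The struct layouts are copied from the ELF gABI (the same fields as Elf64_Verdef / Elf64_Verdaux in <elf.h>); the sample sections are constructed in memory and are not the attachment from the report; the `entries` argument stands in for readelf's `cnt` (the section's sh_info), and the value 20000 is an arbitrary large count in the spirit of the "Parent 19328" output above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Field layout of Elf64_Verdef / Elf64_Verdaux per the ELF gABI (same as <elf.h>),
 * copied here so the example builds without system headers. */
typedef struct {
    uint16_t vd_version;
    uint16_t vd_flags;
    uint16_t vd_ndx;
    uint16_t vd_cnt;   /* number of verdaux entries hanging off this verdef */
    uint32_t vd_hash;
    uint32_t vd_aux;   /* offset from this entry to its first verdaux */
    uint32_t vd_next;  /* offset from this entry to the next verdef; 0 = last */
} verdef_t;

typedef struct {
    uint32_t vda_name;
    uint32_t vda_next; /* offset to the next verdaux; 0 = last */
} verdaux_t;

typedef struct {
    unsigned parents;  /* verdef entries visited */
    unsigned auxes;    /* verdaux entries visited */
    int truncated;     /* set when an offset pointed outside the section */
} walk_stats_t;

/* Copy `sz` bytes at `off` out of the section only if they lie inside it. */
static int read_at(const uint8_t *sec, size_t len, size_t off, void *out, size_t sz)
{
    if (off > len || sz > len - off)
        return 0;
    memcpy(out, sec + off, sz);
    return 1;
}

/* Walk the verdef chain. `entries` is the count the section header claims.
 * With stop_on_zero_next == 0 the walk behaves like the loops in the report:
 * a zero vd_next / vda_next leaves idx / aoff unchanged and the same entry is
 * re-read until the counter is exhausted. With it set, a zero link ends the
 * chain at once, which is the check the report suggests. */
walk_stats_t walk_verdef(const uint8_t *sec, size_t len, unsigned entries,
                         int stop_on_zero_next)
{
    walk_stats_t st = {0, 0, 0};
    size_t idx = 0;

    for (unsigned i = 0; i < entries; i++) {
        verdef_t ent;
        if (!read_at(sec, len, idx, &ent, sizeof ent)) { st.truncated = 1; break; }
        st.parents++;

        size_t aoff = idx + ent.vd_aux;
        for (unsigned j = 0; j < ent.vd_cnt; j++) {
            verdaux_t aux;
            if (!read_at(sec, len, aoff, &aux, sizeof aux)) { st.truncated = 1; break; }
            st.auxes++;
            if (stop_on_zero_next && aux.vda_next == 0)
                break;               /* end of aux chain, whatever vd_cnt says */
            aoff += aux.vda_next;
        }

        if (stop_on_zero_next && ent.vd_next == 0)
            break;                   /* end of verdef chain, whatever `entries` says */
        idx += ent.vd_next;
    }
    return st;
}

/* Constructed sample (hypothetical, not the report's attachment): one verdef that
 * claims vd_cnt = 5 but carries a single verdaux with vda_next = 0, and vd_next = 0. */
static size_t build_crafted(uint8_t *buf)
{
    verdef_t ent = {1, 0, 1, 5, 0, (uint32_t)sizeof(verdef_t), 0};
    verdaux_t aux = {0, 0};
    memcpy(buf, &ent, sizeof ent);
    memcpy(buf + sizeof ent, &aux, sizeof aux);
    return sizeof ent + sizeof aux;                 /* 28 bytes */
}

/* Constructed well-formed sample: two verdefs, each with a two-entry aux chain. */
static size_t put_verdef(uint8_t *buf, size_t off, uint32_t next)
{
    verdef_t ent = {1, 0, 1, 2, 0, (uint32_t)sizeof(verdef_t), next};
    verdaux_t a0 = {0, (uint32_t)sizeof(verdaux_t)}, a1 = {0, 0};
    memcpy(buf + off, &ent, sizeof ent);
    memcpy(buf + off + sizeof ent, &a0, sizeof a0);
    memcpy(buf + off + sizeof ent + sizeof a0, &a1, sizeof a1);
    return sizeof ent + sizeof a0 + sizeof a1;      /* 36 bytes */
}

static size_t build_wellformed(uint8_t *buf)
{
    size_t n = put_verdef(buf, 0, (uint32_t)(sizeof(verdef_t) + 2 * sizeof(verdaux_t)));
    n += put_verdef(buf, n, 0);
    return n;                                       /* 72 bytes */
}

walk_stats_t demo_crafted(int stop_on_zero_next)
{
    uint8_t buf[64];
    size_t len = build_crafted(buf);
    return walk_verdef(buf, len, 20000, stop_on_zero_next);
}

walk_stats_t demo_wellformed(int stop_on_zero_next, unsigned entries)
{
    uint8_t buf[128];
    size_t len = build_wellformed(buf);
    return walk_verdef(buf, len, entries, stop_on_zero_next);
}

int main(void)
{
    walk_stats_t a = demo_crafted(0), b = demo_crafted(1);
    printf("crafted, unchecked: %u parents, %u auxes\n", a.parents, a.auxes);
    printf("crafted, hardened:  %u parents, %u auxes\n", b.parents, b.auxes);
    return 0;
}
```

On the crafted section the unchecked walk visits 20000 parents and 100000 auxes (the cnt*vd_cnt product from the analysis above, re-reading the same 28 bytes every time), while the hardened walk visits one of each and stops. On the well-formed section both walks agree as long as the header count matches the chain; when the count overstates the chain length, only the hardened walk stops at the last real entry.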