[Bug binutils/24098] New: readelf gets SegFault on crafted input that ma

From: PeterRong96 at gmail dot com
Subject: [Bug binutils/24098] New: readelf gets SegFault on crafted input that may cause DoS
Date: Wed, 16 Jan 2019 07:26:47 +0000


            Bug ID: 24098
           Summary: readelf gets SegFault on crafted input that may cause
           Product: binutils
           Version: 2.31
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: PeterRong96 at gmail dot com
  Target Milestone: ---

Created attachment 11541
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11541&action=edit
3 files that led to crash.

By fuzzing readelf, we have crafted three files that produce SegFaults, and they
might cause DoS vulnerabilities.

Crash site:
      8024: relname = elf_hppa_reloc_type (get_reloc_type (
                filedata, rp->r_info));
      8028: if (! const_strneq (relname, "R_PARISC_SEGREL"))
  On line 8024 relname becomes NULL when fed the crafted data. Calling strncmp
  on that NULL pointer later, on line 8028, is invalid.

Crash cause:
  According to the definitions in include/hppa.h:110-496 and
  include/reloc-macros.h:95-127, when "the relocation is not recognised,
  NULL is returned." (citing the comment from include/reloc-macros.h:97).

Below is a stack trace printed by gdb.

#0  __strncmp_avx2 () at ../sysdeps/x86_64/multiarch/strcmp-avx2.S:101
No locals.
#1  0x00005555556336f2 in slurp_hppa_unwind_table (filedata=<optimized out>,
sec=<optimized out>, 
    aux=<optimized out>) at readelf.c:8028
        nentries = <optimized out>
        size = <optimized out>
        seg = <optimized out>
        table = <optimized out>
        tp = <optimized out>
        relsec = <optimized out>
        nrelas = <optimized out>
        rela = <optimized out>
        relname = 0x0
        sym = <optimized out>
        i = <optimized out>
        rp = <optimized out>
        tep = <optimized out>
        tmp1 = <optimized out>
        tmp2 = <optimized out>
#2  hppa_process_unwind (filedata=<optimized out>) at readelf.c:8115
        num_unwind = <optimized out>
        res = 0
        i = <optimized out>
        sec = <optimized out>
        unwsec = <optimized out>
        aux = <optimized out>
        strsec = <optimized out>
#3  0x00005555555a8135 in process_unwind (filedata=<optimized out>) at
        handlers = <optimized out>
#4  process_object (filedata=<optimized out>) at readelf.c:18822
        res = 0
        i = 31
        separates = <optimized out>
#5  0x0000555555577866 in process_file (file_name=<optimized out>) at
        armag = "\177ELF\002\003\001"
        ret = 1
        statbuf = <optimized out>
        filedata = <optimized out>
#6  main (argc=<optimized out>, argv=<optimized out>) at readelf.c:19318
        err = 0
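The defensive handling this report calls for, as an added example that is not from the bug report or from binutils: a constructed stand-in for the elf_hppa_reloc_type lookup (placeholder type numbers, not the real PA-RISC values) and a SEGREL scan that rejects a NULL name before const_strneq can pass it to strncmp. The sample r_info words, the ELF64_R_TYPE macro and the function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for elf_hppa_reloc_type: the START_RELOC_NUMBERS /
   END_RELOC_NUMBERS table maps a known type to its name and returns NULL for
   anything else. Type numbers here are placeholders, not real PA-RISC values. */
static const char *hppa_reloc_name(unsigned int type)
{
    switch (type) {
    case 0:  return "R_PARISC_NONE";
    case 1:  return "R_PARISC_DIR32";
    case 2:  return "R_PARISC_SEGREL32";
    case 3:  return "R_PARISC_SEGREL64";
    default: return NULL;           /* relocation not recognised */
    }
}

/* Same shape as readelf's const_strneq: strncmp against a string literal.
   Passing NULL as the first argument is what faults at readelf.c:8028. */
#define const_strneq(a, b) (strncmp((a), (b), sizeof(b) - 1) == 0)
#define ELF64_R_TYPE(i) ((unsigned int)((i) & 0xffffffff))

/* Hardened version of the SEGREL scan: a NULL name means the relocation
   type came from malformed input, so warn and skip instead of dereferencing.
   Returns the number of SEGREL entries; *skipped counts the rejected ones. */
static int count_segrel_relocs(const uint64_t *r_info, size_t n, int *skipped)
{
    int hits = 0;
    *skipped = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned int type = ELF64_R_TYPE(r_info[i]);
        const char *relname = hppa_reloc_name(type);
        if (relname == NULL) {                    /* the missing check */
            fprintf(stderr, "warning: skipping unrecognised relocation type %u\n", type);
            (*skipped)++;
            continue;
        }
        if (const_strneq(relname, "R_PARISC_SEGREL"))
            hits++;
    }
    return hits;
}

/* Constructed r_info words (symbol index << 32 | type): two SEGREL entries,
   one DIR32 and a bogus type 0x7fff of the kind a fuzzer produces. */
static const uint64_t sample_r_info[] = {
    (1ULL << 32) | 2, (1ULL << 32) | 1, (2ULL << 32) | 3, (3ULL << 32) | 0x7fff
};
#define SAMPLE_N (sizeof sample_r_info / sizeof sample_r_info[0])
```

Running the scan over sample_r_info yields 2 SEGREL entries and 1 skipped entry; the unchecked original would instead fault inside strncmp on the bogus fourth entry.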
