Based on r2983.

In elfdump.c, there are lots of global string arrays for various fields of ELF, e.g., e_types[], ei_abis[], etc. However, many of these arrays are not exhaustive, and there is no strategy to handle indices out of the range supported by these arrays, so a segfault is caused. A test case is attached and the command is elfdump elfdump-1-23-A. In this test case, an index into ei_abis[] is out of range and causes a segfault. gdb output:
Program received signal SIGSEGV, Segmentation fault.
0x00002aaaaad1cf90 in _IO_vfprintf_internal (s=<optimized out>, format=<optimized out>, ap=ap@entry=0x7fffffffd368) at vfprintf.c:1655
1655 vfprintf.c: No such file or directory.
#0 0x00002aaaaad1cf90 in _IO_vfprintf_internal (s=<optimized out>, format=<optimized out>, ap=ap@entry=0x7fffffffd368) at vfprintf.c:1655
#1 0x00002aaaaad23f57 in __fprintf (stream=<optimized out>, format=<optimized out>) at fprintf.c:32
#2 0x00000000004042fe in elf_print_ehdr (ed=0x7fffffffd4e0) at elfdump.c:1506
#3 0x000000000040383a in elf_print_elf (ed=0x7fffffffd4e0) at elfdump.c:1274
#4 0x000000000040372c in elf_print_object (ed=0x7fffffffd4e0) at elfdump.c:1237
#5 0x000000000040311a in main (ac=1, av=0x7fffffffd670) at elfdump.c:941
p ed->ehdr.e_ident[EI_OSABI] gets 97 'a'. p ei_abis[ed->ehdr.e_ident[EI_OSABI]] gets 0x800000004 <Address 0x800000004 out of bounds>. Jumping into ei_abis[], it only has 13 elements. Pointer out of bounds.
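The failure mode in the report, a one-byte field from the file used directly as an index into a 13-entry name table, and the range-checked lookup that avoids it. This is an added example, not elftoolchain's code: the table contents, describe_osabi() and abi_name_checked() are constructed for illustration, and the 16-byte e_ident below is built inline with 'a' (97) at EI_OSABI to mirror the attached test case.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

#ifndef EI_OSABI
#define EI_OSABI 7          /* offset of the OS/ABI byte in e_ident[] */
#endif

/* Constructed stand-in for elfdump's ei_abis[]: 13 named values, so any
 * e_ident[EI_OSABI] >= 13 (e.g. 97 in the test case) has no entry. */
static const char *ei_abis[] = {
    "ELFOSABI_SYSV",    "ELFOSABI_HPUX",    "ELFOSABI_NETBSD",
    "ELFOSABI_LINUX",   "ELFOSABI_HURD",    "ELFOSABI_86OPEN",
    "ELFOSABI_SOLARIS", "ELFOSABI_AIX",     "ELFOSABI_IRIX",
    "ELFOSABI_FREEBSD", "ELFOSABI_TRU64",   "ELFOSABI_MODESTO",
    "ELFOSABI_OPENBSD",
};

#define NELEM(a) (sizeof(a) / sizeof((a)[0]))

/* Pattern from the report: the file-controlled byte indexes the table
 * directly. For osabi >= NELEM(ei_abis) this reads past the array and hands
 * fprintf() a garbage pointer, which is the crash in the backtrace. */
static const char *abi_name_unchecked(unsigned char osabi)
{
    return ei_abis[osabi];
}

/* Hardened lookup: check the index against the table length (and tolerate
 * NULL holes) before dereferencing; otherwise print the raw value into a
 * caller-supplied buffer so the dump still shows what the file contains. */
static const char *abi_name_checked(unsigned char osabi, char *buf, size_t len)
{
    if (osabi < NELEM(ei_abis) && ei_abis[osabi] != NULL)
        return ei_abis[osabi];
    snprintf(buf, len, "<unknown: %u>", (unsigned)osabi);
    return buf;
}

/* Convenience wrapper mirroring the elf_print_ehdr() use: take e_ident[]
 * from a parsed header and describe its OS/ABI byte safely. */
static const char *describe_osabi(const unsigned char *e_ident, char *buf, size_t len)
{
    return abi_name_checked(e_ident[EI_OSABI], buf, len);
}

int main(void)
{
    /* Constructed e_ident: valid magic, 64-bit, LSB, version 1, OSABI 'a'. */
    unsigned char ident[16] = { 0x7f, 'E', 'L', 'F', 2, 1, 1, 'a' };
    char buf[32];
    printf("EI_OSABI: %s\n", describe_osabi(ident, buf, sizeof buf));
    (void)abi_name_unchecked;   /* kept for comparison; never called */
    return 0;
}
```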
Yes. It's also unfortunate that this functionality exists in both elfdump and readelf.
One possible fix would be to move elf_osabi(), elf_machine() etc. from readelf into libelftc and share it with elfdump.
Alternatively, it may make sense to just roll elfdump into readelf and switch behaviour based on argv[0].