Found with the AFL fuzzer
```
(lldb) bt
* thread #1: tid = 100186, 0x000000000042095b strings`_libelf_cvt_SHDR64_tom(dst=<unavailable>, dsz=<unavailable>, src=<unavailable>, count=<unavailable>, byteswap=0) + 723 at libelf_convert.c:1672, stop reason = invalid address (fault address: 0x80069300c)
  * frame #0: 0x000000000042095b strings`_libelf_cvt_SHDR64_tom(dst=<unavailable>, dsz=<unavailable>, src=<unavailable>, count=<unavailable>, byteswap=0) + 723 at libelf_convert.c:1672
    frame #1: 0x000000000040b307 strings`_libelf_load_section_headers(e=0x0000000800c060c0, ehdr=<unavailable>) + 1791 at elf_scn.c:108
    frame #2: 0x000000000040c38b strings`elf_nextscn [inlined] elf_getscn(e=0x0000000800c060c0, index=<unavailable>) + 370 at elf_scn.c:146
    frame #3: 0x000000000040c219 strings`elf_nextscn(e=0x0000000800c060c0, s=<unavailable>) + 305 at elf_scn.c:231
    frame #4: 0x0000000000403a85 strings`handle_elf(name=0x00007fffffffe836, fd=<unavailable>) + 1229 at strings.c:280
    frame #5: 0x00000000004010cd strings`main(argc=<unavailable>, argv=<unavailable>) + 3205 at strings.c:197
    frame #6: 0x000000000040030f strings`_start(ap=<unavailable>, cleanup=<unavailable>) + 367 at crt1.c:78
```
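An added illustration, not the ticket's code and not elftoolchain's actual fix: the kind of bounds check a reader of the backtrace would want in front of section-header conversion, rejecting an ELF64 header whose e_shoff/e_shnum/e_shentsize describe a table lying outside the file. The struct layout is spelled out so it compiles without `<elf.h>`, and the sample header values are constructed.

```c
/* Added example: validate that the ELF64 section header table is inside
 * the file before any code reads or byte-swaps it. An e_shoff that points
 * past the mapping is the shape of input that produces an "invalid address"
 * fault inside a header conversion routine. Not elftoolchain's fix. */
#include <stdint.h>
#include <string.h>

#define ELF64_SHDR_SIZE 64u   /* sizeof(Elf64_Shdr) per the ELF64 spec */

/* Field layout of Elf64_Ehdr, written out so this compiles stand-alone. */
typedef struct {
    unsigned char e_ident[16];
    uint16_t e_type, e_machine;
    uint32_t e_version;
    uint64_t e_entry, e_phoff, e_shoff;
    uint32_t e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} elf64_ehdr_t;

/* Returns 1 if the section header table fits in a file of filesz bytes,
 * 0 if it must be rejected before conversion. */
int shdr_table_in_bounds(const elf64_ehdr_t *eh, uint64_t filesz)
{
    uint64_t count, total;

    if (eh->e_shoff == 0)                     /* no section header table */
        return 1;
    if (eh->e_shentsize < ELF64_SHDR_SIZE)    /* entries too small to be real */
        return 0;
    /* e_shnum == 0 with a non-zero e_shoff means the real count lives in
     * section header 0's sh_size, so at least one entry must be readable. */
    count = eh->e_shnum ? eh->e_shnum : 1;
    if (eh->e_shoff >= filesz)
        return 0;
    total = count * eh->e_shentsize;          /* 16-bit x 16-bit: no overflow */
    return total <= filesz - eh->e_shoff;
}

/* Constructed sample: header claims 4 sections far beyond a 4 KiB file. */
int demo_fuzzed_header(void)
{
    elf64_ehdr_t eh;
    memset(&eh, 0, sizeof eh);
    eh.e_shoff = 0x80000000ULL;
    eh.e_shentsize = ELF64_SHDR_SIZE;
    eh.e_shnum = 4;
    return shdr_table_in_bounds(&eh, 4096);   /* 0: reject before converting */
}
```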
Take this ticket.
A fix in FreeBSD here:
https://svnweb.freebsd.org/base?view=revision&revision=276374
Original fix reverted, proper fix here:
https://github.com/emaste/elftoolchain/commit/7375be2b75b1299ffdf16b3da8cc4ce008ce0a9b
And in FreeBSD here:
https://svnweb.freebsd.org/changeset/base/276427
err, make that https://github.com/emaste/elftoolchain/commit/42746ec43c6cdcc69a064c8505912202de33fc99
Committed as [r3147]