
#535 readelf segfault on malformed input

Milestone: RELEASE_1_0
Status: new
Owner: nobody
Labels: None
Updated: 2016-12-20
Created: 2016-06-20
Creator: Ed Maste
Private: No

Found by the afl fuzzer, at [r3478]

readelf/readelf -a outputs-readelf/crashes/id:000000,sig:11,src:005289,op:arith32,pos:2452,val:-6
...
readelf: Malformed .hash section
readelf: Malformed .hash section
zsh: segmentation fault (core dumped)  readelf/readelf -a 

Backtrace:

Process 30269 stopped
* thread #1: tid = 105167, 0x0000000000415877 readelf`dump_elf [inlined] dump_svr4_hash + 737 at readelf.c:3110, stop reason = invalid address (fault address: 0x801c3e308)
    frame #0: 0x0000000000415877 readelf`dump_elf [inlined] dump_svr4_hash + 737 at readelf.c:3110
   3107         if ((bl = calloc(nbucket, sizeof(*bl))) == NULL)
   3108                 errx(EXIT_FAILURE, "calloc failed");
   3109         for (i = 0; (uint32_t)i < nbucket; i++)
-> 3110                 for (j = bucket[i]; j > 0 && (uint32_t)j < nchain; j = chain[j])
   3111                         if (++bl[i] > maxl)
   3112                                 maxl = bl[i];
   3113         if ((c = calloc(maxl + 1, sizeof(*c))) == NULL)
(lldb) bt
* thread #1: tid = 105167, 0x0000000000415877 readelf`dump_elf [inlined] dump_svr4_hash + 737 at readelf.c:3110, stop reason = invalid address (fault address: 0x801c3e308)
  * frame #0: 0x0000000000415877 readelf`dump_elf [inlined] dump_svr4_hash + 737 at readelf.c:3110
    frame #1: 0x0000000000415596 readelf`dump_elf [inlined] dump_hash(re=<unavailable>) + 3246 at readelf.c:3292
    frame #2: 0x00000000004148e8 readelf`dump_elf(re=0x00007fffffffe380) + 71816 at readelf.c:6612
    frame #3: 0x00000000000000d7
    frame #4: 0x0000000000402274 readelf`main [inlined] dump_object(re=0x00007fffffffe816) + 888 at readelf.c:6772
    frame #5: 0x0000000000401efc readelf`main(argc=-6, argv=0x0000000000000012) + 6892 at readelf.c:7252
    frame #6: 0x000000000040030f readelf`_start(ap=<unavailable>, cleanup=<unavailable>) + 367 at crt1.c:78
(lldb) 
2 Attachments

Related

Commit: [r3478]

Discussion

  • Ed Maste

    Ed Maste - 2016-06-20
    • Attachments has changed:

    Diff:

    --- old
    +++ new
    @@ -0,0 +1 @@
    +id:000000,sig:11,src:005289,op:arith32,pos:2452,val:-6 (4.6 kB; application/octet-stream)
    
     
  • Ed Maste

    Ed Maste - 2016-06-20

    crashing ELF input attached

     
  • Ed Maste

    Ed Maste - 2016-06-30
    • Attachments has changed:

    Diff:

    --- old
    +++ new
    @@ -1 +1,2 @@
     id:000000,sig:11,src:005289,op:arith32,pos:2452,val:-6 (4.6 kB; application/octet-stream)
    +id:000001,sig:11,src:005427,op:arith32,pos:2452,val:-6 (4.6 kB; application/octet-stream)
    
     
  • Ed Maste

    Ed Maste - 2016-06-30

    Another readelf crasher

     
  • akossomfai

    akossomfai - 2016-12-09

    Hi Ed,

    Seems that the buffer size calculator check does not catch this ill case as it wraps around. Attaching a patch for it.

    Akos

     
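The wrap-around Akos describes above, as an added example that is not part of the ticket or of the elftoolchain sources (the function names, the constructed sample sections and the host-byte-order assumption are mine): hash_section_valid sizes the section in 64-bit arithmetic so a huge nbucket or nchain cannot wrap the check, and hash_max_chain does the bounded chain walk that the loop at readelf.c:3110 needs, with an added step cap (not in readelf) so a chain that points back at itself also terminates.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* SVR4 .hash layout, all Elf32_Word (host byte order assumed for this demo):
 * nbucket, nchain, bucket[nbucket], chain[nchain] */

/* Check the header against the section size. The byte count is computed in
 * 64 bits, so nbucket = 0xFFFFFFFF with nchain = 1 cannot wrap to "2 words"
 * and pass. Returns 0 if the section is consistent, -1 otherwise. */
int hash_section_valid(const uint8_t *sec, size_t len,
                       uint32_t *nbucket, uint32_t *nchain)
{
    uint64_t need;
    if (sec == NULL || len < 2 * sizeof(uint32_t))
        return -1;
    memcpy(nbucket, sec, sizeof(uint32_t));
    memcpy(nchain, sec + sizeof(uint32_t), sizeof(uint32_t));
    need = (2 + (uint64_t)*nbucket + (uint64_t)*nchain) * sizeof(uint32_t);
    return need > len ? -1 : 0;
}

/* Longest bucket chain, the value dump_svr4_hash computes before sizing its
 * histogram. Every index is checked against nchain and the walk is capped at
 * nchain steps, so a chain entry pointing back at itself still terminates. */
int hash_max_chain(const uint8_t *sec, size_t len, uint32_t *maxl)
{
    uint32_t nbucket, nchain, i, j, steps, l;
    const uint8_t *bucket, *chain;
    if (hash_section_valid(sec, len, &nbucket, &nchain) != 0)
        return -1;
    bucket = sec + 2 * sizeof(uint32_t);
    chain = bucket + (size_t)nbucket * sizeof(uint32_t);
    *maxl = 0;
    for (i = 0; i < nbucket; i++) {
        memcpy(&j, bucket + (size_t)i * sizeof(uint32_t), sizeof(uint32_t));
        for (l = 0, steps = 0; j > 0 && j < nchain && steps < nchain; steps++) {
            l++;
            memcpy(&j, chain + (size_t)j * sizeof(uint32_t), sizeof(uint32_t));
        }
        if (l > *maxl)
            *maxl = l;
    }
    return 0;
}
/* Constructed inputs (not the crashers attached to the ticket): a well-formed
 * section, a header whose counts wrap 32-bit math, and a self-referencing chain. */
const uint32_t hash_ok[]    = { 2, 4, 1, 3, 0, 2, 0, 0 };
const uint32_t hash_wrap[]  = { 0xFFFFFFFFu, 1, 0, 0 };
const uint32_t hash_cycle[] = { 1, 2, 1, 0, 1 };
```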
  • akossomfai

    akossomfai - 2016-12-20

    Any updates on this?

     
