Found by the afl fuzzer, at [r3478]
readelf/readelf -a outputs-readelf/crashes/id:000000,sig:11,src:005289,op:arith32,pos:2452,val:-6
...
readelf: Malformed .hash section
readelf: Malformed .hash section
zsh: segmentation fault (core dumped)  readelf/readelf -a
Backtrace:
Process 30269 stopped
* thread #1: tid = 105167, 0x0000000000415877 readelf`dump_elf [inlined] dump_svr4_hash + 737 at readelf.c:3110, stop reason = invalid address (fault address: 0x801c3e308)
    frame #0: 0x0000000000415877 readelf`dump_elf [inlined] dump_svr4_hash + 737 at readelf.c:3110
   3107         if ((bl = calloc(nbucket, sizeof(*bl))) == NULL)
   3108                 errx(EXIT_FAILURE, "calloc failed");
   3109         for (i = 0; (uint32_t)i < nbucket; i++)
-> 3110                 for (j = bucket[i]; j > 0 && (uint32_t)j < nchain; j = chain[j])
   3111                         if (++bl[i] > maxl)
   3112                                 maxl = bl[i];
   3113         if ((c = calloc(maxl + 1, sizeof(*c))) == NULL)
(lldb) bt
* thread #1: tid = 105167, 0x0000000000415877 readelf`dump_elf [inlined] dump_svr4_hash + 737 at readelf.c:3110, stop reason = invalid address (fault address: 0x801c3e308)
  * frame #0: 0x0000000000415877 readelf`dump_elf [inlined] dump_svr4_hash + 737 at readelf.c:3110
    frame #1: 0x0000000000415596 readelf`dump_elf [inlined] dump_hash(re=<unavailable>) + 3246 at readelf.c:3292
    frame #2: 0x00000000004148e8 readelf`dump_elf(re=0x00007fffffffe380) + 71816 at readelf.c:6612
    frame #3: 0x00000000000000d7
    frame #4: 0x0000000000402274 readelf`main [inlined] dump_object(re=0x00007fffffffe816) + 888 at readelf.c:6772
    frame #5: 0x0000000000401efc readelf`main(argc=-6, argv=0x0000000000000012) + 6892 at readelf.c:7252
    frame #6: 0x000000000040030f readelf`_start(ap=<unavailable>, cleanup=<unavailable>) + 367 at crt1.c:78
(lldb)
crashing ELF input attached
Another readelf crasher
Hi Ed,
Seems that the buffer size calculator check does not catch this ill case as it wraps around. Attaching a patch for it.
Akos
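The wraparound Akos describes, next to an overflow-safe size check and a bounds-checked version of the chain walk at readelf.c:3110. This is an added example written for this report, not elftoolchain's readelf code or the attached patch; the little-endian word layout and the function names are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

/* Added example, not readelf's own code: validating an SVR4 .hash section's
 * declared sizes before walking it. Assumed layout (32-bit little-endian
 * words): nbucket, nchain, bucket[nbucket], chain[nchain]. */
static uint32_t rd32le(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Check of the kind the report describes: the byte count is formed in
 * 32 bits, so huge nbucket/nchain wrap it to a small value that passes. */
bool hash_size_ok_wrapping(uint32_t sh_size, uint32_t nbucket, uint32_t nchain)
{
    uint32_t bytes = (2u + nbucket + nchain) * 4u;   /* may wrap */
    return bytes <= sh_size;
}

/* Overflow-safe form: widen before adding, compare against sh_size / 4. */
bool hash_size_ok(uint64_t sh_size, uint32_t nbucket, uint32_t nchain)
{
    uint64_t words = 2 + (uint64_t)nbucket + (uint64_t)nchain;
    return words <= sh_size / 4;
}

/* Longest bucket chain, or -1 when the header does not fit the section.
 * Every index is checked before use; a step budget of nchain stops a
 * cyclic chain from looping forever. */
long hash_max_chain_len(const unsigned char *sec, uint64_t sh_size)
{
    if (sh_size < 8)
        return -1;
    uint32_t nbucket = rd32le(sec), nchain = rd32le(sec + 4);
    if (!hash_size_ok(sh_size, nbucket, nchain))
        return -1;
    const unsigned char *bucket = sec + 8, *chain = bucket + (uint64_t)nbucket * 4;
    long maxl = 0;
    for (uint32_t i = 0; i < nbucket; i++) {
        long len = 0; uint32_t steps = 0;
        for (uint32_t j = rd32le(bucket + (uint64_t)i * 4);
             j > 0 && j < nchain && steps++ < nchain;
             j = rd32le(chain + (uint64_t)j * 4))
            len++;
        if (len > maxl)
            maxl = len;
    }
    return maxl;
}
```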
Any updates on this?