From: PeterRong96 at gmail dot com
Subject: [Bug binutils/24098] New: readelf gets SegFault on crafted input that may cause DoS
Date: Wed, 16 Jan 2019 07:26:47 +0000
https://sourceware.org/bugzilla/show_bug.cgi?id=24098
Bug ID: 24098
Summary: readelf gets SegFault on crafted input that may cause DoS
Product: binutils
Version: 2.31
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: PeterRong96 at gmail dot com
Target Milestone: ---
Created attachment 11541
--> https://sourceware.org/bugzilla/attachment.cgi?id=11541&action=edit
3 files that led to crash.
By fuzzing readelf, we have crafted three files that produce SegFaults, and it
might cause DoS vulnerabilities.
Crash site:
readelf.c:8028
8024: relname = elf_hppa_reloc_type (get_reloc_type (filedata, rp->r_info));
...
8028: if (! const_strneq (relname, "R_PARISC_SEGREL"))
In line 8024 relname becomes NULL when fed with crafted data. Doing strncmp
later on line 8028 on a NULL pointer is invalid.
Crash cause:
According to the definition in include/hppa.h:110-496 and
include/reloc-macros.h:95-127, when given "the relocation is not recognised,
NULL is returned." (citing the comment from include/reloc-macros.h:97).
Below is a stack printed using gdb.
#0 __strncmp_avx2 () at ../sysdeps/x86_64/multiarch/strcmp-avx2.S:101
No locals.
#1 0x00005555556336f2 in slurp_hppa_unwind_table (filedata=<optimized out>,
sec=<optimized out>,
aux=<optimized out>) at readelf.c:8028
nentries = <optimized out>
size = <optimized out>
seg = <optimized out>
table = <optimized out>
tp = <optimized out>
relsec = <optimized out>
nrelas = <optimized out>
rela = <optimized out>
relname = 0x0
sym = <optimized out>
i = <optimized out>
rp = <optimized out>
tep = <optimized out>
tmp1 = <optimized out>
tmp2 = <optimized out>
#2 hppa_process_unwind (filedata=<optimized out>) at readelf.c:8115
num_unwind = <optimized out>
res = 0
i = <optimized out>
sec = <optimized out>
unwsec = <optimized out>
aux = <optimized out>
strsec = <optimized out>
#3 0x00005555555a8135 in process_unwind (filedata=<optimized out>) at
readelf.c:9253
handlers = <optimized out>
#4 process_object (filedata=<optimized out>) at readelf.c:18822
res = 0
i = 31
separates = <optimized out>
#5 0x0000555555577866 in process_file (file_name=<optimized out>) at
readelf.c:19259
armag = "\177ELF\002\003\001"
ret = 1
statbuf = <optimized out>
filedata = <optimized out>
#6 main (argc=<optimized out>, argv=<optimized out>) at readelf.c:19318
err = 0
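As an added illustration (not code from the report or from binutils): the lookup contract the report cites, where an unrecognised relocation type yields NULL, placed next to the unguarded prefix comparison from readelf.c:8028 and a NULL-checked variant that skips the entry instead of dereferencing it. The relocation numbers in the table are constructed placeholders, not the real R_PARISC_* values; const_strneq is reproduced with the same shape as readelf's macro.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

typedef struct { unsigned type; const char *name; } reloc_entry;

/* Constructed lookup table: placeholder numbers standing in for the
   R_PARISC_* values in include/elf/hppa.h, only for this demonstration. */
static const reloc_entry hppa_relocs[] = {
  { 0,  "R_PARISC_NONE" },
  { 1,  "R_PARISC_DIR32" },
  { 41, "R_PARISC_SEGREL32" },
  { 58, "R_PARISC_SEGREL64" },
};

/* Mirrors the reloc-macros.h contract quoted in the report: an unknown
   relocation type returns NULL rather than a name string. */
const char *hppa_reloc_name (unsigned type)
{
  for (size_t i = 0; i < sizeof hppa_relocs / sizeof hppa_relocs[0]; i++)
    if (hppa_relocs[i].type == type)
      return hppa_relocs[i].name;
  return NULL;
}

/* Same shape as readelf's const_strneq: strncmp against a literal prefix. */
#define const_strneq(a, b) (strncmp ((a), (b), sizeof (b) - 1) == 0)

/* Unguarded check, as at readelf.c:8028 in the report: if the file names
   a relocation type that is not in the table, relname is NULL and strncmp
   dereferences it, which is undefined behaviour and segfaults in practice. */
bool is_segrel_unguarded (unsigned type)
{
  const char *relname = hppa_reloc_name (type);
  return const_strneq (relname, "R_PARISC_SEGREL");
}

/* Guarded variant: an unrecognised relocation is reported as "not SEGREL"
   so the unwind-table loop can skip the entry instead of crashing. */
bool is_segrel_guarded (unsigned type)
{
  const char *relname = hppa_reloc_name (type);
  if (relname == NULL)
    return false;
  return const_strneq (relname, "R_PARISC_SEGREL");
}
```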