Bug 15120 - Readelf coredump on malicous ar archive
Summary: Readelf coredump on malicous ar archive
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils (show other bugs)
Version: 2.24
: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-02-08 02:04 UTC by binutils
Modified: 2013-02-08 18:06 UTC (History)
1 user (show)

See Also:
Host:
Target:
Build:
Last reconfirmed:

Attachments
ar archive 1 (938 bytes, application/octet-stream)
2013-02-08 02:04 UTC, binutils 		Details
ar archive 2 (55.56 KB, application/octet-stream)
2013-02-08 02:06 UTC, binutils 		Details
ar archive 3 (518 bytes, application/octet-stream)
2013-02-08 02:06 UTC, binutils 		Details
ar archive 4 (502 bytes, application/octet-stream)
2013-02-08 02:07 UTC, binutils 		Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description binutils 2013-02-08 02:04:56 UTC 
Created attachment 6857 [details]
ar archive 1

readelf gets a segmentation fault on printing headers on malicous ar archives (included in metasploit framework)

./binutils/readelf -h /tmp/metasploit/external/source/byakugan/i386/byakugan.lib
[1]    32176 segmentation fault (core dumped)  ./binutils/readelf -h

gdb:
#0  0x000000000042d6c9 in get_archive_member_name (arch=0x7fff41f5dcd0, nested_arch=0x7fff41f5dd70) at elfcomm.c:599
599	        j--;
(gdb) p j
$1 = 1257796941
(gdb) p arch->longnames_size
$2 = 0
(gdb) p arch->longnames
$3 = 0x0
(gdb) p arch->arhdr.ar_name + 1
$4 = 0x7fff41f5dd29 ' ' <repeats 15 times>, "1257796941", ' ' <repeats 14 times>, "0       964       `\n"
Comment 1 binutils 2013-02-08 02:06:12 UTC 
Created attachment 6858 [details]
ar archive 2
Comment 2 binutils 2013-02-08 02:06:57 UTC 
Created attachment 6859 [details]
ar archive 3
Comment 3 binutils 2013-02-08 02:07:40 UTC 
Created attachment 6860 [details]
ar archive 4
Comment 4 Nick Clifton 2013-02-08 18:06:18 UTC 
Already Fixed.  See:

binutils/ChangeLog

	* elfcomm.c (get_archive_member_name): Prevent seg-fault if a
	corrupt archive uses long names but has no long name table.

Cheers
  Nick