Bug 23753

Summary: Invalid Address Read problem in dwfl_segment_report_module.c when executing ./eu-stack --core=$POC
Product: elfutils Reporter: wcventure <wcventure>
Component: libdwAssignee: Not yet assigned to anyone <unassigned>
Status: RESOLVED DUPLICATE    
Severity: normal CC: elfutils-devel, mark
Priority: P2    
Version: unspecified   
Target Milestone: ---   
Host: Target:
Build: Last reconfirmed:
Attachments: POC-stack

Description wcventure 2018-10-10 09:32:36 UTC 
Hi there,

Our fuzzer caught Invalid Address Read problem in eu-stack of the latest elfutils-0.174 code base, this inputs will cause the segment faults and I have confirmed them with address sanitizer too. Please use the "./eu-stack --core=$POC" or "./eu-stack --core=$POC -abdilmsv" to reproduce the bug. If you have any questions, please let me know.

The ASAN dumps the stack trace as follows:

ASAN:DEADLYSIGNAL
=================================================================
==9753==ERROR: AddressSanitizer: SEGV on unknown address 0x7f6afb9ac114 (pc 0x7f6afa17a7dc bp 0x7fffc8bb1900 sp 0x7fffc8bb17f0 T0)
==9753==The signal is caused by a READ memory access.
    #0 0x7f6afa17a7db in consider_notes /elfutils-0.174/libdwfl/dwfl_segment_report_module.c:486
    #1 0x7f6afa17accc in consider_phdr /elfutils-0.174/libdwfl/dwfl_segment_report_module.c:529
    #2 0x7f6afa176fa2 in dwfl_segment_report_module /elfutils-0.174/libdwfl/dwfl_segment_report_module.c:590
    #3 0x7f6afa185ce0 in dwfl_core_file_report /elfutils-0.174/libdwfl/core-file.c:541
    #4 0x405106 in parse_opt /elfutils-0.174/src/stack.c:590
    #5 0x7f6af9a64847 in argp_parse (/lib/x86_64-linux-gnu/libc.so.6+0x114847)
    #6 0x4056a7 in main /elfutils-0.174/src/stack.c:690
    #7 0x7f6af997082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #8 0x402308 in _start (/elfutils-0.174/build/bin/eu-stack+0x402308)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /elfutils-0.174/libdwfl/dwfl_segment_report_module.c:486 in consider_notes
==9753==ABORTING
Comment 1 wcventure 2018-10-10 09:35:05 UTC 
Created attachment 11307 [details]
POC-stack

./eu-stack --core=$POC
Comment 2 Mark Wielaard 2018-10-14 15:03:42 UTC 
Same as bug #23752.

*** This bug has been marked as a duplicate of bug 23752 ***
Comment 3 wcventure 2018-10-14 16:22:50 UTC 
Thanks for paying attention to this problem and proposing to fix it in time.
This bug was discovered by NTU Cyber-Security-Lab, for fuzzing research work.