Bug 25838

Summary: eu-readelf crashes due to a general protection fault
Product: elfutils
Reporter: Manh-Dung Nguyen <nguyenmanhdung1710>
Component: general
Assignee: Not yet assigned to anyone <unassigned>
Status: RESOLVED WORKSFORME
Severity: normal
CC: elfutils-devel, mark, nguyenmanhdung1710
Priority: P2
Version: unspecified
Target Milestone: ---
Host:
Target:
Build:
Last reconfirmed:
Attachments: PoC
Valgrind's output

Description Manh-Dung Nguyen 2020-04-16 15:11:34 UTC
Created attachment 12470 [details]
PoC

Hi,

A general protection fault was discovered in the latest commit 1a9fe4b of elfutils 0.179, as demonstrated by eu-readelf, which can cause a denial of service via a crafted file.

To reproduce: eu-readelf -a PoC

Valgrind says:
==3222== Process terminating with default action of signal 11 (SIGSEGV)
==3222==  General Protection Fault
==3222==    at 0x4124AB: handle_gnu_hash (readelf.c:3430)
==3222==    by 0x4124AB: handle_hash (readelf.c:3501)
==3222==    by 0x45EA8B: process_elf_file (readelf.c:1012)
==3222==    by 0x465129: process_dwflmod (readelf.c:790)
==3222==    by 0x4FCC888: dwfl_getmodules (dwfl_getmodules.c:86)
==3222==    by 0x4094D5: process_file (readelf.c:898)
==3222==    by 0x404D1E: main (readelf.c:372)

Thanks,
Manh Dung

Comment 1 Mark Wielaard 2020-04-18 00:02:43 UTC
Sorry, I cannot replicate this on either x86_64 or i686.
Running the reproducer under valgrind doesn't show any issues.

Could you provide more details on how you configured and built the binary?
How exactly are you invoking it, and what exactly is the complete output?

Comment 2 Manh-Dung Nguyen 2020-04-18 07:40:01 UTC
Created attachment 12479 [details]
Valgrind's output

Comment 3 Manh-Dung Nguyen 2020-04-18 07:41:05 UTC
Hi Mark,

I use Ubuntu 16.04 64-bit. I recompiled elf-utils using gcc 5.5.0 and I cannot reproduce the bug. However, compiling elf-utils using afl-gcc of AFL version 2.52b can trigger the bug (please see the attached Valgrind log). Thus, I think this bug is probably triggered due to the different compiler that I've tested.

Best,
Manh Dung

Comment 4 Mark Wielaard 2020-06-06 16:01:32 UTC
Sorry, I cannot replicate even when building elfutils with CC=afl-gcc, with or without AFL_HARDEN=1. Could you provide more information on how exactly you configure, build and run?

Comment 5 Manh-Dung Nguyen 2020-06-08 08:24:43 UTC
So I think you can safely close this issue if you cannot reproduce the bug on your side. The root cause is probably due to my hardware specifics.

Thanks,
MD

Comment 6 Mark Wielaard 2020-06-08 09:17:40 UTC
OK, closed for now. Thanks.