Bug 17531 - readelf crashes on fuzzed samples
Summary: readelf crashes on fuzzed samples
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils
Version: 2.26
Importance: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
Duplicates: 19518

Reported: 2014-11-01 19:41 UTC by Alexander Cherepanov
Modified: 2022-08-02 07:00 UTC


Attachments
- `readelf -a` crashes (1.71 KB, application/x-executable), 2014-11-01 19:41 UTC, Alexander Cherepanov
- `readelf -a` assertion failed (1.71 KB, application/x-executable), 2014-11-01 19:42 UTC, Alexander Cherepanov
- `readelf -a` loops forever (1.70 KB, application/x-executable), 2014-11-01 19:42 UTC, Alexander Cherepanov
- Fixes for readelf problems (1.82 KB, patch), 2014-11-04 11:59 UTC, Nick Clifton
- Crashers for `readelf -a` (1.16 MB, application/x-gzip), 2014-11-04 13:09 UTC, Alexander Cherepanov
- More readelf fixes (2.49 KB, patch), 2014-11-04 15:30 UTC, Nick Clifton
- More crashers (577.60 KB, application/x-gzip), 2014-11-04 18:33 UTC, Alexander Cherepanov
- Third readelf patch (4.63 KB, application/x-troff-man), 2014-11-05 16:22 UTC, Nick Clifton
- More badness for `readelf -a` (195.42 KB, application/x-gzip), 2014-11-05 22:26 UTC, Alexander Cherepanov
- More badness for `readelf -a` (130.13 KB, application/x-gzip), 2014-11-06 15:49 UTC, Alexander Cherepanov
- One more crash (5.24 KB, application/x-gzip), 2014-11-09 21:16 UTC, Alexander Cherepanov
- Assertions failed (1.53 MB, application/x-gzip), 2014-11-09 21:18 UTC, Alexander Cherepanov
- One more assertion failed (316.60 KB, application/x-gzip), 2014-11-11 14:50 UTC, Alexander Cherepanov
- crasher for `readelf -agteADruhlsSdIncwVW` (2.51 KB, application/x-gzip), 2014-11-11 16:25 UTC, Alexander Cherepanov
- Crasher for `readelf -agteAruhlsSdIncwVW --dyn-syms -D` (282.16 KB, application/x-gzip), 2014-11-11 16:53 UTC, Alexander Cherepanov
- More badness for `readelf -agteAruhlsSdIncwVW --dyn-syms -D` (61.01 KB, application/x-gzip), 2014-11-12 22:51 UTC, Alexander Cherepanov
- Another crasher for `readelf -a` (240.45 KB, application/x-gzip), 2014-11-16 21:28 UTC, Alexander Cherepanov
- Binary that triggers assert in decode_tic6x_unwind_bytecode (820 bytes, application/gzip), 2014-11-17 18:50 UTC, Espen Grindhaug
- 2 more problematic test cases (674 bytes, application/gzip), 2014-11-20 07:09 UTC, Espen Grindhaug
- AFL crashers for `readelf -a` (8.42 KB, application/x-gzip), 2014-11-20 23:13 UTC, Alexander Cherepanov
- 3 more problematic programs (2.33 KB, application/gzip), 2014-11-22 18:08 UTC, Espen Grindhaug
- Sample with fishy malloc (3.39 KB, application/x-gzip), 2014-11-22 23:22 UTC, Alexander Cherepanov
- Possible fix for asan problems in comment #39 (548 bytes, patch), 2014-11-23 15:07 UTC, Espen Grindhaug
- Possible fix for problems in comment #39 (716 bytes, patch), 2014-11-23 16:02 UTC, Espen Grindhaug
- Possible fix for problem in comment #40 (491 bytes, patch), 2014-11-23 18:06 UTC, Espen Grindhaug
- Crashes for `readelf -agteAruhlsSdIncVWw --dyn-syms -D` (48.49 KB, application/x-gzip), 2014-11-28 12:08 UTC, Alexander Cherepanov
- Aborts for `readelf -agteAruhlsSdIncVWw --dyn-syms -D` (4.75 KB, application/x-gzip), 2014-12-03 13:01 UTC, Alexander Cherepanov
- More crashes for `readelf -agteAruhlsSdIncVWw --dyn-syms -D` (85.62 KB, application/x-gzip), 2014-12-04 08:54 UTC, Alexander Cherepanov
- More aborts for `readelf -agteAruhlsSdIncVWw --dyn-syms -D` (10.36 KB, application/x-gzip), 2014-12-04 08:56 UTC, Alexander Cherepanov
- AFL crashers for `readelf -agteAruhlsSdIncVWw --dyn-syms -D` (14.86 KB, application/x-gzip), 2014-12-18 22:46 UTC, Alexander Cherepanov
- More problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D` (7.65 MB, application/x-xz), 2015-01-01 21:38 UTC, Alexander Cherepanov
- Big (28MB) problem with `readelf -agteAruhlsSdIncVWw --dyn-syms -D` (5.52 MB, application/x-xz), 2015-01-01 21:43 UTC, Alexander Cherepanov
- Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D` (6.26 MB, application/x-xz), 2015-01-11 21:32 UTC, Alexander Cherepanov
- Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D` (4.40 MB, application/x-xz), 2015-01-11 21:35 UTC, Alexander Cherepanov
- Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D` (32-bit) (9.37 MB, application/x-xz), 2015-02-02 22:55 UTC, Alexander Cherepanov
- Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D` (32-bit) (7.31 MB, application/x-xz), 2015-02-04 16:53 UTC, Alexander Cherepanov
- Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D` (32-bit) (5.52 MB, application/x-xz), 2015-02-08 16:29 UTC, Alexander Cherepanov
- Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D` (32-bit) -- ubsan (2.94 MB, application/x-xz), 2015-02-08 16:48 UTC, Alexander Cherepanov
- Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D` (32-bit) (9.25 MB, application/x-xz), 2015-02-10 19:56 UTC, Alexander Cherepanov
- Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D` (32-bit) (7.36 MB, application/x-xz), 2015-02-12 01:03 UTC, Alexander Cherepanov
- Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D` (32-bit) (4.77 MB, application/x-xz), 2015-02-13 23:53 UTC, Alexander Cherepanov

Description Alexander Cherepanov 2014-11-01 19:41:08 UTC
Created attachment 7882 [details]
`readelf -a` crashes

`readelf -a` (both 2.24 and head) fails on some fuzzed samples:
- crashes  -- readelf-crash attached;
- triggers assertions -- readelf-assert;
- loops forever -- readelf-loop.
Comment 1 Alexander Cherepanov 2014-11-01 19:42:16 UTC
Created attachment 7883 [details]
`readelf -a` assertion failed
Comment 2 Alexander Cherepanov 2014-11-01 19:42:41 UTC
Created attachment 7884 [details]
`readelf -a` loops forever
Comment 3 Nick Clifton 2014-11-04 11:59:32 UTC
Created attachment 7889 [details]
Fixes for readelf problems
Comment 4 Sourceware Commits 2014-11-04 11:59:37 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "gdb and binutils".

The branch, master has been updated
       via  049b0c3a2467c785f9068915d81fdba4985470bf (commit)
      from  e0f52461c2467b6610391681fa27cd9b3c5def57 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=049b0c3a2467c785f9068915d81fdba4985470bf

commit 049b0c3a2467c785f9068915d81fdba4985470bf
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Nov 4 11:58:16 2014 +0000

    Fixes for crashes running readelf.
    
    	PR binutils/17531
    	* readelf.c (get_data): If the reason parameter is null, do not
    	print any error messages.
    	(get_32bit_section_headers): Verify section header entry size
    	before reading in the section headers.
    	(get_64bit_section_headers): Likewise.
    	(process_section_headers): Pass FALSE to get_section_headers.
    	(get_file_header): Pass TRUE to get_section_headers.
    	(process_dynamic_section): Change an assert to an error message.
    	(process_symbol_table): Handle corrupt histograms.

-----------------------------------------------------------------------

Summary of changes:
 binutils/ChangeLog |   13 ++++++
 binutils/readelf.c |  116 +++++++++++++++++++++++++++++++++++++---------------
 2 files changed, 96 insertions(+), 33 deletions(-)
Comment 5 Nick Clifton 2014-11-04 12:00:37 UTC
Hi Alexander,

  I have uploaded the master branch with the uploaded patch.  Please give it a try.

  Cheers
    Nick
Comment 6 Alexander Cherepanov 2014-11-04 13:09:21 UTC
Created attachment 7890 [details]
Crashers for `readelf -a`

Files: 8
Errors:
      2 Conditional jump or move depends on uninitialised value(s)
     49 Invalid read of size ...
      4 Process terminating with default action of signal 11 (SIGSEGV)
      3 Use of uninitialised value of size ...
Comment 7 Nick Clifton 2014-11-04 15:30:35 UTC
Created attachment 7892 [details]
More readelf fixes
Comment 8 Sourceware Commits 2014-11-04 15:30:37 UTC
The branch, master has been updated
       via  e0a31db1b16fe0a010aa46185e4a31a08e7fd97f (commit)
      from  bb0d867169d7e9743d229804106a8fbcab7f3b3f (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e0a31db1b16fe0a010aa46185e4a31a08e7fd97f

commit e0a31db1b16fe0a010aa46185e4a31a08e7fd97f
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Nov 4 15:29:03 2014 +0000

    More fixes for memory corruption when readelf processes corrupt files.
    
    	PR binutils/17531
    	(get_32bit_program_headers): Verify program header entry size
    	before reading in the program headers.
    	(get_64bit_program_headers): Likewise.
    	(get_unwind_section_word): Do nothing if no section was provided.
    	Fail if the offset is outside of the section.
    	(print_dynamic_symbol): Catch out of range symbol indices.
    	(process_mips_specific): Likewise.
    	(process_attributes): Make sure that there is enough space left in
    	the section before attempting to read the length of the next
    	attribute.

-----------------------------------------------------------------------

Summary of changes:
 binutils/ChangeLog |   11 +++
 binutils/readelf.c |  173 ++++++++++++++++++++++++++++++++++++++--------------
 2 files changed, 138 insertions(+), 46 deletions(-)
Comment 9 Nick Clifton 2014-11-04 15:31:19 UTC
Hi Alexander,

  Please update your master branch and try again...

Cheers
  Nick
Comment 10 Alexander Cherepanov 2014-11-04 18:33:09 UTC
Created attachment 7895 [details]
More crashers

Files: 10
Errors:
      2 Conditional jump or move depends on uninitialised value(s)
     45 Invalid read of size ...
      5 Process terminating with default action of signal 11 (SIGSEGV)
      3 Use of uninitialised value of size ...

And 011-12666-0.004 gives "readelf.c:7770: arm_process_unwind: Assertion `aux.strtab == ((void *)0)' failed."
Comment 11 Nick Clifton 2014-11-05 16:22:09 UTC
Created attachment 7901 [details]
Third readelf patch

Hi Alexander,

  Please update your master branch and try again...

Cheers
  Nick
Comment 12 Alexander Cherepanov 2014-11-05 22:26:34 UTC
Created attachment 7906 [details]
More badness for `readelf -a`

Files: 16
Errors:
     13 Argument 'size' of function malloc has a fishy (possibly negative) value: ...
      3 Conditional jump or move depends on uninitialised value(s)
      1 Invalid read of size ...
      1 Process terminating with default action of signal 11 (SIGSEGV)
      2 Use of uninitialised value of size ...

Not all samples crash with SIGSEGV; most have problems with memory allocation. Anyway, all their badness is described in list.txt inside the archive.
Comment 13 Alexander Cherepanov 2014-11-06 15:49:28 UTC
Created attachment 7911 [details]
More badness for `readelf -a`

Files: 11
Errors:
     40 Invalid read of size ...
      2 Process terminating with default action of signal 11 (SIGSEGV)
Comment 14 Sourceware Commits 2014-11-07 13:41:20 UTC
The branch, master has been updated
       via  071436c6e94be13904438b6eb70ee79c73354a61 (commit)
      from  56aedec7ab6a1da818ed900827e3a2eb1f5cc5d2 (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=071436c6e94be13904438b6eb70ee79c73354a61

commit 071436c6e94be13904438b6eb70ee79c73354a61
Author: Nick Clifton <nickc@redhat.com>
Date:   Fri Nov 7 13:39:45 2014 +0000

    Add more fixes for invalid memory accesses triggered by corrupt files.
    
    	PR binutils/17531
    	* readelf.c (get_data): Avoid allocating memory when we know that
    	the read will fail.
    	(find_section_by_type): New function.
    	(get_unwind_section_word): Check for invalid symbol indices.
    	Check for invalid reloc types.
    	(get_32bit_dynamic_section): Add range checks.
    	(get_64bit_dynamic_section): Add range checks.
    	(process_dynamic_section): Check for a corrupt time value.
    	(process_symbol_table): Add range checks.
    	(dump_section_as_strings): Add string length range checks.
    	(display_tag_value): Likewise.
    	(display_arm_attribute): Likewise.
    	(display_gnu_attribute): Likewise.
    	(display_tic6x_attribute): Likewise.
    	(display_msp430x_attribute): Likewise.
    	(process_mips_specific): Add range check.

-----------------------------------------------------------------------

Summary of changes:
 binutils/ChangeLog |   20 ++++
 binutils/readelf.c |  297 ++++++++++++++++++++++++++++++++++++----------------
 2 files changed, 226 insertions(+), 91 deletions(-)
Comment 15 Nick Clifton 2014-11-07 13:42:28 UTC
Hi Alexander,

  I have updated the master branch with fixes for the new tests that you provided.  Please give the new sources a spin.

Cheers
  Nick
Comment 16 Alexander Cherepanov 2014-11-09 21:16:16 UTC
Created attachment 7915 [details]
One more crash

Cool! Only one crash so far.

But there are some asserts (attached next).

And a lot of hangs and memory exhaustions, but they are harder to deduplicate and probably not so dangerous from a security POV.
Comment 17 Alexander Cherepanov 2014-11-09 21:18:34 UTC
Created attachment 7916 [details]
Assertions failed

Files: 11
Errors:
      1 readelf.c:10471: process_syminfo: Assertion `i < num_dynamic_syms' failed.
      1 readelf.c:12897: process_attributes: Assertion `p <= end' failed.
      6 readelf.c:435: print_symbol: Assertion `width != 0' failed.
      1 readelf.c:6470: ia64_process_unwind: Assertion `aux.strtab == ((void *)0)' failed.
      1 readelf.c:6881: hppa_process_unwind: Assertion `aux.strtab == ((void *)0)' failed.
      1 readelf.c:7362: decode_arm_unwind_bytecode: Assertion `i < sizeof (buf)' failed.
Comment 18 Alexander Cherepanov 2014-11-09 21:22:11 UTC
(In reply to Alexander Cherepanov from comment #16)
> Created attachment 7915 [details]
> One more crash

Files: 1
Errors:
      1 Invalid read of size ...
      1 Process terminating with default action of signal 11 (SIGSEGV)
Comment 19 Nick Clifton 2014-11-10 16:33:58 UTC
Hi Alexander.

  Please try again ...

Cheers
  Nick
Comment 20 Sourceware Commits 2014-11-10 16:34:10 UTC
The branch, master has been updated
       via  4082ef846466438ea2cd5b3606f304f6fded152b (commit)
      from  5e186ece2feebb46e63ff6bb2d2490aad0d5a724 (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=4082ef846466438ea2cd5b3606f304f6fded152b

commit 4082ef846466438ea2cd5b3606f304f6fded152b
Author: Nick Clifton <nickc@redhat.com>
Date:   Mon Nov 10 16:32:32 2014 +0000

    More fixes for assertion failures and out-of-bounds reads by readelf.
    
    	PR binutils/17531
    	* (ia64_process_unwind): Replace assertion with an error message.
    	Add range checking for group section indices.
    	(hppa_process_unwind): Replace assertion with an error message.
    	(process_syminfo): Likewise.
    	(decode_arm_unwind_bytecode): Add range checking.
    	(dump_section_as_strings): Add more string range checking.
    	(display_tag_value): Likewise.
    	(display_arm_attribute): Likewise.
    	(display_gnu_attribute): Likewise.
    	(display_tic6x_attribute): Likewise.
    	(display_msp430x_attribute): Likewise.

-----------------------------------------------------------------------

Summary of changes:
 binutils/ChangeLog |   15 +++++
 binutils/readelf.c |  179 +++++++++++++++++++++++++++++++++++++---------------
 2 files changed, 143 insertions(+), 51 deletions(-)
Comment 21 Alexander Cherepanov 2014-11-11 14:50:24 UTC
Created attachment 7920 [details]
One more assertion failed

Files: 1
Errors:
      1 readelf.c:12975: process_attributes: Assertion `p <= end' failed.
Comment 22 Sourceware Commits 2014-11-11 16:17:09 UTC
The branch, master has been updated
       via  541a3cbda9de8ae8888906cfe14887c394a3f772 (commit)
      from  201159ecec7e17600df4153e5d4e7a145f0c7cfe (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=541a3cbda9de8ae8888906cfe14887c394a3f772

commit 541a3cbda9de8ae8888906cfe14887c394a3f772
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Nov 11 16:15:47 2014 +0000

    Prevent a buffer overrun whilst displaying corrupt ARM tags.
    
    	PR binutils/17531
    	* readelf.c (display_arm_attribute): Avoid reading off the end of
    	the buffer when processing a Tag_nodefaults.

-----------------------------------------------------------------------

Summary of changes:
 binutils/ChangeLog |    6 ++++++
 binutils/readelf.c |    4 +++-
 2 files changed, 9 insertions(+), 1 deletions(-)
Comment 23 Nick Clifton 2014-11-11 16:18:03 UTC
Hi Alexander,

  OK, that one is fixed.

Cheers
  Nick
Comment 24 Alexander Cherepanov 2014-11-11 16:25:46 UTC
Created attachment 7921 [details]
crasher for `readelf -agteADruhlsSdIncwVW`

Files: 1
Errors:
      2 Invalid read of size ...
      1 Process terminating with default action of signal 11 (SIGSEGV)
Comment 25 Alexander Cherepanov 2014-11-11 16:53:10 UTC
Created attachment 7922 [details]
Crasher for `readelf -agteAruhlsSdIncwVW --dyn-syms -D`

Files: 1
Errors:
      1 Invalid read of size ...
      1 Process terminating with default action of signal 11 (SIGSEGV)

This one is very noisy in fuzzing `readelf -agteAruhlsSdIncwVW --dyn-syms -D`.
Comment 26 Sourceware Commits 2014-11-11 20:51:40 UTC
The branch, master has been updated
       via  8b73c35699b4b1da558be29ac3c90aee0e0e1e49 (commit)
      from  51b26797b4a05304e4d00e2fd77810e38147bb7f (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=8b73c35699b4b1da558be29ac3c90aee0e0e1e49

commit 8b73c35699b4b1da558be29ac3c90aee0e0e1e49
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Nov 11 20:50:03 2014 +0000

    Fix invalid memory accesses for more corrupt binary files.
    
    	PR binutils/17531
    	* binutils/readelf.c (dynamic_nent): Change type to size_t.
    	(slurp_rela_relocs): Use size_t type for nrelas.
    	(slurp_rel_relocs): Likewise.
    	(get_program_headers): Improve out of memory error message.
    	(get_32bit_section_headers): Likewise.
    	(get_32bit_section_headers): Likewise.
    	(get_64bit_section_headers): Likewise.
    	(get_32bit_elf_symbols): Likewise.
    	(get_64bit_elf_symbols): Likewise.
    	(process_section_groups): Likewise.
    	(get_32bit_dynamic_section): Likewise.
    	(get_64bit_dynamic_section): Likewise.
    	(process_dynamic_section): Likewise.
    	(process_version_sections): Likewise.
    	(get_symbol_index_type): Likewise.
    	(process_mips_specific): Likewise.
    	(process_corefile_note_segment): Likewise.
    	(process_version_sections): Use size_t type for total.
    	(get_dynamic_data): Change type of number parameter to size_t.
    	Improve out of memory error messages.
    	(process_symbol_table): Change type of nbuckets and nchains to
    	size_t.  Skip processing of sections headers if there are none.
    	Improve out of memory error messages.

-----------------------------------------------------------------------

Summary of changes:
 binutils/ChangeLog |   27 ++++++++++++++++
 binutils/readelf.c |   87 +++++++++++++++++++++++++++++----------------------
 2 files changed, 76 insertions(+), 38 deletions(-)
Comment 27 Nick Clifton 2014-11-11 21:02:42 UTC
Also fixed...
Comment 28 Alexander Cherepanov 2014-11-12 22:51:20 UTC
Created attachment 7927 [details]
More badness for `readelf -agteAruhlsSdIncwVW --dyn-syms -D`

No crashes so far but some badness...

Files: 2
Errors:
      7 Conditional jump or move depends on uninitialised value(s)
      3 Invalid read of size ...
      1 Syscall param lseek(offset) contains uninitialised byte(s)
      1 Use of uninitialised value of size ...
Comment 29 Sourceware Commits 2014-11-13 10:47:00 UTC
The branch, master has been updated
       via  3102e897eeda28961a32826095befef5c4a74097 (commit)
      from  a59add0c2ed21c03efc8b39e333564d7713a7ccc (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=3102e897eeda28961a32826095befef5c4a74097

commit 3102e897eeda28961a32826095befef5c4a74097
Author: Nick Clifton <nickc@redhat.com>
Date:   Thu Nov 13 10:45:50 2014 +0000

    More fixes for readelf problems reading corrupt files.
    
    	PR binutils/17531
    	* readelf.c (process_version_sections): If the read of the version
    	def information fails, make sure that the external verdef data is
    	not used.
    	(get_dynamic_data): Do not attempt to allocate memory for more
    	dynamic data than there is in the file.  If the read fails, free
    	the allocated buffer.
    	(process_symbol_table): Do not print dynamic information if we
    	were unable to read the dynamic symbol table.
    	(print_gnu_note): Do not print the note if the descsz is too
    	small.

-----------------------------------------------------------------------

Summary of changes:
 binutils/ChangeLog |   14 ++++++++++++++
 binutils/readelf.c |   30 ++++++++++++++++++++++++++----
 2 files changed, 40 insertions(+), 4 deletions(-)
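Added example, not binutils' readelf code: the two rules these commits describe for reading tables out of an ELF file, "verify the section header entry size before reading in the section headers" (commit 049b0c3a) and "do not attempt to allocate memory for more data than there is in the file" (get_dynamic_data, the commit above), written as a stand-alone ELF64 section-header-table validator run against constructed corrupt headers. It assumes a Linux <elf.h>, a little-endian host (no byte swapping), and the whole file already in memory; validate_shdr_table, run_scenario, last_count and the scenario table are this example's own names.

```c
/* Stand-alone validator for an ELF64 section-header table, modelled on the
   readelf range checks described in this bug.  Added example, not binutils
   code; assumes a Linux <elf.h> and a little-endian host (no byte swapping).  */
#include <elf.h>
#include <stdint.h>
#include <string.h>

typedef enum {
  SHDR_OK = 0,        /* table lies inside the file, or there is no table */
  SHDR_TRUNCATED,     /* file is shorter than an ELF64 header */
  SHDR_BAD_MAGIC,     /* not an ELF64 image */
  SHDR_BAD_ENTSIZE,   /* e_shentsize is not sizeof (Elf64_Shdr) */
  SHDR_BAD_COUNT,     /* e_shnum entries would not fit in the file at all */
  SHDR_OUT_OF_RANGE   /* e_shoff + table size runs past the end of the file */
} shdr_status;

/* Check the section-header table described by the ELF header at BUF
   (FILE_SIZE bytes).  On SHDR_OK, *OFFSET and *COUNT locate the table.  */
shdr_status validate_shdr_table (const unsigned char *buf, size_t file_size,
                                 size_t *offset, size_t *count)
{
  Elf64_Ehdr ehdr;
  size_t table_bytes;

  *offset = *count = 0;
  if (file_size < sizeof ehdr)
    return SHDR_TRUNCATED;
  memcpy (&ehdr, buf, sizeof ehdr);   /* copy out: BUF need not be aligned */
  if (memcmp (ehdr.e_ident, ELFMAG, SELFMAG) != 0
      || ehdr.e_ident[EI_CLASS] != ELFCLASS64)
    return SHDR_BAD_MAGIC;

  /* Check 1 (get_64bit_section_headers, first commit above): the entry size
     must match the struct used to index the table, or every entry after
     the first is read from the wrong place.  */
  if (ehdr.e_shentsize != sizeof (Elf64_Shdr))
    return SHDR_BAD_ENTSIZE;
  if (ehdr.e_shnum == 0)
    return SHDR_OK;

  /* Check 2 (get_dynamic_data, commit above): never allocate or read more
     table than the file can hold.  Divide instead of multiplying so a huge
     count cannot overflow the size computation.  */
  if ((size_t) ehdr.e_shnum > file_size / sizeof (Elf64_Shdr))
    return SHDR_BAD_COUNT;
  table_bytes = (size_t) ehdr.e_shnum * sizeof (Elf64_Shdr);

  /* Check 3: offset plus size must stay inside the file.  Compare with a
     subtraction: the naive "e_shoff + table_bytes <= file_size" wraps for
     a huge e_shoff and accepts a table that starts beyond the end.  */
  if (ehdr.e_shoff > file_size || table_bytes > file_size - ehdr.e_shoff)
    return SHDR_OUT_OF_RANGE;

  *offset = (size_t) ehdr.e_shoff;
  *count = ehdr.e_shnum;
  return SHDR_OK;
}

/* Constructed (not real) corrupt-header scenarios.  Each is a 192-byte
   image (ELF header plus two zero-filled section headers) in which the
   header fields take the values below.  */
static const struct { uint16_t shnum; uint64_t shoff; uint16_t entsize; }
scenarios[] = {
  { 2,      64,              64 },  /* 0: well formed */
  { 2,      64,              40 },  /* 1: entry size does not match */
  { 0xffff, 64,              64 },  /* 2: 4 MB table in a 192-byte file */
  { 2,      UINT64_MAX - 63, 64 },  /* 3: e_shoff + 128 wraps to 64 */
  { 3,      64,              64 },  /* 4: fits the file, but not from e_shoff */
  { 0,      64,              64 },  /* 5: no section headers at all */
};
size_t last_count;   /* e_shnum accepted by the most recent run_scenario call */

/* Build scenario WHICH in memory and return the validator's verdict.  */
shdr_status run_scenario (int which)
{
  unsigned char image[sizeof (Elf64_Ehdr) + 2 * sizeof (Elf64_Shdr)];
  Elf64_Ehdr ehdr;
  size_t off;

  if (which < 0 || which >= (int) (sizeof scenarios / sizeof scenarios[0]))
    return SHDR_BAD_MAGIC;
  memset (image, 0, sizeof image);
  memset (&ehdr, 0, sizeof ehdr);
  memcpy (ehdr.e_ident, ELFMAG, SELFMAG);
  ehdr.e_ident[EI_CLASS] = ELFCLASS64;
  ehdr.e_ident[EI_DATA] = ELFDATA2LSB;
  ehdr.e_ident[EI_VERSION] = EV_CURRENT;
  ehdr.e_type = ET_REL;
  ehdr.e_machine = EM_X86_64;
  ehdr.e_ehsize = sizeof ehdr;
  ehdr.e_shentsize = scenarios[which].entsize;
  ehdr.e_shnum = scenarios[which].shnum;
  ehdr.e_shoff = scenarios[which].shoff;
  memcpy (image, &ehdr, sizeof ehdr);
  return validate_shdr_table (image, sizeof image, &off, &last_count);
}
```

Scenario 3 is the one worth staring at: with the sum-based check it would be accepted, because UINT64_MAX - 63 + 128 wraps to 64, which is comfortably less than the 192-byte file size.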
Comment 30 Nick Clifton 2014-11-13 10:48:25 UTC
Thanks Alexander,

  Those problems should be fixed too.

Cheers
  Nick
Comment 31 Alexander Cherepanov 2014-11-16 21:28:25 UTC
Created attachment 7942 [details]
Another crasher for `readelf -a`

Files: 1
Errors:
      2 Invalid read of size ...
      1 Process terminating with default action of signal 11 (SIGSEGV)

This one was found with American Fuzzy Lop.
Comment 32 Sourceware Commits 2014-11-17 17:06:14 UTC
The branch, binutils-2_25-branch has been updated
       via  8f66a6af276d17c0e386cd2409873f2e3e0b8a37 (commit)
       via  32a9d621c3c480aa093a089a36e36c35f68a4010 (commit)
      from  ff67f476b9907b9fddfbafff52caa4cce6a6f58c (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=8f66a6af276d17c0e386cd2409873f2e3e0b8a37

commit 8f66a6af276d17c0e386cd2409873f2e3e0b8a37
Merge: 32a9d62 ff67f47
Author: Nick Clifton <nickc@redhat.com>
Date:   Mon Nov 17 17:04:16 2014 +0000

    Merge branch 'binutils-2_25-branch' of ssh://sourceware.org/git/binutils-gdb into binutils-2_25-branch
    
    Conflicts:
    	gas/ChangeLog

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=32a9d621c3c480aa093a089a36e36c35f68a4010

commit 32a9d621c3c480aa093a089a36e36c35f68a4010
Author: Nick Clifton <nickc@redhat.com>
Date:   Mon Nov 17 16:59:09 2014 +0000

    Applies a series of patches for PR 17512 and 17533 which fix invalid memory accesses.
    
    	2014-11-13  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* config/obj-coff.c (coff_obj_symbol_new_hook): Set the is_sym
    	field.
    
    	2014-11-14  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* dwarf.c (get_encoded_value): Add an 'end' parameter.  Change the
    	'data' parameter to a double pointer and return the updated value.
    	(decode_location_expression): Update call to get_encoded_value.
    	(frame_need_space): Handle the case where one or both of the
    	mallocs fails.
    	(read_cie): Initialise the cie pointer, even if the read fails.
    	(display_debug_frames): Warn if the calculated block_end is before
    	the start of the block.  Break the loop if the CIE could not be
    	read.  Update call to get_encoded_value.  Warn if the read CFA
    	expressions are too big.
    
    	2014-11-13  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17531
    	* readelf.c (process_version_sections): If the read of the version
    	def information fails, make sure that the external verdef data is
    	not used.
    	(get_dynamic_data): Do not attempt to allocate memory for more
    	dynamic data than there is in the file.  If the read fails, free
    	the allocated buffer.
    	(process_symbol_table): Do not print dynamic information if we
    	were unable to read the dynamic symbol table.
    	(print_gnu_note): Do not print the note if the descsz is too
    	small.
    
    	2014-11-12  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* dwarf.c (read_and_display_attr_value): Check that we do not read
    	past end.
    	(display_debug_pubnames_worker): Add range checks.
    	(process_debug_info): Check for invalid pointer sizes.
    	(display_loc_list): Likewise.
    	(display_loc_list_dwo): Likewise.
    	(display_debug_ranges): Likewise.
    	(display_debug_aranges): Check for invalid address size.
    	(read_cie): Add range checks.  Replace call strchr with while loop.
    	* objdump.c (dump_dwarf): Replace abort with a warning message.
    	(print_section_stabs): Improve range checks.
    	* rdcoff.c (coff_get_slot): Use long for indx parameter type.
    	Add check for an excessively large index.
    	* rddbg.c (read_section_stabs_debugging_info): Zero terminate the
    	string table.  Avoid walking off the end of the stabs data.
    	* stabs.c (parse_stab_string): Add check for a NULL name.
    
    	2014-11-11  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17531
    	* binutils/readelf.c (dynamic_nent): Change type to size_t.
    	(slurp_rela_relocs): Use size_t type for nrelas.
    	(slurp_rel_relocs): Likewise.
    	(get_program_headers): Improve out of memory error message.
    	(get_32bit_section_headers): Likewise.
    	(get_32bit_section_headers): Likewise.
    	(get_64bit_section_headers): Likewise.
    	(get_32bit_elf_symbols): Likewise.
    	(get_64bit_elf_symbols): Likewise.
    	(process_section_groups): Likewise.
    	(get_32bit_dynamic_section): Likewise.
    	(get_64bit_dynamic_section): Likewise.
    	(process_dynamic_section): Likewise.
    	(process_version_sections): Likewise.
    	(get_symbol_index_type): Likewise.
    	(process_mips_specific): Likewise.
    	(process_corefile_note_segment): Likewise.
    	(process_version_sections): Use size_t type for total.
    	(get_dynamic_data): Change type of number parameter to size_t.
    	Improve out of memory error messages.
    	(process_symbol_table): Change type of nbuckets and nchains to
    	size_t.  Skip processing of sections headers if there are none.
    	Improve out of memory error messages.
    
    	2014-11-11  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17531
    	* readelf.c (display_arm_attribute): Avoid reading off the end of
    	the buffer when processing a Tag_nodefaults.
    
    	2014-11-10  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17531
    	* readelf.c (ia64_process_unwind): Replace assertion with an error
    	message.  Add range checking for group section indices.
    	(hppa_process_unwind): Replace assertion with an error message.
    	(process_syminfo): Likewise.
    	(decode_arm_unwind_bytecode): Add range checking.
    	(dump_section_as_strings): Add more string range checking.
    	(display_tag_value): Likewise.
    	(display_arm_attribute): Likewise.
    	(display_gnu_attribute): Likewise.
    	(display_tic6x_attribute): Likewise.
    	(display_msp430x_attribute): Likewise.
    
    	2014-11-10  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17552
    	* objcopy.c (copy_archive): Clean up temporary files even if an
    	error occurs.
    
    	2014-11-07  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17531
    	* readelf.c (get_data): Avoid allocating memory when we know that
    	the read will fail.
    	(find_section_by_type): New function.
    	(get_unwind_section_word): Check for invalid symbol indices.
    	Check for invalid reloc types.
    	(get_32bit_dynamic_section): Add range checks.
    	(get_64bit_dynamic_section): Add range checks.
    	(process_dynamic_section): Check for a corrupt time value.
    	(process_symbol_table): Add range checks.
    	(dump_section_as_strings): Add string length range checks.
    	(display_tag_value): Likewise.
    	(display_arm_attribute): Likewise.
    	(display_gnu_attribute): Likewise.
    	(display_tic6x_attribute): Likewise.
    	(display_msp430x_attribute): Likewise.
    	(process_mips_specific): Add range check.
    
    	2014-11-06  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17552, binutils/17533
    	* bucomm.c (is_valid_archive_path): New function.  Returns false
    	for absolute pathnames and pathnames that include /../.
    	* bucomm.h (is_valid_archive_path): Add prototype.
    	* ar.c (extract_file): Use new function to check for valid
    	pathnames when extracting files from an archive.
    	* objcopy.c (copy_archive): Likewise.
    	* doc/binutils.texi: Update documentation to mention the
    	limitation on pathname of archive members.
    
    	2014-11-05  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17531
    	* readelf.c (printable_section_name): New function.
    	(printable_section_name_from_index): New function.
    	(dump_relocations): Use new function.
    	(process_program_headers, get_32bit_elf_symbols,
    	get_64bit_elf_symbols, process_section_headers,
    	process_section_groups, process_relocs, ia64_process_unwind,
    	hppa_process_unwind, get_unwind_section_word, decode_arm_unwind,
    	arm_process_unwind, process_version_sections,
    	process_symbol_table, apply_relocations, get_section_contents,
    	dump_section_as_strings, dump_section_as_bytes,
    	display_debug_section, process_attributes, process_mips_specific,
    	process_gnu_liblist): Likewise.
    	(get_unwind_section_word): Check for a missing symbol table.
    	Replace aborts with error messages.
    	(arm_process_unwind): Check for a missing string table.
    	(process_attributes): Check for an attribute length that is too
    	small.
    	(process_mips_specific): Check for a corrupt GOT symbol offset.
    
    	2014-11-05  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17533
    	* bucomm.c (is_valid_archive_path): New function.
    	* bucomm.h (is_valid_archive_path): Prototype it.
    	* ar.c (extract_file): Call is_valid_archive_path to verify a
    	member filename before extracting it.
    	* objcopy.c (copy_archive): Likewise.
    
    	2014-11-04  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17531
    	* readelf.c (get_data): If the reason parameter is null, do not
    	print any error messages.
    	(get_32bit_section_headers): Verify section header entry size
    	before reading in the section headers.
    	(get_64bit_section_headers): Likewise.
    	(process_section_headers): Pass FALSE to get_section_headers.
    	(get_file_header): Pass TRUE to get_section_headers.
    	(process_dynamic_section): Change an assert to an error message.
    	(process_symbol_table): Handle corrupt histograms.
    	(get_32bit_program_headers): Verify program header entry size
    	before reading in the program headers.
    	(get_64bit_program_headers): Likewise.
    	(get_unwind_section_word): Do nothing if no section was provided.
    	Fail if the offset is outside of the section.
    	(print_dynamic_symbol): Catch out of range symbol indices.
    	(process_mips_specific): Likewise.
    	(process_attributes): Make sure that there is enough space left in
    	the section before attempting to read the length of the next
    	attribute.
    
    	2014-11-03  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* objdump.c (slurp_symtab): Fail gracefully if the table could not
    	be read.
    	(dump_relocs_in_section): Likewise.
    
    	2014-11-14  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17597
    	* opncls.c (bfd_get_debug_link_info): Avoid reading off the end of
    	the section.
    	(bfd_get_alt_debug_link_info): Likewise.
    
    	2014-11-14  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* ieee.c (ieee_archive_p) Skip processing if no bytes are read at
    	all.
    	(ieee_object_p): Likewise.
    
    	2014-11-13  H.J. Lu  <hongjiu.lu@intel.com>
    
    	* coffcode.h (coff_slurp_line_table): Add cast to unsigned int.
    
    	2014-11-13  H.J. Lu  <hongjiu.lu@intel.com>
    
    	* coffcode.h (coff_pointerize_aux_hook): Fix a typo.
    
    	2014-11-13  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* coffcode.h (coff_ptr_struct): Add is_sym field.
    	(coff_new_section_hook): Set the is_sym field.
    	(coff_pointerize_aux_hook): Check the is_sym field.
    	(coff_print_aux): Likewise.
    	(coff_compute_section_file_positions): Likewise.
    	(coff_write_object_contents): Likewise.
    	(coff_slurp_line_table): Likewise.
    	(coff_slurp_symbol_table): Likewise.
    	(CALC_ADDEND): Likewise.
    	* coffgen.c (coff_renumber_symbols): Likewise.
    	(coff_mangle_symbols): Likewise.
    	(coff_fix_symbol_name): Likewise.
    	(coff_write_symbol): Likewise.
    	(coff_write_alien_symbol): Likewise.
    	(coff_write_native_symbol): Likewise.
    	(coff_write_symbols): Likewise.
    	(coff_write_linenumbers): Likewise.
    	(coff_pointerize_aux): Likewise.
    	(coff_get_normalized_symtab): Likewise.
    	(coff_get_symbol_info): Likewise.
    	(bfd_coff_get_syment): Likewise.
    	(bfd_coff_get_auxent): Likewise.
    	(coff_print_symbol): Likewise.
    	(coff_find_nearest_line_with_names): Likewise.
    	(bfd_coff_set_symbol_class): Likewise.
    	(coff_make_empty_symbol): Set the is_sym field.
    	(coff_bfd_make_debug_symbol): Likewise.
    	* peicode.h (pe_ILF_make_a_symbol): Likewise.
    	* libcoff.h: Regenerate.
    	* libcoff-in.h: Regenerate.
    
    	2014-11-12  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* coffcode.h (coff_slurp_line_table): Set the line number of
    	corrupt entries to -1.
    	(coff_slurp_symbol_table): Always initialise the value of the
    	symbol.
    	* coffgen.c (coff_print_symbol): Check that the combined pointer
    	is valid.
    	(coff_print_symbol): Do not print negative line numbers.
    	* peXXigen.c (pe_print_idata): Add range checking displaying
    	member names.
    
    	2014-11-12  Alan Modra  <amodra@gmail.com>
    
    	PR binutils/17512
    	* coffcode.h (coff_slurp_line_table): Drop line number info
    	not preceded by a valid function entry.  Revert last change.
    
    	2014-11-11  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* coffcode.h (coff_slurp_line_table): Initialise the parts of the
    	line number cache that would not be initialised by the copy from
    	the new line number table.
    	(coff_classify_symbol): Allow for _bfd_coff_internal_syment_name
    	returning NULL.
    	* coffgen.c (coff_get_normalized_symbols): Get the external
    	symbols before allocating space for the internal symbols, in case
    	the get fails.
    	* elf.c (_bfd_elf_slurp_version_tables): Only allocate a verref
    	array if one is needed.  Likewise with the verdef array.
    	* peXXigen.c (_bfd_XXi_swap_sym_in): Replace abort()'s with error
    	messages.
    	(_bfd_XXi_swap_aux_in): Make sure that all fields of the aux
    	structure are initialised.
    	(pe_print_edata): Avoid reading off the end of the data buffer.
    
    	2014-11-11  Alan Modra  <amodra@gmail.com>
    
    	PR binutils/17512
    	* coffcode.h (coff_slurp_line_table): Use updated lineno_count
    	when building func_table.
    
    	2014-11-11  Alan Modra  <amodra@gmail.com>
    
    	PR binutils/17512
    	* coffcode.h (coff_slurp_line_table): Don't bfd_zalloc, just
    	memset the particular bits we need.  Update src after hitting loop
    	"continue".  Don't count lineno omitted due to invalid symbols in
    	nbr_func, and update lineno_count.  Init entire terminating
    	lineno.  Don't bother allocating terminator in n_lineno_cache.
    	Redirect sym->lineno pointer to where n_lineno_cache will be
    	copied, and free n_lineno_cache.
    	* pe-mips.c (NUM_HOWTOS): Typo fix.
    
    	2014-11-10  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17521
    	* coff-i386.c (NUM_HOWTOS): New define.
    	(RTYPE2HOWTO): Use it.
    	(coff_i386_rtype_to_howto): Likewise.
    	(coff_i386_reloc_name_lookup): Likewise.
    	(CALC_ADDEND): Check that reloc r_type field is valid.
    	* coff-x86_64.c (NUM_HOWTOS): New define.
    	(RTYPE2HOWTO): Use it.
    	(coff_amd64_rtype_to_howto): Likewise.
    	(coff_amd64_reloc_name_lookup): Likewise.
    	(CALC_ADDEND): Check that reloc r_type field is valid.
    	* coffcode.h (coff_slurp_line_table): Check for symbol table
    	indexing underflow.
    	(coff_slurp_symbol_table): Use zalloc to ensure that all table
    	entries are initialised.
    	* coffgen.c (_bfd_coff_read_string_table): Initialise unused bits
    	in the string table.  Also ensure that the table is 0 terminated.
    	(coff_get_normalized_symtab): Check for symbol table indexing
    	underflow.
    	* opncls.c (bfd_alloc): Catch the case where a small negative size
    	can result in only 1 byte being allocated.
    	(bfd_alloc2): Use bfd_alloc.
    	* pe-mips.c (NUM_HOWTOS): New define.
    	(coff_mips_reloc_name_lookup): Use it.
    	(CALC_ADDEND): Check that reloc r_type field is valid.
    	* peXXigen.c (_bfd_XXi_swap_aouthdr_in): Initialise unused entries
    	in the DataDirectory.
    	(pe_print_idata): Avoid reading beyond the end of the data block
    	when printing strings.
    	(pe_print_edata): Likewise.
    	Check for table indexing underflow.
    	* peicode.h (pe_mkobject): Initialise the pe_opthdr field.
    	(pe_bfd_object_p): Allocate and initialize enough space to hold a
    	PEAOUTHDR, even if the opt_hdr field specified less.
    
    	2014-11-08  Alan Modra  <amodra@gmail.com>
    
    	* peXXigen.c (pe_print_idata): Revert last patch, cast lhs instead.
    
    	2014-11-07  H.J. Lu  <hongjiu.lu@intel.com>
    
    	* peXXigen.c (pe_print_idata): Cast to unsigned long in range
    	checks.
    
    	2014-11-07  Alan Modra  <amodra@gmail.com>
    
    	* tekhex.c (tekhex_set_arch_mach): Ignore unknown arch errors.
    
    	2014-11-07  Alan Modra  <amodra@gmail.com>
    
    	* tekhex.c (CHUNK_SPAN): Define.
    	(struct data_struct <chunk_init>): Use one byte per span, update
    	all code accessing this field.
    	(find_chunk): Add create param, don't create new entry unless set.
    	(insert_byte): Don't save zeros.
    	(first_phase): Set section SEC_CODE or SEC_DATA flag depending
    	on symbol type.  Create an alternate section if both types of
    	symbol are given.  Attach type '2' and '6' symbols to absolute
    	section.
    	(move_section_contents): Fix caching of chunk.  Don't create chunk
    	when reading, or for writing zeros.
    	(tekhex_set_section_contents): Don't create initial chunks.
    	(tekhex_write_object_contents): Use CHUNK_SPAN.
    
    	2014-11-07  Alan Modra  <amodra@gmail.com>
    
    	* aoutx.h (aout_get_external_symbols): Tidy allocation of symbol buffer.
    
    	2014-11-07  Alan Modra  <amodra@gmail.com>
    
    	* archive.c (_bfd_slurp_extended_name_table): Revert bfd_get_size check.
    	* coffcode.h (coff_set_alignment_hook): Likewise.
    	(coff_slurp_line_table): Likewise.
    	* coffgen.c (coff_get_normalized_symtab): Likewise.
    	(_bfd_coff_get_external_symbols): Likewise.
    	* elf.c (bfd_elf_get_str_section): Likewise.
    	* tekhex.c (first_phase): Likewise.
    
    	2014-11-06  Nick Clifton  <nickc@redhat.com>
    
    	* aoutx.h (slurp_symbol_table): Revert previous delta.
    	(slurp_reloc_table): Likewise.
    	* compress.c (bfd_get_full_section_contents): Remove file size
    	test.
    	* coffgen.c (coff_get_normalized_symtab): Allow zero-sized symtabs
    	and do not complain about linker generated files.
    
    	2014-11-04  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* coffcode.h (handle_COMDAT): Replace abort with BFD_ASSERT.
    	Replace another abort with an error message.
    	(coff_slurp_line_table): Add more range checking.
    	* peXXigen.c (pe_print_debugdata): Add range checking.
    
    	2014-11-05  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* coffcode.h (coff_set_alignment_hook): Warn if the file lies
    	about the number of relocations it contains.
    	(coff_sort_func_alent): Return 0 if the pointers are NULL.
    	(coff_slurp_line_table): Add more range checks.  Do not free new
    	tables created when sorting line numbers.
    	* peXXigen.c (pe_print_idata): Add range checks.
    	(pe_print_edata): Likewise.
    	(rsrc_print_resource_entries): Likewise.  Avoid printing control
    	characters.  Terminate printing if corruption is detected.
    	(rsrc_print_resource_directory): Terminate printing if an unknown
    	directory type is encountered.
    	(pe_print_debugdata): Fix off-by-one error.
    	(rsrc_count_entries): Add range checking.
    	(rsrc_parse_entry): Likewise.
    
    	2014-11-04  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* compress.c (bfd_get_full_section_contents): Improve test for
    	linker created objects.
    
    	PR binutils/17533
    	* archive.c (_bfd_slurp_extended_name_table): Handle archives with
    	corrupt extended name tables.
    
    	2014-11-03  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* aoutx.h (slurp_symbol_table): Check that computed table size is
    	not bigger than the file from which it is being read.
    	(slurp_reloc_table): Likewise.
    	* coffcode.h (coff_slurp_line_table): Remove unneeded local
    	'warned'.  Do not try to print the details of a symbol with an
    	invalid index.
    	* coffgen.c (make_a_section_from_file): Check computed string
    	index against length of string table.
    	(bfd_coff_internal_syment_name): Check read in string offset
    	against length of string table.
    	(build_debug_section): Return a pointer to the section used.
    	(_bfd_coff_read_string_table): Store the length of the string
    	table in the coff_tdata structure.
    	(bfd_coff_free_symbols): Set the length of the string table to
    	zero when it is freed.
    	(coff_get_normalized_symtab): Check offsets against string table
    	or data table lengths as appropriate.
    	* cofflink.c (_bfd_coff_link_input_bfd): Check offset against
    	length of string table.
    	* compress.c (bfd_get_full_section_contents): Check computed size
    	against the size of the file.
    	* libcoff-in.h (obj_coff_strings_len): Define.
    	(struct coff_tdata): Add strings_len field.
    	* libcoff.h: Regenerate.
    	* peXXigen.c (pe_print_debugdata): Do not attempt to print the
    	data if the debug section is too small.
    	* xcofflink.c (xcoff_link_input_bfd):  Check offset against
    	length of string table.
    
    	2014-10-31  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* coffgen.c (_bfd_coff_get_external_symbols): Do not try to load a
    	symbol table bigger than the file.
    	* elf.c (bfd_elf_get_str_section): Do not try to load a string
    	table bigger than the file.
    	* tekhex.c (first_phase): Check that the section range is sane.

-----------------------------------------------------------------------

Summary of changes:
 bfd/ChangeLog              |  282 ++++++++++++
 bfd/aoutx.h                |   24 +-
 bfd/archive.c              |    5 +-
 bfd/coff-i386.c            |   17 +-
 bfd/coff-x86_64.c          |   11 +-
 bfd/coffcode.h             |  170 +++++---
 bfd/coffgen.c              |  168 ++++++--
 bfd/cofflink.c             |    5 +-
 bfd/elf.c                  |   24 +-
 bfd/ieee.c                 |    6 +-
 bfd/libcoff-in.h           |    3 +
 bfd/libcoff.h              |   16 +-
 bfd/opncls.c               |   41 +-
 bfd/pe-mips.c              |    9 +-
 bfd/peXXigen.c             |  220 +++++++---
 bfd/peicode.h              |   15 +-
 bfd/tekhex.c               |  112 +++--
 bfd/xcofflink.c            |    5 +-
 binutils/ChangeLog         |  199 +++++++++
 binutils/ar.c              |    9 +
 binutils/bucomm.c          |   26 ++
 binutils/bucomm.h          |   12 +-
 binutils/doc/binutils.texi |    3 +-
 binutils/dwarf.c           |  209 +++++++---
 binutils/objcopy.c         |   23 +-
 binutils/objdump.c         |   27 +-
 binutils/rdcoff.c          |    9 +-
 binutils/rddbg.c           |   40 ++-
 binutils/readelf.c         | 1039 ++++++++++++++++++++++++++++++++------------
 binutils/stabs.c           |   30 +-
 gas/ChangeLog              |   10 +
 gas/config/obj-coff.c      |    1 +
 32 files changed, 2109 insertions(+), 661 deletions(-)
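The ChangeLog above introduces is_valid_archive_path() so that `ar x` and objcopy refuse archive members whose names would land outside the extraction directory. The following is an added example of that kind of check, written for this page and not binutils' own code; it goes a little further than the "/../" rule the log describes by rejecting any ".." component and DOS drive-letter prefixes as well:

```c
#include <stdbool.h>
#include <string.h>

/* Added example, not binutils' is_valid_archive_path().  Returns false for
   member names that, if passed straight to open()/fopen() during
   extraction, could escape the current directory: absolute paths
   (POSIX or DOS drive form) and any path containing a ".." component. */
bool archive_member_path_ok(const char *name)
{
    if (name == NULL || *name == '\0')
        return false;
    /* Absolute POSIX path or a leading backslash. */
    if (name[0] == '/' || name[0] == '\\')
        return false;
    /* DOS/Windows drive letter, e.g. "C:\x" or "c:/x". */
    if (((name[0] >= 'A' && name[0] <= 'Z') || (name[0] >= 'a' && name[0] <= 'z'))
        && name[1] == ':')
        return false;
    /* Walk the path one component at a time; a component that is exactly
       ".." is rejected wherever it appears ("../x", "a/../x", "a/..").
       Names such as "..foo" are ordinary file names and pass. */
    const char *p = name;
    while (*p) {
        const char *end = p;
        while (*end && *end != '/' && *end != '\\')
            end++;
        if (end - p == 2 && p[0] == '.' && p[1] == '.')
            return false;
        p = *end ? end + 1 : end;
    }
    return true;
}
```

The decision is made on the name alone, before anything is created on disk, so an archive that was crafted or merely corrupted cannot direct extraction at a path it chose.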
Comment 33 Espen Grindhaug 2014-11-17 18:50:22 UTC
Created attachment 7945 [details]
Binary that triggers assert in decode_tic6x_unwind_bytecode

This binary is triggering an assert in decode_tic6x_unwind_bytecode

readelf: readelf.c:7586: decode_tic6x_unwind_bytecode: Assertion `i < sizeof (buf)' failed.

The issue was found using american fuzzy lop.
Comment 34 Sourceware Commits 2014-11-18 10:08:47 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "gdb and binutils".

The branch, master has been updated
       via  0eff716535f3e8f501d6b438f7f796b70a0b9f98 (commit)
      from  25a0334e39963239f03555efe7e933558cc897e0 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=0eff716535f3e8f501d6b438f7f796b70a0b9f98

commit 0eff716535f3e8f501d6b438f7f796b70a0b9f98
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Nov 18 10:07:11 2014 +0000

    Fix memory access problems exposed by fuzzed binaries.
    
    	PR binutils/17531
    	* readelf.c (get_unwind_section_word): Skip reloc processing if
    	there are no relocs associated with the section.
    	(decode_tic6x_unwind_bytecode): Warn and return if the stack
    	pointer adjustment falls off the end of the buffer.

-----------------------------------------------------------------------

Summary of changes:
 binutils/ChangeLog |    8 ++++++++
 binutils/readelf.c |   16 +++++++++++++++-
 2 files changed, 23 insertions(+), 1 deletions(-)
Comment 35 Nick Clifton 2014-11-18 10:25:34 UTC
Hi Espen, Hi Alexander,

  OK, those two are fixed.  Next ?

Cheers
  Nick
Comment 36 Espen Grindhaug 2014-11-20 07:09:56 UTC
Created attachment 7954 [details]
2 more problematic test cases

(In reply to Nick Clifton from comment #35)
> Hi Espen, Hi Alexander,
> 
>   OK, those two are fixed.  Next ?
> 
> Cheers
>   Nick

It's getting harder to find problems, but attached you find two test cases. One of them seems to get into an infinite loop. The other crashes like this:

Program received signal SIGSEGV, Segmentation fault.
#0  __strncpy_sse2_unaligned () at ../sysdeps/x86_64/multiarch/strcpy-sse2-unaligned.S:1669
#1  0x0000000000443d56 in strncpy (__len=<optimized out>, __src=<optimized out>, __dest=<optimized out>) at /usr/include/x86_64-linux-gnu/bits/string3.h:120
#2  process_corefile_note_segment (file=0x55b000, offset=5486616, length=5486616) at readelf.c:14715
#3  0x0000000000492f1a in process_corefile_note_segment (length=<optimized out>, offset=<optimized out>, file=<optimized out>) at readelf.c:4178
#4  process_note_sections (file=<optimized out>) at readelf.c:14772
#5  process_notes (file=<optimized out>) at readelf.c:14793
#6  process_object (file_name=0x53b750 "", file=0x1, file@entry=0x53b000) at readelf.c:15011
#7  0x0000000000403c69 in process_file (file_name=0x7fffffffe29b "id:000000,sig:11,src:006986,op:havoc,rep:4") at readelf.c:15382
#8  main (argc=3, argv=0x7fffffffdef8) at readelf.c:15448

Espen
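The backtrace above shows strncpy() in process_corefile_note_segment() reading past the end of the segment because a corrupt note header supplied a name length readelf had not checked. As an added example (written for this page, not readelf's code, using little-endian byte order and a constructed sample segment), this is a note walker that treats namesz and descsz as untrusted and copies the name bounded by both the segment and the destination buffer:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define NOTE_HDR_SIZE 12u
#define NOTE_ALIGN    4u
#define NOTE_NAME_MAX 16   /* fixed-size name buffer, as in many note printers */

struct note {
    uint32_t type, namesz, descsz;
    char name[NOTE_NAME_MAX];     /* always NUL-terminated, possibly truncated */
    const unsigned char *desc;    /* points into the segment */
};

/* Little-endian 32-bit read; assumption: the samples are little-endian ELF. */
static uint32_t get_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Round up to the note alignment in 64-bit arithmetic so a 32-bit size near
   UINT32_MAX cannot wrap to a small value and defeat the length check. */
static uint64_t align_up(uint32_t v)
{
    return ((uint64_t)v + (NOTE_ALIGN - 1)) & ~(uint64_t)(NOTE_ALIGN - 1);
}

/* Parse up to max_notes notes from seg[0..len).  Returns how many well-formed
   notes were stored in out[]; *corrupt is set when the walk stops because a
   header is truncated or its sizes claim more bytes than remain. */
size_t walk_notes(const unsigned char *seg, size_t len,
                  struct note *out, size_t max_notes, int *corrupt)
{
    size_t off = 0, n = 0;
    *corrupt = 0;
    while (n < max_notes) {
        size_t remaining = len - off;
        if (remaining == 0)
            break;                        /* clean end of the segment */
        if (remaining < NOTE_HDR_SIZE) {
            *corrupt = 1;                 /* truncated header */
            break;
        }
        uint32_t namesz = get_le32(seg + off);
        uint32_t descsz = get_le32(seg + off + 4);
        uint64_t need = NOTE_HDR_SIZE + align_up(namesz) + align_up(descsz);
        if (need > remaining) {
            *corrupt = 1;                 /* sizes run past the segment */
            break;
        }
        struct note *nt = &out[n++];
        nt->type = get_le32(seg + off + 8);
        nt->namesz = namesz;
        nt->descsz = descsz;
        /* Bound the copy by both the claimed size and the destination buffer,
           then terminate it ourselves instead of relying on strncpy. */
        size_t ncopy = namesz < NOTE_NAME_MAX - 1 ? namesz : NOTE_NAME_MAX - 1;
        memcpy(nt->name, seg + off + NOTE_HDR_SIZE, ncopy);
        nt->name[ncopy] = '\0';
        nt->desc = seg + off + NOTE_HDR_SIZE + (size_t)align_up(namesz);
        off += (size_t)need;              /* need <= remaining: cannot overflow */
    }
    return n;
}

/* Constructed samples (not the bug's attachments).  sample_good holds a
   "CORE" note (type 1, 4 desc bytes) and a "GNU" note (type 3, no desc).
   sample_bad repeats the first note, then a header whose namesz is
   0xFFFFFFFE: rounded up in 32-bit arithmetic that wraps to 0 and would
   pass a naive "12 + namesz + descsz <= remaining" test. */
static const unsigned char sample_good[] = {
    5,0,0,0,  4,0,0,0,  1,0,0,0,  'C','O','R','E',0,0,0,0,  0xaa,0xbb,0xcc,0xdd,
    4,0,0,0,  0,0,0,0,  3,0,0,0,  'G','N','U',0
};
static const unsigned char sample_bad[] = {
    5,0,0,0,  4,0,0,0,  1,0,0,0,  'C','O','R','E',0,0,0,0,  0xaa,0xbb,0xcc,0xdd,
    0xfe,0xff,0xff,0xff,  0,0,0,0,  2,0,0,0,  'X','Y','Z',0
};

/* Helpers exposing the two results as plain integers. */
int note_count(const unsigned char *seg, size_t len)
{
    struct note n[8]; int c;
    return (int)walk_notes(seg, len, n, 8, &c);
}
int note_corrupt(const unsigned char *seg, size_t len)
{
    struct note n[8]; int c;
    walk_notes(seg, len, n, 8, &c);
    return c;
}
```

The two properties that matter are that every length is validated against the bytes actually remaining before any pointer is derived from it, and that the offset only ever advances by an amount already proven to fit, so the loop cannot run off the end or wrap around.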
Comment 37 Alexander Cherepanov 2014-11-20 23:13:58 UTC
Created attachment 7957 [details]
AFL crashers for `readelf -a`

Files: 4
Errors:
      1 Invalid read of size ...
      4 Invalid write of size ...
      3 Process terminating with default action of signal 11 (SIGSEGV)
Comment 38 Sourceware Commits 2014-11-21 13:38:56 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "gdb and binutils".

The branch, master has been updated
       via  5d921cbd81554867007e903b634acc6bc8281f9f (commit)
      from  cd11f78f810cf12b04046ac954ceb6528b00956c (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=5d921cbd81554867007e903b634acc6bc8281f9f

commit 5d921cbd81554867007e903b634acc6bc8281f9f
Author: Nick Clifton <nickc@redhat.com>
Date:   Fri Nov 21 13:37:39 2014 +0000

    Resolve more problems with readelf uncovered by fuzzing binary files.
    
    	PR binutils/17531
    	* readelf.c (process_version_sections): Prevent an infinite loop
    	processing corrupt version need data.
    	(process_corefile_note_segment): Handle corrupt notes.

-----------------------------------------------------------------------

Summary of changes:
 binutils/ChangeLog |    7 +++++++
 binutils/readelf.c |    8 +++++++-
 2 files changed, 14 insertions(+), 1 deletions(-)
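The commit above stops process_version_sections() from looping forever on corrupt version-need data. The added example below (written for this page, not readelf's code; assumes ELFCLASS32, little-endian byte order and constructed sample bytes) shows the shape of a safe walk over the Verneed/Vernaux chains: the iteration count comes from the header, every link is checked against the section before it is followed, and a zero link is accepted only on the last record of a chain, since following it would re-read the same record instead of advancing:

```c
#include <stdint.h>
#include <stddef.h>

#define VERNEED_SIZE 16u   /* sizeof (Elf32_Verneed) */
#define VERNAUX_SIZE 16u   /* sizeof (Elf32_Vernaux) */

/* Little-endian field readers; assumption: ELFCLASS32, ELFDATA2LSB samples. */
static uint16_t le16(const unsigned char *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}
static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walk a .gnu.version_r section of `size` bytes that declares `verneednum`
   Elf32_Verneed records (readelf takes that count from sh_info).  Returns the
   total number of Vernaux records visited, or -1 if the data is corrupt. */
long walk_verneed(const unsigned char *sec, size_t size, unsigned verneednum)
{
    size_t off = 0;
    long aux_total = 0;
    for (unsigned i = 0; i < verneednum; i++) {
        if (size - off < VERNEED_SIZE)
            return -1;                             /* header runs off the end */
        uint16_t vn_cnt  = le16(sec + off + 2);
        uint32_t vn_aux  = le32(sec + off + 8);
        uint32_t vn_next = le32(sec + off + 12);
        if (vn_aux > size - off)
            return -1;                             /* aux chain starts outside */
        size_t aoff = off + vn_aux;
        for (uint16_t j = 0; j < vn_cnt; j++) {
            if (size - aoff < VERNAUX_SIZE)
                return -1;
            uint32_t vna_next = le32(sec + aoff + 12);
            aux_total++;
            if (j + 1 < vn_cnt) {
                /* More records are claimed: a zero link would re-read this
                   record, a link past the section would read outside it. */
                if (vna_next == 0 || vna_next > size - aoff)
                    return -1;
                aoff += vna_next;
            }
        }
        if (i + 1 < verneednum) {
            if (vn_next == 0 || vn_next > size - off)
                return -1;
            off += vn_next;
        }
    }
    return aux_total;
}

/* Constructed sample: one Verneed (vn_cnt = 2, vn_aux = 16, vn_next = 0)
   followed by two Vernaux records linked by vna_next = 16, then 0. */
static const unsigned char verneed_ok[48] = {
    1,0, 2,0, 0,0,0,0, 16,0,0,0, 0,0,0,0,                 /* Elf32_Verneed */
    0x12,0x34,0x56,0x78, 0,0, 2,0, 0,0,0,0, 16,0,0,0,     /* Vernaux #1 */
    0x9a,0xbc,0xde,0xf0, 0,0, 3,0, 0,0,0,0, 0,0,0,0       /* Vernaux #2 */
};
/* Same layout, but Vernaux #1 has vna_next = 0 while vn_cnt still says 2:
   a walker that blindly adds vna_next keeps re-reading Vernaux #1. */
static const unsigned char verneed_loop[48] = {
    1,0, 2,0, 0,0,0,0, 16,0,0,0, 0,0,0,0,
    0x12,0x34,0x56,0x78, 0,0, 2,0, 0,0,0,0, 0,0,0,0,
    0x9a,0xbc,0xde,0xf0, 0,0, 3,0, 0,0,0,0, 0,0,0,0
};

long ok_result(void)        { return walk_verneed(verneed_ok,   sizeof verneed_ok,   1); }
long loop_result(void)      { return walk_verneed(verneed_loop, sizeof verneed_loop, 1); }
/* Declaring a second Verneed record that vn_next = 0 can never reach is corrupt too. */
long overclaim_result(void) { return walk_verneed(verneed_ok,   sizeof verneed_ok,   2); }
```

Because both offsets only ever grow, and each growth is bounded by what remains in the section, the walk terminates after at most verneednum outer and vn_cnt inner steps whatever the file contains.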
Comment 39 Espen Grindhaug 2014-11-22 18:08:07 UTC
Created attachment 7963 [details]
3 more problematic programs

Attached are three more problematic programs. One more infinite loop, one heap buffer overflow and one use after free. The ASAN output is also included.

Found using AFL.
Comment 40 Alexander Cherepanov 2014-11-22 23:22:07 UTC
Created attachment 7964 [details]
Sample with fishy malloc

This one doesn't crash `readelf -agteAruhlsSdIncwVW --dyn-syms -D` but gives an error under valgrind.

Files: 1
Errors:
      1 Argument 'size' of function malloc has a fishy (possibly negative) value: ...
Comment 41 Espen Grindhaug 2014-11-23 15:07:09 UTC
Created attachment 7966 [details]
Possible fix for asan problems in comment #39
Comment 42 Espen Grindhaug 2014-11-23 16:02:45 UTC
Created attachment 7967 [details]
Possible fix for problems in comment #39

Possible fix for all three problems attached in comment #39.
Comment 43 Espen Grindhaug 2014-11-23 18:06:17 UTC
Created attachment 7968 [details]
Possible fix for problem in comment #40
Comment 44 Sourceware Commits 2014-11-27 15:51:01 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "gdb and binutils".

The branch, master has been updated
       via  c9c1d674406c5fff9d2f2ea771e4288cb6bf4e5a (commit)
      from  3a1cfc456f3b3f422b7c6c0d63891b015ea234b9 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=c9c1d674406c5fff9d2f2ea771e4288cb6bf4e5a

commit c9c1d674406c5fff9d2f2ea771e4288cb6bf4e5a
Author: Espen Grindhaug <espen@grindhaug.org>
Date:   Thu Nov 27 15:49:23 2014 +0000

    Fixes an infinite loop in readelf parsing a corrupt binary, and other minor corrections.
    
    	PR binutils/17531
    	* readelf.c (get_data): Move excessive length check to earlier on
    	in the function and allow for wraparound in the arithmetic.
    	(get_32bit_elf_symbols): Terminate early if the section size is
    	zero.  Check for an invalid sh_entsize.  Check for an index
    	section with an invalid size.
    	(get_64bit_elf_symbols): Likewise.
    	(process_section_groups): Check for an invalid sh_entsize.

-----------------------------------------------------------------------

Summary of changes:
 binutils/ChangeLog |   12 +++++++
 binutils/readelf.c |   88 ++++++++++++++++++++++++++++++++++++++++------------
 2 files changed, 80 insertions(+), 20 deletions(-)
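The ChangeLog above moves get_data()'s length check earlier and makes it tolerate wraparound, and has the symbol readers bail out on an empty section or a bad sh_entsize. As an added example (written for this page, not readelf's get_data() or get_32bit_elf_symbols(); the 64-byte "file" and the request values are constructed), this is what both checks look like when every product and sum is tested for overflow before anything is allocated or read, with the naive form kept alongside to show how a wrapping request slips past it:

```c
#include <stdint.h>
#include <stddef.h>

/* Decides whether `nmemb` records of `size` bytes at `offset` fit inside a
   file of `file_size` bytes.  Returns a pointer to the data, or NULL when the
   request is empty, wraps in the arithmetic, or runs past the end of the file. */
const unsigned char *checked_get_data(const unsigned char *file, uint64_t file_size,
                                      uint64_t offset, uint64_t nmemb, uint64_t size)
{
    if (size == 0 || nmemb == 0)
        return NULL;                            /* nothing to read */
    if (nmemb > UINT64_MAX / size)
        return NULL;                            /* nmemb * size would wrap */
    uint64_t amt = nmemb * size;
    if (offset > file_size || amt > file_size - offset)
        return NULL;                            /* [offset, offset + amt) leaves the file */
    return file + offset;
}

/* The check written the obvious way, kept only to show the failure mode:
   the product and the sum wrap silently and the request appears to fit. */
int naive_fits(uint64_t file_size, uint64_t offset, uint64_t nmemb, uint64_t size)
{
    return offset + nmemb * size <= file_size;
}

/* Symbol-table sanity check in the spirit of the get_32bit/64bit_elf_symbols
   fixes: an empty section yields zero symbols, sh_entsize must equal the size
   of one symbol record for the ELF class, and the section must hold whole
   records.  Returns the symbol count, or -1 when the header is inconsistent. */
int64_t symtab_entry_count(uint64_t sh_size, uint64_t sh_entsize, int is_64bit)
{
    const uint64_t expected = is_64bit ? 24 : 16;   /* sizeof Elf64_Sym / Elf32_Sym */
    if (sh_size == 0)
        return 0;
    if (sh_entsize != expected)
        return -1;
    if (sh_size % sh_entsize != 0)
        return -1;
    return (int64_t)(sh_size / sh_entsize);
}

/* A constructed 64-byte "file" standing in for a real ELF image. */
static const unsigned char sample_file[64] = { 0x7f, 'E', 'L', 'F' };
#define SAMPLE_FILE_SIZE ((uint64_t)sizeof sample_file)

/* 2^60 records of 16 bytes is exactly 2^64: the product wraps to 0, so the
   naive check sees "8 + 0 <= 64" and accepts; the checked version rejects. */
int wrapping_request_passes_naive(void)
{
    return naive_fits(SAMPLE_FILE_SIZE, 8, (uint64_t)1 << 60, 16);
}
int wrapping_request_rejected(void)
{
    return checked_get_data(sample_file, SAMPLE_FILE_SIZE, 8, (uint64_t)1 << 60, 16) == NULL;
}
```

Ordering the checks this way (size and count first, then the product, then the offset against what is left of the file) is also what avoids the "silly calls to malloc" mentioned in the next comment: a request that cannot possibly be satisfied is refused before any buffer is sized from attacker-controlled numbers.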
Comment 45 Nick Clifton 2014-11-27 15:55:00 UTC
Hi Espen,

  Thanks very much for the patch.  I have checked it in with two minor additions: I duplicated the fix for get_32bit_elf_symbols() into get_64bit_elf_symbols() and I improved the range test in get_data() so that it makes fewer silly calls to malloc.

Cheers
  Nick
Comment 46 Alexander Cherepanov 2014-11-28 12:08:02 UTC
Created attachment 7975 [details]
Crashes for `readelf -agteAruhlsSdIncVWw --dyn-syms -D`

Files: 19
Errors:
      1 Argument 'size' of function malloc has a fishy (possibly negative) value: ...
      1 Conditional jump or move depends on uninitialised value(s)
     36 Invalid read of size ...
      8 Invalid write of size ...
      5 Process terminating with default action of signal 11 (SIGSEGV)
Comment 47 Sourceware Commits 2014-12-01 11:21:08 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "gdb and binutils".

The branch, master has been updated
       via  591f7597d447d8d038d6d8e24a706d1d5e32eba1 (commit)
      from  9e8cd6df3ca295986b2c295b6cfa5ceadd410bb4 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=591f7597d447d8d038d6d8e24a706d1d5e32eba1

commit 591f7597d447d8d038d6d8e24a706d1d5e32eba1
Author: Nick Clifton <nickc@redhat.com>
Date:   Mon Dec 1 11:19:39 2014 +0000

    Add checks for memory access violations exposed by fuzzed archives.
    
    	PR binutils/17531
    	* dwarf.c (process_cu_tu_index): Check for an out of range row
    	index.
    	* elfcomm.c (adjust_relative_path): Change name_len parameter to
    	an unsigned long.  Check for path length overflow.
    	(process_archive_index_and_symbols): Check for invalid header
    	size.
    	(setup_archive): Add checks for invalid archives.
    	(get_archive_member_name): Add range checks.
    	* elfcomm.h (adjust_relative_path): Update prototype.
    	* readelf.c (process_archive): Add range checks.

-----------------------------------------------------------------------

Summary of changes:
 binutils/ChangeLog |   14 +++++++++++++
 binutils/dwarf.c   |    8 +++++++
 binutils/elfcomm.c |   55 +++++++++++++++++++++++++++++++++++++++++++++++----
 binutils/elfcomm.h |    2 +-
 binutils/readelf.c |   11 +++++----
 5 files changed, 79 insertions(+), 11 deletions(-)
Comment 48 Nick Clifton 2014-12-01 11:23:39 UTC
Thanks Alexander,

  Those new archive based problems should be fixed now.

Cheers
  Nick
Comment 49 Alexander Cherepanov 2014-12-03 13:01:35 UTC
Created attachment 7991 [details]
Aborts for `readelf -agteAruhlsSdIncVWw --dyn-syms -D`

Files: 4
Errors:
      4 No assertion info in gdb backtrace.
Comment 50 Sourceware Commits 2014-12-03 16:35:01 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "gdb and binutils".

The branch, master has been updated
       via  bee0ee850e846a8717b9aadb8d5da3adee3254ee (commit)
      from  9d157cb9fe73ff3d911ccdf581ab09eae02e78aa (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=bee0ee850e846a8717b9aadb8d5da3adee3254ee

commit bee0ee850e846a8717b9aadb8d5da3adee3254ee
Author: Nick Clifton <nickc@redhat.com>
Date:   Wed Dec 3 16:33:33 2014 +0000

    Replace calls to abort (in readelf) with informative error messages.
    
    	PR binutils/17531
    	* readelf.c (get_machine_flags): Replace call to abort with a
    	warning message and a return value.
    	(get_elf_section_flags): Likewise.
    	(get_symbol_visibility): Likewise.
    	(get_ia64_symbol_other): Likewise.
    	(get_ia64_symbol_other): Likewise.
    	(is_32bit_abs_reloc): Likewise.
    	(apply_relocations): Likewise.
    	(display_arm_attribute): Likewise.

-----------------------------------------------------------------------

Summary of changes:
 binutils/ChangeLog |   13 +++++++++++
 binutils/readelf.c |   61 ++++++++++++++++++++++++++++++++++++++++------------
 2 files changed, 60 insertions(+), 14 deletions(-)
Comment 51 Nick Clifton 2014-12-03 16:35:43 UTC
Hi Alexander,

> Aborts for `readelf -agteAruhlsSdIncVWw --dyn-syms -D`

Thanks - I have checked in a patch to remove all calls to abort from inside readelf.

Cheers
  Nick
Comment 52 Alexander Cherepanov 2014-12-04 08:54:28 UTC
Created attachment 7994 [details]
More crashes for `readelf -agteAruhlsSdIncVWw --dyn-syms -D`

Files: 18
Errors:
     12 Conditional jump or move depends on uninitialised value(s)
    128 Invalid read of size ...
      6 Invalid write of size ...
      5 Process terminating with default action of signal 11 (SIGSEGV)
     11 Use of uninitialised value of size ...
Comment 53 Alexander Cherepanov 2014-12-04 08:56:54 UTC
Created attachment 7995 [details]
More aborts for `readelf -agteAruhlsSdIncVWw --dyn-syms -D`

Files: 2
Errors:
      2 No assertion info in gdb backtrace.
Comment 54 Sourceware Commits 2014-12-08 17:53:10 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "gdb and binutils".

The branch, master has been updated
       via  53774b7e76dc5b3e8cc00d6f7a9d27e6c65830a9 (commit)
      from  2ebecbb12e1281fca50fb0361475a01243432825 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=53774b7e76dc5b3e8cc00d6f7a9d27e6c65830a9

commit 53774b7e76dc5b3e8cc00d6f7a9d27e6c65830a9
Author: Nick Clifton <nickc@redhat.com>
Date:   Mon Dec 8 17:51:46 2014 +0000

    More fixes for invalid memory accesses triggered by fuzzed binaries.
    
    	PR binutils/17531
    	* dwarf.c (display_debug_frames): Check for a negative
    	augmentation data length.
    	(display_gdb_index): Check for invalid offsets.
    	* elfcomm.c (process_archive_index_and_symbols): Check for an
    	index number that overflows when multiplied by the ar index size.
    	* readelf.c (dump_ia64_unwind): Add range checks.
    	(slurp_ia64_unwind_table): Change to a boolean function.  Add
    	range checks.
    	(process_version_sections): Add range checks.
    	(get_symbol_version_string): Add check for missing section
    	headers.

-----------------------------------------------------------------------

Summary of changes:
 binutils/ChangeLog |   15 +++++++++++
 binutils/dwarf.c   |   70 +++++++++++++++++++++++++++++++++++++++++++++++---
 binutils/elfcomm.c |    6 +++-
 binutils/readelf.c |   72 +++++++++++++++++++++++++++++++++++++++-------------
 4 files changed, 139 insertions(+), 24 deletions(-)
Comment 55 Nick Clifton 2014-12-08 17:54:23 UTC
Hi Alexander,

  These should be fixed now.

Cheers
  Nick
Comment 56 Alexander Cherepanov 2014-12-18 22:46:53 UTC
Created attachment 8019 [details]
AFL crashers for `readelf -agteAruhlsSdIncVWw --dyn-syms -D`

crashes

Files: 7
Errors:
     25 Invalid read of size ...
      2 Invalid write of size ...
      2 Process terminating with default action of signal 11 (SIGSEGV)
      1 Process terminating with default action of signal 8 (SIGFPE)

----------------------------------------------------------------------

asserts

Files: 1
Errors:
      1 No assertion info in gdb backtrace.
Comment 57 Sourceware Commits 2014-12-22 22:45:51 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "gdb and binutils".

The branch, master has been updated
       via  058037d3a169c91042c9b8549f7d04fd7550bed6 (commit)
      from  5860e3f883597cf6b8a937547015394edc1e8784 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=058037d3a169c91042c9b8549f7d04fd7550bed6

commit 058037d3a169c91042c9b8549f7d04fd7550bed6
Author: Nick Clifton <nickc@redhat.com>
Date:   Mon Dec 22 22:44:34 2014 +0000

    More fixes for invalid memory accesses exposed by fuzzed binaries.
    
    	PR binutils/17531
    	* dwarf.c (decode_location_expression): Check for an out of range
    	value for a DW_OP_GNU_entry_value expression.
    	(display_debug_lines_raw): Check for a partial
    	.debug_line. section being encountered without a prior, full
    	.debug.line section.
    	(display_debug_lines_decoded): Likewise.  Also check for
    	li_line_range being zero.
    	(display_debug_pubnames_worker): Check for an invalid pn_length
    	field.
    	(read_cie): Add range checks.
    	* elfcomm.c (setup_archive): Check for a negative longnames_size.

-----------------------------------------------------------------------

Summary of changes:
 binutils/ChangeLog |   15 +++++++++++
 binutils/dwarf.c   |   70 +++++++++++++++++++++++++++++++++++++++++++---------
 binutils/elfcomm.c |   10 +++++++
 3 files changed, 83 insertions(+), 12 deletions(-)
Comment 58 Nick Clifton 2014-12-22 22:47:37 UTC
Hi Alexander,

> Files: 7
> Errors:
>      25 Invalid read of size ...
>       2 Invalid write of size ...
>       2 Process terminating with default action of signal 11 (SIGSEGV)
>       1 Process terminating with default action of signal 8 (SIGFPE)

These should now be fixed.

Cheers
  Nick
Comment 59 Alexander Cherepanov 2015-01-01 21:38:58 UTC
Created attachment 8037 [details]
More problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D`

valgrind

Files: 5
Errors:
     12 Invalid read of size ...
      5 Invalid write of size ...
      4 Process terminating with default action of signal 11 (SIGSEGV)

----------------------------------------------------------------------

gdb

Files: 2
Errors:
      1 No assertion info in gdb backtrace.
      1 readelf.c:14056: process_mips_specific: Assertion `global_end >= local_end' failed.
Comment 60 Alexander Cherepanov 2015-01-01 21:43:50 UTC
Created attachment 8038 [details]
Big (28MB) problem with `readelf -agteAruhlsSdIncVWw --dyn-syms -D`

(Big files. Have to split submission into several parts.)

valgrind

Files: 1
Errors:
      5 Conditional jump or move depends on uninitialised value(s)
      3 Invalid read of size ...
      3 Invalid write of size ...
      1 Process terminating with default action of signal 11 (SIGSEGV)
      2 Use of uninitialised value of size ...
Comment 61 Sourceware Commits 2015-01-05 13:55:46 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "gdb and binutils".

The branch, master has been updated
       via  82b1b41bcdc6d01fdbd94b246e24a8a8f8c2bddd (commit)
       via  c1724c7fd39d85ccc1f94a0cd7bc25b19aa43ffd (commit)
      from  f8ed3ac5f2600f037bff4ba01e6c92257d4a4fae (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=82b1b41bcdc6d01fdbd94b246e24a8a8f8c2bddd

commit 82b1b41bcdc6d01fdbd94b246e24a8a8f8c2bddd
Author: Nick Clifton <nickc@redhat.com>
Date:   Mon Jan 5 13:54:22 2015 +0000

    More fixes for invalid memory accesses triggered by fuzzed binaries.
    
    	PR binutils/17531
    	* dwarf.c (alloc_num_debug_info_entries): New variable.
    	(process_debug_info): Set it.  Use it to avoid displaying
    	attributes for which there is no info.
    	(display_debug_abbrev): Check that the debug_info_entry index is
    	valid before using it.
    	(display_loc_list_dwo): Likewise.
    	(process_cu_tu_index): Add range check for an overlarge dw_sect
    	value.
    	(free_debug_memory): Reset alloc_num_debug_info_entries.
    	* readelf.c (slurp_ia64_unwind_table): Warn if the reloc could not
    	be identified.
    	(dynamic_section_mips_val): Warn if the timestamp is invalid.
    	(print_mips_got_entry): Add a data_end parameter.  Warn if a read
    	would go beyond the end of the data, and return an error value.
    	(process_mips_specific): Do not read options from beyond the end
    	of the section.
    	Correct code to display optional data at the end of an option.
    	Warn if there are too many GOT symbols.
    	Update calls to print_mips_got_entry, and handle error returns.

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=c1724c7fd39d85ccc1f94a0cd7bc25b19aa43ffd

commit c1724c7fd39d85ccc1f94a0cd7bc25b19aa43ffd
Author: Daniel Klauer <daniel.c.klauer@web.de>
Date:   Mon Jan 5 09:41:48 2015 +0000

    Corrects the description of the --kill-at option of dlltool.
    
    	PR binutils/17489
    	* doc/binutils.texi (dlltool): Correct description of --kill-at
    	option.

-----------------------------------------------------------------------

Summary of changes:
 binutils/ChangeLog         |   29 ++++++++++++
 binutils/doc/binutils.texi |   12 +++--
 binutils/dwarf.c           |  107 +++++++++++++++++++++++++++++++-------------
 binutils/dwarf.h           |    8 ++--
 binutils/readelf.c         |  100 +++++++++++++++++++++++++++++++---------
 5 files changed, 194 insertions(+), 62 deletions(-)
Comment 62 Nick Clifton 2015-01-05 13:57:27 UTC
Hi Alexander,

> Files: 1
> Errors:
>       5 Conditional jump or move depends on uninitialised value(s)
>       3 Invalid read of size ...
>       3 Invalid write of size ...
>       1 Process terminating with default action of signal 11 (SIGSEGV)
>       2 Use of uninitialised value of size ...
>
> Files: 5
> Errors:
>     12 Invalid read of size ...
>      5 Invalid write of size ...
>      4 Process terminating with default action of signal 11 (SIGSEGV)

These should all now be fixed.

Cheers
  Nick
Comment 63 Alexander Cherepanov 2015-01-11 21:32:21 UTC
Created attachment 8060 [details]
Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D`

Files: 1
Errors:
      4 Conditional jump or move depends on uninitialised value(s)
      1 Invalid read of size ...
      1 Process terminating with default action of signal 11 (SIGSEGV)
      1 Use of uninitialised value of size ...
Comment 64 Alexander Cherepanov 2015-01-11 21:35:56 UTC
Created attachment 8061 [details]
Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D`

Files: 1
Errors:
      6 Conditional jump or move depends on uninitialised value(s)
      8 Invalid read of size ...
      1 Process terminating with default action of signal 11 (SIGSEGV)
      1 Use of uninitialised value of size ...
Comment 65 Sourceware Commits 2015-01-12 16:09:59 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=72c61a0d1ef445f99305859b66450da60ec6e0cb

commit 72c61a0d1ef445f99305859b66450da60ec6e0cb
Author: Nick Clifton <nickc@redhat.com>
Date:   Mon Jan 12 16:08:41 2015 +0000

    More fixes for memory access errors when running readelf on fuzzed binaries.
    
    	PR binutils/17531
    	* dwarf.c (process_debug_info): Check for abbrev_base being larger
    	than the section size.
    	(process_cu_tu_index): Use xcalloc2 to allocate the CU and TU
    	arrays.
    	(xcalloc2): New function.  Like xcalloc, but checks for overflow.
    	* dwarf.h (xcalloc2): Prototype.
Comment 66 Nick Clifton 2015-01-12 16:10:45 UTC
Hi Alexander,

> Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D`
> Errors:
>       4 Conditional jump or move depends on uninitialised value(s)
>       1 Invalid read of size ...
>       1 Process terminating with default action of signal 11 (SIGSEGV)
>       1 Use of uninitialised value of size ...

Fixed. :-)

Cheers
  Nick
Comment 67 Sourceware Commits 2015-01-12 17:30:28 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=1306a7421c764d1f5e2a08afdb9b5818662c9e9c

commit 1306a7421c764d1f5e2a08afdb9b5818662c9e9c
Author: Nick Clifton <nickc@redhat.com>
Date:   Mon Jan 12 17:28:55 2015 +0000

    Another fix for memory access errors triggered by running readelf on a corrupt binary.
    
    	PR binutils/17531
    	* dwarf.c (display_debug_addr): Use xcalloc to allocate the debug_addr_info
    	array.  Check for an address_base that is too large.
Comment 68 Nick Clifton 2015-01-12 17:31:19 UTC
Hi Alexander,

> Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D`
> Errors:
>       6 Conditional jump or move depends on uninitialised value(s)
>       8 Invalid read of size ...
>       1 Process terminating with default action of signal 11 (SIGSEGV)
>       1 Use of uninitialised value of size ...

Also fixed.

Cheers
  Nick
Comment 69 jsm-csl@polyomino.org.uk 2015-01-12 19:05:51 UTC
On Mon, 12 Jan 2015, cvs-commit at gcc dot gnu.org wrote:

>         (xcalloc2): New function.  Like xcalloc, but checks for overflow.
>         * dwarf.h (xcalloc2): Prototype.

This should not be needed.  xcalloc calls calloc, which should check for 
overflow itself.  I see libiberty has a broken version of calloc, but 
since calloc is a C89 function no modern system should be using 
libiberty's version.  If we wish to allow for systems with broken calloc, 
libiberty's configure should detect such systems (based on a blacklist of 
broken systems) and substitute a working calloc.

(On the other hand, all the allocation macros in libiberty.h that do 
multiplications do need replacing by versions that check for overflow - 
that is, the existing macros need to be made to check for overflow, rather 
than having separate checking and non-checking versions.)
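The point argued in the two comments above is that an element-count times element-size computation must be checked for overflow before the product reaches an allocator, whether the check lives in calloc or in a wrapper like xcalloc2. The following is an added illustration written for this page, not binutils code: the names mul_overflows, naive_product, safe_calloc and alloc_table_ok are hypothetical, and the wrapper returns NULL on overflow instead of calling the project's fatal-error path.

```c
/* Added illustration of overflow-checked array allocation. Not binutils
   code; all function names here are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Returns non-zero if a * b cannot be represented in a size_t. */
int mul_overflows(size_t a, size_t b)
{
    return a != 0 && b > SIZE_MAX / a;
}

/* What an unchecked count * size computation yields: unsigned
   multiplication wraps modulo SIZE_MAX + 1 instead of failing, so an
   attacker-chosen count can produce a tiny allocation. */
size_t naive_product(size_t a, size_t b)
{
    return a * b;
}

/* calloc-style allocation that refuses counts whose product would wrap.
   Returns NULL on overflow or on allocation failure. */
void *safe_calloc(size_t nmemb, size_t size)
{
    if (mul_overflows(nmemb, size))
        return NULL;
    return calloc(nmemb, size);
}

/* Allocate a zeroed table, confirm it is zero-filled, release it.
   Returns 1 on success, 0 if the allocation was refused or not zeroed. */
int alloc_table_ok(size_t nmemb, size_t size)
{
    unsigned char *p = safe_calloc(nmemb, size);
    size_t i, total;

    if (p == NULL)
        return 0;
    total = nmemb * size;   /* cannot wrap: safe_calloc already checked */
    for (i = 0; i < total; i++) {
        if (p[i] != 0) {
            free(p);
            return 0;
        }
    }
    free(p);
    return 1;
}

int main(void)
{
    /* Constructed value: huge * 2 is SIZE_MAX + 3, which wraps to 2. */
    size_t huge = SIZE_MAX / 2 + 2;

    printf("naive product of huge * 2: %zu\n", naive_product(huge, 2));
    printf("safe_calloc(huge, 2) refused: %s\n",
           safe_calloc(huge, 2) == NULL ? "yes" : "no");
    printf("table of 1000 x 8 bytes ok: %d\n", alloc_table_ok(1000, 8));
    return 0;
}
```

The division form `b > SIZE_MAX / a` is the portable way to test the product without computing it; compilers that provide `__builtin_mul_overflow` can use that instead, but the result is the same.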
Comment 70 Alexander Cherepanov 2015-02-02 22:55:19 UTC
Created attachment 8095 [details]
Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D` (32-bit)

More problems found with 32-bit binutils: built with -m32 on 64-bit host.

----------------------------------------------------------------------

valgrind

Files: 39
Errors:
     39 Conditional jump or move depends on uninitialised value(s)
    105 Invalid read of size ...
      1 Invalid write of size ...
     24 Process terminating with default action of signal 11 (SIGSEGV)
      7 Use of uninitialised value of size ...

----------------------------------------------------------------------

gdb

Files: 4
Errors:
      4 No assertion info in gdb backtrace.

----------------------------------------------------------------------

catchsegv

Files: 11
Errors:
     11 *** Segmentation fault
Comment 71 Sourceware Commits 2015-02-03 20:43:57 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=570286220e28e606e199b37a06cd199cadb592ba

commit 570286220e28e606e199b37a06cd199cadb592ba
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Feb 3 20:42:36 2015 +0000

    Fix memory access violations triggered by running readelf on fuzzed binaries.
    
    	PR binutils/17531
    	* dwarf.c (process_debug_info): Add range check.
    	(display_debug_pubnames_worker): Likewise.
    	(display_gdb_index): Fix range check.
    	(process_cu_tu_index): Add range check.
    	* readelf.c (get_data): Change parameter types from size_t to
    	bfd_size_type.  Add checks for loss of accuracy when casting from
    	bfd_size_type to size_t.
    	(get_dynamic_data): Likewise.
    	(process_section_groups): Limit number of error messages.
Comment 72 Nick Clifton 2015-02-03 20:45:10 UTC
Hi Alexander,

> Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D` (32-bit)
> More problems found with 32-bit binutils: built with -m32 on 64-bit host.

>      39 Conditional jump or move depends on uninitialised value(s)
>     105 Invalid read of size ...
>       1 Invalid write of size ...
>      24 Process terminating with default action of signal 11 (SIGSEGV)
>       7 Use of uninitialised value of size ...

These should all be fixed now.

Cheers
  Nick
Comment 73 Alexander Cherepanov 2015-02-03 22:56:25 UTC
Hi Nick,

(In reply to Nick Clifton from comment #72)
> > Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D` (32-bit)
> > More problems found with 32-bit binutils: built with -m32 on 64-bit host.
> 
> >      39 Conditional jump or move depends on uninitialised value(s)
> >     105 Invalid read of size ...
> >       1 Invalid write of size ...
> >      24 Process terminating with default action of signal 11 (SIGSEGV)
> >       7 Use of uninitialised value of size ...
> 
> These should all be fixed now.

Not sure if it is supposed to be fixed already, but the following samples still crash for me (without valgrind):

0239616b
0d903ffb
206b89bd
5b5f0592
705e010d
731b937f
8a415f90
908c0847
e6b58147
Comment 74 Sourceware Commits 2015-02-04 10:52:08 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f3853b34448594744f284fa96f26e41fd533a50d

commit f3853b34448594744f284fa96f26e41fd533a50d
Author: Nick Clifton <nickc@redhat.com>
Date:   Wed Feb 4 10:40:05 2015 +0000

    More fixes for memory access violations triggered by running readelf on fuzzed binaries.
    
    	PR binutils/17531
    	* dwarf.c (read_and_display_attr_value): Test for a block length
    	being so long that it wraps around to before the start of the block.
    	(process_debug_info): Test for section_begin wrapping around to
    	before the start of the section.
    	(display_gdb_index): Test for num_cus being so large that the end
    	address wraps around to before the start of the section.
    	(process_cu_tu_index): Test for j being so large that the section
    	index pool wraps around to before the start of the section.
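The commits in comments 71 and 74 describe two checks a parser of untrusted section data needs: a length check that still holds when the length is so large that start + length wraps around to before the start, and a check that a 64-bit file size (bfd_size_type) still fits in size_t on a 32-bit build. The code below is an added illustration for this page, not binutils code: the section image is constructed here, the length-prefixed block format is a stand-in for DWARF's block forms, and every function name is hypothetical.

```c
/* Added illustration of wraparound-safe range checks over a constructed
   section image. Not binutils code; all names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The tempting form: off + len <= size. With an attacker-chosen len close
   to UINT64_MAX the sum wraps to a small number and the check passes. */
int block_in_bounds_naive(size_t size, uint64_t off, uint64_t len)
{
    return off + len <= size;
}

/* The safe form never computes off + len: it first pins off inside the
   section, then compares len against the space that is actually left.
   The subtraction cannot underflow because off <= size was established. */
int block_in_bounds_safe(size_t size, uint64_t off, uint64_t len)
{
    return off <= size && len <= size - off;
}

/* A 64-bit length must fit in size_t before it feeds an allocation or
   pointer arithmetic. On a 32-bit build 0x100000010 would otherwise be
   silently narrowed to 0x10. */
int fits_in_size_t(uint64_t v)
{
    return v <= (uint64_t)SIZE_MAX;
}

static uint64_t read_u64le(const unsigned char *p)
{
    uint64_t v = 0;
    int i;
    for (i = 7; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

/* Block format used here: an 8-byte little-endian length followed by that
   many payload bytes. Returns 1 and sets *payload/*len_out on success,
   0 if the prefix or the payload would leave the section. */
int read_block(const unsigned char *sec, size_t size, uint64_t off,
               const unsigned char **payload, size_t *len_out)
{
    uint64_t len;

    if (!block_in_bounds_safe(size, off, 8))        /* room for the prefix */
        return 0;
    len = read_u64le(sec + off);
    if (!fits_in_size_t(len))                       /* cannot even be sized */
        return 0;
    /* off + 8 cannot wrap: the first check established off + 8 <= size. */
    if (!block_in_bounds_safe(size, off + 8, len))  /* room for the payload */
        return 0;
    *payload = sec + off + 8;
    *len_out = (size_t)len;
    return 1;
}

/* Constructed 21-byte section: a valid block at offset 0 and a block at
   offset 11 whose length 0xfffffffffffffff0 wraps if added to its offset. */
const unsigned char sample_section[] = {
    3, 0, 0, 0, 0, 0, 0, 0, 'a', 'b', 'c',
    0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 'x', 'y'
};

/* Payload length of the block at 'off' in sample_section, or -1 if rejected. */
int demo_block_len(uint64_t off)
{
    const unsigned char *p;
    size_t n;
    if (!read_block(sample_section, sizeof sample_section, off, &p, &n))
        return -1;
    return (int)n;
}

int main(void)
{
    uint64_t wrap_len = UINT64_C(0xfffffffffffffff0);
    printf("block at 0: %d\n", demo_block_len(0));
    printf("block at 11: %d\n", demo_block_len(11));
    printf("naive check passes wrapped length: %d\n",
           block_in_bounds_naive(sizeof sample_section, 19, wrap_len));
    printf("safe check passes wrapped length: %d\n",
           block_in_bounds_safe(sizeof sample_section, 19, wrap_len));
    return 0;
}
```

For the second block, 19 + 0xfffffffffffffff0 wraps to 3, so the naive check accepts a payload that would extend 16 exabytes past the buffer; the safe form rejects it because 0xfffffffffffffff0 is larger than the 2 bytes remaining.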
Comment 75 Nick Clifton 2015-02-04 10:54:48 UTC
Hi Alexander,

> Not sure if it supposed to be fixed already but the following samples still
> crash for me (without valgrind):
> 
> 0239616b
> 0d903ffb
> 206b89bd
> 5b5f0592
> 705e010d
> 731b937f
> 8a415f90
> 908c0847
> e6b58147

Fascinating.  Valgrind was actually preventing the seg-faults from occurring.  I would never have suspected that.  Anyway, I have checked in another patch and these tests should all pass now, both with and without valgrind.

Cheers
  Nick
Comment 76 Alexander Cherepanov 2015-02-04 16:53:31 UTC
Created attachment 8102 [details]
Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D` (32-bit)

Files: 2
Errors:
      8 Conditional jump or move depends on uninitialised value(s)
      1 Invalid write of size ...
      1 Process terminating with default action of signal 11 (SIGSEGV)
      2 Use of uninitialised value of size ...
Comment 77 Alexander Cherepanov 2015-02-04 19:53:06 UTC
(In reply to Nick Clifton from comment #75)
> Fascinating.  Valgrind was actually preventing the seg-faults from
> occurring.  I would never have suspected that.  

It happens sometimes, and it's kinda documented -- http://valgrind.org/docs/manual/faq.html#faq.crashes . In such cases I provide the output from the catchsegv(1) instead of valgrind log. Previous example:

https://sourceware.org/bugzilla/show_bug.cgi?id=17512#c125

Probably I should have described it better...
Comment 78 Sourceware Commits 2015-02-06 12:21:00 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=8490fb409a37072389da7cafc3a92255e9a34c98

commit 8490fb409a37072389da7cafc3a92255e9a34c98
Author: Nick Clifton <nickc@redhat.com>
Date:   Fri Feb 6 12:19:20 2015 +0000

    Fix memory access violations triggered by processing fuzzed binaries with a 32-bit version of readelf, compiled on a 64-bit host.
    
    	PR binutils/17531
    	* dwarf.c (xcmalloc): Fail if the arguments are too big.
    	(xcrealloc): Likewise.
    	(xcalloc2): Likewise.
Comment 79 Sourceware Commits 2015-02-06 13:04:06 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=55325047241cf38dae3c6a577561c740a9024bf3

commit 55325047241cf38dae3c6a577561c740a9024bf3
Author: Nick Clifton <nickc@redhat.com>
Date:   Fri Feb 6 12:59:25 2015 +0000

    Fix an invalid memory access triggered by running readelf on a fuzzed binary.
    
    	PR binutils/17531
    	* readelf.c (process_mips_specific): Fail if an option has an
    	invalid size.
Comment 80 Nick Clifton 2015-02-06 13:05:03 UTC
Hi Alexander,

> Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D` (32-bit)
> Errors:
>       8 Conditional jump or move depends on uninitialised value(s)
>       1 Invalid write of size ...
>       1 Process terminating with default action of signal 11 (SIGSEGV)
>       2 Use of uninitialised value of size ...

These should all be fixed now.

Cheers
  Nick
Comment 81 Alexander Cherepanov 2015-02-08 16:29:41 UTC
Created attachment 8107 [details]
Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D` (32-bit)

I've started to build binutils with some hardening features turned on (still 32-bit). It doesn't make a difference for these particular samples but it could in the future. Exact `configure` command-line is in configure.txt inside the archive.

----------------------------------------------------------------------

valgrind

Files: 2
Errors:
      8 Conditional jump or move depends on uninitialised value(s)
      1 Invalid read of size ...
      1 Process terminating with default action of signal 11 (SIGSEGV)
      2 Use of uninitialised value of size ...
Comment 82 Alexander Cherepanov 2015-02-08 16:48:09 UTC
Created attachment 8108 [details]
Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D` (32-bit) -- ubsan

This is an experimental report. Attached samples expose undefined behavior. The errors are collected with binutils built with gcc-4.9 -fsanitize=undefined (exact configure is in configure-ubsan.txt).

If it's useful I'll integrate it into the usual reports. If it's not useful feel free to ignore it.

----------------------------------------------------------------------

ubsan

Files: 12
Errors:
      1 ../../../source/binutils/dwarf.c:2771:3: runtime error: variable length array bound evaluates to non-positive value ...
      1 ../../../source/binutils/dwarf.c:279:45: runtime error: shift exponent ... is too large for 64-bit type 'long long unsigned int'
      1 ../../../source/binutils/dwarf.c:3781:4: runtime error: variable length array bound evaluates to non-positive value ...
      1 ../../../source/binutils/dwarf.c:451:7: runtime error: variable length array bound evaluates to non-positive value ...
      1 ../../../source/binutils/dwarf.c:5884:6: runtime error: variable length array bound evaluates to non-positive value ...
      1 ../../../source/binutils/dwarf.c:5892:4: runtime error: variable length array bound evaluates to non-positive value ...
      1 ../../../source/binutils/dwarf.c:6431:3: runtime error: signed integer overflow: ... * ... cannot be represented in type 'int'
      1 ../../../source/binutils/dwarf.c:6437:29: runtime error: signed integer overflow: ... * ... cannot be represented in type 'int'
      1 ../../../source/binutils/dwarf.c:6447:3: runtime error: signed integer overflow: ... * ... cannot be represented in type 'int'
      1 ../../../source/binutils/dwarf.c:6453:29: runtime error: signed integer overflow: ... * ... cannot be represented in type 'int'
      1 ../../../source/binutils/dwarf.c:6460:40: runtime error: signed integer overflow: ... * ... cannot be represented in type 'int'
      1 ../../../source/binutils/dwarf.c:6469:40: runtime error: signed integer overflow: ... * ... cannot be represented in type 'int'
      1 ../../../source/binutils/readelf.c:15068:46: runtime error: signed integer overflow: ... - ... cannot be represented in type 'int'
      1 ../../../source/binutils/readelf.c:1615:7: runtime error: negation of ... cannot be represented in type 'long long int'; cast to an unsigned type to negate this value to itself
      1 ../../../source/binutils/readelf.c:1627:6: runtime error: negation of ... cannot be represented in type 'long long int'; cast to an unsigned type to negate this value to itself
Comment 83 Sourceware Commits 2015-02-10 17:14:40 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=03a91817f163986f10cb843f58e2f2cd9186e4f0

commit 03a91817f163986f10cb843f58e2f2cd9186e4f0
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Feb 10 17:13:31 2015 +0000

    Fixes for memory access violations triggered by running readelf on fuzzed binaries.
    
    	PR binutils/17531
    	* dwarf.c (process_debug_info): Zero the debug information array
    	since correct initialisation cannot be relied upon.
    	(process_cu_tu_index): Improve range checks.
Comment 84 Nick Clifton 2015-02-10 17:15:16 UTC
Hi Alexander,

> Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D` (32-bit)
> Errors:
>       8 Conditional jump or move depends on uninitialised value(s)
>       1 Invalid read of size ...
>       1 Process terminating with default action of signal 11 (SIGSEGV)
>       2 Use of uninitialised value of size ...

Fixed.

Cheers
  Nick
Comment 85 Sourceware Commits 2015-02-10 17:55:28 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=834f871cdc6e5d9f5bda9ce607fd3c47f41a2ade

commit 834f871cdc6e5d9f5bda9ce607fd3c47f41a2ade
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Feb 10 17:53:53 2015 +0000

    Fix memory access violations discovered by running readelf compiled with undefined memory access sanitization on fuzzed binaries.
    
    	PR binutils/17531
    	* dwarf.c (display_debug_pubnames_worker): Use dwarf_vma type for
    	offset.
    	* readelf.c (dump_relocations): Handle printing offsets which are
    	MIN_INT.
    	(process_corefile_note_segment): Add range check of the namesz
    	field.
Comment 86 Nick Clifton 2015-02-10 17:56:25 UTC
Hi Alexander,

> Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D` (32-bit) -- ubsan

> This is an experimental report. Attached samples expose undefined behavior.
> The errors are collected with binutils built with gcc-4.9
> -fsanitize=undefined (exact configure is in configure-ubsan.txt).
> 
> If it's useful I'll integrate it into the usual reports. If it's not useful
> feel free to ignore it.

I do find it useful, so please do integrate it into your reports.

> Errors:
>       1 ../../../source/binutils/dwarf.c:2771:3: runtime error: variable
> length array bound evaluates to non-positive value ...
>       1 ../../../source/binutils/dwarf.c:279:45: runtime error: shift
> exponent ... is too large for 64-bit type 'long long unsigned int'
>       1 ../../../source/binutils/dwarf.c:3781:4: runtime error: variable
> length array bound evaluates to non-positive value ...
>       1 ../../../source/binutils/dwarf.c:451:7: runtime error: variable
> length array bound evaluates to non-positive value ...
>       1 ../../../source/binutils/dwarf.c:5884:6: runtime error: variable
> length array bound evaluates to non-positive value ...
>       1 ../../../source/binutils/dwarf.c:5892:4: runtime error: variable
> length array bound evaluates to non-positive value ...
>       1 ../../../source/binutils/dwarf.c:6431:3: runtime error: signed
> integer overflow: ... * ... cannot be represented in type 'int'
>       1 ../../../source/binutils/dwarf.c:6437:29: runtime error: signed
> integer overflow: ... * ... cannot be represented in type 'int'
>       1 ../../../source/binutils/dwarf.c:6447:3: runtime error: signed
> integer overflow: ... * ... cannot be represented in type 'int'
>       1 ../../../source/binutils/dwarf.c:6453:29: runtime error: signed
> integer overflow: ... * ... cannot be represented in type 'int'
>       1 ../../../source/binutils/dwarf.c:6460:40: runtime error: signed
> integer overflow: ... * ... cannot be represented in type 'int'
>       1 ../../../source/binutils/dwarf.c:6469:40: runtime error: signed
> integer overflow: ... * ... cannot be represented in type 'int'
>       1 ../../../source/binutils/readelf.c:15068:46: runtime error: signed
> integer overflow: ... - ... cannot be represented in type 'int'
>       1 ../../../source/binutils/readelf.c:1615:7: runtime error: negation
> of ... cannot be represented in type 'long long int'; cast to an unsigned
> type to negate this value to itself
>       1 ../../../source/binutils/readelf.c:1627:6: runtime error: negation
> of ... cannot be represented in type 'long long int'; cast to an unsigned
> type to negate this value to itself

These should all be fixed now.

Cheers
  Nick
Comment 87 Alexander Cherepanov 2015-02-10 19:56:35 UTC
Created attachment 8119 [details]
Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D` (32-bit)

valgrind

Files: 1
Errors:
      1 Invalid read of size ...
      1 Process terminating with default action of signal 11 (SIGSEGV)

----------------------------------------------------------------------

catchsegv

Files: 2
Errors:
      2 *** Segmentation fault
Comment 88 Sourceware Commits 2015-02-11 13:06:22 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=362beea4b400bcd5aca3bb1215a77e9e749b07fe

commit 362beea4b400bcd5aca3bb1215a77e9e749b07fe
Author: Nick Clifton <nickc@redhat.com>
Date:   Wed Feb 11 13:05:04 2015 +0000

    Fixes for invalid memory accesses triggered by running readelf on fuzzed binaries.
    
    	PR binutils/17531
    	* dwarf.c (display_debug_pubnames_worker): Work around compiler
    	bug checking address ranges.
    	(display_debug_frames): Likewise.
    	(display_gdb_index): Likewise.
    	(process_cu_tu_index): Add range check on the ncols value.
Comment 89 Nick Clifton 2015-02-11 13:07:18 UTC
Hi Alexander,

> Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D` (32-bit)
> Errors:
>       1 Invalid read of size ...
>       1 Process terminating with default action of signal 11 (SIGSEGV)

Fixed.

Cheers
  Nick
Comment 90 Alexander Cherepanov 2015-02-12 01:03:41 UTC
Created attachment 8124 [details]
Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D` (32-bit)

catchsegv (crashes without valgrind only)

Files: 2
Errors:
      2 *** Segmentation fault
Comment 91 Sourceware Commits 2015-02-13 14:18:32 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ffc0f143c74a7d49f6d1ae3f835e404ef4e56772

commit ffc0f143c74a7d49f6d1ae3f835e404ef4e56772
Author: Nick Clifton <nickc@redhat.com>
Date:   Fri Feb 13 14:17:18 2015 +0000

    Fixes for memory access violations triggered by running readelf on fuzzed binaries.
    
    	PR binutils/17531
    	* dwarf.c (display_debug_aranges): Add check for an excessive
    	ar_length value.
    	(process_cu_tu_index): Check for a row * columns sum being too
    	large.
Comment 92 Nick Clifton 2015-02-13 14:18:59 UTC
Hi Alexander,

> Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D` (32-bit)
> Files: 2
> Errors:
>       2 *** Segmentation fault

Fixed.

Cheers
  Nick
Comment 93 Alexander Cherepanov 2015-02-13 23:53:32 UTC
Created attachment 8127 [details]
Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D` (32-bit)

valgrind

Files: 1
Errors:
      5 Invalid read of size ...
Comment 94 Nick Clifton 2015-02-27 10:15:00 UTC
Hi Alexander,

(In reply to Alexander Cherepanov from comment #93)
> Created attachment 8127 [details]
> Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D` (32-bit)
> 
> valgrind
> 
> Files: 1
> Errors:
>       5 Invalid read of size ...

I cannot reproduce these failures. :-{  Maybe they have already been fixed by one of the patches for PR 17512 ?

Cheers
  Nick
Comment 95 Sourceware Commits 2015-03-24 10:31:58 UTC
The binutils-2_25-branch branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=1dead8aee09e9ba148f6f44040122f62b5e4acea

commit 1dead8aee09e9ba148f6f44040122f62b5e4acea
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Mar 24 10:30:34 2015 +0000

    Import security fixes for readelf from the master branch:
    
    	2015-02-26  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* readelf.c (process_corefile_note_segment): Check for
    	inote.descdata extending beyond the end of the section.
    	(process_v850_notes): Likewise.
    
    	2015-02-24  Mike Frysinger  <vapier@gentoo.org>
    
    	PR binutils/17531
    	* readelf.c (process_symbol_table): Declare chained.  Increment it
    	in every loop.  Abort when chained is larger than nchains.  Move
    	error check outside of chain loop.
    
    	2015-02-10  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17531
    	* readelf.c (dump_relocations): Handle printing offsets which are
    	MIN_INT.
    	(process_corefile_note_segment): Add range check of the namesz
    	field.
    
    	2015-02-06  Nick Clifton  <nickc@redhat.com>
    
    	* readelf.c (process_mips_specific): Fail if an option has an
    	invalid size.
    
    	2015-02-03  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17531
    	* readelf.c (get_data): Change parameter types from size_t to
    	bfd_size_type.  Add checks for loss of accuracy when casting from
    	bfd_size_type to size_t.
    	(get_dynamic_data): Likewise.
    	(process_section_groups): Limit number of error messages.
    
    	2015-01-05  Nick Clifton  <nickc@redhat.com>
    
    	* readelf.c (slurp_ia64_unwind_table): Warn if the reloc could not
    	be identified.
    	(dynamic_section_mips_val): Warn if the timestamp is invalid.
    	(print_mips_got_entry): Add a data_end parameter.  Warn if a read
    	would go beyond the end of the data, and return an error value.
    	(process_mips_specific): Do not read options from beyond the end
    	of the section.
    	Correct code to display optional data at the end of an option.
    	Warn if there are too many GOT symbols.
    	Update calls to print_mips_got_entry, and handle error returns.
    
    	2014-12-08  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17531
    	* readelf.c (dump_ia64_unwind): Add range checks.
    	(slurp_ia64_unwind_table): Change to a boolean function.  Add
    	range checks.
    	(process_version_sections): Add range checks.
    	(get_symbol_version_string): Add check for missing section
    	headers.
    
    	2014-12-03  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17531
    	* readelf.c (get_machine_flags): Replace call to abort with a
    	warning message and a return value.
    	(get_elf_section_flags): Likewise.
    	(get_symbol_visibility): Likewise.
    	(get_ia64_symbol_other): Likewise.
    	(get_ia64_symbol_other): Likewise.
    	(is_32bit_abs_reloc): Likewise.
    	(apply_relocations): Likewise.
    	(display_arm_attribute): Likewise.
    
    	2014-12-01  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* dwarf.h (struct dwarf_section): Add user_data field.
    	* dwarf.c (frame_need_space): Check for an over large register
    	number.
    	(display_debug_frames): Check the return value from
    	frame_need_space.  Check for a CFA expression that is so long the
    	start address wraps around.
    	(debug_displays): Initialise the user_data field.
    	* objdump.c (load_specific_debug_section): Save the BFD section
    	pointer in the user_data field of the dwarf_section structure.
    	(free_debug_section): Update BFD section data when freeing section
    	contents.
    	* readelf.c (load_specific_debug_section): Initialise the
    	user_data field.
    
    	2014-12-01  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17531
    	* readelf.c (process_archive): Add range checks.
    
    	2014-11-28  Alan Modra  <amodra@gmail.com>
    
    	* readelf.c (get_32bit_elf_symbols): Cast bfd_size_type values to
    	unsigned long for %lx.
    	(get_64bit_elf_symbols, process_section_groups): Likewise.
    
    	2014-11-27  Espen Grindhaug <espen@grindhaug.org>
    	    Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17531
    	* readelf.c (get_data): Move excessive length check to earlier on
    	in the function and allow for wraparound in the arithmetic.
    	(get_32bit_elf_symbols): Terminate early if the section size is
    	zero.  Check for an invalid sh_entsize.  Check for an index
    	section with an invalid size.
    	(get_64bit_elf_symbols): Likewise.
    	(process_section_groups): Check for an invalid sh_entsize.
    
    	2014-11-21  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17531
    	* readelf.c (process_version_sections): Prevent an infinite loop
    	processing corrupt version need data.
    	(process_corefile_note_segment): Handle corrupt notes.
    
    	2014-11-18  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17531
    	* readelf.c (get_unwind_section_word): Skip reloc processing if
    	there are no relocs associated with the section.
    	(decode_tic6x_unwind_bytecode): Warn and return if the stack
    	pointer adjustment falls off the end of the buffer.
Comment 96 Sourceware Commits 2015-03-24 11:33:30 UTC
The binutils-2_25-branch branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=304a2b6fe67786b45889a784bf71aabf2a9d26fd

commit 304a2b6fe67786b45889a784bf71aabf2a9d26fd
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Mar 24 11:31:37 2015 +0000

    Import fixes for invalid memory access issues in the binutils DWARF parser from the trunk sources.
    
    	PR binutils/17512
    	* dwarf.c (display_debug_loc): Pacify the undefined behaviour
    	sanitizer by simplifying address difference calculation.
    	(struct Frame_Chunk): Change type of cfa_offset to dwarf_vma in
    	order to avoid arithmetic overflows.
    	(frame_display_row): Cast cfa_offset before printing it.
    	(display_debug_frames): Likewise.
    	Check for an unexpected segment size.
    	Change type of 'l' local to dwarf_vma and cast it back to an int
    	when printing.
    	(process_cu_tu_index): Tighten check for an invalid ncols value.
    	* readelf.c (process_corefile_note_segment): Check for
    	inote.descdata extending beyond the end of the section.
    	(process_v850_notes): Likewise.
    
    	2015-02-13  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* dwarf.c (read_leb128): Fix test for shift becoming too large.
    
    	PR binutils/17531
    	* dwarf.c (display_debug_aranges): Add check for an excessive
    	ar_length value.
    	(process_cu_tu_index): Check for a row * columns sum being too
    	large.
    
    	2015-02-13  Alan Modra  <amodra@gmail.com>
    
    	* dwarf.c: Formatting, whitespace.
    	(process_debug_info): Style fix.
    
    	2015-02-11  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17531
    	* dwarf.c (display_debug_pubnames_worker): Work around compiler
    	bug checking address ranges.
    	(display_debug_frames): Likewise.
    	(display_gdb_index): Likewise.
    	(process_cu_tu_index): Add range check on the ncols value.
    
    	2015-02-10  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* dwarf.c (eh_addr_size): Use an unsigned type.
    	(size_of_encoded_value): Return an unsigned type.
    	(read_leb128): Break if the shift becomes too big.
    	(process_extended_line_op): Do not read the address if the length
    	is too long.
    	(read_cie): Warn and fail if the pointer size or segment size are
    	too big.
    	* dwarf.h (DWARF2_External_LineInfo): Delete unused and incorrect
    	structure definition.
    	(DWARF2_External_PubNames): Likewise.
    	(DWARF2_External_CompUnit): Likewise.
    	(DWARF2_External_ARange): Likewise.
    	(DWARF2_Internal_LineInfo): Use dwarf_vma type for
    	li_prologue_length.
    	(eh_addr_size): Update prototype.
    
    	PR binutils/17531
    	* dwarf.c (process_debug_info): Zero the debug information array
    	since correct initialisation cannot be relied upon.
    	(process_cu_tu_index): Improve range checks.
    
    	PR binutils/17531
    	* dwarf.c (display_debug_pubnames_worker): Use dwarf_vma type for
    	offset.
    
    	2015-02-06  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* dwarf.c (display_debug_frames): Fix range checks to work on
    	32-bit binaries compiled on a 64-bit host.
    
    	PR binutils/17531
    	* dwarf.c (xcmalloc): Fail if the arguments are too big.
    	(xcrealloc): Likewise.
    	(xcalloc2): Likewise.
    	* readelf.c (process_mips_specific): Fail if an option has an
    	invalid size.
    
    	2015-02-05  Alan Modra  <amodra@gmail.com>
    
    	PR binutils/17926
    	* dwarf.c (dwarf_select_sections_by_letters): Don't refer to optarg.
    
    	2015-02-04  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17531
    	* dwarf.c (read_and_display_attr_value): Test for a block length
    	being so long that it wraps around to before the start of the block.
    	(process_debug_info): Test for section_begin wrapping around to
    	before the start of the section.
    	(display_gdb_index): Test for num_cus being so large that the end
    	address wraps around to before the start of the section.
    	(process_cu_tu_index): Test for j being so large that the section
    	index pool wraps around to before the start of the section.
    
    	2015-02-03  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17531
    	* dwarf.c (process_debug_info): Add range check.
    	(display_debug_pubnames_worker): Likewise.
    	(display_gdb_index): Fix range check.
    	(process_cu_tu_index): Add range check.
    	* readelf.c (get_data): Change parameter types from size_t to
    	bfd_size_type.  Add checks for loss of accuracy when casting from
    	bfd_size_type to size_t.
    	(get_dynamic_data): Likewise.
    	(process_section_groups): Limit number of error messages.
    
    	2015-01-12  H.J. Lu  <hongjiu.lu@intel.com>
    
    	* dwarf.c (process_debug_info): Properly check abbrev size.
    
    	2015-01-12  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17531
    	* dwarf.c (process_debug_info): Check for abbrev_base being larger
    	than the section size.
    	(process_cu_tu_index): Use xcalloc2 to allocate the CU and TU
    	arrays.
    	(xcalloc2): New function.  Like xcalloc, but checks for overflow.
    	(display_debug_addr): Use xcalloc to allocate the debug_addr_info
    	array.  Check for an address_base that is too large.
    
    	* dwarf.h (xcalloc2): Prototype.
    
    	2015-01-05  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17531
    	* dwarf.c (alloc_num_debug_info_entries): New variable.
    	(process_debug_info): Set it.  Use it to avoid displaying
    	attributes for which there is no info.
    	(display_debug_abbrev): Check that the debug_info_entry index is
    	valid before using it.
    	(display_loc_list_dwo): Likewise.
    	(process_cu_tu_index): Add range check for an overlarge dw_sect
    	value.
    	(free_debug_memory): Reset alloc_num_debug_info_entries.
    
    	2014-12-22  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17531
    	* dwarf.c (decode_location_expression): Check for an out of range
    	value for a DW_OP_GNU_entry_value expression.
    	(display_debug_lines_raw): Check for a partial
    	.debug_line. section being encountered without a prior, full
    	.debug.line section.
    	(display_debug_lines_decoded): Likewise.  Also check for
    	li_line_range being zero.
    	(display_debug_pubnames_worker): Check for an invalid pn_length
    	field.
    	(read_cie): Add range checks.
    
    	2014-12-11  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* dwarf.c (display_gdb_index): Add more range checks.
    
    	2014-12-08  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17531
    	* dwarf.c (display_debug_frames): Check for a negative
    	augmentation data length.
    	(display_gdb_index): Check for invalid offsets.
    
    	2014-12-01  H.J. Lu  <hongjiu.lu@intel.com>
    
    	* dwarf.c (process_cu_tu_index): Properly check for an out of
    	range row index.
    
    	2014-12-01  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* dwarf.h (struct dwarf_section): Add user_data field.
    	* dwarf.c (frame_need_space): Check for an over large register
    	number.
    	(display_debug_frames): Check the return value from
    	frame_need_space.  Check for a CFA expression that is so long the
    	start address wraps around.
    	(debug_displays): Initialise the user_data field.
    	* objdump.c (load_specific_debug_section): Save the BFD section
    	pointer in the user_data field of the dwarf_section structure.
    	(free_debug_section): Update BFD section data when freeing section
    	contents.
    	* readelf.c (load_specific_debug_section): Initialise the
    	user_data field.
    
    	2014-12-01  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17531
    	* dwarf.c (process_cu_tu_index): Check for an out of range row
    	index.
    	* elfcomm.c (adjust_relative_path): Change name_len parameter to
    	an unsigned long.  Check for path length overflow.
    	(process_archive_index_and_symbols): Check for invalid header
    	size.
    	(setup_archive): Add checks for invalid archives.
    	(get_archive_member_name): Add range checks.
    	* elfcomm.h (adjust_relative_path): Update prototype.
    	* readelf.c (process_archive): Add range checks.
    
    	2014-11-26  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* dwarf.c (display_block): Do nothing if the block starts after
    	the end of the buffer.
    	(read_and_display_attr_value): Add range checks.
    	(struct Frame_Chunk): Make the ncols and ra fields unsigned.
    	(frame_need_space): Test for an ncols of zero.
    	(read_cie): Fail if the augmentation data extends off the end of
    	the buffer.
    	(display_debug_frames): Add checks for read_cie failing.  Add
    	range checks.
    
    	2014-11-21  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* dwarf.c (get_encoded_value): Check for an encoded size of 0.
    	(display_debug_lines_raw): Check for an invalid line range value.
    	(display_debug_frames): Check for corrupt augmentation data.
    
    	2014-11-19  Jan-Benedict Glaw  <jbglaw@lug-owl.de>
    
    	* dwarf.c (process_extended_line_op): Fix signedness warning.
    
    	2014-11-18  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* dwarf.c (get_encoded_value): Warn and return if the encoded
    	value is more than 64-bits long.
    	(SAFE_BYTE_GET): Do not attempt to read more than 64-bits.
    	(process_extended_line_op): Add more range checks.
    	(decode_location_expression): Use the return value from
    	display_block.  Add more range checks.
    	(read_debug_line_header): Add range check.
    	(display_debug_lines_raw): Add range checks.
    	(display_debug_frames): Silently skip multiple zero terminators.
    	Add range checks.
    	(process_cu_tu_index): Check for non-existent or empty sections.
    	Use SAFE_BYTE_GET instead of byte_get.
Comment 97 Nick Clifton 2016-01-25 14:24:46 UTC
*** Bug 19518 has been marked as a duplicate of this bug. ***
Comment 98 Sourceware Commits 2017-02-24 13:52:10 UTC
The master branch has been updated by Maciej W. Rozycki <macro@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=c9f02c3e29498fd9ecb1a9719c317c305fe509ae

commit c9f02c3e29498fd9ecb1a9719c317c305fe509ae
Author: Maciej W. Rozycki <macro@imgtec.com>
Date:   Thu Feb 23 18:16:11 2017 +0000

    readelf: Fix incorrect "Version definition past end of section" message
    
    Fix a commit 74e1a04b9787 ("More fixes for reading corrupt ELF files.")
    `readelf --version-info' regression that caused "Version definition past
    end of section" to be always printed at the end, even with good section
    data.
    
    For example with the `mips-linux' target we get:
    
    $ cat ver_def.s
    	.data
    	.globl	new_foo
    	.type	new_foo, %object
    new_foo:
    	.symver	new_foo, foo@@ver_foo
    $ cat ver_def.ver
    { global: *foo*; local: *; };
    $ as -o ver_def.o ver_def.s
    $ ld -e 0 --export-dynamic --version-script=ver_def.ver -o ver_def ver_def.o
    $ readelf -V ver_def
    
    Version symbols section '.gnu.version' contains 4 entries:
     Addr: 000000000000007e  Offset: 0x01007e  Link: 2 (.dynsym)
      000:   0 (*local*)       2 (ver_foo)       1 (*global*)      2 (ver_foo)
    
    Version definition section '.gnu.version_d' contains 2 entries:
      Addr: 0x0000000000000088  Offset: 0x010088  Link: 3 (.dynstr)
      000000: Rev: 1  Flags: BASE   Index: 1  Cnt: 1  Name: ver_def
      0x001c: Rev: 1  Flags: none  Index: 2  Cnt: 1  Name: ver_foo
      Version definition past end of section
    $
    
    The cause is the `if (idx + ent.vd_next <= idx)' condition introduced to
    ensure forward progress, which however always triggers for good version
    definition section data as the last entry will have its `vd_next' value
    set to 0.
    
    Adjust the condition then, to say `if (idx + ent.vd_next < idx)' instead
    and to ensure forward progress limit the number of entries processed to
    the size of the version definition section, removing the problematic
    message from output quoted above, while ensuring the original PR 17531
    test case is still handled gracefully.
    
    Add a suitable test case so that we have `readelf --version-info'
    coverage; due to the lack of infrastructure needed to run the linker in
    the `binutils' test suite and limited justification to implement it add
    a new `readelf.exp' script to the `ld' test suite instead, intended to
    gather any `readelf' test cases that require the linker to be run.  If
    ever we decide to have linker infrastructure added to the `binutils'
    test suite, then the script can be moved between the test suites.
    
    	binutils/
    	* readelf.c (process_version_sections) <SHT_GNU_verdef>: Limit
    	the number of entries processed by the section size.  Don't
    	break out of the loop if `ent.vd_next' is 0.
    
    	ld/
    	* testsuite/ld-elf/ver_def.d: New test.
    	* testsuite/ld-elf/ver_def.ld: New test linker script.
    	* testsuite/ld-elf/ver_def.ver: New test version script.
    	* testsuite/ld-elf/ver_def.s: New test source.
    	* testsuite/ld-elf/readelf.exp: New test script.
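The forward-progress regression this commit describes, as an added C example that is not readelf's code: a constructed two-entry `.gnu.version_d` image shaped like the quoted output (second entry at 0x001c) is walked once with the original `<=` overflow test and once with the corrected `<` test plus a loop bound taken from the section size. The struct layout mirrors `Elf64_Verdef`, but the field values, helper names and status reporting are assumptions made for the example.

```c
#include <stdint.h>
#include <string.h>

/* Elf64_Verdef header, same field layout as <elf.h>; declared here so the
 * example builds without ELF headers.  Fields are in host byte order. */
struct verdef {
    uint16_t vd_version, vd_flags, vd_ndx, vd_cnt;
    uint32_t vd_hash, vd_aux, vd_next;
};

#define SEC_SIZE 0x38   /* two 20-byte headers, each followed by an 8-byte verdaux */

/* Build a constructed .gnu.version_d image like the one in the commit
 * message: entry 0 at offset 0, entry 1 at 0x1c.  next0/next1 are the
 * vd_next links; a caller passes a bad link to simulate a fuzzed section. */
static size_t make_section(uint8_t *buf, uint32_t next0, uint32_t next1)
{
    struct verdef e0 = { 1, 1 /* VER_FLG_BASE */, 1, 1, 0, 20, next0 };
    struct verdef e1 = { 1, 0, 2, 1, 0, 20, next1 };
    memset(buf, 0, SEC_SIZE);
    memcpy(buf, &e0, sizeof e0);
    memcpy(buf + 0x1c, &e1, sizeof e1);
    return SEC_SIZE;
}

/* Walk the version definitions.  sh_info is the entry count the section
 * header claims; old_check selects the `<=` overflow test the commit
 * replaced.  Returns entries decoded; *past_end mirrors readelf's
 * "Version definition past end of section" condition (cnt < sh_info). */
static unsigned walk_verdef(const uint8_t *sec, size_t sh_size, unsigned sh_info,
                            int old_check, int *past_end)
{
    size_t idx = 0;
    unsigned cnt;
    /* cnt < sh_size bounds the loop even when vd_next is 0 and sh_info
     * is a huge fuzzed value: every iteration consumes at least one byte. */
    for (cnt = 0; cnt < sh_info && cnt < sh_size; ++cnt) {
        struct verdef ent;
        if (idx + sizeof ent > sh_size)   /* header would run off the section */
            break;
        memcpy(&ent, sec + idx, sizeof ent);
        /* Wraparound check.  `<=` also fires on the legitimate vd_next == 0
         * of the last entry, which is the regression being fixed. */
        if (old_check ? (idx + ent.vd_next <= idx) : (idx + ent.vd_next < idx))
            break;
        idx += ent.vd_next;
    }
    *past_end = cnt < sh_info;
    return cnt;
}
```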
Comment 99 Sourceware Commits 2017-09-27 08:02:08 UTC
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=6bd6a03d6975a96802b37741a99644570e52a72b

commit 6bd6a03d6975a96802b37741a99644570e52a72b
Author: Alan Modra <amodra@gmail.com>
Date:   Wed Sep 27 15:14:00 2017 +0930

    PR22216, infinite loop in readelf process_symbol_table
    
    This should make readelf bombproof given a fuzzed DT_HASH.  Also
    removes a bogus check that would have resulted in wrong histograms.
    
    	PR 22216
    	* readelf.c (process_symbol_table): Check that DT_HASH symbol
    	chains are only visited once, and report an error if not.  Display
    	invalid symbol index if chain is out of range.  Use the same logic
    	when calculating histograms rather than the PR 17531 fix.  Delete
    	bogus check that chained index is less than number of buckets.
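The DT_HASH chain check this commit describes, as an added C example that is not readelf's code: every symbol index may be visited once across the whole table, an index at or beyond nchain is reported as invalid, and the bucket-count comparison the commit deletes is not applied. The array representation, status codes and helper name are assumptions made for the example; the tables in the test are constructed.

```c
#include <stdint.h>
#include <stdlib.h>

enum { HASH_OK = 0, HASH_CYCLE = 1, HASH_OUT_OF_RANGE = 2, HASH_NOMEM = 3 };

/* Walk every chain of a SysV DT_HASH table: bucket[nbucket] holds the first
 * symbol index of each chain, chain[nchain] the next index, 0 terminates.
 * Returns the number of symbols reached; *status reports corruption.
 * lengths[b], when non-NULL, receives chain b's length (histogram input).
 * Arrays are constructed host-order uint32_t, not bytes read from a file. */
static size_t walk_hash_chains(const uint32_t *bucket, uint32_t nbucket,
                               const uint32_t *chain, uint32_t nchain,
                               uint32_t *lengths, int *status)
{
    /* One flag per symbol index: a chain element may be visited only once
     * across the whole table, otherwise some chain loops back on itself. */
    uint8_t *visited = calloc(nchain ? nchain : 1, 1);
    size_t reached = 0;
    *status = visited ? HASH_OK : HASH_NOMEM;
    for (uint32_t b = 0; b < nbucket && *status == HASH_OK; ++b) {
        uint32_t len = 0;
        for (uint32_t si = bucket[b]; si != 0; si = chain[si]) {
            /* Chain entries are symbol indices, so nchain is the bound;
             * comparing against nbucket (the check the commit deletes)
             * would reject valid tables. */
            if (si >= nchain) { *status = HASH_OUT_OF_RANGE; break; }
            if (visited[si])  { *status = HASH_CYCLE; break; }
            visited[si] = 1;
            ++reached;
            ++len;
        }
        if (lengths)
            lengths[b] = len;
    }
    free(visited);
    return reached;
}
```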
Comment 100 Alan Modra 2022-08-02 07:00:36 UTC
fixed a while ago