Created attachment 7882
`readelf -a` crashes

`readelf -a` (both 2.24 and head) fails on some fuzzed samples:
- crashes -- readelf-crash attached;
- triggers assertions -- readelf-assert;
- loops forever -- readelf-loop.

Created attachment 7883
`readelf -a` assertion failed

Created attachment 7884
`readelf -a` loops forever

Created attachment 7889
Fixes for readelf problems
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "gdb and binutils".

The branch, master has been updated
       via  049b0c3a2467c785f9068915d81fdba4985470bf (commit)
      from  e0f52461c2467b6610391681fa27cd9b3c5def57 (commit)

Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=049b0c3a2467c785f9068915d81fdba4985470bf

commit 049b0c3a2467c785f9068915d81fdba4985470bf
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Nov 4 11:58:16 2014 +0000

    Fixes for crashes running readelf.

        PR binutils/17531
        * readelf.c (get_data): If the reason parameter is null, do not
        print any error messages.
        (get_32bit_section_headers): Verify section header entry size
        before reading in the section headers.
        (get_64bit_section_headers): Likewise.
        (process_section_headers): Pass FALSE to get_section_headers.
        (get_file_header): Pass TRUE to get_section_headers.
        (process_dynamic_section): Change an assert to an error message.
        (process_symbol_table): Handle corrupt histograms.

-----------------------------------------------------------------------

Summary of changes:
 binutils/ChangeLog |  13 ++++++
 binutils/readelf.c | 116 +++++++++++++++++++++++++++++++++++++---------------
 2 files changed, 96 insertions(+), 33 deletions(-)
Hi Alexander,

I have uploaded the master branch with the uploaded patch. Please give it a try.

Cheers
Nick
Created attachment 7890
Crashers for `readelf -a`

Files: 8
Errors:
   2 Conditional jump or move depends on uninitialised value(s)
  49 Invalid read of size ...
   4 Process terminating with default action of signal 11 (SIGSEGV)
   3 Use of uninitialised value of size ...

Created attachment 7892
More readelf fixes
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "gdb and binutils".

The branch, master has been updated
       via  e0a31db1b16fe0a010aa46185e4a31a08e7fd97f (commit)
      from  bb0d867169d7e9743d229804106a8fbcab7f3b3f (commit)

Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e0a31db1b16fe0a010aa46185e4a31a08e7fd97f

commit e0a31db1b16fe0a010aa46185e4a31a08e7fd97f
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Nov 4 15:29:03 2014 +0000

    More fixes for memory corruption when readelf processes corrupt files.

        PR binutils/17531
        (get_32bit_program_headers): Verify program header entry size
        before reading in the program headers.
        (get_64bit_program_headers): Likewise.
        (get_unwind_section_word): Do nothing if no section was provided.
        Fail if the offset is outside of the section.
        (print_dynamic_symbol): Catch out of range symbol indices.
        (process_mips_specific): Likewise.
        (process_attributes): Make sure that there is enough space left in
        the section before attempting to read the length of the next
        attribute.

-----------------------------------------------------------------------

Summary of changes:
 binutils/ChangeLog |  11 +++
 binutils/readelf.c | 173 ++++++++++++++++++++++++++++++++++++++--------------
 2 files changed, 138 insertions(+), 46 deletions(-)
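The two commits above describe the same defensive pattern twice: verify the header entry size before trusting a count of entries, bound the whole table against the file size, and reject any index that falls outside the table. The block below is an added example, not binutils code, of those checks over constructed ELF64 images; `validate_section_headers`, `read_section_header`, `build_image` and `section_type_at` are this example's own names, and it assumes a little-endian host.

```c
/* Added example (not binutils code): the checks the commits above describe,
 * verifying e_shentsize and the table's extent before reading section headers
 * and range-checking every section index, run on constructed ELF64 images.
 * Assumes a little-endian host so the spec-layout structs can be memcpy'd. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define EHDR_SIZE 64   /* sizeof(Elf64_Ehdr) */
#define SHDR_SIZE 64   /* sizeof(Elf64_Shdr) */

typedef struct {
    unsigned char e_ident[16];
    uint16_t e_type, e_machine;
    uint32_t e_version;
    uint64_t e_entry, e_phoff, e_shoff;
    uint32_t e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} Elf64_Ehdr_t;

typedef struct {
    uint32_t sh_name, sh_type;
    uint64_t sh_flags, sh_addr, sh_offset, sh_size;
    uint32_t sh_link, sh_info;
    uint64_t sh_addralign, sh_entsize;
} Elf64_Shdr_t;

enum { ELF_OK = 0, ELF_E_SHORT = -1, ELF_E_MAGIC = -2, ELF_E_ENTSIZE = -3,
       ELF_E_RANGE = -4, ELF_E_INDEX = -5 };

/* Locate the section header table, refusing anything the file cannot hold. */
int validate_section_headers(const unsigned char *buf, size_t len,
                             uint64_t *shoff, size_t *shnum)
{
    Elf64_Ehdr_t eh;
    if (len < EHDR_SIZE) return ELF_E_SHORT;
    memcpy(&eh, buf, EHDR_SIZE);
    if (memcmp(eh.e_ident, "\x7f" "ELF", 4) != 0 || eh.e_ident[4] != 2 /* ELFCLASS64 */
        || eh.e_ident[5] != 1 /* ELFDATA2LSB */)
        return ELF_E_MAGIC;
    if (eh.e_shnum == 0) { *shoff = 0; *shnum = 0; return ELF_OK; }  /* no table at all */
    /* The entry size is verified before it is multiplied by anything. */
    if (eh.e_shentsize != SHDR_SIZE) return ELF_E_ENTSIZE;
    /* The offset is compared on its own first, so offset + count * size can never wrap. */
    if (eh.e_shoff > len) return ELF_E_RANGE;
    /* Divide rather than multiply: how many whole entries fit after e_shoff? */
    if (eh.e_shnum > (len - eh.e_shoff) / SHDR_SIZE) return ELF_E_RANGE;
    *shoff = eh.e_shoff; *shnum = eh.e_shnum;
    return ELF_OK;
}

/* Fetch one header by index; a corrupt sh_link or e_shstrndx is caught here. */
int read_section_header(const unsigned char *buf, size_t len, uint64_t idx, Elf64_Shdr_t *out)
{
    uint64_t shoff; size_t shnum;
    int rc = validate_section_headers(buf, len, &shoff, &shnum);
    if (rc != ELF_OK) return rc;
    if (idx >= shnum) return ELF_E_INDEX;
    memcpy(out, buf + shoff + idx * SHDR_SIZE, SHDR_SIZE);
    return ELF_OK;
}

/* Constructed in-memory images (not real binaries): a 64-byte header followed by
 * two section headers (null section, then an SHT_SYMTAB), one field corrupted per case. */
enum { IMG_GOOD, IMG_BAD_ENTSIZE, IMG_HUGE_SHNUM, IMG_SHOFF_WRAP, IMG_TRUNCATED };
#define IMG_LEN (EHDR_SIZE + 2 * SHDR_SIZE)

size_t build_image(int kind, unsigned char *buf)
{
    Elf64_Ehdr_t eh; Elf64_Shdr_t symtab; size_t len = IMG_LEN;
    memset(buf, 0, IMG_LEN); memset(&eh, 0, sizeof eh); memset(&symtab, 0, sizeof symtab);
    memcpy(eh.e_ident, "\x7f" "ELF", 4);
    eh.e_ident[4] = 2; eh.e_ident[5] = 1; eh.e_ident[6] = 1;   /* 64-bit, LSB, EV_CURRENT */
    eh.e_ehsize = EHDR_SIZE; eh.e_shentsize = SHDR_SIZE; eh.e_shoff = EHDR_SIZE; eh.e_shnum = 2;
    switch (kind) {
    case IMG_BAD_ENTSIZE: eh.e_shentsize = 40;             break;  /* wrong entry size */
    case IMG_HUGE_SHNUM:  eh.e_shnum = 0xffff;             break;  /* 4 MiB table in a 192-byte file */
    case IMG_SHOFF_WRAP:  eh.e_shoff = UINT64_MAX - 8;     break;  /* offset + size wraps to a small number */
    case IMG_TRUNCATED:   len = EHDR_SIZE + SHDR_SIZE / 2; break;  /* file ends mid-table */
    default: break;
    }
    memcpy(buf, &eh, EHDR_SIZE);
    symtab.sh_type = 2; symtab.sh_entsize = 24;   /* SHT_SYMTAB, sizeof(Elf64_Sym) */
    memcpy(buf + EHDR_SIZE + SHDR_SIZE, &symtab, SHDR_SIZE);   /* section index 1 */
    return len;
}

/* sh_type of section IDX in image KIND, or the negative code that rejected the read. */
long section_type_at(int kind, uint64_t idx)
{
    unsigned char buf[IMG_LEN]; Elf64_Shdr_t sh;
    size_t len = build_image(kind, buf);
    int rc = read_section_header(buf, len, idx, &sh);
    return rc == ELF_OK ? (long)sh.sh_type : rc;
}
```

`section_type_at(IMG_HUGE_SHNUM, 1)` is the case behind the "fishy (possibly negative) value" malloc reports later in this thread: the old code multiplied first and allocated, the checked version never reaches an allocation.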
Hi Alexander,

Please update your master branch and try again...

Cheers
Nick
Created attachment 7895
More crashers

Files: 10
Errors:
   2 Conditional jump or move depends on uninitialised value(s)
  45 Invalid read of size ...
   5 Process terminating with default action of signal 11 (SIGSEGV)
   3 Use of uninitialised value of size ...

And 011-12666-0.004 gives "readelf.c:7770: arm_process_unwind: Assertion `aux.strtab == ((void *)0)' failed."

Created attachment 7901
Third readelf patch

Hi Alexander,

Please update your master branch and try again...

Cheers
Nick

Created attachment 7906
More badness for `readelf -a`

Files: 16
Errors:
  13 Argument 'size' of function malloc has a fishy (possibly negative) value: ...
   3 Conditional jump or move depends on uninitialised value(s)
   1 Invalid read of size ...
   1 Process terminating with default action of signal 11 (SIGSEGV)
   2 Use of uninitialised value of size ...

Not all samples crash with SIGSEGV; most have problems with memory allocation. Anyway, all their badness is described in list.txt inside the archive.

Created attachment 7911
More badness for `readelf -a`

Files: 11
Errors:
  40 Invalid read of size ...
   2 Process terminating with default action of signal 11 (SIGSEGV)
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "gdb and binutils".

The branch, master has been updated
       via  071436c6e94be13904438b6eb70ee79c73354a61 (commit)
      from  56aedec7ab6a1da818ed900827e3a2eb1f5cc5d2 (commit)

Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=071436c6e94be13904438b6eb70ee79c73354a61

commit 071436c6e94be13904438b6eb70ee79c73354a61
Author: Nick Clifton <nickc@redhat.com>
Date:   Fri Nov 7 13:39:45 2014 +0000

    Add more fixes for invalid memory accesses triggered by corrupt files.

        PR binutils/17531
        * readelf.c (get_data): Avoid allocating memory when we know that
        the read will fail.
        (find_section_by_type): New function.
        (get_unwind_section_word): Check for invalid symbol indices.
        Check for invalid reloc types.
        (get_32bit_dynamic_section): Add range checks.
        (get_64bit_dynamic_section): Add range checks.
        (process_dynamic_section): Check for a corrupt time value.
        (process_symbol_table): Add range checks.
        (dump_section_as_strings): Add string length range checks.
        (display_tag_value): Likewise.
        (display_arm_attribute): Likewise.
        (display_gnu_attribute): Likewise.
        (display_tic6x_attribute): Likewise.
        (display_msp430x_attribute): Likewise.
        (process_mips_specific): Add range check.

-----------------------------------------------------------------------

Summary of changes:
 binutils/ChangeLog |  20 ++++
 binutils/readelf.c | 297 ++++++++++++++++++++++++++++++++++++----------------
 2 files changed, 226 insertions(+), 91 deletions(-)

Hi Alexander,

I have updated the master branch with fixes for the new tests that you provided. Please give the new sources a spin.

Cheers
Nick
Created attachment 7915
One more crash

Cool! Only one crash so far. But there are some asserts (attached next). And a lot of hangs and memory exhaustions, but they are harder to deduplicate and probably not so dangerous from a security POV.

Created attachment 7916
Assertions failed

Files: 11
Errors:
   1 readelf.c:10471: process_syminfo: Assertion `i < num_dynamic_syms' failed.
   1 readelf.c:12897: process_attributes: Assertion `p <= end' failed.
   6 readelf.c:435: print_symbol: Assertion `width != 0' failed.
   1 readelf.c:6470: ia64_process_unwind: Assertion `aux.strtab == ((void *)0)' failed.
   1 readelf.c:6881: hppa_process_unwind: Assertion `aux.strtab == ((void *)0)' failed.
   1 readelf.c:7362: decode_arm_unwind_bytecode: Assertion `i < sizeof (buf)' failed.

(In reply to Alexander Cherepanov from comment #16)
> Created attachment 7915
> One more crash

Files: 1
Errors:
   1 Invalid read of size ...
   1 Process terminating with default action of signal 11 (SIGSEGV)

Hi Alexander.

Please try again ...

Cheers
Nick
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "gdb and binutils".

The branch, master has been updated
       via  4082ef846466438ea2cd5b3606f304f6fded152b (commit)
      from  5e186ece2feebb46e63ff6bb2d2490aad0d5a724 (commit)

Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=4082ef846466438ea2cd5b3606f304f6fded152b

commit 4082ef846466438ea2cd5b3606f304f6fded152b
Author: Nick Clifton <nickc@redhat.com>
Date:   Mon Nov 10 16:32:32 2014 +0000

    More fixes for assertion failures and out-of-bounds reads by readelf.

        PR binutils/17531
        * (ia64_process_unwind): Replace assertion with an error message.
        Add range checking for group section indices.
        (hppa_process_unwind): Replace assertion with an error message.
        (process_syminfo): Likewise.
        (decode_arm_unwind_bytecode): Add range checking.
        (dump_section_as_strings): Add more string range checking.
        (display_tag_value): Likewise.
        (display_arm_attribute): Likewise.
        (display_gnu_attribute): Likewise.
        (display_tic6x_attribute): Likewise.
        (display_msp430x_attribute): Likewise.

-----------------------------------------------------------------------

Summary of changes:
 binutils/ChangeLog |  15 +++++
 binutils/readelf.c | 179 +++++++++++++++++++++++++++++++++++++--------------
 2 files changed, 143 insertions(+), 51 deletions(-)

Created attachment 7920
One more assertion failed

Files: 1
Errors:
   1 readelf.c:12975: process_attributes: Assertion `p <= end' failed.

This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "gdb and binutils".

The branch, master has been updated
       via  541a3cbda9de8ae8888906cfe14887c394a3f772 (commit)
      from  201159ecec7e17600df4153e5d4e7a145f0c7cfe (commit)

Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=541a3cbda9de8ae8888906cfe14887c394a3f772

commit 541a3cbda9de8ae8888906cfe14887c394a3f772
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Nov 11 16:15:47 2014 +0000

    Prevent a buffer overrun whilst displaying corrupt ARM tags.

        PR binutils/17531
        * readelf.c (display_arm_attribute): Avoid reading off the end of
        the buffer when processing a Tag_nodefaults.

-----------------------------------------------------------------------

Summary of changes:
 binutils/ChangeLog | 6 ++++++
 binutils/readelf.c | 4 +++-
 2 files changed, 9 insertions(+), 1 deletions(-)
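The `p <= end` assertions in process_attributes and the Tag_nodefaults overrun in display_arm_attribute are all failures of the same invariant: a length field read from the file was used to move a cursor without first being checked against the enclosing bound. The block below is an added example, not binutils code, of walking the ARM-style build-attributes layout (version byte, length-prefixed vendor subsections, tag/size-prefixed sub-subsections, ULEB128 attribute pairs) with that bound carried into every read; the sample bytes are constructed, value decoding is simplified to ULEB128 for all tags, and `walk_attributes`, `build_sample` and `sample_tag_value` are this example's own names.

```c
/* Added example (not binutils code): walking an ARM-style build-attributes
 * section with the end bound carried into every read, so `p <= end` holds by
 * construction instead of by assertion. Values are decoded as ULEB128 for all
 * tags (a simplification; real ARM attributes also have string-valued tags). */
#include <stdint.h>
#include <string.h>

enum { ATTR_OK = 0, ATTR_NOT_FOUND = -1, ATTR_E_VERSION = -2,
       ATTR_E_LENGTH = -3, ATTR_E_NAME = -4, ATTR_E_ULEB = -5 };

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Decode one ULEB128 value without reading at or past END; returns bytes consumed, 0 on error. */
static size_t read_uleb128(const uint8_t *p, const uint8_t *end, uint64_t *val)
{
    uint64_t result = 0; unsigned shift = 0; size_t n = 0;
    while (p + n < end && shift < 64) {
        uint8_t b = p[n++];
        result |= (uint64_t)(b & 0x7f) << shift;
        if (!(b & 0x80)) { *val = result; return n; }
        shift += 7;
    }
    return 0;   /* reached END (or an oversized value) before the terminating byte */
}

/* Layout: 'A', then subsections { uint32 length (self-inclusive), NTBS vendor, sub-subsections
 * { uint8 tag, uint32 size (self-inclusive), payload } }. Collects file-scope (tag 1) pairs. */
int walk_attributes(const uint8_t *sec, size_t len,
                    uint64_t *tags, uint64_t *vals, size_t max, size_t *count)
{
    const uint8_t *end = sec + len, *p; *count = 0;
    if (len < 1 || sec[0] != 'A') return ATTR_E_VERSION;
    for (p = sec + 1; p < end; ) {
        if ((size_t)(end - p) < 4) return ATTR_E_LENGTH;    /* room for the length field itself? */
        uint32_t sublen = le32(p);
        if (sublen < 4 || sublen > (size_t)(end - p)) return ATTR_E_LENGTH;
        const uint8_t *sub_end = p + sublen, *q = p + 4;
        const uint8_t *nul = memchr(q, 0, (size_t)(sub_end - q));  /* vendor name must end inside */
        if (nul == NULL) return ATTR_E_NAME;
        for (q = nul + 1; q < sub_end; ) {
            if ((size_t)(sub_end - q) < 5) return ATTR_E_LENGTH;  /* tag byte + 32-bit size */
            uint8_t tag = q[0]; uint32_t size = le32(q + 1);
            if (size < 5 || size > (size_t)(sub_end - q)) return ATTR_E_LENGTH;
            const uint8_t *r = q + 5, *ss_end = q + size;
            if (tag == 1) {
                while (r < ss_end) {
                    uint64_t t, v; size_t n;
                    if ((n = read_uleb128(r, ss_end, &t)) == 0) return ATTR_E_ULEB;
                    r += n;
                    if ((n = read_uleb128(r, ss_end, &v)) == 0) return ATTR_E_ULEB;
                    r += n;
                    if (*count < max) { tags[*count] = t; vals[*count] = v; }
                    (*count)++;
                }
            }
            q = ss_end;   /* section/symbol scoped blocks are skipped by their declared size */
        }
        p = sub_end;
    }
    return ATTR_OK;
}

/* Constructed sample: one "aeabi" subsection with Tag_CPU_arch (6) = 10 and
 * Tag_nodefaults (64) = 0; CORRUPT selects a single-field corruption. */
size_t build_sample(int corrupt, uint8_t *buf)
{
    static const uint8_t body[] = {
        'A',
        19, 0, 0, 0,                 /* subsection length, includes these 4 bytes */
        'a', 'e', 'a', 'b', 'i', 0,  /* vendor name */
        1,                           /* sub-subsection tag: file attributes */
        9, 0, 0, 0,                  /* sub-subsection size, includes tag + size */
        6, 10,                       /* Tag_CPU_arch = 10 */
        64, 0,                       /* Tag_nodefaults = 0 */
    };
    size_t len = sizeof body;
    memcpy(buf, body, len);
    switch (corrupt) {
    case 1: buf[1] = 0xff; break;                   /* subsection claims 255 bytes of a 20-byte section */
    case 2: buf[12] = 0xff; break;                  /* sub-subsection size overruns its subsection */
    case 3: buf[18] = 0x80; buf[19] = 0x80; break;  /* ULEB128 continuation bits run to the end */
    case 4: len = 15; break;                        /* section truncated mid-subsection */
    default: break;
    }
    return len;
}

/* Value of TAG in sample CORRUPT: the parser's error code, ATTR_NOT_FOUND, or the decoded value. */
long sample_tag_value(int corrupt, uint64_t tag)
{
    uint8_t buf[32]; uint64_t tags[8], vals[8]; size_t n, i;
    size_t len = build_sample(corrupt, buf);
    int rc = walk_attributes(buf, len, tags, vals, 8, &n);
    if (rc != ATTR_OK) return rc;
    for (i = 0; i < n && i < 8; i++) if (tags[i] == tag) return (long)vals[i];
    return ATTR_NOT_FOUND;
}
```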
Hi Alexander,

OK, that one is fixed.

Cheers
Nick

Created attachment 7921
crasher for `readelf -agteADruhlsSdIncwVW`

Files: 1
Errors:
   2 Invalid read of size ...
   1 Process terminating with default action of signal 11 (SIGSEGV)

Created attachment 7922
Crasher for `readelf -agteAruhlsSdIncwVW --dyn-syms -D`

Files: 1
Errors:
   1 Invalid read of size ...
   1 Process terminating with default action of signal 11 (SIGSEGV)

This one is very noisy in fuzzing `readelf -agteAruhlsSdIncwVW --dyn-syms -D`.
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "gdb and binutils".

The branch, master has been updated
       via  8b73c35699b4b1da558be29ac3c90aee0e0e1e49 (commit)
      from  51b26797b4a05304e4d00e2fd77810e38147bb7f (commit)

Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=8b73c35699b4b1da558be29ac3c90aee0e0e1e49

commit 8b73c35699b4b1da558be29ac3c90aee0e0e1e49
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Nov 11 20:50:03 2014 +0000

    Fix invalid memory accesses for more corrupt binary files.

        PR binutils/17531
        * binutils/readelf.c (dynamic_nent): Change type to size_t.
        (slurp_rela_relocs): Use size_t type for nrelas.
        (slurp_rel_relocs): Likewise.
        (get_program_headers): Improve out of memory error message.
        (get_32bit_section_headers): Likewise.
        (get_32bit_section_headers): Likewise.
        (get_64bit_section_headers): Likewise.
        (get_32bit_elf_symbols): Likewise.
        (get_64bit_elf_symbols): Likewise.
        (process_section_groups): Likewise.
        (get_32bit_dynamic_section): Likewise.
        (get_64bit_dynamic_section): Likewise.
        (process_dynamic_section): Likewise.
        (process_version_sections): Likewise.
        (get_symbol_index_type): Likewise.
        (process_mips_specific):  Likewise.
        (process_corefile_note_segment): Likewise.
        (process_version_sections): Use size_t type for total.
        (get_dynamic_data): Change type of number parameter to size_t.
        Improve out of memory error messages.
        (process_symbol_table): Change type of nbuckets and nchains to
        size_t. Skip processing of sections headers if there are none.
        Improve out of memory error messages.

-----------------------------------------------------------------------

Summary of changes:
 binutils/ChangeLog | 27 ++++++++++++++++
 binutils/readelf.c | 87 +++++++++++++++++++++++++++++----------------------
 2 files changed, 76 insertions(+), 38 deletions(-)
Also fixed...
Created attachment 7927
More badness for `readelf -agteAruhlsSdIncwVW --dyn-syms -D`

No crashes so far but some badness...

Files: 2
Errors:
   7 Conditional jump or move depends on uninitialised value(s)
   3 Invalid read of size ...
   1 Syscall param lseek(offset) contains uninitialised byte(s)
   1 Use of uninitialised value of size ...
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "gdb and binutils".

The branch, master has been updated
       via  3102e897eeda28961a32826095befef5c4a74097 (commit)
      from  a59add0c2ed21c03efc8b39e333564d7713a7ccc (commit)

Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=3102e897eeda28961a32826095befef5c4a74097

commit 3102e897eeda28961a32826095befef5c4a74097
Author: Nick Clifton <nickc@redhat.com>
Date:   Thu Nov 13 10:45:50 2014 +0000

    More fixes for readelf problems reading corrupt files.

        PR binutils/17531
        * readelf.c (process_version_sections): If the read of the version
        def information fails, make sure that the external verdef data is
        not used.
        (get_dynamic_data): Do not attempt to allocate memory for more
        dynamic data than there is in the file. If the read fails, free the
        allocated buffer.
        (process_symbol_table): Do not print dynamic information if we were
        unable to read the dynamic symbol table.
        (print_gnu_note): Do not print the note if the descsz is too small.

-----------------------------------------------------------------------

Summary of changes:
 binutils/ChangeLog | 14 ++++++++++++++
 binutils/readelf.c | 30 ++++++++++++++++++++++++++----
 2 files changed, 40 insertions(+), 4 deletions(-)

Thanks Alexander,

Those problems should be fixed too.

Cheers
Nick

Created attachment 7942
Another crasher for `readelf -a`

Files: 1
Errors:
   2 Invalid read of size ...
   1 Process terminating with default action of signal 11 (SIGSEGV)

This one is found with American Fuzzy Lop.
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "gdb and binutils". The branch, binutils-2_25-branch has been updated via 8f66a6af276d17c0e386cd2409873f2e3e0b8a37 (commit) via 32a9d621c3c480aa093a089a36e36c35f68a4010 (commit) from ff67f476b9907b9fddfbafff52caa4cce6a6f58c (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=8f66a6af276d17c0e386cd2409873f2e3e0b8a37 commit 8f66a6af276d17c0e386cd2409873f2e3e0b8a37 Merge: 32a9d62 ff67f47 Author: Nick Clifton <nickc@redhat.com> Date: Mon Nov 17 17:04:16 2014 +0000 Merge branch 'binutils-2_25-branch' of ssh://sourceware.org/git/binutils-gdb into binutils-2_25-branch Conflicts: gas/ChangeLog https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=32a9d621c3c480aa093a089a36e36c35f68a4010 commit 32a9d621c3c480aa093a089a36e36c35f68a4010 Author: Nick Clifton <nickc@redhat.com> Date: Mon Nov 17 16:59:09 2014 +0000 Applies a series of patches for PR 17512 and 17533 which fix invalid memory accesses. 2014-11-13 Nick Clifton <nickc@redhat.com> PR binutils/17512 * config/obj-coff.c (coff_obj_symbol_new_hook): Set the is_sym field. 2014-11-14 Nick Clifton <nickc@redhat.com> PR binutils/17512 * dwarf.c (get_encoded_value): Add an 'end' parameter. Change the 'data' parameter to a double pointer and return the updated value. (decode_location_expression): Update call to get_encoded_value. (frame_need_space): Handle the case where one or both of the mallocs fails. (read_cie): Initialise the cie pointer, even if the read fails. (display_debug_frames): Warn if the calculated block_end is before the start of the block. Break the loop if the CIE could not be read. 
Update call to get_encoded_value. Warn if the read CFA expressions are too big. 2014-11-13 Nick Clifton <nickc@redhat.com> PR binutils/17531 * readelf.c (process_version_sections): If the read of the version def information fails, make sure that the external verdef data is not used. (get_dynamic_data): Do not attempt to allocate memory for more dynamic data than there is in the file. If the read fails, free the allocated buffer. (process_symbol_table): Do not print dynamic information if we were unable to read the dynamic symbol table. (print_gnu_note): Do not print the note if the descsz is too small. 2014-11-12 Nick Clifton <nickc@redhat.com> PR binutils/17512 * dwarf.c (read_and_display_attr_value): Check that we do not read past end. (display_debug_pubnames_worker): Add range checks. (process_debug_info): Check for invalid pointer sizes. (display_loc_list): Likewise. (display_loc_list_dwo): Likewise. (display_debug_ranges): Likewise. (display_debug_aranges): Check for invalid address size. (read_cie): Add range checks. Replace call strchr with while loop. * objdump.c (dump_dwarf): Replace abort with a warning message. (print_section_stabs): Improve range checks. * rdcoff.c (coff_get_slot): Use long for indx parameter type. Add check for an excesively large index. * rddbg.c (read_section_stabs_debugging_info): Zero terminate the string table. Avoid walking off the end of the stabs data. * stabs.c (parse_stab_string): Add check for a NULL name. 2014-11-11 Nick Clifton <nickc@redhat.com> PR binutils/17531 * binutils/readelf.c (dynamic_nent): Change type to size_t. (slurp_rela_relocs): Use size_t type for nrelas. (slurp_rel_relocs): Likewise. (get_program_headers): Improve out of memory error message. (get_32bit_section_headers): Likewise. (get_32bit_section_headers): Likewise. (get_64bit_section_headers): Likewise. (get_32bit_elf_symbols): Likewise. (get_64bit_elf_symbols): Likewise. (process_section_groups): Likewise. (get_32bit_dynamic_section): Likewise. 
(get_64bit_dynamic_section): Likewise. (process_dynamic_section): Likewise. (process_version_sections): Likewise. (get_symbol_index_type): Likewise. (process_mips_specific): Likewise. (process_corefile_note_segment): Likewise. (process_version_sections): Use size_t type for total. (get_dynamic_data): Change type of number parameter to size_t. Improve out of memory error messages. (process_symbol_table): Change type of nbuckets and nchains to size_t. Skip processing of sections headers if there are none. Improve out of memory error messages. 2014-11-11 Nick Clifton <nickc@redhat.com> PR binutils/17531 * readelf.c (display_arm_attribute): Avoid reading off the end of the buffer when processing a Tag_nodefaults. 2014-11-10 Nick Clifton <nickc@redhat.com> PR binutils/17531 * readelf.c (ia64_process_unwind): Replace assertion with an error message. Add range checking for group section indicies. (hppa_process_unwind): Replace assertion with an error message. (process_syminfo): Likewise. (decode_arm_unwind_bytecode): Add range checking. (dump_section_as_strings): Add more string range checking. (display_tag_value): Likewise. (display_arm_attribute): Likewise. (display_gnu_attribute): Likewise. (display_tic6x_attribute): Likewise. (display_msp430x_attribute): Likewise. 2014-11-10 Nick Clifton <nickc@redhat.com> PR binutils/17552 * objcopy.c (copy_archive): Clean up temporary files even if an error occurs. 2014-11-07 Nick Clifton <nickc@redhat.com> PR binutils/17531 * readelf.c (get_data): Avoid allocating memory when we know that the read will fail. (find_section_by_type): New function. (get_unwind_section_word): Check for invalid symbol indicies. Check for invalid reloc types. (get_32bit_dynamic_section): Add range checks. (get_64bit_dynamic_section): Add range checks. (process_dynamic_section): Check for a corrupt time value. (process_symbol_table): Add range checks. (dump_section_as_strings): Add string length range checks. (display_tag_value): Likewise. 
(display_arm_attribute): Likewise. (display_gnu_attribute): Likewise. (display_tic6x_attribute): Likewise. (display_msp430x_attribute): Likewise. (process_mips_specific): Add range check. 2014-11-06 Nick Clifton <nickc@redhat.com> PR binutils/17552, binutils/17533 * bucomm.c (is_valid_archive_path): New function. Returns false for absolute pathnames and pathnames that include /../. * bucomm.h (is_valid_archive_path): Add prototype. * ar.c (extract_file): Use new function to check for valid pathnames when extracting files from an archive. * objcopy.c (copy_archive): Likewise. * doc/binutils.texi: Update documentation to mention the limitation on pathname of archive members. 2014-11-05 Nick Clifton <nickc@redhat.com> PR binutils/17531 * readelf.c (printable_section_name): New function. (printable_section_name_from_index): New function. (dump_relocations): Use new function. (process_program_headers, get_32bit_elf_symbols, (get_64bit_elf_symbols, process_section_headers, (process_section_groups, process_relocs, ia64_process_unwind, (hppa_process_unwind, get_unwind_section_word, decode_arm_unwind, (arm_process_unwind, process_version_sections, (process_symbol_table, apply_relocations, get_section_contents, (dump_section_as_strings, dump_section_as_bytes, (display_debug_section, process_attributes, process_mips_specific, (process_mips_specific process_gnu_liblist): Likewise. (get_unwind_section_word): Check for a missing symbol table. Replace aborts with error messages. (arm_process_unwind): Check for a missing string table. (process_attributes): Check for an attribute length that is too small. (process_mips_specific): Check for a corrupt GOT symbol offset. 2014-11-05 Nick Clifton <nickc@redhat.com> PR binutils/17533 * bucomm.c (is_valid_archive_path): New function. * bucomm.h (is_valid_archive_path): Prototype it. * ar.c (extract_file): Call is_valid_archive_path to verify a member filename before extracting it. * objcopy.c (copy_archive): Likewise. 
2014-11-04 Nick Clifton <nickc@redhat.com> PR binutils/17531 * readelf.c (get_data): If the reason parameter is null, do not print any error messages. (get_32bit_section_headers): Verify section header entry size before reading in the section headers. (get_64bit_section_headers): Likewise. (process_section_headers): Pass FALSE to get_section_headers. (get_file_header): Pass TRUE to get_section_headers. (process_dynamic_section): Change an assert to an error message. (process_symbol_table): Handle corrupt histograms. (get_32bit_program_headers): Verify program header entry size before reading in the program headers. (get_64bit_program_headers): Likewise. (get_unwind_section_word): Do nothing if no section was provided. Fail if the offset is outside of the section. (print_dynamic_symbol): Catch out of range symbol indicies. (process_mips_specific): Likewise. (process_attributes): Make sure that there is enough space left in the section before attempting to read the length of the next attribute. 2014-11-03 Nick Clifton <nickc@redhat.com> PR binutils/17512 * objdump.c (slurp_symtab): Fail gracefully if the table could not be read. (dump_relocs_in_section): Likewise. 2014-11-14 Nick Clifton <nickc@redhat.com> PR binutils/17597 * opncls.c (bfd_get_debug_link_info): Avoid reading off the end of the section. (bfd_get_alt_debug_link_info): Likewise. 2014-11-14 Nick Clifton <nickc@redhat.com> PR binutils/17512 * ieee.c (ieee_archive_p) Skip processing if no bytes are read at all. (ieee_object_p): Likewise. 2014-11-13 H.J. Lu <hongjiu.lu@intel.com> * coffcode.h (coff_slurp_line_table): Add cast to unsigned int. 2014-11-13 H.J. Lu <hongjiu.lu@intel.com> * coffcode.h (coff_pointerize_aux_hook): Fix a typo. 2014-11-13 Nick Clifton <nickc@redhat.com> PR binutils/17512 * coffcode.h (coff_ptr_struct): Add is_sym field. (coff_new_section_hook): Set the is_sym field. (coff_pointerize_aux_hook): Check the is_sym field. (coff_print_aux): Likewise. 
(coff_compute_section_file_positions): Likewise. (coff_write_object_contents): Likewise. (coff_slurp_line_table): Likewise. (coff_slurp_symbol_table): Likewise. (CALC_ADDEND): Likewise. * coffgen.c (coff_renumber_symbols): Likewise. (coff_mangle_symbols): Likewise. (coff_fix_symbol_name): Likewise. (coff_write_symbol): Likewise. (coff_write_alien_symbol): Likewise. (coff_write_native_symbol): Likewise. (coff_write_symbols): Likewise. (coff_write_linenumbers): Likewise. (coff_pointerize_aux): Likewise. (coff_get_normalized_symtab): Likewise. (coff_get_symbol_info): Likewise. (bfd_coff_get_syment): Likewise. (bfd_coff_get_auxent): Likewise. (coff_print_symbol): Likewise. (coff_find_nearest_line_with_names): Likewise. (bfd_coff_set_symbol_class): Likewise. (coff_make_empty_symbol): Set the is_sym field. (coff_bfd_make_debug_symbol): Likewise. * peicode.h (pe_ILF_make_a_symbol): Likewise. * libcoff.h: Regenerate. * libcoff-in.h: Regenerate. 2014-11-12 Nick Clifton <nickc@redhat.com> PR binutils/17512 * coffcode.h (coff_slurp_line_table): Set the line number of corrupt entries to -1. (coff_slurp_symbol_table): Alway initialise the value of the symbol. * coffgen.c (coff_print_symbol): Check that the combined pointer is valid. (coff_print_symbol): Do not print negative line numbers. * peXXigen.c (pe_print_idata): Add range checking displaying member names. 2014-11-12 Alan Modra <amodra@gmail.com> PR binutils/17512 * coffcode.h (coff_slurp_line_table): Drop line number info not preceded by a valid function entry. Revert last change. 2014-11-11 Nick Clifton <nickc@redhat.com> PR binutils/17512 * coffcode.h (coff_slurp_line_table): Initialise the parts of the line number cache that would not be initialised by the copy from the new line number table. (coff_classify_symbol): Allow for _bfd_coff_internal_syment_name returning NULL. * coffgen.c (coff_get_normalized_symbols): Get the external symbols before allocating space for the internal symbols, in case the get fails. 
* elf.c (_bfd_elf_slurp_version_tables): Only allocate a verref array if one is needed. Likewise with the verdef array. * peXXigen.c (_bfd_XXi_swap_sym_in): Replace abort()'s with error messages. (_bfd_XXi_swap_aux_in): Make sure that all fields of the aux structure are initialised. (pe_print_edata): Avoid reading off the end of the data buffer. 2014-11-11 Alan Modra <amodra@gmail.com> PR binutils/17512 * coffcode.h (coff_slurp_line_table): Use updated lineno_count when building func_table. 2014-11-11 Alan Modra <amodra@gmail.com> PR binutils/17512 * coffcode.h (coff_slurp_line_table): Don't bfd_zalloc, just memset the particular bits we need. Update src after hitting loop "continue". Don't count lineno omitted due to invalid symbols in nbr_func, and update lineno_count. Init entire terminating lineno. Don't both allocating terminator in n_lineno_cache. Redirect sym->lineno pointer to where n_lineno_cache will be copied, and free n_lineno_cache. * pe-mips.c (NUM_HOWTOS): Typo fix. 2014-11-10 Nick Clifton <nickc@redhat.com> PR binutils/17521 * coff-i386.c (NUM_HOWTOS): New define. (RTYPE2HOWTO): Use it. (coff_i386_rtype_to_howto): Likewise. (coff_i386_reloc_name_lookup): Likewise. (CALC_ADDEND): Check that reloc r_type field is valid. * coff-x86_64.c (NUM_HOWTOS): New define. (RTYPE2HOWTO): Use it. (coff_amd64_rtype_to_howto): Likewise. (coff_amd64_reloc_name_lookup): Likewise. (CALC_ADDEND): Check that reloc r_type field is valid. * coffcode.h (coff_slurp_line_table): Check for symbol table indexing underflow. (coff_slurp_symbol_table): Use zalloc to ensure that all table entries are initialised. * coffgen.c (_bfd_coff_read_string_table): Initialise unused bits in the string table. Also ensure that the table is 0 terminated. (coff_get_normalized_symtab): Check for symbol table indexing underflow. * opncls.c (bfd_alloc): Catch the case where a small negative size can result in only 1 byte being allocated. (bfd_alloc2): Use bfd_alloc. 
* pe-mips.c (NUM_HOWTOS): New define. (coff_mips_reloc_name_lookup): Use it. (CALC_ADDEND): Check that reloc r_type field is valid. * peXXigen.c (_bfd_XXi_swap_aouthdr_in): Initialise unused entries in the DataDirectory. (pe_print_idata): Avoid reading beyond the end of the data block wen printing strings. (pe_print_edata): Likewise. Check for table indexing underflow. * peicode.h (pe_mkobject): Initialise the pe_opthdr field. (pe_bfd_object_p): Allocate and initialize enough space to hold a PEAOUTHDR, even if the opt_hdr field specified less. 2014-11-08 Alan Modra <amodra@gmail.com> * peXXigen.c (pe_print_idata): Revert last patch, cast lhs instead. 2014-11-07 H.J. Lu <hongjiu.lu@intel.com> * peXXigen.c (pe_print_idata): Cast to unsigned long in range checks. 2014-11-07 Alan Modra <amodra@gmail.com> * tekhex.c (tekhex_set_arch_mach): Ignore unknown arch errors. 2014-11-07 Alan Modra <amodra@gmail.com> * tekhex.c (CHUNK_SPAN): Define. (struct data_struct <chunk_init>): Use one byte per span, update all code accessing this field. (find_chunk): Add create param, don't create new entry unless set. (insert_byte): Don't save zeros. (first_phase): Set section SEC_CODE or SEC_DATA flag depending on symbol type. Create an alternate section if both types of symbol are given. Attach type '2' and '6' symbols to absolute section. (move_section_contents): Fix caching of chunk. Don't create chunk when reading, or for writing zeros. (tekhex_set_section_contents): Don't create initial chunks. (tekhex_write_object_contents): Use CHUNK_SPAN. 2014-11-07 Alan Modra <amodra@gmail.com> * aoutx.h (aout_get_external_symbols): Tidy allocation of symbol buffer. 2014-11-07 Alan Modra <amodra@gmail.com> * archive.c (_bfd_slurp_extended_name_table): Revert bfd_get_size check. * coffcode.h (coff_set_alignment_hook): Likewise. (coff_slurp_line_table): Likewise. * coffgen.c (coff_get_normalized_symtab): Likewise. (_bfd_coff_get_external_symbols): Likewise. 
* elf.c (bfd_elf_get_str_section): Likewise. * tekhex.c (first_phase): Likewise. 2014-11-06 Nick Clifton <nickc@redhat.com> * aoutx.h (slurp_symbol_table): Revert previous delta. (slurp_reloc_table): Likewise. * compress.c (bfd_get_full_section_contents): Remove file size test. * coffgen.c (coff_get_normalized_symtab): Allow zero-sized symtabs and do not complain about linker generated files. 2014-11-04 Nick Clifton <nickc@redhat.com> PR binutils/17512 * coffcode.h (handle_COMDAT): Replace abort with BFD_ASSERT. Replace another abort with an error message. (coff_slurp_line_table): Add more range checking. * peXXigen.c (pe_print_debugdata): Add range checking. 2014-11-05 Nick Clifton <nickc@redhat.com> PR binutils/17512 * coffcode.h (coff_set_alignment_hook): Warn if the file lies about the number of relocations it contains. (coff_sort_func_alent): Return 0 if the pointers are NULL. (coff_slurp_line_table): Add more range checks. Do not free new tables created when sorting line numbers. * peXXigen.c (pe_print_idata): Add range checks. (pe_print_edata): Likewise. (rsrc_print_resource_entries): Likewise. Avoid printing control characters. Terminate priniting if corruption is detected. (rsrc_print_resource_directory): Terminate printing if an unknown directory type is encountered. (pe_print_debugdata): Fix off-by-one error. (rsrc_count_entries): Add range checking. (rsrc_parse_entry): Likewise. 2014-11-04 Nick Clifton <nickc@redhat.com> PR binutils/17512 * compress.c (bfd_get_full_section_contents): Improve test for linker created objects. PR binutils/17533 * archive.c (_bfd_slurp_extended_name_table): Handle archives with corrupt extended name tables. 2014-11-03 Nick Clifton <nickc@redhat.com> PR binutils/17512 * aoutx.h (slurp_symbol_table): Check that computed table size is not bigger than the file from which is it being read. (slurp_reloc_table): Likewise. * coffcode.h (coff_slurp_line_table): Remove unneeded local 'warned'. 
Do not try to print the details of a symbol with an invalid index.
* coffgen.c (make_a_sectiobn_from_file): Check computed string index against length of string table.
(bfd_coff_internal_syment_name): Check read in string offset against length of string table.
(build_debug_section): Return a pointer to the section used.
(_bfd_coff_read_string_table): Store the length of the string table in the coff_tdata structure.
(bfd_coff_free_symbols): Set the length of the string table to zero when it is freed.
(coff_get_normalized_symtab): Check offsets against string table or data table lengths as appropriate.
* cofflink.c (_bfd_coff_link_input_bfd): Check offset against length of string table.
* compress.c (bfd_get_full_section_contents): Check computed size against the size of the file.
* libcoff-in.h (obj_coff_strings_len): Define.
(struct coff_tdata): Add strings_len field.
* libcoff.h: Regenerate.
* peXXigen.c (pe_print_debugdata): Do not attempt to print the data if the debug section is too small.
* xcofflink.c (xcoff_link_input_bfd): Check offset against length of string table.

2014-10-31 Nick Clifton <nickc@redhat.com>
PR binutils/17512
* coffgen.c (_bfd_coff_get_external_symbols): Do not try to load a symbol table bigger than the file.
* elf.c (bfd_elf_get_str_section): Do not try to load a string table bigger than the file.
* tekhex.c (first_phase): Check that the section range is sane.
----------------------------------------------------------------------- Summary of changes: bfd/ChangeLog | 282 ++++++++++++ bfd/aoutx.h | 24 +- bfd/archive.c | 5 +- bfd/coff-i386.c | 17 +- bfd/coff-x86_64.c | 11 +- bfd/coffcode.h | 170 +++++--- bfd/coffgen.c | 168 ++++++-- bfd/cofflink.c | 5 +- bfd/elf.c | 24 +- bfd/ieee.c | 6 +- bfd/libcoff-in.h | 3 + bfd/libcoff.h | 16 +- bfd/opncls.c | 41 +- bfd/pe-mips.c | 9 +- bfd/peXXigen.c | 220 +++++++--- bfd/peicode.h | 15 +- bfd/tekhex.c | 112 +++-- bfd/xcofflink.c | 5 +- binutils/ChangeLog | 199 +++++++++ binutils/ar.c | 9 + binutils/bucomm.c | 26 ++ binutils/bucomm.h | 12 +- binutils/doc/binutils.texi | 3 +- binutils/dwarf.c | 209 +++++++--- binutils/objcopy.c | 23 +- binutils/objdump.c | 27 +- binutils/rdcoff.c | 9 +- binutils/rddbg.c | 40 ++- binutils/readelf.c | 1039 ++++++++++++++++++++++++++++++++------------ binutils/stabs.c | 30 +- gas/ChangeLog | 10 + gas/config/obj-coff.c | 1 + 32 files changed, 2109 insertions(+), 661 deletions(-)
Created attachment 7945 [details] Binary that triggers assert in decode_tic6x_unwind_bytecode This binary is triggering an assert in decode_tic6x_unwind_bytecode readelf: readelf.c:7586: decode_tic6x_unwind_bytecode: Assertion `i < sizeof (buf)' failed. The issue was found using american fuzzy lop.
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "gdb and binutils". The branch, master has been updated via 0eff716535f3e8f501d6b438f7f796b70a0b9f98 (commit) from 25a0334e39963239f03555efe7e933558cc897e0 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=0eff716535f3e8f501d6b438f7f796b70a0b9f98 commit 0eff716535f3e8f501d6b438f7f796b70a0b9f98 Author: Nick Clifton <nickc@redhat.com> Date: Tue Nov 18 10:07:11 2014 +0000 Fix memory access problems exposed by fuzzed binaries. PR binutils/17531 * readelf.c (get_unwind_section_word): Skip reloc processing if there are no relocs associated with the section. (decode_tic6x_unwind_bytecode): Warn and return if the stack pointer adjustment falls off the end of the buffer. ----------------------------------------------------------------------- Summary of changes: binutils/ChangeLog | 8 ++++++++ binutils/readelf.c | 16 +++++++++++++++- 2 files changed, 23 insertions(+), 1 deletions(-)
Hi Espen, Hi Alexander, OK, those two are fixed. Next ? Cheers Nick
Created attachment 7954 [details] 2 more problematic test cases

(In reply to Nick Clifton from comment #35)
> Hi Espen, Hi Alexander,
>
> OK, those two are fixed. Next ?
>
> Cheers
> Nick

It's getting harder to find problems, but attached you find two test cases. One of them seems to get into an infinite loop. The other crashes like this:

Program received signal SIGSEGV, Segmentation fault.
#0 __strncpy_sse2_unaligned () at ../sysdeps/x86_64/multiarch/strcpy-sse2-unaligned.S:1669
#1 0x0000000000443d56 in strncpy (__len=<optimized out>, __src=<optimized out>, __dest=<optimized out>) at /usr/include/x86_64-linux-gnu/bits/string3.h:120
#2 process_corefile_note_segment (file=0x55b000, offset=5486616, length=5486616) at readelf.c:14715
#3 0x0000000000492f1a in process_corefile_note_segment (length=<optimized out>, offset=<optimized out>, file=<optimized out>) at readelf.c:4178
#4 process_note_sections (file=<optimized out>) at readelf.c:14772
#5 process_notes (file=<optimized out>) at readelf.c:14793
#6 process_object (file_name=0x53b750 "", file=0x1, file@entry=0x53b000) at readelf.c:15011
#7 0x0000000000403c69 in process_file (file_name=0x7fffffffe29b "id:000000,sig:11,src:006986,op:havoc,rep:4") at readelf.c:15382
#8 main (argc=3, argv=0x7fffffffdef8) at readelf.c:15448

Espen
Created attachment 7957 [details] AFL crashers for `readelf -a` Files: 4 Errors: 1 Invalid read of size ... 4 Invalid write of size ... 3 Process terminating with default action of signal 11 (SIGSEGV)
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "gdb and binutils". The branch, master has been updated via 5d921cbd81554867007e903b634acc6bc8281f9f (commit) from cd11f78f810cf12b04046ac954ceb6528b00956c (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=5d921cbd81554867007e903b634acc6bc8281f9f commit 5d921cbd81554867007e903b634acc6bc8281f9f Author: Nick Clifton <nickc@redhat.com> Date: Fri Nov 21 13:37:39 2014 +0000 Resolve more problems with readelf uncovered by fuzzing binary files. PR binutils/17531 * readelf.c (process_version_sections): Prevent an infinite loop processing corrupt version need data. (process_corefile_note_segment): Handle corrupt notes. ----------------------------------------------------------------------- Summary of changes: binutils/ChangeLog | 7 +++++++ binutils/readelf.c | 8 +++++++- 2 files changed, 14 insertions(+), 1 deletions(-)
Created attachment 7963 [details] 3 more problematic programs Attached is three more problematic programs. One more infinite loop, one heap buffer overflow and one use after free. The ASAN output is also included. Found using AFL.
Created attachment 7964 [details] Sample with fishy malloc This one doesn't crash `readelf -agteAruhlsSdIncwVW --dyn-syms -D` but gives an error under valgrind. Files: 1 Errors: 1 Argument 'size' of function malloc has a fishy (possibly negative) value: ...
Created attachment 7966 [details] Possible fix for asan problems in comment #39
Created attachment 7967 [details] Possible fix for problems in comment #39 Possible fix for all three problems attached in comment #39.
Created attachment 7968 [details] Possible fix for problem in comment #40
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "gdb and binutils". The branch, master has been updated via c9c1d674406c5fff9d2f2ea771e4288cb6bf4e5a (commit) from 3a1cfc456f3b3f422b7c6c0d63891b015ea234b9 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=c9c1d674406c5fff9d2f2ea771e4288cb6bf4e5a commit c9c1d674406c5fff9d2f2ea771e4288cb6bf4e5a Author: Espen Grindhaug <espen@grindhaug.org> Date: Thu Nov 27 15:49:23 2014 +0000 Fixes an infinite loop in readelf parsing a corrupt binary, and other minor corrections. PR binutils/17531 * readelf.c (get_data): Move excessive length check to earlier on in the function and allow for wraparound in the arithmetic. (get_32bit_elf_symbols): Terminate early if the section size is zero. Check for an invalid sh_entsize. Check for an index section with an invalid size. (get_64bit_elf_symbols): Likewise. (process_section_groups): Check for an invalid sh_entsize. ----------------------------------------------------------------------- Summary of changes: binutils/ChangeLog | 12 +++++++ binutils/readelf.c | 88 ++++++++++++++++++++++++++++++++++++++++------------ 2 files changed, 80 insertions(+), 20 deletions(-)
Hi Espen, Thanks very much for the patch. I have checked it in with two minor additions: I duplicated the fix for get_32bit_elf_symbols() into get_64bit_elf_symbols() and I improved the range test in get_data() so that it makes fewer silly calls to malloc. Cheers Nick
Created attachment 7975 [details] Crashes for `readelf -agteAruhlsSdIncVWw --dyn-syms -D` Files: 19 Errors: 1 Argument 'size' of function malloc has a fishy (possibly negative) value: ... 1 Conditional jump or move depends on uninitialised value(s) 36 Invalid read of size ... 8 Invalid write of size ... 5 Process terminating with default action of signal 11 (SIGSEGV)
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "gdb and binutils". The branch, master has been updated via 591f7597d447d8d038d6d8e24a706d1d5e32eba1 (commit) from 9e8cd6df3ca295986b2c295b6cfa5ceadd410bb4 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=591f7597d447d8d038d6d8e24a706d1d5e32eba1 commit 591f7597d447d8d038d6d8e24a706d1d5e32eba1 Author: Nick Clifton <nickc@redhat.com> Date: Mon Dec 1 11:19:39 2014 +0000 Add checks for memory access violations exposed by fuzzed archives. PR binutils/17531 * dwarf.c (process_cu_tu_index): Check for an out of range row index. * elfcomm.c (adjust_relative_path): Change name_len parameter to an unsigned long. Check for path length overflow. (process_archive_index_and_symbols): Check for invalid header size. (setup_archive): Add checks for invalid archives. (get_archive_member_name): Add range checks. * elfcomm.h (adjust_relative_path): Update prototype. * readelf.c (process_archive): Add range checks. ----------------------------------------------------------------------- Summary of changes: binutils/ChangeLog | 14 +++++++++++++ binutils/dwarf.c | 8 +++++++ binutils/elfcomm.c | 55 +++++++++++++++++++++++++++++++++++++++++++++++---- binutils/elfcomm.h | 2 +- binutils/readelf.c | 11 +++++---- 5 files changed, 79 insertions(+), 11 deletions(-)
Thanks Alexander, Those new archive based problems should be fixed now. Cheers Nick
Created attachment 7991 [details] Aborts for `readelf -agteAruhlsSdIncVWw --dyn-syms -D` Files: 4 Errors: 4 No assertion info in gdb backtrace.
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "gdb and binutils". The branch, master has been updated via bee0ee850e846a8717b9aadb8d5da3adee3254ee (commit) from 9d157cb9fe73ff3d911ccdf581ab09eae02e78aa (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=bee0ee850e846a8717b9aadb8d5da3adee3254ee commit bee0ee850e846a8717b9aadb8d5da3adee3254ee Author: Nick Clifton <nickc@redhat.com> Date: Wed Dec 3 16:33:33 2014 +0000 Replace calls to abort (in readelf) with informative error messages. PR binutils/17531 * readelf.c (get_machine_flags): Replace call to abort with a warning message and a return value. (get_elf_section_flags): Likewise. (get_symbol_visibility): Likewise. (get_ia64_symbol_other): Likewise. (get_ia64_symbol_other): Likewise. (is_32bit_abs_reloc): Likewise. (apply_relocations): Likewise. (display_arm_attribute): Likewise. ----------------------------------------------------------------------- Summary of changes: binutils/ChangeLog | 13 +++++++++++ binutils/readelf.c | 61 ++++++++++++++++++++++++++++++++++++++++------------ 2 files changed, 60 insertions(+), 14 deletions(-)
Hi Alexander, > Aborts for `readelf -agteAruhlsSdIncVWw --dyn-syms -D` Thanks - I have checked in a patch to remove all calls to abort from inside readelf. Cheers Nick
Created attachment 7994 [details] More crashes for `readelf -agteAruhlsSdIncVWw --dyn-syms -D` Files: 18 Errors: 12 Conditional jump or move depends on uninitialised value(s) 128 Invalid read of size ... 6 Invalid write of size ... 5 Process terminating with default action of signal 11 (SIGSEGV) 11 Use of uninitialised value of size ...
Created attachment 7995 [details] More aborts for `readelf -agteAruhlsSdIncVWw --dyn-syms -D` Files: 2 Errors: 2 No assertion info in gdb backtrace.
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "gdb and binutils". The branch, master has been updated via 53774b7e76dc5b3e8cc00d6f7a9d27e6c65830a9 (commit) from 2ebecbb12e1281fca50fb0361475a01243432825 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=53774b7e76dc5b3e8cc00d6f7a9d27e6c65830a9 commit 53774b7e76dc5b3e8cc00d6f7a9d27e6c65830a9 Author: Nick Clifton <nickc@redhat.com> Date: Mon Dec 8 17:51:46 2014 +0000 More fixes for invalid memory accesses triggered by fuzzed binaries. PR binutils/17531 * dwarf.c (display_debug_frames): Check for a negative augmentation data length. (display_gdb_index): Check for invalid offsets. * elfcomm.c (process_archive_index_and_symbols): Check for an index number that overflows when multiplied by the ar index size. * readelf.c (dump_ia64_unwind): Add range checks. (slurp_ia64_unwind_table): Change to a boolean function. Add range checks. (process_version_sections): Add range checks. (get_symbol_version_string): Add check for missing section headers. ----------------------------------------------------------------------- Summary of changes: binutils/ChangeLog | 15 +++++++++++ binutils/dwarf.c | 70 +++++++++++++++++++++++++++++++++++++++++++++++--- binutils/elfcomm.c | 6 +++- binutils/readelf.c | 72 +++++++++++++++++++++++++++++++++++++++------------- 4 files changed, 139 insertions(+), 24 deletions(-)
Hi Alexander, These should be fixed now. Cheers Nick
Created attachment 8019 [details] AFL crashers for `readelf -agteAruhlsSdIncVWw --dyn-syms -D` crashes Files: 7 Errors: 25 Invalid read of size ... 2 Invalid write of size ... 2 Process terminating with default action of signal 11 (SIGSEGV) 1 Process terminating with default action of signal 8 (SIGFPE) ---------------------------------------------------------------------- asserts Files: 1 Errors: 1 No assertion info in gdb backtrace.
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "gdb and binutils". The branch, master has been updated via 058037d3a169c91042c9b8549f7d04fd7550bed6 (commit) from 5860e3f883597cf6b8a937547015394edc1e8784 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=058037d3a169c91042c9b8549f7d04fd7550bed6 commit 058037d3a169c91042c9b8549f7d04fd7550bed6 Author: Nick Clifton <nickc@redhat.com> Date: Mon Dec 22 22:44:34 2014 +0000 More fixes for invalid memory accesses exposed by fuzzed binaries. PR binutils/17531 * dwarf.c (decode_location_expression): Check for an out of range value for a DW_OP_GNU_entry_value expression. (display_debug_lines_raw): Check for a partial .debug_line. section being encountered without a prior, full .debug.line section. (display_debug_lines_decoded): Likewise. Also check for li_line_range being zero. (display_debug_pubnames_worker): Check for an invalid pn_length field. (read_cie): Add range checks. * elfcomm.c (setup_archive): Check for a negative longnames_size. ----------------------------------------------------------------------- Summary of changes: binutils/ChangeLog | 15 +++++++++++ binutils/dwarf.c | 70 +++++++++++++++++++++++++++++++++++++++++++--------- binutils/elfcomm.c | 10 +++++++ 3 files changed, 83 insertions(+), 12 deletions(-)
Hi Alexander, > Files: 7 > Errors: > 25 Invalid read of size ... > 2 Invalid write of size ... > 2 Process terminating with default action of signal 11 (SIGSEGV) > 1 Process terminating with default action of signal 8 (SIGFPE) These should now be fixed. Cheers Nick
Created attachment 8037 [details] More problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D` valgrind Files: 5 Errors: 12 Invalid read of size ... 5 Invalid write of size ... 4 Process terminating with default action of signal 11 (SIGSEGV) ---------------------------------------------------------------------- gdb Files: 2 Errors: 1 No assertion info in gdb backtrace. 1 readelf.c:14056: process_mips_specific: Assertion `global_end >= local_end' failed.
Created attachment 8038 [details] Big (28MB) problem with `readelf -agteAruhlsSdIncVWw --dyn-syms -D` (Big files. Have to split submission into several parts.) valgrind Files: 1 Errors: 5 Conditional jump or move depends on uninitialised value(s) 3 Invalid read of size ... 3 Invalid write of size ... 1 Process terminating with default action of signal 11 (SIGSEGV) 2 Use of uninitialised value of size ...
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "gdb and binutils". The branch, master has been updated via 82b1b41bcdc6d01fdbd94b246e24a8a8f8c2bddd (commit) via c1724c7fd39d85ccc1f94a0cd7bc25b19aa43ffd (commit) from f8ed3ac5f2600f037bff4ba01e6c92257d4a4fae (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=82b1b41bcdc6d01fdbd94b246e24a8a8f8c2bddd commit 82b1b41bcdc6d01fdbd94b246e24a8a8f8c2bddd Author: Nick Clifton <nickc@redhat.com> Date: Mon Jan 5 13:54:22 2015 +0000 More fixes for invalid memory accesses triggered by fuzzed binaries. PR binutils/17531 * dwarf.c (alloc_num_debug_info_entries): New variable. (process_debug_info): Set it. Use it to avoid displaying attributes for which there is no info. (display_debug_abbrev): Check that the debug_info_entry index is valid before using it. (display_loc_list_dwo): Likewise. (process_cu_tu_index): Add range check for an overlarge dw_sect value. (free_debug_memory): Reset alloc_num_debug_info_entries. * readelf.c (slurp_ia64_unwind_table): Warn if the reloc could not be identified. (dynamic_section_mips_val): Warn if the timestamp is invalid. (print_mips_got_entry): Add a data_end parameter. Warn if a read would go beyond the end of the data, and return an error value. (process_mips_specific): Do not read options from beyond the end of the section. Correct code to display optional data at the end of an option. Warn if there are too many GOT symbols. Update calls to print_mips_got_entry, and handle error returns. 
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=c1724c7fd39d85ccc1f94a0cd7bc25b19aa43ffd commit c1724c7fd39d85ccc1f94a0cd7bc25b19aa43ffd Author: Daniel Klauer <daniel.c.klauer@web.de> Date: Mon Jan 5 09:41:48 2015 +0000 Corrects the description of the --kill-at option of dlltool. PR binutils/17489 * doc/binutils.texi (dlltool): Correct description of --kill-at option. ----------------------------------------------------------------------- Summary of changes: binutils/ChangeLog | 29 ++++++++++++ binutils/doc/binutils.texi | 12 +++-- binutils/dwarf.c | 107 +++++++++++++++++++++++++++++++------------- binutils/dwarf.h | 8 ++-- binutils/readelf.c | 100 +++++++++++++++++++++++++++++++--------- 5 files changed, 194 insertions(+), 62 deletions(-)
Hi Alexander, > Files: 1 > Errors: > 5 Conditional jump or move depends on uninitialised value(s) > 3 Invalid read of size ... > 3 Invalid write of size ... > 1 Process terminating with default action of signal 11 (SIGSEGV) > 2 Use of uninitialised value of size ... > > Files: 5 > Errors: > 12 Invalid read of size ... > 5 Invalid write of size ... > 4 Process terminating with default action of signal 11 (SIGSEGV) These should all now be fixed. Cheers Nick
Created attachment 8060 [details] Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D` Files: 1 Errors: 4 Conditional jump or move depends on uninitialised value(s) 1 Invalid read of size ... 1 Process terminating with default action of signal 11 (SIGSEGV) 1 Use of uninitialised value of size ...
Created attachment 8061 [details] Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D` Files: 1 Errors: 6 Conditional jump or move depends on uninitialised value(s) 8 Invalid read of size ... 1 Process terminating with default action of signal 11 (SIGSEGV) 1 Use of uninitialised value of size ...
The master branch has been updated by Nick Clifton <nickc@sourceware.org>: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=72c61a0d1ef445f99305859b66450da60ec6e0cb commit 72c61a0d1ef445f99305859b66450da60ec6e0cb Author: Nick Clifton <nickc@redhat.com> Date: Mon Jan 12 16:08:41 2015 +0000 More fixes for memory access errors when running readelf on fuzzed binaries. PR binutils/17531 * dwarf.c (process_debug_info): Check for abbrev_base being larger than the section size. (process_cu_tu_index): Use xcalloc2 to allocate the CU and TU arrays. (xcalloc2): New function. Like xcalloc, but checks for overflow. * dwarf.h (xcalloc2): Prototype.
Hi Alexander, > Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D` > Errors: > 4 Conditional jump or move depends on uninitialised value(s) > 1 Invalid read of size ... > 1 Process terminating with default action of signal 11 (SIGSEGV) > 1 Use of uninitialised value of size ... Fixed. :-) Cheers Nick
The master branch has been updated by Nick Clifton <nickc@sourceware.org>: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=1306a7421c764d1f5e2a08afdb9b5818662c9e9c commit 1306a7421c764d1f5e2a08afdb9b5818662c9e9c Author: Nick Clifton <nickc@redhat.com> Date: Mon Jan 12 17:28:55 2015 +0000 Another fix for memory access errors triggered by running readelf on a corrupt binary. PR binutils/17531 * dwarf.c (display_debug_addr): Use xcalloc to allocate the debug_addr_info array. Check for an address_base that is too large.
Hi Alexander, > Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D` > Errors: > 6 Conditional jump or move depends on uninitialised value(s) > 8 Invalid read of size ... > 1 Process terminating with default action of signal 11 (SIGSEGV) > 1 Use of uninitialised value of size ... Also fixed. Cheers Nick
On Mon, 12 Jan 2015, cvs-commit at gcc dot gnu.org wrote: > (xcalloc2): New function. Like xcalloc, but checks for overflow. > * dwarf.h (xcalloc2): Prototype. This should not be needed. xcalloc calls calloc, which should check for overflow itself. I see libiberty has a broken version of calloc, but since calloc is a C89 function no modern system should be using libiberty's version. If we wish to allow for systems with broken calloc, libiberty's configure should detect such systems (based on a blacklist of broken systems) and substitute a working calloc. (On the other hand, all the allocation macros in libiberty.h that do multiplications do need replacing by versions that check for overflow - that is, the existing macros need to be made to check for overflow, rather than having separate checking and non-checking versions.)
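As an added illustration of the two checks this thread keeps returning to (a get_data style range test that must not wrap when offset and size are combined, and an overflow-checked multiply of the kind xcalloc2 was added for), the following stand-alone C is not readelf's or libiberty's code; the function names and the 64-byte sample file image are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed 64-byte stand-in for a file image.  Only its length matters,
   because every check below is about offsets and sizes, not contents.  */
static const unsigned char sample_file[64] = { 0x7f, 'E', 'L', 'F' };
#define SAMPLE_FILE_SIZE (sizeof sample_file)

/* Overflow-checked multiply.  nmemb * size wraps exactly when
   size > SIZE_MAX / nmemb, so test that before multiplying.  */
static bool size_mul_ok (size_t nmemb, size_t size, size_t *out)
{
  if (nmemb != 0 && size > SIZE_MAX / nmemb)
    return false;
  *out = nmemb * size;
  return true;
}

/* calloc that refuses a wrapping product instead of handing back a tiny
   block that the caller will then index with the unwrapped count.
   Hypothetical stand-in for a checked allocator; it returns NULL rather
   than aborting so that a tool can warn and keep going.  */
static void *checked_calloc (size_t nmemb, size_t size)
{
  size_t total;
  if (!size_mul_ok (nmemb, size, &total))
    return NULL;
  return calloc (nmemb, size);
}

/* Is [offset, offset + nmemb * size) inside a file of file_size bytes?
   Written with subtractions so that neither the product nor the end
   offset can wrap around to "before the start of the file".  */
static bool range_in_file (size_t file_size, size_t offset,
                           size_t nmemb, size_t size, size_t *total_out)
{
  size_t total;
  if (!size_mul_ok (nmemb, size, &total))
    return false;                 /* header-supplied count * entsize wraps */
  if (offset > file_size)
    return false;                 /* start lies beyond end of file */
  if (total > file_size - offset)
    return false;                 /* extent runs past end of file */
  *total_out = total;
  return true;
}

/* Hypothetical analogue of a get_data-style accessor: a pointer into the
   image on success, NULL (with a diagnostic when reason is non-NULL)
   when the requested range is not entirely inside the file.  */
static const unsigned char *
get_data_checked (const unsigned char *file, size_t file_size,
                  size_t offset, size_t nmemb, size_t size,
                  const char *reason)
{
  size_t total;
  if (!range_in_file (file_size, offset, nmemb, size, &total))
    {
      if (reason != NULL)
        fprintf (stderr, "warning: %s: offset 0x%zx, %zu x %zu bytes lies "
                 "outside a %zu byte file\n", reason, offset, nmemb, size,
                 file_size);
      return NULL;
    }
  return file + offset;
}

int main (void)
{
  /* A sane table: 4 entries of 8 bytes starting at offset 16.  */
  const unsigned char *ok = get_data_checked (sample_file, SAMPLE_FILE_SIZE,
                                              16, 4, 8, "section headers");
  /* A fuzzed header: an entry count so large that count * entsize wraps
     to zero, which an unchecked offset + count * entsize would accept.  */
  const unsigned char *bad = get_data_checked (sample_file, SAMPLE_FILE_SIZE,
                                               16, SIZE_MAX / 4 + 1, 8,
                                               "symbol table");
  printf ("sane table: %s, wrapped table: %s\n",
          ok ? "accepted" : "rejected", bad ? "accepted" : "rejected");

  void *p = checked_calloc (SIZE_MAX / 2, 4);  /* product wraps: NULL */
  printf ("checked_calloc (SIZE_MAX / 2, 4) -> %s\n", p ? "non-NULL" : "NULL");
  free (p);
  return 0;
}
```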
Created attachment 8095 [details] Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D` (32-bit) More problems found with 32-bit binutils: built with -m32 on 64-bit host. ---------------------------------------------------------------------- valgrind Files: 39 Errors: 39 Conditional jump or move depends on uninitialised value(s) 105 Invalid read of size ... 1 Invalid write of size ... 24 Process terminating with default action of signal 11 (SIGSEGV) 7 Use of uninitialised value of size ... ---------------------------------------------------------------------- gdb Files: 4 Errors: 4 No assertion info in gdb backtrace. ---------------------------------------------------------------------- catchsegv Files: 11 Errors: 11 *** Segmentation fault
The master branch has been updated by Nick Clifton <nickc@sourceware.org>: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=570286220e28e606e199b37a06cd199cadb592ba commit 570286220e28e606e199b37a06cd199cadb592ba Author: Nick Clifton <nickc@redhat.com> Date: Tue Feb 3 20:42:36 2015 +0000 Fix memory access violations triggered by running readelf on fuzzed binaries. PR binutils/17531 * dwarf.c (process_debug_info): Add range check. (display_debug_pubnames_worker): Likewise. (display_gdb_index): Fix range check. (process_cu_tu_index): Add range check. * readelf.c (get_data): Change parameter types from size_t to bfd_size_type. Add checks for loss of accuracy when casting from bfd_size_type to size_t. (get_dynamic_data): Likewise. (process_section_groups): Limit number of error messages.
Hi Alexander, > Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D` (32-bit) > More problems found with 32-bit binutils: built with -m32 on 64-bit host. > 39 Conditional jump or move depends on uninitialised value(s) > 105 Invalid read of size ... > 1 InvalHi Alexander, > 24 Process terminating with default action of signal 11 (SIGSEGV) > 7 Use of uninitialised value of size ... These should all be fixed now. Cheers Nick
Hi Nick, (In reply to Nick Clifton from comment #72) > > Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D` (32-bit) > > More problems found with 32-bit binutils: built with -m32 on 64-bit host. > > > 39 Conditional jump or move depends on uninitialised value(s) > > 105 Invalid read of size ... > > 1 InvalHi Alexander, > > 24 Process terminating with default action of signal 11 (SIGSEGV) > > 7 Use of uninitialised value of size ... > > These should all be fixed now. Not sure if it is supposed to be fixed already but the following samples still crash for me (without valgrind): 0239616b 0d903ffb 206b89bd 5b5f0592 705e010d 731b937f 8a415f90 908c0847 e6b58147
The master branch has been updated by Nick Clifton <nickc@sourceware.org>: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f3853b34448594744f284fa96f26e41fd533a50d commit f3853b34448594744f284fa96f26e41fd533a50d Author: Nick Clifton <nickc@redhat.com> Date: Wed Feb 4 10:40:05 2015 +0000 More fixes for memory access violations triggered by running readelf on fuzzed binaries. PR binutils/17531 * dwarf.c (read_and_display_attr_value): Test for a block length being so long that it wraps around to before the start of the block. (process_debug_info): Test for section_begin wrapping around to before the start of the section. (display_gdb_index): Test for num_cus being so large that the end address wraps around to before the start of the section. (process_cu_tu_index): Test for j being so large that the section index pool wraps around to before the start of the section.
Hi Alexander, > Not sure if it supposed to be fixed already but the following samples still > crash for me (without valgrind): > > 0239616b > 0d903ffb > 206b89bd > 5b5f0592 > 705e010d > 731b937f > 8a415f90 > 908c0847 > e6b58147 Fascinating. Valgrind was actually preventing the seg-faults from occurring. I would never have suspected that. Anyway, I have checked in another patch and these tests should all pass now, both with and without valgrind. Cheers Nick
Created attachment 8102 [details] Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D` (32-bit) Files: 2 Errors: 8 Conditional jump or move depends on uninitialised value(s) 1 Invalid write of size ... 1 Process terminating with default action of signal 11 (SIGSEGV) 2 Use of uninitialised value of size ...
(In reply to Nick Clifton from comment #75) > Fascinating. Valgrind was actually preventing the seg-faults from > occurring. I would never have suspected that. It happens sometimes, and it's kinda documented -- http://valgrind.org/docs/manual/faq.html#faq.crashes . In such cases I provide the output from the catchsegv(1) instead of valgrind log. Previous example: https://sourceware.org/bugzilla/show_bug.cgi?id=17512#c125 Probably I should have described it better...
The master branch has been updated by Nick Clifton <nickc@sourceware.org>: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=8490fb409a37072389da7cafc3a92255e9a34c98 commit 8490fb409a37072389da7cafc3a92255e9a34c98 Author: Nick Clifton <nickc@redhat.com> Date: Fri Feb 6 12:19:20 2015 +0000 Fix memory access violations triggered by processing fuzzed binaries with a 32-bit version of readelf, compiled on a 64-bit host. PR binutils/17531 * dwarf.c (xcmalloc): Fail if the arguments are too big. (xcrealloc): Likewise. (xcalloc2): Likewise.
The master branch has been updated by Nick Clifton <nickc@sourceware.org>: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=55325047241cf38dae3c6a577561c740a9024bf3 commit 55325047241cf38dae3c6a577561c740a9024bf3 Author: Nick Clifton <nickc@redhat.com> Date: Fri Feb 6 12:59:25 2015 +0000 Fix an invalid memory access triggered by running readelf on a fuzzed binary. PR binutils/17531 * readelf.c (process_mips_specific): Fail if an option has an invalid size.
Hi Alexander, > Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D` (32-bit) > Errors: > 8 Conditional jump or move depends on uninitialised value(s) > 1 Invalid write of size ... > 1 Process terminating with default action of signal 11 (SIGSEGV) > 2 Use of uninitialised value of size ... These should all be fixed now. Cheers Nick
Created attachment 8107 [details] Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D` (32-bit) I've started to build binutils with some hardening features turned on (still 32-bit). It doesn't make a difference for these particular samples but it could in the future. Exact `configure` command-line is in configure.txt inside the archive. ---------------------------------------------------------------------- valgrind Files: 2 Errors: 8 Conditional jump or move depends on uninitialised value(s) 1 Invalid read of size ... 1 Process terminating with default action of signal 11 (SIGSEGV) 2 Use of uninitialised value of size ...
Created attachment 8108 [details] Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D` (32-bit) -- ubsan

This is an experimental report. Attached samples expose undefined behavior. The errors are collected with binutils built with gcc-4.9 -fsanitize=undefined (exact configure is in configure-ubsan.txt). If it's useful I'll integrate it into the usual reports. If it's not useful feel free to ignore it.

----------------------------------------------------------------------
ubsan
Files: 12
Errors:
1 ../../../source/binutils/dwarf.c:2771:3: runtime error: variable length array bound evaluates to non-positive value ...
1 ../../../source/binutils/dwarf.c:279:45: runtime error: shift exponent ... is too large for 64-bit type 'long long unsigned int'
1 ../../../source/binutils/dwarf.c:3781:4: runtime error: variable length array bound evaluates to non-positive value ...
1 ../../../source/binutils/dwarf.c:451:7: runtime error: variable length array bound evaluates to non-positive value ...
1 ../../../source/binutils/dwarf.c:5884:6: runtime error: variable length array bound evaluates to non-positive value ...
1 ../../../source/binutils/dwarf.c:5892:4: runtime error: variable length array bound evaluates to non-positive value ...
1 ../../../source/binutils/dwarf.c:6431:3: runtime error: signed integer overflow: ... * ... cannot be represented in type 'int'
1 ../../../source/binutils/dwarf.c:6437:29: runtime error: signed integer overflow: ... * ... cannot be represented in type 'int'
1 ../../../source/binutils/dwarf.c:6447:3: runtime error: signed integer overflow: ... * ... cannot be represented in type 'int'
1 ../../../source/binutils/dwarf.c:6453:29: runtime error: signed integer overflow: ... * ... cannot be represented in type 'int'
1 ../../../source/binutils/dwarf.c:6460:40: runtime error: signed integer overflow: ... * ... cannot be represented in type 'int'
1 ../../../source/binutils/dwarf.c:6469:40: runtime error: signed integer overflow: ... * ... cannot be represented in type 'int'
1 ../../../source/binutils/readelf.c:15068:46: runtime error: signed integer overflow: ... - ... cannot be represented in type 'int'
1 ../../../source/binutils/readelf.c:1615:7: runtime error: negation of ... cannot be represented in type 'long long int'; cast to an unsigned type to negate this value to itself
1 ../../../source/binutils/readelf.c:1627:6: runtime error: negation of ... cannot be represented in type 'long long int'; cast to an unsigned type to negate this value to itself
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=03a91817f163986f10cb843f58e2f2cd9186e4f0

commit 03a91817f163986f10cb843f58e2f2cd9186e4f0
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Feb 10 17:13:31 2015 +0000

    Fixes for memory access violations triggered by running readelf on fuzzed binaries.

        PR binutils/17531
        * dwarf.c (process_debug_info): Zero the debug information array since correct initialisation cannot be relied upon.
        (process_cu_tu_index): Improve range checks.
Hi Alexander,

> Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D` (32-bit)
> Errors:
>   8 Conditional jump or move depends on uninitialised value(s)
>   1 Invalid read of size ...
>   1 Process terminating with default action of signal 11 (SIGSEGV)
>   2 Use of uninitialised value of size ...

Fixed.

Cheers
  Nick
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=834f871cdc6e5d9f5bda9ce607fd3c47f41a2ade

commit 834f871cdc6e5d9f5bda9ce607fd3c47f41a2ade
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Feb 10 17:53:53 2015 +0000

    Fix memory access violations discovered by running readelf compiled with undefined memory access sanitization on fuzzed binaries.

        PR binutils/17531
        * dwarf.c (display_debug_pubnames_worker): Use dwarf_vma type for offset.
        * readelf.c (dump_relocations): Handle printing offsets which are MIN_INT.
        (process_corefile_note_segment): Add range check of the namesz field.
Hi Alexander,

> Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D` (32-bit) -- ubsan
> This is an experimental report. Attached samples expose undefined behavior.
> The errors are collected with binutils built with gcc-4.9
> -fsanitize=undefined (exact configure is in configure-ubsan.txt).
>
> If it's useful I'll integrate it into the usual reports. If it's not useful
> feel free to ignore it.

I do find it useful, so please do integrate it into your reports.

> Errors:
>   1 ../../../source/binutils/dwarf.c:2771:3: runtime error: variable length array bound evaluates to non-positive value ...
>   1 ../../../source/binutils/dwarf.c:279:45: runtime error: shift exponent ... is too large for 64-bit type 'long long unsigned int'
>   1 ../../../source/binutils/dwarf.c:3781:4: runtime error: variable length array bound evaluates to non-positive value ...
>   1 ../../../source/binutils/dwarf.c:451:7: runtime error: variable length array bound evaluates to non-positive value ...
>   1 ../../../source/binutils/dwarf.c:5884:6: runtime error: variable length array bound evaluates to non-positive value ...
>   1 ../../../source/binutils/dwarf.c:5892:4: runtime error: variable length array bound evaluates to non-positive value ...
>   1 ../../../source/binutils/dwarf.c:6431:3: runtime error: signed integer overflow: ... * ... cannot be represented in type 'int'
>   1 ../../../source/binutils/dwarf.c:6437:29: runtime error: signed integer overflow: ... * ... cannot be represented in type 'int'
>   1 ../../../source/binutils/dwarf.c:6447:3: runtime error: signed integer overflow: ... * ... cannot be represented in type 'int'
>   1 ../../../source/binutils/dwarf.c:6453:29: runtime error: signed integer overflow: ... * ... cannot be represented in type 'int'
>   1 ../../../source/binutils/dwarf.c:6460:40: runtime error: signed integer overflow: ... * ... cannot be represented in type 'int'
>   1 ../../../source/binutils/dwarf.c:6469:40: runtime error: signed integer overflow: ... * ... cannot be represented in type 'int'
>   1 ../../../source/binutils/readelf.c:15068:46: runtime error: signed integer overflow: ... - ... cannot be represented in type 'int'
>   1 ../../../source/binutils/readelf.c:1615:7: runtime error: negation of ... cannot be represented in type 'long long int'; cast to an unsigned type to negate this value to itself
>   1 ../../../source/binutils/readelf.c:1627:6: runtime error: negation of ... cannot be represented in type 'long long int'; cast to an unsigned type to negate this value to itself

These should all be fixed now.

Cheers
  Nick
Created attachment 8119 [details]
Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D` (32-bit)

valgrind

Files: 1
Errors:
  1 Invalid read of size ...
  1 Process terminating with default action of signal 11 (SIGSEGV)

----------------------------------------------------------------------
catchsegv

Files: 2
Errors:
  2 *** Segmentation fault
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=362beea4b400bcd5aca3bb1215a77e9e749b07fe

commit 362beea4b400bcd5aca3bb1215a77e9e749b07fe
Author: Nick Clifton <nickc@redhat.com>
Date:   Wed Feb 11 13:05:04 2015 +0000

    Fixes for invalid memory accesses triggered by running readelf on fuzzed binaries.

        PR binutils/17531
        * dwarf.c (display_debug_pubnames_worker): Work around compiler bug checking address ranges.
        (display_debug_frames): Likewise.
        (display_gdb_index): Likewise.
        (process_cu_tu_index): Add range check on the ncols value.
Hi Alexander,

> Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D` (32-bit)
> Errors:
>   1 Invalid read of size ...
>   1 Process terminating with default action of signal 11 (SIGSEGV)

Fixed.

Cheers
  Nick
Created attachment 8124 [details]
Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D` (32-bit)

catchsegv (crashes without valgrind only)

Files: 2
Errors:
  2 *** Segmentation fault
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ffc0f143c74a7d49f6d1ae3f835e404ef4e56772

commit ffc0f143c74a7d49f6d1ae3f835e404ef4e56772
Author: Nick Clifton <nickc@redhat.com>
Date:   Fri Feb 13 14:17:18 2015 +0000

    Fixes for memory access violations triggered by running readelf on fuzzed binaries.

        PR binutils/17531
        * dwarf.c (display_debug_aranges): Add check for an excessive ar_length value.
        (process_cu_tu_index): Check for a row * columns sum being too large.
Hi Alexander,

> Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D` (32-bit)
> Files: 2
> Errors:
>   2 *** Segmentation fault

Fixed.

Cheers
  Nick
Created attachment 8127 [details]
Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D` (32-bit)

valgrind

Files: 1
Errors:
  5 Invalid read of size ...
Hi Alexander,

(In reply to Alexander Cherepanov from comment #93)
> Created attachment 8127 [details]
> Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms -D` (32-bit)
>
> valgrind
>
> Files: 1
> Errors:
>   5 Invalid read of size ...

I cannot reproduce these failures. :-{ Maybe they have already been fixed by one of the patches for PR 17512 ?

Cheers
  Nick
The binutils-2_25-branch branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=1dead8aee09e9ba148f6f44040122f62b5e4acea

commit 1dead8aee09e9ba148f6f44040122f62b5e4acea
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Mar 24 10:30:34 2015 +0000

    Import security fixes for readelf from the master branch:

    2015-02-26  Nick Clifton  <nickc@redhat.com>

        PR binutils/17512
        * readelf.c (process_corefile_note_segment): Check for inote.descdata extending beyond the end of the section.
        (process_v850_notes): Likewise.

    2015-02-24  Mike Frysinger  <vapier@gentoo.org>

        PR binutils/17531
        * readelf.c (process_symbol_table): Declare chained. Increment it in every loop. Abort when chained is larger than nchains. Move error check outside of chain loop.

    2015-02-10  Nick Clifton  <nickc@redhat.com>

        PR binutils/17531
        * readelf.c (dump_relocations): Handle printing offsets which are MIN_INT.
        (process_corefile_note_segment): Add range check of the namesz field.

    2015-02-06  Nick Clifton  <nickc@redhat.com>

        * readelf.c (process_mips_specific): Fail if an option has an invalid size.

    2015-02-03  Nick Clifton  <nickc@redhat.com>

        PR binutils/17531
        * readelf.c (get_data): Change parameter types from size_t to bfd_size_type. Add checks for loss of accuracy when casting from bfd_size_type to size_t.
        (get_dynamic_data): Likewise.
        (process_section_groups): Limit number of error messages.

    2015-01-05  Nick Clifton  <nickc@redhat.com>

        * readelf.c (slurp_ia64_unwind_table): Warn if the reloc could not be identified.
        (dynamic_section_mips_val): Warn if the timestamp is invalid.
        (print_mips_got_entry): Add a data_end parameter. Warn if a read would go beyond the end of the data, and return an error value.
        (process_mips_specific): Do not read options from beyond the end of the section. Correct code to display optional data at the end of an option. Warn if there are too many GOT symbols. Update calls to print_mips_got_entry, and handle error returns.

    2014-12-08  Nick Clifton  <nickc@redhat.com>

        PR binutils/17531
        * readelf.c (dump_ia64_unwind): Add range checks.
        (slurp_ia64_unwind_table): Change to a boolean function. Add range checks.
        (process_version_sections): Add range checks.
        (get_symbol_version_string): Add check for missing section headers.

    2014-12-03  Nick Clifton  <nickc@redhat.com>

        PR binutils/17531
        * readelf.c (get_machine_flags): Replace call to abort with a warning message and a return value.
        (get_elf_section_flags): Likewise.
        (get_symbol_visibility): Likewise.
        (get_ia64_symbol_other): Likewise.
        (get_ia64_symbol_other): Likewise.
        (is_32bit_abs_reloc): Likewise.
        (apply_relocations): Likewise.
        (display_arm_attribute): Likewise.

    2014-12-01  Nick Clifton  <nickc@redhat.com>

        PR binutils/17512
        * dwarf.h (struct dwarf_section): Add user_data field.
        * dwarf.c (frame_need_space): Check for an over large register number.
        (display_debug_frames): Check the return value from frame_need_space. Check for a CFA expression that is so long the start address wraps around.
        (debug_displays): Initialise the user_data field.
        * objdump.c (load_specific_debug_section): Save the BFD section pointer in the user_data field of the dwarf_section structure.
        (free_debug_section): Update BFD section data when freeing section contents.
        * readelf.c (load_specific_debug_section): Initialise the user_data field.

    2014-12-01  Nick Clifton  <nickc@redhat.com>

        PR binutils/17531
        * readelf.c (process_archive): Add range checks.

    2014-11-28  Alan Modra  <amodra@gmail.com>

        * readelf.c (get_32bit_elf_symbols): Cast bfd_size_type values to unsigned long for %lx.
        (get_64bit_elf_symbols, process_section_groups): Likewise.

    2014-11-27  Espen Grindhaug  <espen@grindhaug.org>
                Nick Clifton  <nickc@redhat.com>

        PR binutils/17531
        * readelf.c (get_data): Move excessive length check to earlier on in the function and allow for wraparound in the arithmetic.
        (get_32bit_elf_symbols): Terminate early if the section size is zero. Check for an invalid sh_entsize. Check for an index section with an invalid size.
        (get_64bit_elf_symbols): Likewise.
        (process_section_groups): Check for an invalid sh_entsize.

    2014-11-21  Nick Clifton  <nickc@redhat.com>

        PR binutils/17531
        * readelf.c (process_version_sections): Prevent an infinite loop processing corrupt version need data.
        (process_corefile_note_segment): Handle corrupt notes.

    2014-11-18  Nick Clifton  <nickc@redhat.com>

        PR binutils/17531
        * readelf.c (get_unwind_section_word): Skip reloc processing if there are no relocs associated with the section.
        (decode_tic6x_unwind_bytecode): Warn and return if the stack pointer adjustment falls off the end of the buffer.
The binutils-2_25-branch branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=304a2b6fe67786b45889a784bf71aabf2a9d26fd

commit 304a2b6fe67786b45889a784bf71aabf2a9d26fd
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Mar 24 11:31:37 2015 +0000

    Import fixes for invalid memory access issues in the binutils DWARF parser from the trunk sources.

        PR binutils/17512
        * dwarf.c (display_debug_loc): Pacify the undefined behaviour sanitizer by simplifying address difference calculation.
        (struct Frame_Chunk): Change type of cfa_offset to dwarf_vma in order to avoid arithmetic overflows.
        (frame_display_row): Cast cfa_offset before printing it.
        (display_debug_frames): Likewise. Check for an unexpected segment size. Change type of 'l' local to dwarf_vma and cast it back to an int when printing.
        (process_cu_tu_index): Tighten check for an invalid ncols value.
        * readelf.c (process_corefile_note_segment): Check for inote.descdata extending beyond the end of the section.
        (process_v850_notes): Likewise.

    2015-02-13  Nick Clifton  <nickc@redhat.com>

        PR binutils/17512
        * dwarf.c (read_leb128): Fix test for shift becoming too large.

        PR binutils/17531
        * dwarf.c (display_debug_aranges): Add check for an excessive ar_length value.
        (process_cu_tu_index): Check for a row * columns sum being too large.

    2015-02-13  Alan Modra  <amodra@gmail.com>

        * dwarf.c: Formatting, whitespace.
        (process_debug_info): Style fix.

    2015-02-11  Nick Clifton  <nickc@redhat.com>

        PR binutils/17531
        * dwarf.c (display_debug_pubnames_worker): Work around compiler bug checking address ranges.
        (display_debug_frames): Likewise.
        (display_gdb_index): Likewise.
        (process_cu_tu_index): Add range check on the ncols value.

    2015-02-10  Nick Clifton  <nickc@redhat.com>

        PR binutils/17512
        * dwarf.c (eh_addr_size): Use an unsigned type.
        (size_of_encoded_value): Return an unsigned type.
        (read_leb128): Break if the shift becomes too big.
        (process_extended_line_op): Do not read the address if the length is too long.
        (read_cie): Warn and fail if the pointer size or segment size are too big.
        * dwarf.h (DWARF2_External_LineInfo): Delete unused and incorrect structure definition.
        (DWARF2_External_PubNames): Likewise.
        (DWARF2_External_CompUnit): Likewise.
        (DWARF2_External_ARange): Likewise.
        (DWARF2_Internal_LineInfo): Use dwarf_vma type for li_prologue_length.
        (eh_addr_size): Update prototype.

        PR binutils/17531
        * dwarf.c (process_debug_info): Zero the debug information array since correct initialisation cannot be relied upon.
        (process_cu_tu_index): Improve range checks.

        PR binutils/17531
        * dwarf.c (display_debug_pubnames_worker): Use dwarf_vma type for offset.

    2015-02-06  Nick Clifton  <nickc@redhat.com>

        PR binutils/17512
        * dwarf.c (display_debug_frames): Fix range checks to work on 32-bit binaries compiled on a 64-bit host.

        PR binutils/17531
        * dwarf.c (xcmalloc): Fail if the arguments are too big.
        (xcrealloc): Likewise.
        (xcalloc2): Likewise.
        * readelf.c (process_mips_specific): Fail if an option has an invalid size.

    2015-02-05  Alan Modra  <amodra@gmail.com>

        PR binutils/17926
        * dwarf.c (dwarf_select_sections_by_letters): Don't refer to optarg.

    2015-02-04  Nick Clifton  <nickc@redhat.com>

        PR binutils/17531
        * dwarf.c (read_and_display_attr_value): Test for a block length being so long that it wraps around to before the start of the block.
        (process_debug_info): Test for section_begin wrapping around to before the start of the section.
        (display_gdb_index): Test for num_cus being so large that the end address wraps around to before the start of the section.
        (process_cu_tu_index): Test for j being so large that the section index pool wraps around to before the start of the section.

    2015-02-03  Nick Clifton  <nickc@redhat.com>

        PR binutils/17531
        * dwarf.c (process_debug_info): Add range check.
        (display_debug_pubnames_worker): Likewise.
        (display_gdb_index): Fix range check.
        (process_cu_tu_index): Add range check.
        * readelf.c (get_data): Change parameter types from size_t to bfd_size_type. Add checks for loss of accuracy when casting from bfd_size_type to size_t.
        (get_dynamic_data): Likewise.
        (process_section_groups): Limit number of error messages.

    2015-01-12  H.J. Lu  <hongjiu.lu@intel.com>

        * dwarf.c (process_debug_info): Properly check abbrev size.

    2015-01-12  Nick Clifton  <nickc@redhat.com>

        PR binutils/17531
        * dwarf.c (process_debug_info): Check for abbrev_base being larger than the section size.
        (process_cu_tu_index): Use xcalloc2 to allocate the CU and TU arrays.
        (xcalloc2): New function. Like xcalloc, but checks for overflow.
        (display_debug_addr): Use xcalloc to allocate the debug_addr_info array. Check for an address_base that is too large.
        * dwarf.h (xcalloc2): Prototype.

    2015-01-05  Nick Clifton  <nickc@redhat.com>

        PR binutils/17531
        * dwarf.c (alloc_num_debug_info_entries): New variable.
        (process_debug_info): Set it. Use it to avoid displaying attributes for which there is no info.
        (display_debug_abbrev): Check that the debug_info_entry index is valid before using it.
        (display_loc_list_dwo): Likewise.
        (process_cu_tu_index): Add range check for an overlarge dw_sect value.
        (free_debug_memory): Reset alloc_num_debug_info_entries.

    2014-12-22  Nick Clifton  <nickc@redhat.com>

        PR binutils/17531
        * dwarf.c (decode_location_expression): Check for an out of range value for a DW_OP_GNU_entry_value expression.
        (display_debug_lines_raw): Check for a partial .debug_line section being encountered without a prior, full .debug_line section.
        (display_debug_lines_decoded): Likewise. Also check for li_line_range being zero.
        (display_debug_pubnames_worker): Check for an invalid pn_length field.
        (read_cie): Add range checks.

    2014-12-11  Nick Clifton  <nickc@redhat.com>

        PR binutils/17512
        * dwarf.c (display_gdb_index): Add more range checks.

    2014-12-08  Nick Clifton  <nickc@redhat.com>

        PR binutils/17531
        * dwarf.c (display_debug_frames): Check for a negative augmentation data length.
        (display_gdb_index): Check for invalid offsets.

    2014-12-01  H.J. Lu  <hongjiu.lu@intel.com>

        * dwarf.c (process_cu_tu_index): Properly check for an out of range row index.

    2014-12-01  Nick Clifton  <nickc@redhat.com>

        PR binutils/17512
        * dwarf.h (struct dwarf_section): Add user_data field.
        * dwarf.c (frame_need_space): Check for an over large register number.
        (display_debug_frames): Check the return value from frame_need_space. Check for a CFA expression that is so long the start address wraps around.
        (debug_displays): Initialise the user_data field.
        * objdump.c (load_specific_debug_section): Save the BFD section pointer in the user_data field of the dwarf_section structure.
        (free_debug_section): Update BFD section data when freeing section contents.
        * readelf.c (load_specific_debug_section): Initialise the user_data field.

    2014-12-01  Nick Clifton  <nickc@redhat.com>

        PR binutils/17531
        * dwarf.c (process_cu_tu_index): Check for an out of range row index.
        * elfcomm.c (adjust_relative_path): Change name_len parameter to an unsigned long. Check for path length overflow.
        (process_archive_index_and_symbols): Check for invalid header size.
        (setup_archive): Add checks for invalid archives.
        (get_archive_member_name): Add range checks.
        * elfcomm.h (adjust_relative_path): Update prototype.
        * readelf.c (process_archive): Add range checks.

    2014-11-26  Nick Clifton  <nickc@redhat.com>

        PR binutils/17512
        * dwarf.c (display_block): Do nothing if the block starts after the end of the buffer.
        (read_and_display_attr_value): Add range checks.
        (struct Frame_Chunk): Make the ncols and ra fields unsigned.
        (frame_need_space): Test for an ncols of zero.
        (read_cie): Fail if the augmentation data extends off the end of the buffer.
        (display_debug_frames): Add checks for read_cie failing. Add range checks.

    2014-11-21  Nick Clifton  <nickc@redhat.com>

        PR binutils/17512
        * dwarf.c (get_encoded_value): Check for an encoded size of 0.
        (display_debug_lines_raw): Check for an invalid line range value.
        (display_debug_frames): Check for corrupt augmentation data.

    2014-11-19  Jan-Benedict Glaw  <jbglaw@lug-owl.de>

        * dwarf.c (process_extended_line_op): Fix signedness warning.

    2014-11-18  Nick Clifton  <nickc@redhat.com>

        PR binutils/17512
        * dwarf.c (get_encoded_value): Warn and return if the encoded value is more than 64-bits long.
        (SAFE_BYTE_GET): Do not attempt to read more than 64-bits.
        (process_extended_line_op): Add more range checks.
        (decode_location_expression): Use the return value from display_block. Add more range checks.
        (read_debug_line_header): Add range check.
        (display_debug_lines_raw): Add range checks.
        (display_debug_frames): Silently skip multiple zero terminators. Add range checks.
        (process_cu_tu_index): Check for non-existent or empty sections. Use SAFE_BYTE_GET instead of byte_get.
*** Bug 19518 has been marked as a duplicate of this bug. ***
The master branch has been updated by Maciej W. Rozycki <macro@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=c9f02c3e29498fd9ecb1a9719c317c305fe509ae

commit c9f02c3e29498fd9ecb1a9719c317c305fe509ae
Author: Maciej W. Rozycki <macro@imgtec.com>
Date:   Thu Feb 23 18:16:11 2017 +0000

    readelf: Fix incorrect "Version definition past end of section" message

    Fix a commit 74e1a04b9787 ("More fixes for reading corrupt ELF files.") `readelf --version-info' regression that caused "Version definition past end of section" to be always printed at the end, even with good section data. For example with the `mips-linux' target we get:

    $ cat ver_def.s
    	.data
    	.globl	new_foo
    	.type	new_foo, %object
    new_foo:
    	.symver	new_foo, foo@@ver_foo
    $ cat ver_def.ver
    { global: *foo*; local: *; };
    $ as -o ver_def.o ver_def.s
    $ ld -e 0 --export-dynamic --version-script=ver_def.ver -o ver_def ver_def.o
    $ readelf -V ver_def

    Version symbols section '.gnu.version' contains 4 entries:
     Addr: 000000000000007e  Offset: 0x01007e  Link: 2 (.dynsym)
      000:   0 (*local*)       2 (ver_foo)       1 (*global*)      2 (ver_foo)

    Version definition section '.gnu.version_d' contains 2 entries:
      Addr: 0x0000000000000088  Offset: 0x010088  Link: 3 (.dynstr)
      000000: Rev: 1  Flags: BASE   Index: 1  Cnt: 1  Name: ver_def
      0x001c: Rev: 1  Flags: none  Index: 2  Cnt: 1  Name: ver_foo
      Version definition past end of section
    $

    The cause is the `if (idx + ent.vd_next <= idx)' condition introduced to ensure forward progress, which however always triggers for good version definition section data as the last entry will have its `vd_next' value set to 0. Adjust the condition then, to say `if (idx + ent.vd_next < idx)' instead and to ensure forward progress limit the number of entries processed to the size of the version definition section, removing the problematic message from output quoted above, while ensuring the original PR 17531 test case is still handled gracefully.

    Add a suitable test case so that we have `readelf --version-info' coverage; due to the lack of infrastructure needed to run the linker in the `binutils' test suite and limited justification to implement it add a new `readelf.exp' script to the `ld' test suite instead, intended to gather any `readelf' test cases that require the linker to be run. If ever we decide to have linker infrastructure added to the `binutils' test suite, then the script can be moved between the test suites.

    	binutils/
    	* readelf.c (process_version_sections) <SHT_GNU_verdef>: Limit the number of entries processed by the section size. Don't break out of the loop if `ent.vd_next' is 0.

    	ld/
    	* testsuite/ld-elf/ver_def.d: New test.
    	* testsuite/ld-elf/ver_def.ld: New test linker script.
    	* testsuite/ld-elf/ver_def.ver: New test version script.
    	* testsuite/ld-elf/ver_def.s: New test source.
    	* testsuite/ld-elf/readelf.exp: New test script.
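The forward-progress condition discussed in the commit message above, as an added example that is not readelf's own code and not part of this bug report: a simplified model of the SHT_GNU_verdef loop that walks constructed little-endian Elf32_Verdef entries (the 20-byte Elf32_Verdef and 8-byte Elf32_Verdaux layouts with vd_next at offset 16 are as in <elf.h>; the section bytes, the struct verdef_walk, and the functions walk_verdef and demo_verdef are this example's own assumptions). It runs the regression's `<=` test and the fixed `<` test plus section-size bound side by side: on good data the old test stops at the final entry, whose vd_next is 0, and reports it as past the end, while the fixed loop decodes both entries quietly and still terminates on a constructed vd_next that jumps far beyond the section.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Elf32_Verdef is 20 bytes and Elf32_Verdaux 8 bytes (see <elf.h>);
   vd_next is the last word of a Verdef entry.  Little-endian only.  */
#define VERDEF_SIZE  20
#define VERDAUX_SIZE 8
#define VD_NEXT_OFF  16

/* What a readelf-style walk of .gnu.version_d would end up reporting.  */
struct verdef_walk
{
  unsigned int entries;  /* Verdef headers decoded */
  int past_end;          /* "Version definition past end of section" printed */
};

static uint32_t
rd32 (const unsigned char *p)
{
  return (uint32_t) p[0] | ((uint32_t) p[1] << 8)
         | ((uint32_t) p[2] << 16) | ((uint32_t) p[3] << 24);
}

static void
wr32 (unsigned char *p, uint32_t v)
{
  p[0] = (unsigned char) v;
  p[1] = (unsigned char) (v >> 8);
  p[2] = (unsigned char) (v >> 16);
  p[3] = (unsigned char) (v >> 24);
}

/* Simplified model of the loop described in the commit message (assumed
   shape, not readelf's code).  sh_info is the entry count the section
   header claims.  fixed == 0 reproduces the regression: break as soon as
   idx + vd_next <= idx.  fixed != 0 breaks only if the offset wraps and
   additionally bounds the loop by the section size, so a fuzzed vd_next
   cannot run the walk away from the section.  */
struct verdef_walk
walk_verdef (const unsigned char *sec, size_t size,
             unsigned int sh_info, int fixed)
{
  struct verdef_walk r = { 0, 0 };
  size_t idx = 0;
  unsigned int cnt;

  for (cnt = 0; cnt < sh_info && (!fixed || idx < size); ++cnt)
    {
      uint32_t vd_next;

      if (idx + VERDEF_SIZE > size)   /* the header itself runs off the end */
        break;
      vd_next = rd32 (sec + idx + VD_NEXT_OFF);
      r.entries++;

      if (fixed)
        {
          if (idx + vd_next < idx)    /* offset wrapped: corrupt */
            break;
        }
      else if (idx + vd_next <= idx)  /* fires on every good final entry */
        break;

      idx += vd_next;
    }

  /* readelf prints the message when fewer entries than sh_info were seen.  */
  if (cnt < sh_info)
    r.past_end = 1;
  return r;
}

/* Constructed .gnu.version_d laid out like the ver_def example above:
   Verdef at 0 followed by one Verdaux, second (last) Verdef at 0x1c.  */
#define SAMPLE_SIZE (2 * (VERDEF_SIZE + VERDAUX_SIZE))

struct verdef_walk
demo_verdef (int fuzzed, int fixed)
{
  unsigned char sec[SAMPLE_SIZE];

  memset (sec, 0, sizeof sec);
  wr32 (sec + 0 + VD_NEXT_OFF, VERDEF_SIZE + VERDAUX_SIZE); /* 0 -> 0x1c */
  wr32 (sec + 0x1c + VD_NEXT_OFF, 0);                       /* last entry */
  if (fuzzed)
    wr32 (sec + 0 + VD_NEXT_OFF, 0xfffffff0u);  /* constructed bad vd_next */
  return walk_verdef (sec, sizeof sec, 2, fixed);
}

int
main (void)
{
  struct verdef_walk r;

  r = demo_verdef (0, 0);
  printf ("good data, old test:   %u entries, past_end=%d\n", r.entries, r.past_end);
  r = demo_verdef (0, 1);
  printf ("good data, fixed:      %u entries, past_end=%d\n", r.entries, r.past_end);
  r = demo_verdef (1, 1);
  printf ("fuzzed vd_next, fixed: %u entries, past_end=%d\n", r.entries, r.past_end);
  return 0;
}
```

The `cnt < sh_info` bound is what keeps the fixed loop finite even when a corrupt entry has vd_next == 0 before the end: the walk simply re-reads the same header until the declared count is exhausted, and the size bound stops it if vd_next points outside the section.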
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=6bd6a03d6975a96802b37741a99644570e52a72b

commit 6bd6a03d6975a96802b37741a99644570e52a72b
Author: Alan Modra <amodra@gmail.com>
Date:   Wed Sep 27 15:14:00 2017 +0930

    PR22216, infinite loop in readelf process_symbol_table

    This should make readelf bombproof given a fuzzed DT_HASH. Also removes a bogus check that would have resulted in wrong histograms.

    	PR 22216
    	* readelf.c (process_symbol_table): Check that DT_HASH symbol chains are only visited once, and report an error if not. Display invalid symbol index if chain is out of range. Use the same logic when calculating histograms rather than the PR 17531 fix. Delete bogus check that chained index is less than number of buckets.
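The "visited once" rule from the commit message above, as an added example that is not readelf's code and not part of this bug thread: a walk over a SysV DT_HASH table (nbucket, nchain, bucket[] and chain[] arrays, chain terminated by STN_UNDEF == 0) that marks every symbol index it reaches in a bitmap and stops a chain with an error the moment a link lands on an index already seen or outside [0, nchain). A fuzzed chain[] that forms a cycle therefore ends in a reported error instead of a hang, and the longest chain length that would feed the histogram is computed by the same walk. The struct hash_walk, the functions walk_hash_chains and demo_hash, and the sample tables are this example's own assumptions; the bitmap is sized by nchain, which the caller is assumed to have already checked against the section size.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Summary of walking every bucket chain of a SysV DT_HASH table.  */
struct hash_walk
{
  uint32_t max_length;  /* longest chain seen: the histogram's upper bound */
  uint32_t visited;     /* distinct symbols reached through some chain */
  uint32_t bad_index;   /* links pointing outside [0, nchain) */
  uint32_t revisits;    /* links landing on an already-visited symbol */
};

/* Assumed model of the PR 22216 approach (not readelf's code): each symbol
   index may be visited once across all buckets, so a cyclic or merged
   chain[] is reported and abandoned instead of looping forever.  Indices
   are compared against nchain (the symbol count), not nbucket; the old
   check against the bucket count is the "bogus check" the commit removes.  */
struct hash_walk
walk_hash_chains (const uint32_t *buckets, uint32_t nbucket,
                  const uint32_t *chains, uint32_t nchain)
{
  struct hash_walk r = { 0, 0, 0, 0 };
  unsigned char *seen = calloc (nchain ? nchain : 1, 1);
  uint32_t b;

  if (seen == NULL)
    return r;

  for (b = 0; b < nbucket; ++b)
    {
      uint32_t length = 0;
      uint32_t si = buckets[b];

      while (si != 0)   /* STN_UNDEF (0) terminates a chain */
        {
          if (si >= nchain)
            {
              r.bad_index++;   /* readelf: display the invalid symbol index */
              break;
            }
          if (seen[si])
            {
              r.revisits++;    /* cycle or shared tail: report and stop */
              break;
            }
          seen[si] = 1;
          r.visited++;
          length++;
          si = chains[si];
        }
      if (length > r.max_length)
        r.max_length = length;
    }

  free (seen);
  return r;
}

/* Constructed table: 3 buckets, 6 symbols (index 0 is STN_UNDEF).
   bucket 0: 1 -> 2 -> 3, bucket 1: 4 -> 5, bucket 2: empty.
   fuzz == 1 closes a cycle, fuzz == 2 points a bucket head out of range.  */
struct hash_walk
demo_hash (int fuzz)
{
  uint32_t buckets[3] = { 1, 4, 0 };
  uint32_t chains[6] = { 0, 2, 3, 0, 5, 0 };

  if (fuzz == 1)
    chains[3] = 1;    /* constructed cycle 1 -> 2 -> 3 -> 1 */
  else if (fuzz == 2)
    buckets[2] = 99;  /* constructed out-of-range bucket head */

  return walk_hash_chains (buckets, 3, chains, 6);
}

int
main (void)
{
  int fuzz;

  for (fuzz = 0; fuzz < 3; ++fuzz)
    {
      struct hash_walk r = demo_hash (fuzz);
      printf ("fuzz=%d: max chain %u, visited %u, bad index %u, revisits %u\n",
              fuzz, r.max_length, r.visited, r.bad_index, r.revisits);
    }
  return 0;
}
```

The earlier PR 17531 fix bounded each chain by a counter compared against nchain, which terminates but lets a cycle be walked nchain times per bucket and inflates the histogram; the bitmap makes the total work linear in nchain and reports the corruption at the first repeated link.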
fixed a while ago