Created attachment 11331 [details] POC1 Hi, We are doing research on fuzz testing and our fuzzer caught a Negative-size-param problem in the latest elfutils(v0.174) code base. The funciton dwfl_getmodules in dwfl_getmodules.c library does not ensure a non-negative size. Those inputs will cause the Negative-size-param Problem, Segmentation fault. I have confirmed them with address sanitizer. Please use the “ ./eu-readelf $POC -w ” to reproduce the bug. If you have any questions, please let me know. Thank you. The ASAN dumps the stack trace as follows: ==31028==ERROR: AddressSanitizer: negative-size-param: (size=-4) #0 0x7ff2abbf4866 (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x41866) #1 0x4973ad in print_debug_frame_section /media/hjwang/01D3344861A8D2E0/wcventure/Project/elfutils/src/readelf.c:6626 #2 0x4598f3 in print_debug /media/hjwang/01D3344861A8D2E0/wcventure/Project/elfutils/src/readelf.c:11160 #3 0x45e00a in process_elf_file /media/hjwang/01D3344861A8D2E0/wcventure/Project/elfutils/src/readelf.c:996 #4 0x45e00a in process_dwflmod /media/hjwang/01D3344861A8D2E0/wcventure/Project/elfutils/src/readelf.c:760 #5 0x7ff2ab8be2f4 in dwfl_getmodules /media/hjwang/01D3344861A8D2E0/wcventure/Project/elfutils/libdwfl/dwfl_getmodules.c:86 #6 0x40d055 in process_file /media/hjwang/01D3344861A8D2E0/wcventure/Project/elfutils/src/readelf.c:868 #7 0x4058f1 in main /media/hjwang/01D3344861A8D2E0/wcventure/Project/elfutils/src/readelf.c:350 #8 0x7ff2aaf4682f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) #9 0x4064d8 in _start (/media/hjwang/01D3344861A8D2E0/wcventure/Project/elfutils/build/bin/eu-readelf+0x4064d8) Address 0x7ff2acca407d is a wild pointer. SUMMARY: AddressSanitizer: negative-size-param (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x41866) ==31028==ABORTING Aborted
Created attachment 11332 [details] POC2
Created attachment 11333 [details] POC3
Thanks for the report. I retitled the bug to better show where the issue shows up. I posted a fix: https://sourceware.org/ml/elfutils-devel/2018-q4/msg00042.html
commit 72d023b35f3639864b61bd1c11aaadc4957e6286 Author: Mark Wielaard <mark@klomp.org> Date: Tue Oct 16 14:22:33 2018 +0200 readelf: Make sure readp is smaller than cieend in print_debug_frame_section. We could end up with a negative length in a call to memchr. https://sourceware.org/bugzilla/show_bug.cgi?id=23782 Signed-off-by: Mark Wielaard <mark@klomp.org>
It’s a good reference. I’m an IT student and I face lots of difficulties during my projects. https://rheumatologyhelps.com/rheumatology/foods-that-trigger-rheumatology-arthritis/ And this site always saves me. It helps me a lot in my projects. Thank you so much for that.