Bug 24098 - readelf gets SegFault on crafted input that may cause DoS
Summary: readelf gets SegFault on crafted input that may cause DoS
Status: RESOLVED DUPLICATE of bug 23946
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils (show other bugs)
Version: 2.31
: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
Depends on:
Reported: 2019-01-16 12:56 UTC by Yuyang Rong
Modified: 2019-01-21 13:23 UTC (History)
1 user (show)

See Also:
Last reconfirmed:

3 files that led to crash. (2.86 KB, application/zip)
2019-01-16 12:56 UTC, Yuyang Rong

Note You need to log in before you can comment on or make changes to this bug.
Description Yuyang Rong 2019-01-16 12:56:47 UTC
Created attachment 11541 [details]
3 files that led to crash.

By fuzzing readelf, we have crafted three files that produce SegFaults, and it might cause DoS vulnerabilities.

Crash site: 
      8024: relname = elf_hppa_reloc_type (get_reloc_type (
                filedata, rp->r_info));
      8028: if (! const_strneq (relname, "R_PARISC_SEGREL"))
  In line 8024 relname become NULL when feeded with crafted data. Doing strncmp 
  later on line 8028 on a NULL pointer it is invalid.

Crash cause: 
  According to definition in include/hppa.h:110-496 and 
  include/reloc-marcos.h:95-127, when given "the relocation is not recognised, 
  NULL is returned."(citing comment from include/reloc-marcos.h:97).

Below is a stack printed using gdb.

#0  __strncmp_avx2 () at ../sysdeps/x86_64/multiarch/strcmp-avx2.S:101
No locals.
#1  0x00005555556336f2 in slurp_hppa_unwind_table (filedata=<optimized out>, sec=<optimized out>, 
    aux=<optimized out>) at readelf.c:8028
        nentries = <optimized out>
        size = <optimized out>
        seg = <optimized out>
        table = <optimized out>
        tp = <optimized out>
        relsec = <optimized out>
        nrelas = <optimized out>
        rela = <optimized out>
        relname = 0x0
        sym = <optimized out>
        i = <optimized out>
        rp = <optimized out>
        tep = <optimized out>
        tmp1 = <optimized out>
        tmp2 = <optimized out>
#2  hppa_process_unwind (filedata=<optimized out>) at readelf.c:8115
        num_unwind = <optimized out>
        res = 0
        i = <optimized out>
        sec = <optimized out>
        unwsec = <optimized out>
        aux = <optimized out>
        strsec = <optimized out>
#3  0x00005555555a8135 in process_unwind (filedata=<optimized out>) at readelf.c:9253
        handlers = <optimized out>
#4  process_object (filedata=<optimized out>) at readelf.c:18822
        res = 0
        i = 31
        separates = <optimized out>
#5  0x0000555555577866 in process_file (file_name=<optimized out>) at readelf.c:19259
        armag = "\177ELF\002\003\001"
        ret = 1
        statbuf = <optimized out>
        filedata = <optimized out>
#6  main (argc=<optimized out>, argv=<optimized out>) at readelf.c:19318
        err = 0
Comment 1 Nick Clifton 2019-01-21 13:23:44 UTC
Hi Yuyang,

  Thanks for reporting this problem.  Fortunately it has already been
  solved by commit 726bd37d6c5.


*** This bug has been marked as a duplicate of bug 23946 ***