Bug 25082 - Multiple crashes in eu-unstrip
Summary: Multiple crashes in eu-unstrip
Status: RESOLVED FIXED
Product: elfutils
Classification: Unclassified
Component: tools
Version: unspecified
Importance: P2 normal
Assignee: Mark Wielaard
Reported: 2019-10-08 14:55 UTC by leftcopy.chx
Modified: 2019-10-26 00:11 UTC (History)

Last reconfirmed: 2019-10-21 00:00:00


Attachments
pocs and error messages (61.65 KB, application/x-bzip)
2019-10-08 14:55 UTC, leftcopy.chx
more pocs (41.71 KB, application/x-bzip)
2019-10-09 02:38 UTC, leftcopy.chx
unstrip: Add various checks for bad input data (2.72 KB, patch)
2019-10-21 10:59 UTC, Mark Wielaard

Description leftcopy.chx 2019-10-08 14:55:17 UTC
Created attachment 12033 [details]
pocs and error messages

When executing `./eu-unstrip $FILE ./stripped -o /dev/null`, there might be some crashes if elfutils is built with ASAN. e.g., invalid read at unstrip.c:1661, unstrip.c:1663, unstrip.c:444 and unstrip.c:774.

The relevant files are attached.

ASAN:DEADLYSIGNAL
=================================================================
==19829==ERROR: AddressSanitizer: SEGV on unknown address 0x1000802274a1 (pc 0x5555555673e7 bp 0x7fffffffbd10 sp 0x7fffffffa4e0 T0)
==19829==The signal is caused by a READ memory access.
    #0 0x5555555673e6 in copy_elided_sections /home/hongxu/FOT/Targets/elfutils/eu-asan/src/unstrip.c:1661
    #1 0x55555556bea1 in handle_file /home/hongxu/FOT/Targets/elfutils/eu-asan/src/unstrip.c:2162
    #2 0x55555556c760 in handle_explicit_files /home/hongxu/FOT/Targets/elfutils/eu-asan/src/unstrip.c:2227
    #3 0x55555556f1f6 in main /home/hongxu/FOT/Targets/elfutils/eu-asan/src/unstrip.c:2562
    #4 0x7ffff6596b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #5 0x555555559a89 in _start (/home/hongxu/FOT/Targets/elfutils/eu-asan/install/bin/eu-unstrip+0x5a89)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/hongxu/FOT/Targets/elfutils/eu-asan/src/unstrip.c:1661 in copy_elided_sections
==19829==ABORTING
Comment 1 leftcopy.chx 2019-10-09 02:38:03 UTC
Created attachment 12035 [details]
more pocs
Comment 2 leftcopy.chx 2019-10-09 02:38:45 UTC
Comment on attachment 12035 [details]
more pocs

crashes with different backtraces
Comment 3 Mark Wielaard 2019-10-21 10:59:20 UTC
Created attachment 12047 [details]
unstrip: Add various checks for bad input data

eu-unstrip was clearly not written for bad ELF input files. Not surprisingly because it would be slightly odd to run it on untrusted input, which wasn't just stripped in two.

But I have added a couple of robustness fixes that should at least not make it crash and give an error message that will hopefully explain what is wrong with the input files.
Comment 4 Mark Wielaard 2019-10-26 00:11:39 UTC
commit 90f4bb30381b0354b8b40cd09e68005713bfd69a (HEAD -> master, origin/master, origin/HEAD)
Author: Mark Wielaard <mark@klomp.org>
Date:   Mon Oct 21 10:55:32 2019 +0200

    unstrip: Add various checks for bad input data.
    
    There were various ways to crash eu-unstrip with bad ELF input
    data. Add various tests against bad data and allocate some structures
    on the heap instead of on the stack.
    
    https://sourceware.org/bugzilla/show_bug.cgi?id=25082
    
    Signed-off-by: Mark Wielaard <mark@klomp.org>
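Comment 3 and the commit message above describe the fix in general terms: test file-supplied values against the real input before using them, and move some buffers off the stack. The patch itself is not reproduced on this page. What follows is an added example written for this page, not elfutils code and not the attached patch: a small validator that bounds-checks an ELF64 section header table before it is walked, exercised against a constructed sample image and three constructed corruptions (an out-of-range `sh_link`, an `e_shoff` that would wrap an unchecked addition, and a section size larger than the file). The struct layouts are hand-written to match ELF64; `check_sections`, `build_sample` and `scenario` are names chosen here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hand-written ELF64 layouts (same field order and sizes as <elf.h>) so this
   builds without the system header; both structs are 64 bytes with no padding. */
typedef struct {
  uint8_t  e_ident[16];
  uint16_t e_type, e_machine;
  uint32_t e_version;
  uint64_t e_entry, e_phoff, e_shoff;
  uint32_t e_flags;
  uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} Ehdr;
typedef struct {
  uint32_t sh_name, sh_type;
  uint64_t sh_flags, sh_addr, sh_offset, sh_size;
  uint32_t sh_link, sh_info;
  uint64_t sh_addralign, sh_entsize;
} Shdr;
#define SHT_NOBITS 8
#define FAIL(...) do { snprintf(err, errlen, __VA_ARGS__); return -1; } while (0)

/* Check every file-supplied offset and index in the section table against the
   real buffer length before anything dereferences it.  Returns 0 when the table
   is safe to walk, -1 with a diagnostic in err otherwise (hypothetical helper). */
static int check_sections(const uint8_t *buf, size_t len, char *err, size_t errlen)
{
  Ehdr eh;
  if (len < sizeof eh) FAIL("file too small for an ELF header");
  memcpy(&eh, buf, sizeof eh);
  if (memcmp(eh.e_ident, "\x7f" "ELF", 4) != 0 || eh.e_ident[4] != 2 || eh.e_ident[5] != 1)
    FAIL("not a little-endian ELF64 file");
  if (eh.e_shnum == 0) return 0;                 /* no section table: nothing to walk */
  if (eh.e_shentsize != sizeof (Shdr)) FAIL("bad e_shentsize %u", eh.e_shentsize);
  /* Compare against (len - e_shoff) instead of adding, so a huge e_shoff
     cannot wrap the sum back inside the buffer. */
  uint64_t tabsize = (uint64_t) eh.e_shnum * sizeof (Shdr);
  if (eh.e_shoff > len || tabsize > len - eh.e_shoff)
    FAIL("section table at 0x%llx runs past end of file", (unsigned long long) eh.e_shoff);
  if (eh.e_shstrndx != 0 && eh.e_shstrndx >= eh.e_shnum)
    FAIL("e_shstrndx %u out of range", eh.e_shstrndx);
  for (unsigned i = 0; i < eh.e_shnum; i++) {
    Shdr sh;
    memcpy(&sh, buf + eh.e_shoff + (size_t) i * sizeof sh, sizeof sh);
    if (sh.sh_link >= eh.e_shnum)              /* sh_link is an index into this table */
      FAIL("section %u: sh_link %u out of range", i, sh.sh_link);
    if (sh.sh_type != SHT_NOBITS && (sh.sh_offset > len || sh.sh_size > len - sh.sh_offset))
      FAIL("section %u: data at 0x%llx (+0x%llx) runs past end of file",
           i, (unsigned long long) sh.sh_offset, (unsigned long long) sh.sh_size);
  }
  return 0;
}

/* Constructed sample image: ELF header, a 3-entry section table (NULL, .text,
   .shstrtab), then the section data.  Returns the image length (277 bytes). */
static size_t build_sample(uint8_t *buf, size_t cap)
{
  static const char strtab[] = "\0.text\0.shstrtab";          /* 17 bytes */
  const size_t shoff = sizeof (Ehdr), data = shoff + 3 * sizeof (Shdr);
  const size_t total = data + 4 + sizeof strtab;
  if (cap < total) return 0;
  memset(buf, 0, total);
  Ehdr eh; memset(&eh, 0, sizeof eh);
  memcpy(eh.e_ident, "\x7f" "ELF", 4);
  eh.e_ident[4] = 2; eh.e_ident[5] = 1; eh.e_ident[6] = 1;   /* ELF64, little-endian */
  eh.e_type = 1; eh.e_machine = 62; eh.e_version = 1;        /* ET_REL, x86-64 */
  eh.e_ehsize = sizeof eh; eh.e_shoff = shoff;
  eh.e_shentsize = sizeof (Shdr); eh.e_shnum = 3; eh.e_shstrndx = 2;
  memcpy(buf, &eh, sizeof eh);
  Shdr sh[3]; memset(sh, 0, sizeof sh);
  sh[1].sh_name = 1; sh[1].sh_type = 1; sh[1].sh_flags = 6;  /* .text: PROGBITS, AX */
  sh[1].sh_offset = data; sh[1].sh_size = 4;
  sh[2].sh_name = 7; sh[2].sh_type = 3;                      /* .shstrtab: STRTAB */
  sh[2].sh_offset = data + 4; sh[2].sh_size = sizeof strtab;
  memcpy(buf + shoff, sh, sizeof sh);
  buf[data] = 0xc3;                                          /* .text: a lone ret */
  memcpy(buf + data + 4, strtab, sizeof strtab);
  return total;
}

enum corruption { CORRUPT_NONE, CORRUPT_SH_LINK, CORRUPT_E_SHOFF, CORRUPT_SH_SIZE };

/* Build the sample, overwrite one field with a constructed bad value, return the verdict. */
static int scenario(enum corruption c)
{
  static const char *names[] = { "valid", "bad sh_link", "bad e_shoff", "bad sh_size" };
  uint8_t buf[512]; char err[160] = "";
  size_t len = build_sample(buf, sizeof buf);
  uint32_t link = 1000;                                      /* far past a 3-entry table */
  uint64_t off = 0xfffffffffffff000ULL, size = 0x100000;     /* wraps if added naively; > file */
  if (c == CORRUPT_SH_LINK) memcpy(buf + sizeof (Ehdr) + 1 * sizeof (Shdr) + offsetof(Shdr, sh_link), &link, sizeof link);
  if (c == CORRUPT_E_SHOFF) memcpy(buf + offsetof(Ehdr, e_shoff), &off, sizeof off);
  if (c == CORRUPT_SH_SIZE) memcpy(buf + sizeof (Ehdr) + 2 * sizeof (Shdr) + offsetof(Shdr, sh_size), &size, sizeof size);
  int rc = check_sections(buf, len, err, sizeof err);
  printf("%-12s -> %s%s\n", names[c], rc == 0 ? "ok" : "rejected: ", err);
  return rc;
}

int main(void)
{
  for (int c = CORRUPT_NONE; c <= CORRUPT_SH_SIZE; c++) scenario((enum corruption) c);
  return 0;
}
```

The point of the subtraction form in the range checks is that `e_shoff + tabsize <= len` is not safe when both operands come from the file: a large `e_shoff` makes the sum wrap and the comparison pass, which is exactly the kind of unchecked arithmetic an ASAN build turns into a SEGV report like the one in the description. Rejecting with a message naming the offending field is what Comment 3 asks for instead of a crash.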