Created attachment 15940
poc

**Description**

A segv can occur in eu-strip when using the --reloc-debug-sections-only option with a specially crafted input file. This issue leads to illegal memory access.

**Affected Version**

GNU eu-strip 0.192

**Steps to Reproduce**

Build elfutils 0.192 with AddressSanitizer (e.g., CFLAGS="-g -fsanitize=address" ./configure && make -j).

Run the following command:

./elfutils-0.192/bins/bin/eu-strip --reloc-debug-sections-only /tmp/poc

AddressSanitizer:DEADLYSIGNAL
=================================================================
==2777947==ERROR: AddressSanitizer: SEGV on unknown address 0x00000e000007 (pc 0x7f9816ea0d19 bp 0x7ffff0d10c10 sp 0x7ffff0d10bf0 T0)
==2777947==The signal is caused by a READ memory access.
    #0 0x7f9816ea0d18 in validate_str ./elfutils-0.192/libelf/elf_strptr.c:60
    #1 0x7f9816ea153a in elf_strptr ./elfutils-0.192/libelf/elf_strptr.c:206
    #2 0x5629e2496a4e in remove_debug_relocations ./elfutils-0.192/src/strip.c:593
    #3 0x5629e2498e29 in handle_debug_relocs ./elfutils-0.192/src/strip.c:914
    #4 0x5629e249a51b in handle_elf ./elfutils-0.192/src/strip.c:1142
    #5 0x5629e2498461 in process_file ./elfutils-0.192/src/strip.c:799
    #6 0x5629e2494ba5 in main ./elfutils-0.192/src/strip.c:269
    #7 0x7f9815ffc082 in __libc_start_main ../csu/libc-start.c:308
    #8 0x5629e249432d in _start (./elfutils-0.192/bins/bin/eu-strip+0x4632d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ./elfutils-0.192/libelf/elf_strptr.c:60 in validate_str
==2777947==ABORTING

**Env**

Distributor ID: Ubuntu
Description: Ubuntu 20.04.6 LTS
Release: 20.04
Codename: focal
Are you sure the poc is "correct"? This isn't an ET_REL ELF file, so this code path cannot be reached.

$ eu-strip --reloc-debug-sections-only /tmp/eu-strip-20673-poc
eu-strip: Ignoring --reloc-debug-sections-only for non-ET_REL file '/tmp/eu-strip-20673-poc'
I now see why I couldn't replicate your issue. After the 0.192 release Aaron fixed the following bug:
https://sourceware.org/bugzilla/show_bug.cgi?id=32253

This added a check to see if the file was an ET_REL file:

+  if (ehdr->e_type != ET_REL)
+    {
+      /* Only ET_REL files can have debug relocations to remove.  */
+      error (0, 0, _("Ignoring --reloc-debug-sections-only for " \
+                     "non-ET_REL file '%s'"), fname);
+      goto fail_close;
+    }

This specific patch was also backported to Fedora:
https://src.fedoraproject.org/rpms/elfutils/blob/rawhide/f/elfutils-0.192-strip-ignore-non-ET_REL.patch

Since I was testing on Fedora I had that patch already installed and the reproducer would just say "Ignoring --reloc-debug-sections-only...".

I do think there is a real bug here though (if the poc would have the e_type set to ET_REL), so I'll investigate.
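Review bot: the message at the error (0, 0, ...) call says the option is being "Ignored", but the goto fail_close right after it abandons the file instead of stripping it without --reloc-debug-sections-only, so either the message should say the file is skipped or the goto should be dropped so processing falls through, whichever is intended. Minor style point: the trailing backslash on the line "Ignoring --reloc-debug-sections-only for " \ is unnecessary, since adjacent string literals concatenate across lines without a line splice.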
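The two comments above turn on a single header field: the check added for bug 32253 looks at e_type and returns before strip.c ever reaches elf_strptr unless the input is ET_REL. The script below is an added example for checking a reproducer before filing; it is not part of this bug thread or of elfutils. It reads e_type out of the ELF header honouring EI_DATA byte order (so it works on big-endian inputs too), and can rewrite the field to ET_REL so that a poc gets past that check on a build carrying the patch. The two 64-byte headers embedded in it are constructed for the example, and the function names are my own.

```python
"""Check and optionally rewrite e_type in an ELF header.

Added example, not part of the elfutils bug thread. Constructed sample
headers are embedded below so the module runs offline.
"""
import struct
import sys

ELFMAG = b"\x7fELF"
EI_DATA = 5            # index of the byte-order byte in e_ident
E_TYPE_OFFSET = 16     # e_type follows the 16-byte e_ident in both ELF32 and ELF64
ELFDATA2LSB, ELFDATA2MSB = 1, 2

ET_NONE, ET_REL, ET_EXEC, ET_DYN, ET_CORE = 0, 1, 2, 3, 4
E_TYPE_NAMES = {ET_NONE: "ET_NONE", ET_REL: "ET_REL", ET_EXEC: "ET_EXEC",
                ET_DYN: "ET_DYN", ET_CORE: "ET_CORE"}


def _endian_prefix(data: bytes) -> str:
    """Return the struct byte-order prefix for this image, validating the magic."""
    if len(data) < E_TYPE_OFFSET + 2 or data[:4] != ELFMAG:
        raise ValueError("not an ELF file")
    if data[EI_DATA] == ELFDATA2LSB:
        return "<"
    if data[EI_DATA] == ELFDATA2MSB:
        return ">"
    raise ValueError("unknown EI_DATA value %d" % data[EI_DATA])


def elf_e_type(data: bytes) -> int:
    """Return the e_type field (Elf32_Half/Elf64_Half at offset 16)."""
    return struct.unpack_from(_endian_prefix(data) + "H", data, E_TYPE_OFFSET)[0]


def e_type_name(data: bytes) -> str:
    """Human-readable name for e_type, falling back to the raw number."""
    t = elf_e_type(data)
    return E_TYPE_NAMES.get(t, "0x%x" % t)


def reaches_reloc_debug_path(data: bytes) -> bool:
    """True when eu-strip would not bail out with 'Ignoring ... for non-ET_REL file'."""
    return elf_e_type(data) == ET_REL


def set_e_type(data: bytes, e_type: int) -> bytes:
    """Return a copy of the image with e_type rewritten in the file's own byte order."""
    packed = struct.pack(_endian_prefix(data) + "H", e_type)
    return data[:E_TYPE_OFFSET] + packed + data[E_TYPE_OFFSET + 2:]


# Constructed sample: a bare 64-byte ELF64 little-endian header, e_type = ET_DYN,
# e_machine = 62 (x86-64), no program or section headers.
SAMPLE_DYN_LE = (
    ELFMAG + bytes([2, 1, 1, 0]) + bytes(8)
    + struct.pack("<HHIQQQIHHHHHH", ET_DYN, 62, 1, 0, 0, 0, 0, 64, 0, 0, 64, 0, 0)
)

# Constructed sample: the same layout in big-endian byte order, e_type = ET_REL,
# e_machine = 8 (MIPS), to show EI_DATA is honoured.
SAMPLE_REL_BE = (
    ELFMAG + bytes([2, 2, 1, 0]) + bytes(8)
    + struct.pack(">HHIQQQIHHHHHH", ET_REL, 8, 1, 0, 0, 0, 0, 64, 0, 0, 64, 0, 0)
)


if __name__ == "__main__":
    # usage: python3 etype.py <poc> [--to-rel <out>]
    with open(sys.argv[1], "rb") as f:
        image = f.read()
    print("%s: e_type %s" % (sys.argv[1], e_type_name(image)))
    if len(sys.argv) == 4 and sys.argv[2] == "--to-rel":
        with open(sys.argv[3], "wb") as f:
            f.write(set_e_type(image, ET_REL))
        print("wrote %s with e_type = ET_REL" % sys.argv[3])
```

Rewriting e_type only gets a file past the ET_REL check; it does not make the rest of the image a well-formed relocatable object, so a poc patched this way may still die somewhere else before the elf_strptr path is hit. The check is still worth running on any eu-strip reproducer before reporting, because a non-ET_REL input is exactly the case the patched builds reject up front.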
commit b16f441cca0a4841050e3215a9f120a6d8aea918
Author: Mark Wielaard <mark@klomp.org>
Date:   Thu Feb 13 00:02:32 2025 +0100

    libelf: Handle elf_strptr on section without any data

    In the unlikely situation that elf_strptr was called on a section
    with sh_size already set, but that doesn't have any data yet we
    could crash trying to verify the string to return. This could
    happen for example when a new section was created with elf_newscn,
    but no data having been added yet.

        * libelf/elf_strptr.c (elf_strptr): Check strscn->rawdata_base
        is not NULL.

    https://sourceware.org/bugzilla/show_bug.cgi?id=32672

    Signed-off-by: Mark Wielaard <mark@klomp.org>
Note that someone created CVE-2025-1376 for this bug without following our SECURITY policy:
https://sourceware.org/cgit/elfutils/tree/SECURITY

This is NOT a security issue according to our policy:

  Since most elfutils tools are run in short-lived, local, interactive,
  development context rather than remotely "in production", we generally
  treat malfunctions as ordinary bugs rather than security vulnerabilities.

We request that people who report suspected security vulnerabilities report them through the contacts in our SECURITY policy and not through non-affiliated CNAs.