This is the mail archive of the elfutils-devel@sourceware.org mailing list for the elfutils project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

[Bug general/24385] Regression lead to Invalid Address Deference, in handle_elf function in /src/strip.c

From: "mark at klomp dot org" <sourceware-bugzilla at sourceware dot org>
To: elfutils-devel at sourceware dot org
Date: Wed, 27 Mar 2019 21:02:36 +0000
Subject: [Bug general/24385] Regression lead to Invalid Address Deference, in handle_elf function in /src/strip.c
Auto-submitted: auto-generated
References: <bug-24385-10460@http.sourceware.org/bugzilla/>

https://sourceware.org/bugzilla/show_bug.cgi?id=24385

Mark Wielaard <mark at klomp dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
                 CC|                            |mark at klomp dot org
         Resolution|---                         |FIXED

--- Comment #2 from Mark Wielaard <mark at klomp dot org> ---
This code is only triggered when stripping into a new file with -o. With that
it can be replicated under valgrind:

==1008== Command: src/strip -o POC1.stripped ./POC1
==1008== 
==1008== Invalid read of size 4
==1008==    at 0x804EB0A: handle_elf.constprop.2 (strip.c:1978)
==1008==    by 0x804F2F7: process_file (strip.c:769)
==1008==    by 0x8049AFF: main (strip.c:272)
==1008==  Address 0xfec3c840 is not stack'd, malloc'd or (recently) free'd
==1008== 
==1008== 
==1008== Process terminating with default action of signal 11 (SIGSEGV)
==1008==  Access not within mapped region at address 0xFEC3C840

The file is obviously illformed because the symbol refers to a non-existing
section. The fix is simple:

diff --git a/src/strip.c b/src/strip.c
index a73009d..4cd8750 100644
--- a/src/strip.c
+++ b/src/strip.c
@@ -1975,6 +1975,7 @@ handle_elf (int fd, Elf *elf, const char *prefix, const
ch
                                  && shndxdata->d_buf != NULL);
                    size_t sidx = (sym->st_shndx != SHN_XINDEX
                                   ? sym->st_shndx : xshndx);
+                   elf_assert (sidx < shnum);
                    sec = shdr_info[sidx].idx;

                    if (sec != 0)

commit f03ac75239e0981deaf4aa18f66f423bcc5ce051
Author: Mark Wielaard <mark@klomp.org>
Date:   Wed Mar 27 21:54:06 2019 +0100

    strip: Files with symbols referring to non-existing sections are illformed

    The check added in commit 4540ea98c "strip: Fix check test for SHN_XINDEX
    symbol" was not complete. The (extended) section index should also exist.
    If it doesn't exist, mark the file as illformed.

    https://sourceware.org/bugzilla/show_bug.cgi?id=24385

    Signed-off-by: Mark Wielaard <mark@klomp.org>

-- 
You are receiving this mail because:
You are on the CC list for the bug.

References:
- [Bug general/24385] New: Regression lead to Invalid Address Deference, in handle_elf function in /src/strip.c
  - From: wcventure at 126 dot com

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]