This is the mail archive of the mailing list for the elfutils project.


Re: out-of-bounds read / crash in elfutils tools (readelf, nm, ...) with malformed file

On Fri, 07 Nov 2014 16:45:07 +0100
Mark Wielaard <> wrote:

> > Fixes some of them but not all.
> > Still crashers:
> > id:000053,src:000000,op:flip1,pos:879
> > id:000054,src:000000,op:flip1,pos:885
> Those seem fine for me. How do they crash for you? Could you run under
> gdb and provide a backtrace?

Hmm, interesting, seems these only crash if compiled with American
Fuzzy Lop instructions...
Maybe this is a bug in afl or maybe it is triggered by the

valgrind says on id:000053,src:000000,op:flip1,pos:879:
ELF Header:
vex x86->IR: unhandled instruction bytes: 0xC5 0xF8 0x77 0xE8
==6217== valgrind: Unrecognised instruction at address 0x410f7a7.
==6217==    at 0x410F7A7: vfprintf (in /lib32/
==6217==    by 0x41C766F: __printf_chk (in /lib32/
==6217==    by 0x805F27D: printf (stdio2.h:104)
==6217==    by 0x805F27D: print_ehdr (readelf.c:944)
==6217==    by 0x806E004: process_elf_file (readelf.c:869)
==6217==    by 0x806E004: process_dwflmod (readelf.c:691)
==6217==    by 0x4082BE3: dwfl_getmodules (in /usr/lib32/
==6217==    by 0x80580D2: process_file (readelf.c:790)
==6217==    by 0x804AD57: main (readelf.c:296)

gdb backtrace:
Program received signal SIGSEGV, Segmentation fault.
0xf7de4e37 in vfprintf () from /lib32/
(gdb) bt
#0  0xf7de4e37 in vfprintf () from /lib32/
#1  0xf7e99670 in __printf_chk () from /lib32/
#2  0x08064818 in printf (__fmt=0x809e055 "(%s)") at /usr/include/bits/stdio2.h:104
#3  handle_versym (scn=0x80aef04, shdr=0xffffcae8, ebl=<optimized out>) at readelf.c:2860
#4  0x08070531 in print_verinfo (ebl=<optimized out>) at readelf.c:2402
#5  process_elf_file (fd=<optimized out>, dwflmod=<optimized out>) at readelf.c:885
#6  process_dwflmod (dwflmod=0x80ae8a8, userdata=0x80ae8b0, name=0x80ae9b8 "id:000053,src:000000,op:flip1,pos:879", base=4194304, arg=0xffffca00) at readelf.c:691
#7  0xf7f7ebe4 in dwfl_getmodules () from /usr/lib32/
#8  0x080580d3 in process_file (fd=fd@entry=3, fname=<optimized out>, only_one=only_one@entry=true) at readelf.c:790
#9  0x0804ad58 in main (argc=3, argv=0xffffce84) at

Hanno Böck

