This is the mail archive of the mailing list for the elfutils project.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: malformed elf file causes readelf -e to hang forever

On 01/25/2015 11:39 AM, Hanno Böck wrote:
> Hi,
> Please see attached file, which is a malformed (fuzzed) elf file that
> causes elfutil's readelf -e to hang, testet with the latest version
> 0.161.
> This was found with zzuf.

You should be fuzzing with git master, as Mark is still making a lot of
commits for robustness.  That said, I can reproduce this on master.

I'm not sure it's a hang, exactly, but it's a least a really huge loop.
:)  I see it stuck in __libdwfl_addrsym::search_table with the end value
of 1073741862, from the call "search_table (1, first_global)".

Debugging earlier, I see this comes from load_symtab, where the shdr is:

(gdb) p *shdr
$4 = {
  sh_name = 1,
  sh_type = 2,
  sh_flags = 0,
  sh_addr = 0,
  sh_offset = 7200,
  sh_size = 1392,
  sh_link = 33,
  sh_info = 1073741862,
  sh_addralign = 8,
  sh_entsize = 24

These are used as:
    *syments = shdr->sh_size / shdr->sh_entsize;
    *first_global = shdr->sh_info;

I guess it should be an error for first_global to be out of range, or at
least clamp it to at most syments.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]