[Bug backends/24075] New: Program Crash due to Wild pointer Deference in ebl_object_note function in eblobjnote.c in libebl.

wcventure at 126 dot com sourceware-bugzilla@sourceware.org
Wed Jan 9 11:33:00 GMT 2019


https://sourceware.org/bugzilla/show_bug.cgi?id=24075

            Bug ID: 24075
           Summary: Program Crash due to Wild pointer Deference in
                    ebl_object_note function in eblobjnote.c in libebl.
           Product: elfutils
           Version: unspecified
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: backends
          Assignee: unassigned at sourceware dot org
          Reporter: wcventure at 126 dot com
                CC: elfutils-devel at sourceware dot org
  Target Milestone: ---

Created attachment 11523
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11523&action=edit
POC1

Hi there,

Our fuzzer caught Pointer Deference problem in eu-readelf of the latest
elfutils-0.174 code base, this inputs will cause the segment faults and I have
confirmed them with address sanitizer too. Please use the "./eu-readelf -a
$POC"to reproduce the bug. If you have any questions, please let me know.

This problem is in the code as fllow, it seem like a use-after-fee problem.

> size_t i;
> for (i = 0; i < prop.pr_datasz - 1; i++)
> 	printf ("%02" PRIx8 " ", (uint8_t) desc[i]);

git log

> commit 1dabad36ee28aa76b8cf14b6426b379cabee6def
> Author: Jim Wilson <jimw@sifive.com>
> Date:   Thu Dec 27 15:25:49 2018 -0800
> 
>     RISC-V: Improve riscv64 core file support.
> 
>     This fixes two problems.  The offset for x1 is changed from 1 to 8 because
>     this is a byte offset not a register skip count.  Support for reading the
>     PC value is added.  This requires changing the testsuite to match the new
>     readelf output for coredumps.
> 
>     Signed-off-by: Jim Wilson <jimw@sifive.com>

-- 
You are receiving this mail because:
You are on the CC list for the bug.


More information about the Elfutils-devel mailing list