I compiled dumpelf 1.1.3 from git source ~5 hours ago and started in with American Fuzzy Lop. The following ELF file causes a segfault in dumpelf at dumpelf.c:108.

Reproducible: Always

Steps to Reproduce:
1. Compile from git source
2. dumpelf test00-min
3. Crash.

Actual Results:

    Program received signal SIGSEGV, Segmentation fault.
    0x00000000004032ee in dumpelf (file_cnt=0, filename=<optimized out>) at dumpelf.c:108
    108             DUMP_SHDRS(32)
    (gdb) bt
    #0  0x00000000004032ee in dumpelf (file_cnt=0, filename=<optimized out>) at dumpelf.c:108
    #1  parseargs (argv=0x7fffffffe328, argc=2) at dumpelf.c:381
    #2  main (argc=2, argv=0x7fffffffe328) at dumpelf.c:390

    $ valgrind -q ~/pax-utils/dumpelf test00-min
    dumpelf: test00-min: Invalid program header info (3)
    #include <elf.h>

    /*
     * ELF dump of 'test00-min'
     *     156 (0x9C) bytes
     */
    Elf32_Dyn dumpedelf_dyn_0[];
    struct {
            Elf32_Ehdr ehdr;
            Elf32_Phdr phdrs[12336];
            Elf32_Shdr shdrs[3];
            Elf32_Dyn *dyns;
    } dumpedelf_0 = {

    .ehdr = {
            .e_ident = { /* (EI_NIDENT bytes) */
                    /* [0] EI_MAG:        */ 0x7F,'E','L','F',
                    /* [4] EI_CLASS:      */ 1 , /* (ELFCLASS32) */
                    /* [5] EI_DATA:       */ 1 , /* (ELFDATA2LSB) */
                    /* [6] EI_VERSION:    */ 1 , /* (EV_CURRENT) */
                    /* [7] EI_OSABI:      */ 48 , /* (UNKNOWN_TYPE) */
                    /* [8] EI_ABIVERSION: */ 48 ,
                    /* [9] EI_PAD:        */ 0x30 /* x 7 bytes */
            },
            .e_type      = 12336     , /* (UNKNOWN_TYPE) */
            .e_machine   = 12336     , /* (UNKNOWN_TYPE) */
            .e_version   = 808464432 ,
            .e_entry     = 0x30303030 ,
            .e_phoff     = 808464432 , /* (bytes into file) */
            .e_shoff     = 36        , /* (bytes into file) */
            .e_flags     = 0x30303030 ,
            .e_ehsize    = 12336     , /* (bytes) */
            .e_phentsize = 12336     , /* (bytes) */
            .e_phnum     = 12336     , /* (program headers) */
            .e_shentsize = 40        , /* (bytes) */
            .e_shnum     = 3         , /* (section headers) */
            .e_shstrndx  = 12336
    },

    .phdrs = {
    /* no program headers ! */
    },

    .shdrs = {
    ==100430== Invalid read of size 4
    ==100430==    at 0x4032EE: dumpelf (dumpelf.c:108)
    ==100430==    by 0x4032EE: parseargs (dumpelf.c:381)
    ==100430==    by 0x4032EE: main (dumpelf.c:390)
    ==100430==  Address 0x409a7b4 is not stack'd, malloc'd or (recently) free'd
    ==100430==
    ==100430==
    ==100430== Process terminating with default action of signal 11 (SIGSEGV)
    ==100430==  Access not within mapped region at address 0x409A7B4
    ==100430==    at 0x4032EE: dumpelf (dumpelf.c:108)
    ==100430==    by 0x4032EE: parseargs (dumpelf.c:381)
    ==100430==    by 0x4032EE: main (dumpelf.c:390)
    ==100430==  If you believe this happened as a result of a stack
    ==100430==  overflow in your program's main thread (unlikely but
    ==100430==  possible), you can try to increase the size of the
    ==100430==  main thread stack using the --main-stacksize= flag.
    ==100430==  The main thread stack size used in this run was 8388608.
    Segmentation fault

Expected Results:
No crash.

Compiled on Debian 8.2 (x86_64) with afl-gcc and gcc v4.9.2.
Created attachment 418956: Crashing test case
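Added example, not code from pax-utils, the reporter or the maintainers: the structural checks a dumper should run on an untrusted ELF before it dereferences e_phoff, e_shoff or e_shstrndx, run against an input rebuilt from the header values that the dumpelf output above prints. Only the 52-byte header is taken from the report; the remaining 104 bytes of the 156-byte file are constructed filler, not the real test00-min attachment. The struct layouts mirror Elf32_Ehdr/Elf32_Shdr but are declared locally so the code compiles without <elf.h>; a little-endian host reading an ELFDATA2LSB file is assumed, so no byte-swapping is done.

```c
/* Added example (not pax-utils code): bounds checks an ELF32 dumper should pass
 * before walking header tables from an untrusted file.  Assumes a little-endian
 * host and an ELFDATA2LSB input; the sample after byte 52 is constructed filler. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ELFCLASS32  1
#define ELFDATA2LSB 1
#define SHN_UNDEF   0
#define SHT_NOBITS  8

typedef struct {                 /* mirrors Elf32_Ehdr from <elf.h>, 52 bytes */
    unsigned char e_ident[16];
    uint16_t e_type, e_machine;
    uint32_t e_version, e_entry, e_phoff, e_shoff, e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} elf32_ehdr;

typedef struct {                 /* mirrors Elf32_Shdr from <elf.h>, 40 bytes */
    uint32_t sh_name, sh_type, sh_flags, sh_addr, sh_offset,
             sh_size, sh_link, sh_info, sh_addralign, sh_entsize;
} elf32_shdr;

/* Each failed check sets a bit, so every defect in a fuzz case is reported at once. */
enum {
    ELF_OK           = 0,
    ELF_TRUNCATED    = 1 << 0,   /* shorter than the ELF header itself */
    ELF_BAD_EHDR     = 1 << 1,   /* magic, class, data encoding or e_ehsize */
    ELF_BAD_PHDRS    = 1 << 2,   /* program header table not inside the file */
    ELF_BAD_SHDRS    = 1 << 3,   /* section header table not inside the file */
    ELF_BAD_SHSTRNDX = 1 << 4,   /* e_shstrndx does not index a real section */
    ELF_BAD_SECTIONS = 1 << 5    /* some section's bytes lie outside the file */
};

unsigned elf32_check(const unsigned char *buf, size_t len)
{
    unsigned bad = ELF_OK;
    elf32_ehdr eh;

    if (len < sizeof eh)
        return ELF_TRUNCATED;
    memcpy(&eh, buf, sizeof eh);          /* copy out: the raw buffer may be unaligned */

    if (memcmp(eh.e_ident, "\x7f" "ELF", 4) != 0 ||
        eh.e_ident[4] != ELFCLASS32 || eh.e_ident[5] != ELFDATA2LSB ||
        eh.e_ehsize != sizeof eh)
        bad |= ELF_BAD_EHDR;

    /* offset + count * entsize is computed in 64 bits so it cannot wrap around */
    if (eh.e_phnum != 0 &&
        (eh.e_phentsize != 32 ||
         (uint64_t)eh.e_phoff + (uint64_t)eh.e_phnum * eh.e_phentsize > len))
        bad |= ELF_BAD_PHDRS;

    if (eh.e_shnum == 0) {
        if (eh.e_shstrndx != SHN_UNDEF)
            bad |= ELF_BAD_SHSTRNDX;
        return bad;
    }
    if (eh.e_shentsize != sizeof(elf32_shdr) ||
        (uint64_t)eh.e_shoff + (uint64_t)eh.e_shnum * eh.e_shentsize > len)
        return bad | ELF_BAD_SHDRS;       /* a table outside the file cannot be walked */
    if (eh.e_shstrndx != SHN_UNDEF && eh.e_shstrndx >= eh.e_shnum)
        bad |= ELF_BAD_SHSTRNDX;
    for (uint16_t i = 0; i < eh.e_shnum; i++) {
        elf32_shdr sh;
        memcpy(&sh, buf + eh.e_shoff + (size_t)i * sizeof sh, sizeof sh);
        if (sh.sh_type != SHT_NOBITS && (uint64_t)sh.sh_offset + sh.sh_size > len)
            bad |= ELF_BAD_SECTIONS;
    }
    return bad;
}

static void put16(unsigned char *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void put32(unsigned char *p, uint32_t v) { put16(p, v & 0xffff); put16(p + 2, v >> 16); }

/* Rebuild the 156-byte input from the e_* values in the report's dumpelf output.
 * Every field the dump shows as 12336 / 808464432 / 0x30303030 is a run of '0'
 * bytes, so the file is '0' filler with a few fields patched in.  Bytes 52..155
 * are constructed here and are not taken from the attachment. */
size_t build_report_sample(unsigned char *out, size_t cap)
{
    if (cap < 156) return 0;
    memset(out, 0x30, 156);
    memcpy(out, "\x7f" "ELF\x01\x01\x01", 7);  /* magic, ELFCLASS32, LSB, EV_CURRENT */
    put32(out + 32, 36);                       /* e_shoff */
    put16(out + 46, 40);                       /* e_shentsize */
    put16(out + 48, 3);                        /* e_shnum */
    return 156;                                /* e_phnum, e_shstrndx, ... stay 0x3030 */
}

/* Control case: a bare 52-byte header with no program or section headers. */
size_t build_minimal_valid(unsigned char *out, size_t cap)
{
    if (cap < 52) return 0;
    memset(out, 0, 52);
    memcpy(out, "\x7f" "ELF\x01\x01\x01", 7);
    put16(out + 40, 52);                       /* e_ehsize */
    return 52;
}

unsigned check_report_sample(void)
{
    unsigned char b[256];
    return elf32_check(b, build_report_sample(b, sizeof b));
}

unsigned check_minimal_valid(void)
{
    unsigned char b[256];
    return elf32_check(b, build_minimal_valid(b, sizeof b));
}

int main(void)
{
    printf("report sample: defects 0x%02x\n", check_report_sample());  /* 0x36 */
    printf("minimal valid: defects 0x%02x\n", check_minimal_valid());  /* 0x00 */
    return 0;
}
```

On the rebuilt sample the checks flag e_ehsize, the program header table (e_phoff and e_phnum are both '0' bytes, which is what dumpelf's "Invalid program header info" refers to), e_shstrndx = 12336 against e_shnum = 3, and section contents pointing past the end of the file; the section header table itself (36 + 3 * 40 = 156 bytes) fits exactly, so that bit stays clear. The mask pattern lets a dumper refuse the whole file, or skip only the tables it cannot safely read, instead of indexing into them.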
Seems to be fixed with 1.1.4 already.
I'm still seeing a crash in dumpelf (pax-utils-git: v1.1.4-1-g335e3c3) with the attached crash test. Can you point to where this was fixed? Thanks.
Sorry, I thought you attached the ELF rather than compressing it, so I was running the tools on the compressed file. dumpelf in latest git still crashes.
dumpelf crashes are not critical as this is really just a dev/hacking tool. I'm not aware of anyone using it for any real work. scanelf is a way more interesting target.
*** Bug 568026 has been marked as a duplicate of this bug. ***
fixed by: http://gitweb.gentoo.org/proj/pax-utils.git/commit/?id=61ee81b90f679cc47bcb0e237e9373a4e0f4e04b