Created attachment 418958 [details] Crashing test case I compiled dumpelf 1.1.3 from git source ~ 5 hours ago and started in with American Fuzzy Lop. The following ELF file causes a General Protection Fault in dump_dyn.isra.1 at dumpelf.c:310. Reproducible: Always Steps to Reproduce: 1. Compile from git source 2. dumpelf test23-min 3. Crash. Actual Results: Program received signal SIGSEGV, Segmentation fault. 0x000000000041e3d7 in dump_dyn (dyn_void=dyn_void@entry=0x3030b030282f8030, dyn_cnt=dyn_cnt@entry=0, elf=<optimized out>, elf=<optimized out>) at dumpelf.c:310 310 DUMP_DYN(64) (gdb) bt #0 0x000000000041e3d7 in dump_dyn ( dyn_void=dyn_void@entry=0x3030b030282f8030, dyn_cnt=dyn_cnt@entry=0, elf=<optimized out>, elf=<optimized out>) at dumpelf.c:310 #1 0x0000000000402b61 in dumpelf (file_cnt=0, filename=<optimized out>) at dumpelf.c:132 #2 parseargs (argv=0x7fffffffe328, argc=2) at dumpelf.c:381 #3 main (argc=2, argv=0x7fffffffe328) at dumpelf.c:390 $ valgrind -q ~/pax-utils/dumpelf test23-min dumpelf: test23-min: Invalid section header info (3) #include <elf.h> /* * ELF dump of 'test23-min' * 388 (0x184) bytes */ Elf64_Dyn dumpedelf_dyn_0[]; struct { Elf64_Ehdr ehdr; Elf64_Phdr phdrs[4]; Elf64_Shdr shdrs[12336]; Elf64_Dyn *dyns; } dumpedelf_0 = { .ehdr = { .e_ident = { /* (EI_NIDENT bytes) */ /* [0] EI_MAG: */ 0x7F,'E','L','F', /* [4] EI_CLASS: */ 2 , /* (ELFCLASS64) */ /* [5] EI_DATA: */ 1 , /* (ELFDATA2LSB) */ /* [6] EI_VERSION: */ 1 , /* (EV_CURRENT) */ /* [7] EI_OSABI: */ 48 , /* (UNKNOWN_TYPE) */ /* [8] EI_ABIVERSION: */ 48 , /* [9] EI_PAD: */ 0x30 /* x 7 bytes */ }, .e_type = 12336 , /* (UNKNOWN_TYPE) */ .e_machine = 12336 , /* (UNKNOWN_TYPE) */ .e_version = 808464432 , .e_entry = 0x3030303030303030 , .e_phoff = 164 , /* (bytes into file) */ .e_shoff = 3472328296227680304 , /* (bytes into file) */ .e_flags = 0x30303030 , .e_ehsize = 12336 , /* (bytes) */ .e_phentsize = 56 , /* (bytes) */ .e_phnum = 4 , /* (program headers) */ .e_shentsize = 12336 , /* 
(bytes) */ .e_shnum = 12336 , /* (section headers) */ .e_shstrndx = 12336 }, .phdrs = { /* Program Header #0 0xA4 */ { .p_type = 808464432 , /* [UNKNOWN_TYPE] */ .p_offset = 3472328296227680304 , .p_vaddr = 0x3030303030303030 , .p_paddr = 0x3030303030303030 , .p_filesz = 3472328296227680304 , .p_memsz = 3472328296227680304 , .p_flags = 808464432 , .p_align = 3472328296227680304 }, /* Program Header #1 0xDC */ { .p_type = 808464432 , /* [UNKNOWN_TYPE] */ .p_offset = 3472328296227680304 , .p_vaddr = 0x3030303030303030 , .p_paddr = 0x3030303030303030 , .p_filesz = 3472328296227680304 , .p_memsz = 3472328296227680304 , .p_flags = 808464432 , .p_align = 3472328296227680304 }, /* Program Header #2 0x114 */ { .p_type = 808464432 , /* [UNKNOWN_TYPE] */ .p_offset = 3472328296227680304 , .p_vaddr = 0x3030303030303030 , .p_paddr = 0x3030303030303030 , .p_filesz = 3472328296227680304 , .p_memsz = 3472328296227680304 , .p_flags = 808464432 , .p_align = 3472328296227680304 }, /* Program Header #3 0x14C */ { .p_type = 2 , /* [PT_DYNAMIC] */ .p_offset = 3472328296227680304 , .p_vaddr = 0x3030303030303030 , .p_paddr = 0x3030303030303030 , .p_filesz = 3472328296227680304 , .p_memsz = 3472328296227680304 , .p_flags = 808464432 , .p_align = 3472328296227680304 }, }, .shdrs = { /* no section headers ! 
*/ }, .dyns = dumpedelf_dyn_0, }; Elf64_Dyn dumpedelf_dyn_0[] = { ==57469== Invalid read of size 8 ==57469== at 0x41E3D7: dump_dyn.isra.1 (dumpelf.c:310) ==57469== by 0x402B60: dumpelf (dumpelf.c:132) ==57469== by 0x402B60: parseargs (dumpelf.c:381) ==57469== by 0x402B60: main (dumpelf.c:390) ==57469== Address 0x3030303034325030 is not stack'd, malloc'd or (recently) free'd ==57469== ==57469== ==57469== Process terminating with default action of signal 11 (SIGSEGV) ==57469== General Protection Fault ==57469== at 0x41E3D7: dump_dyn.isra.1 (dumpelf.c:310) ==57469== by 0x402B60: dumpelf (dumpelf.c:132) ==57469== by 0x402B60: parseargs (dumpelf.c:381) ==57469== by 0x402B60: main (dumpelf.c:390) Segmentation fault Expected Results: No crash. Compiled on Debian 8.2 (x86_64) with afl-gcc and gcc v4.9.2.
A slight variation in the ELF causes a segfault at dumpelf.c:309 (DUMP_DYN(32) instead of DUMP_DYN(64)) as originally reported. $ od test10-min 0000000 042577 043114 000401 030001 030060 030060 030060 030060 0000020 030060 030060 030060 030060 030060 030060 000264 000000 0000040 030060 030060 030060 030060 030060 000040 000002 030060 0000060 030060 030060 030060 030060 030060 030060 030060 030060 * 0000320 030060 030060 000002 000000 030060 030060 030060 030060 0000340 030060 030060 030060 030060 030060 030060 030060 030060 0000360 030060 030060 0000364 Program received signal SIGSEGV, Segmentation fault. dump_dyn (dyn_void=dyn_void@entry=0x8000282f8030, dyn_cnt=dyn_cnt@entry=0, elf=<optimized out>, elf=<optimized out>) at dumpelf.c:309 309 DUMP_DYN(32) #0 dump_dyn (dyn_void=dyn_void@entry=0x8000282f8030, dyn_cnt=dyn_cnt@entry=0, elf=<optimized out>, elf=<optimized out>) at dumpelf.c:309 #1 0x0000000000402e11 in dumpelf (file_cnt=0, filename=<optimized out>) at dumpelf.c:131 #2 parseargs (argv=0x7fffffffe368, argc=2) at dumpelf.c:381 #3 main (argc=2, argv=0x7fffffffe368) at dumpelf.c:390 In both traces dyn_void appears to be the same mapping base (0x7ffff7ff5000) plus the raw PT_DYNAMIC p_offset taken from the file (0x30303030 here, 0x3030303030303030 in the 64-bit case), which suggests the offset is dereferenced without first being checked against the size of the mapped file.
Seems to be fixed with 1.1.4 already.
I'm still seeing a crash in dumpelf (pax-utils-git: v1.1.4-1-g335e3c3) with the attached crash test. Can you point to where this was fixed? Thanks.
Sorry, I thought you had attached the ELF rather than compressing it, so I was running the tools on the compressed file. dumpelf in the latest git still crashes.
dumpelf crashes are not critical, as this is really just a dev/hacking tool. I'm not aware of anyone using it for any real work. scanelf is a far more interesting target.
Fixed by: http://gitweb.gentoo.org/proj/pax-utils.git/commit/?id=81658ac5842906a286373096691a5f8e3ad6aa2d