
Bug 568026

Summary: app-misc/pax-utils: dumpelf: segfault (vprintf.c:1642) reading malformed ELF file
Product: Gentoo Linux
Reporter: Brian 'geeknik' Carpenter <brian.carpenter>
Component: Current packages
Assignee: SpanKY <vapier>
Status: RESOLVED DUPLICATE    
Severity: normal    
Priority: Normal    
Version: unspecified   
Hardware: AMD64   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: Crashing test case

Description Brian 'geeknik' Carpenter 2015-12-11 20:50:47 UTC
Created attachment 418998
Crashing test case

I compiled dumpelf 1.1.4-1-g335e3c3 from git source and started in with American Fuzzy Lop. The attached ELF file causes a segfault in dumpelf at vprintf.c:1642.

Reproducible: Always

Steps to Reproduce:
1. Compile from git source
2. ./dumpelf test00
3. Crash.

Actual Results:  
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7a7de2c in _IO_vfprintf_internal (s=<optimized out>, 
    format=<optimized out>, 
    format@entry=0x4211c0 "/* Section Header #%li '%s' 0x%lX */\n{\n", 
    ap=ap@entry=0x7fffffffe0b8) at vfprintf.c:1642
1642	vfprintf.c: No such file or directory.
(gdb) bt
#0  0x00007ffff7a7de2c in _IO_vfprintf_internal (s=<optimized out>, 
    format=<optimized out>, 
    format@entry=0x4211c0 "/* Section Header #%li '%s' 0x%lX */\n{\n", 
    ap=ap@entry=0x7fffffffe0b8) at vfprintf.c:1642
#1  0x00007ffff7b26f08 in ___printf_chk (flag=flag@entry=1, 
    format=format@entry=0x4211c0 "/* Section Header #%li '%s' 0x%lX */\n{\n")
    at printf_chk.c:35
#2  0x00000000004167fa in printf (
    __fmt=0x4211c0 "/* Section Header #%li '%s' 0x%lX */\n{\n")
    at /usr/include/x86_64-linux-gnu/bits/stdio2.h:104
#3  dump_shdr (elf=elf@entry=0x624010, 
    shdr_void=shdr_void@entry=0x7ffff7ff5036, shdr_cnt=shdr_cnt@entry=1, 
    name=0x800078037077 <error: Cannot access memory at address 0x800078037077>) at dumpelf.c:291
#4  0x00000000004033c4 in dumpelf (file_cnt=0, filename=<optimized out>)
    at dumpelf.c:108
#5  parseargs (argv=0x7fffffffe368, argc=2) at dumpelf.c:381
#6  main (argc=2, argv=0x7fffffffe368) at dumpelf.c:390

$ valgrind -q ~/pax-utils/dumpelf test00
dumpelf: test00: Invalid program header info (2)
#include <elf.h>

/*
 * ELF dump of 'test00'
 *     96 (0x60) bytes
 */

Elf32_Dyn dumpedelf_dyn_0[];
struct {
	Elf32_Ehdr ehdr;
	Elf32_Phdr phdrs[4098];
	Elf32_Shdr shdrs[2];
	Elf32_Dyn *dyns;
} dumpedelf_0 = {

.ehdr = {
	.e_ident = { /* (EI_NIDENT bytes) */
		/* [0] EI_MAG:        */ 0x7F,'E','L','F',
		/* [4] EI_CLASS:      */ 1 , /* (ELFCLASS32) */
		/* [5] EI_DATA:       */ 2 , /* (ELFDATA2MSB) */
		/* [6] EI_VERSION:    */ 1 , /* (EV_CURRENT) */
		/* [7] EI_OSABI:      */ 8 , /* (ELFOSABI_IRIX) */
		/* [8] EI_ABIVERSION: */ 106 ,
		/* [9] EI_PAD:        */ 0xFF /* x 7 bytes */
	},
	.e_type      = 32512      , /* (UNKNOWN_TYPE) */
	.e_machine   = 3          , /* (EM_386) */
	.e_version   = 65536      ,
	.e_entry     = 0x920100   ,
	.e_phoff     = 0          , /* (bytes into file) */
	.e_shoff     = 14         , /* (bytes into file) */
	.e_flags     = 0x10002    ,
	.e_ehsize    = 45         , /* (bytes) */
	.e_phentsize = 32         , /* (bytes) */
	.e_phnum     = 4098       , /* (program headers) */
	.e_shentsize = 40         , /* (bytes) */
	.e_shnum     = 2          , /* (section headers) */
	.e_shstrndx  = 56        
},

.phdrs = {
 /* no program headers ! */ },

.shdrs = {
==53736== Invalid read of size 1
==53736==    at 0x4E7DE2C: vfprintf (vfprintf.c:1642)
==53736==    by 0x4F26F07: __printf_chk (printf_chk.c:35)
==53736==    by 0x4167F9: printf (stdio2.h:104)
==53736==    by 0x4167F9: dump_shdr (dumpelf.c:291)
==53736==    by 0x4033C3: dumpelf (dumpelf.c:108)
==53736==    by 0x4033C3: parseargs (dumpelf.c:381)
==53736==    by 0x4033C3: main (dumpelf.c:390)
==53736==  Address 0x4029f00 is not stack'd, malloc'd or (recently) free'd
==53736== 
==53736== 
==53736== Process terminating with default action of signal 11 (SIGSEGV)
==53736==  Access not within mapped region at address 0x4029F00
==53736==    at 0x4E7DE2C: vfprintf (vfprintf.c:1642)
==53736==    by 0x4F26F07: __printf_chk (printf_chk.c:35)
==53736==    by 0x4167F9: printf (stdio2.h:104)
==53736==    by 0x4167F9: dump_shdr (dumpelf.c:291)
==53736==    by 0x4033C3: dumpelf (dumpelf.c:108)
==53736==    by 0x4033C3: parseargs (dumpelf.c:381)
==53736==    by 0x4033C3: main (dumpelf.c:390)
==53736==  If you believe this happened as a result of a stack
==53736==  overflow in your program's main thread (unlikely but
==53736==  possible), you can try to increase the size of the
==53736==  main thread stack using the --main-stacksize= flag.
==53736==  The main thread stack size used in this run was 8388608.
/* Section Header #0 'Segmentation fault

Expected Results:  
No crash.

Compiled on Debian 8.2 (x86_64) with afl-gcc and gcc v4.9.2.
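The header dump in the report already explains the fault: the file is 96 bytes long, e_shnum is 2, yet e_shstrndx is 56, so the section-name lookup indexes a string table that does not exist and printf's %s dereferences the resulting pointer (frame #3, name=0x800078037077). The program below is an added example, not pax-utils code and not the fix that resolved the duplicate bug: it shows a section-name lookup that validates every header field it depends on (section-header table extent, e_shstrndx, the section index, the string table's own offset and size, sh_name, and NUL termination) against the buffer length before touching memory. Both ELF images are constructed in memory; the malformed one only copies the header values printed above and is not the attached test case. The enum names, helper names and the 144/96-byte layouts are this example's own choices.

```c
/* Added example (not pax-utils code): bounds-checked ELF32 section-name lookup.
 * Every offset and index is validated against the buffer length before use. */
#include <elf.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { SN_OK = 0, SN_TRUNCATED_EHDR, SN_SHDRS_OUT_OF_RANGE, SN_BAD_SHSTRNDX,
       SN_BAD_INDEX, SN_STRTAB_OUT_OF_RANGE, SN_NAME_OUT_OF_RANGE, SN_NAME_UNTERMINATED };

/* Endian-aware readers/writers; `be` comes from EI_DATA, so an ELFDATA2MSB file
 * like the one in the report decodes correctly on a little-endian host. */
static uint16_t rd16(const uint8_t *p, int be) {
    return be ? (uint16_t)(p[0] << 8 | p[1]) : (uint16_t)(p[1] << 8 | p[0]);
}
static uint32_t rd32(const uint8_t *p, int be) {
    return be ? ((uint32_t)rd16(p, 1) << 16 | rd16(p + 2, 1))
              : ((uint32_t)rd16(p + 2, 0) << 16 | rd16(p, 0));
}
static void wr16(uint8_t *p, uint16_t v, int be) {
    p[be ? 0 : 1] = (uint8_t)(v >> 8); p[be ? 1 : 0] = (uint8_t)v;
}
static void wr32(uint8_t *p, uint32_t v, int be) {
    wr16(p + (be ? 0 : 2), (uint16_t)(v >> 16), be); wr16(p + (be ? 2 : 0), (uint16_t)v, be);
}

/* Resolve the name of section `idx`. Copies the NUL-terminated name into `out`
 * (out may be NULL with outlen 0) and returns SN_OK, or the check that failed. */
int elf32_section_name(const uint8_t *buf, size_t len, uint16_t idx, char *out, size_t outlen)
{
    if (len < sizeof(Elf32_Ehdr) || memcmp(buf, ELFMAG, SELFMAG) != 0 ||
        buf[EI_CLASS] != ELFCLASS32)
        return SN_TRUNCATED_EHDR;
    int be = buf[EI_DATA] == ELFDATA2MSB;
    uint32_t shoff     = rd32(buf + offsetof(Elf32_Ehdr, e_shoff), be);
    uint16_t shentsize = rd16(buf + offsetof(Elf32_Ehdr, e_shentsize), be);
    uint16_t shnum     = rd16(buf + offsetof(Elf32_Ehdr, e_shnum), be);
    uint16_t shstrndx  = rd16(buf + offsetof(Elf32_Ehdr, e_shstrndx), be);

    /* The whole section header table must fit; 64-bit math so the sum cannot wrap. */
    if (shentsize < sizeof(Elf32_Shdr) || shnum == 0 ||
        (uint64_t)shoff + (uint64_t)shnum * shentsize > len)
        return SN_SHDRS_OUT_OF_RANGE;
    /* The report's file carries e_shstrndx=56 with e_shnum=2: stop here. */
    if (shstrndx >= shnum) return SN_BAD_SHSTRNDX;
    if (idx >= shnum) return SN_BAD_INDEX;

    const uint8_t *strtab = buf + shoff + (size_t)shstrndx * shentsize;
    uint32_t st_off  = rd32(strtab + offsetof(Elf32_Shdr, sh_offset), be);
    uint32_t st_size = rd32(strtab + offsetof(Elf32_Shdr, sh_size), be);
    if ((uint64_t)st_off + st_size > len) return SN_STRTAB_OUT_OF_RANGE;

    uint32_t name = rd32(buf + shoff + (size_t)idx * shentsize + offsetof(Elf32_Shdr, sh_name), be);
    if (name >= st_size) return SN_NAME_OUT_OF_RANGE;
    /* memchr is bounded by the string table, so an unterminated name cannot run
     * off the end of the file the way the %s in the backtrace above did. */
    const char *s = (const char *)buf + st_off + name;
    if (!memchr(s, 0, st_size - name)) return SN_NAME_UNTERMINATED;
    snprintf(out, outlen, "%s", s);
    return SN_OK;
}

#define GOOD_LEN 144
#define BAD_LEN 96

/* Constructed sample: well-formed little-endian ELF32; .shstrtab bytes at offset
 * 52, two section headers at offset 64, section 1 is the string table itself. */
size_t build_good_elf(uint8_t *buf) {
    memset(buf, 0, GOOD_LEN);
    memcpy(buf, ELFMAG, SELFMAG);
    buf[EI_CLASS] = ELFCLASS32; buf[EI_DATA] = ELFDATA2LSB; buf[EI_VERSION] = EV_CURRENT;
    wr32(buf + offsetof(Elf32_Ehdr, e_shoff), 64, 0);
    wr16(buf + offsetof(Elf32_Ehdr, e_shentsize), (uint16_t)sizeof(Elf32_Shdr), 0);
    wr16(buf + offsetof(Elf32_Ehdr, e_shnum), 2, 0);
    wr16(buf + offsetof(Elf32_Ehdr, e_shstrndx), 1, 0);
    memcpy(buf + 52, "\0.shstrtab", 11);
    uint8_t *sh1 = buf + 64 + sizeof(Elf32_Shdr);
    wr32(sh1 + offsetof(Elf32_Shdr, sh_name), 1, 0);        /* -> ".shstrtab" */
    wr32(sh1 + offsetof(Elf32_Shdr, sh_type), SHT_STRTAB, 0);
    wr32(sh1 + offsetof(Elf32_Shdr, sh_offset), 52, 0);
    wr32(sh1 + offsetof(Elf32_Shdr, sh_size), 11, 0);
    return GOOD_LEN;
}

/* Constructed sample mirroring only the header values printed in the report
 * (ELFDATA2MSB, 96 bytes, e_shoff=14, e_shnum=2, e_shstrndx=56); not the attachment. */
size_t build_bad_elf(uint8_t *buf) {
    memset(buf, 0xff, BAD_LEN);
    memcpy(buf, ELFMAG, SELFMAG);
    buf[EI_CLASS] = ELFCLASS32; buf[EI_DATA] = ELFDATA2MSB; buf[EI_VERSION] = EV_CURRENT;
    wr32(buf + offsetof(Elf32_Ehdr, e_shoff), 14, 1);
    wr16(buf + offsetof(Elf32_Ehdr, e_shentsize), 40, 1);
    wr16(buf + offsetof(Elf32_Ehdr, e_shnum), 2, 1);
    wr16(buf + offsetof(Elf32_Ehdr, e_shstrndx), 56, 1);
    return BAD_LEN;
}

/* Wrappers returning the lookup result for each sample, no I/O involved. */
int lookup_good(uint16_t idx, char *out, size_t outlen) {
    uint8_t b[GOOD_LEN]; return elf32_section_name(b, build_good_elf(b), idx, out, outlen);
}
int good_name_is(uint16_t idx, const char *expect) {
    char nm[64]; return lookup_good(idx, nm, sizeof nm) == SN_OK && strcmp(nm, expect) == 0;
}
int lookup_bad(uint16_t idx) {
    uint8_t b[BAD_LEN]; return elf32_section_name(b, build_bad_elf(b), idx, NULL, 0);
}

int main(void) {
    char nm[64];
    int rc = lookup_good(1, nm, sizeof nm);
    printf("good file: rc=%d name='%s'\n", rc, rc == SN_OK ? nm : "");
    printf("report-like file: rc=%d (SN_BAD_SHSTRNDX=%d)\n", lookup_bad(0), SN_BAD_SHSTRNDX);
    return 0;
}
```

The order of the checks matters: the table-extent check runs before any section header is read, and e_shstrndx is compared against e_shnum before the string table header is read, so the report-like image is rejected at SN_BAD_SHSTRNDX without a single out-of-bounds access. Note that on the reported file the table-extent check alone would pass (14 + 2 * 40 = 94 bytes, inside the 96-byte file), which is why the index check is the one that matters here.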
Comment 1 SpanKY gentoo-dev 2015-12-12 21:36:43 UTC
same as bug 567954

*** This bug has been marked as a duplicate of bug 567954 ***