Created attachment 847774 [details]
scanelf testcase

scanelf -s '*' 1.crashes.elf

==58545==ERROR: AddressSanitizer: unknown-crash on address 0x7fe059136001 at pc 0x00000041bd79 bp 0x7ffe19497290 sp 0x7ffe19497288
READ of size 4 at 0x7fe059136001 thread T0
    #0 0x41bd78 in scanelf_file_get_symtabs ../pax-utils-1.3.6/scanelf.c:354
    #1 0x427638 in scanelf_file_sym ../pax-utils-1.3.6/scanelf.c:1313
    #2 0x427638 in scanelf_elfobj ../pax-utils-1.3.6/scanelf.c:1533
    #3 0x43fe33 in scanelf_elf ../pax-utils-1.3.6/scanelf.c:1598
    #4 0x43fe33 in scanelf_fileat ../pax-utils-1.3.6/scanelf.c:1665
    #5 0x44096c in scanelf_dirat ../pax-utils-1.3.6/scanelf.c:1699
    #6 0x443e03 in scanelf_dir ../pax-utils-1.3.6/scanelf.c:1749
    #7 0x443e03 in parseargs ../pax-utils-1.3.6/scanelf.c:2262
    #8 0x40291e in main ../pax-utils-1.3.6/scanelf.c:2350
    #9 0x7fe05caed1f6 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #10 0x7fe05caed2ab in __libc_start_main_impl ../csu/libc-start.c:381
    #11 0x402c10 (/usr/bin/scanelf+0x402c10)

A similar (same?) issue was already reported twice in the past:
https://blogs.gentoo.org/ago/2017/02/01/pax-utils-scanelf-out-of-bounds-read-in-scanelf_file_get_symtabs-scanelf-c/
https://blogs.gentoo.org/ago/2017/02/25/pax-utils-scanelf-out-of-bounds-read-in-scanelf_file_get_symtabs-scanelf-c-2/
Created attachment 847882 [details]
dumpelf testcase

There is also a crash in dumpelf:

dumpelf 1.crashes.elf

==6304==ERROR: AddressSanitizer: unknown-crash on address 0x7ff4963c7000 at pc 0x000000415aaa bp 0x7ffd1fb5c0e0 sp 0x7ffd1fb5c0d8
READ of size 4 at 0x7ff4963c7000 thread T0
    #0 0x415aa9 in dump_notes ../pax-utils-1.3.6/dumpelf.c:262
    #1 0x41655d in dump_phdr ../pax-utils-1.3.6/dumpelf.c:336
    #2 0x405789 in dumpelf ../pax-utils-1.3.6/dumpelf.c:83
    #3 0x405789 in dumpelf_file ../pax-utils-1.3.6/dumpelf.c:153
    #4 0x405789 in parseargs ../pax-utils-1.3.6/dumpelf.c:576
    #5 0x405789 in main ../pax-utils-1.3.6/dumpelf.c:604
    #6 0x7ff499d7d1f6 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #7 0x7ff499d7d2ab in __libc_start_main_impl ../csu/libc-start.c:381
    #8 0x40a290 (/usr/bin/dumpelf+0x40a290)
Mike, I don't know how much you monitor the toolchain@ alias. Since you are one of the main authors, you may be interested in this.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/pax-utils.git/commit/?id=c1759f9bf28edb910208a7c7fbb4b373fe8b1297

commit c1759f9bf28edb910208a7c7fbb4b373fe8b1297
Author:     Mike Frysinger <vapier@gentoo.org>
AuthorDate: 2024-01-25 05:19:50 +0000
Commit:     Mike Frysinger <vapier@gentoo.org>
CommitDate: 2024-01-25 05:19:50 +0000

    scanelf: fix hashtable overflow checks

    Make sure we use the right offset, and make sure the numbers to check
    don't overflow themselves -- if nbuckets & nchains are 32-bit, and if
    we multiply them by 4, we can easily overflow before we get a chance
    to see if they will fit within the memory range.

    Bug: https://bugs.gentoo.org/890028
    Signed-off-by: Mike Frysinger <vapier@gentoo.org>

 scanelf.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
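The overflow class the commit message above describes, shown as an added example that is not pax-utils code: a hypothetical bounds check for a SysV ELF hash table (two 32-bit words, nbucket and nchain, followed by nbucket + nchain 32-bit entries) written with 32-bit arithmetic, beside a version that widens to 64 bits before multiplying, both run over a constructed 4 KiB buffer. The function names (hash_fits_unsafe, hash_fits_safe, hash_table_in_range, put_hash_header) and the sample header values are assumptions for illustration, not anything from scanelf.c.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical checks for a SysV ELF hash table.  None of this is pax-utils
 * code; the names and values are constructed for illustration. */

/* Unsafe: all arithmetic is done in 32 bits, so (2 + nbucket + nchain) * 4
 * can wrap to a small number before it is ever compared against the size. */
static bool hash_fits_unsafe(uint32_t nbucket, uint32_t nchain,
                             uint32_t offset, uint32_t filesize)
{
    uint32_t need = (2 + nbucket + nchain) * 4;   /* may wrap */
    return offset + need <= filesize;             /* may wrap again */
}

/* Hardened: widen to 64 bits before any multiplication (the largest possible
 * value is about 2^35, which cannot wrap), and compare the required size
 * against the remaining space instead of adding to the offset. */
static bool hash_fits_safe(uint32_t nbucket, uint32_t nchain,
                           uint64_t offset, uint64_t filesize)
{
    uint64_t words = 2 + (uint64_t)nbucket + (uint64_t)nchain;
    uint64_t need = words * 4;
    if (offset > filesize)
        return false;
    return need <= filesize - offset;
}

/* Little-endian 32-bit load from a byte buffer. */
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Read nbucket/nchain at 'off' from a buffer of 'len' bytes and report whether
 * the whole table lies inside the buffer, using the hardened check. */
static bool hash_table_in_range(const uint8_t *buf, size_t len, size_t off)
{
    if (off > len || len - off < 8)   /* the 8-byte header itself must fit */
        return false;
    return hash_fits_safe(le32(buf + off), le32(buf + off + 4), off, len);
}

/* Write a constructed hash header into buf at off (test data, not a real ELF). */
static void put_hash_header(uint8_t *buf, size_t off, uint32_t nbucket, uint32_t nchain)
{
    for (int i = 0; i < 4; i++) {
        buf[off + i]     = (uint8_t)(nbucket >> (8 * i));
        buf[off + 4 + i] = (uint8_t)(nchain >> (8 * i));
    }
}

int main(void)
{
    static uint8_t file[4096];   /* constructed 4 KiB "file" */

    /* Sane table: 3 buckets, 5 chains at offset 64 -> 40 bytes, fits. */
    put_hash_header(file, 64, 3, 5);
    printf("sane   unsafe=%d safe=%d\n",
           hash_fits_unsafe(3, 5, 64, sizeof file),
           hash_table_in_range(file, sizeof file, 64));

    /* Hostile header: nbucket = nchain = 2^30.  (2 + 2^31) * 4 wraps to 8 in
     * 32 bits, so the unsafe check accepts an ~8 GiB table in a 4 KiB file. */
    put_hash_header(file, 64, 0x40000000u, 0x40000000u);
    printf("wrap   unsafe=%d safe=%d\n",
           hash_fits_unsafe(0x40000000u, 0x40000000u, 64, sizeof file),
           hash_table_in_range(file, sizeof file, 64));
    return 0;
}
```

The second case is the shape of the bug the commit fixes: the product of two attacker-controlled 32-bit counts wraps, the wrapped value passes the range comparison, and the later loop over nbucket + nchain entries walks off the mapping. Doing the arithmetic in a wider type (or checking for overflow before multiplying) closes it regardless of which offset the table claims.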
(In reply to Agostino Sarubbo from comment #0)
> Created attachment 847774 [details]
> scanelf testcase
>
> scanelf -s '*' 1.crashes.elf

should be fixed now

(In reply to Agostino Sarubbo from comment #1)
> There is also a crash in dumpelf:
>
> dumpelf 1.crashes.elf

i can't reproduce this

> ==6304==ERROR: AddressSanitizer: unknown-crash on address 0x7ff4963c7000 at
> pc 0x000000415aaa bp 0x7ffd1fb5c0e0 sp 0x7ffd1fb5c0d8
> READ of size 4 at 0x7ff4963c7000 thread T0
>     #0 0x415aa9 in dump_notes ../pax-utils-1.3.6/dumpelf.c:262

glancing at this line/section, it seems like we already verify the memory is valid before we read it, so not sure what this is tripping on.
(In reply to SpanKY from comment #4)
> i can't reproduce this
>
> > ==6304==ERROR: AddressSanitizer: unknown-crash on address 0x7ff4963c7000 at
> > pc 0x000000415aaa bp 0x7ffd1fb5c0e0 sp 0x7ffd1fb5c0d8
> > READ of size 4 at 0x7ff4963c7000 thread T0
> >     #0 0x415aa9 in dump_notes ../pax-utils-1.3.6/dumpelf.c:262
>
> glancing at this line/section, it seems like we already verify the memory is
> valid before we read it, so not sure what this is tripping on.

I still can reproduce on -9999 (a1d0123581ede02b54cf2c071507612dde25236c)
let's keep this bug focused on scanelf_file_get_symtabs. that was distinct, and it's fixed. the dumpelf stuff is a completely diff codebase, and not really important as it's only a low level curiosity type of thing. i keep debating whether to include it in the default install. i can repro one ASAN crash in dumpelf (out of bounds read), but i'm not sure it's a real bug, or it's a 1-byte boundary that ASAN doesn't like. still poking it.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9d250d23d6c2ff3286a8cdbfbe89f2c040b4a20c

commit 9d250d23d6c2ff3286a8cdbfbe89f2c040b4a20c
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-09-22 04:38:47 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-09-22 04:40:13 +0000

    app-misc/pax-utils: add 1.3.8

    Aliaksei Urbanski (1):
          Fix fuzz-dumpelf test

    Daniel Verkamp (1):
          lddtree: use readlink -f for absolute links

    David Riley (1):
          lddtree: Add --wrapper-preload

    Frederic Cambus (2):
          lddtree: allow lddtree.sh to find Xenocara libraries on OpenBSD.
          README: fix typo: s/peforming/performing.

    George Burgess IV (1):
          lddtree: add LD_ARGV0_REL

    Mathias Krause (4):
          seccomp: make socket() fail with -ENOSYS
          tests: add basic pspax test
          pspax: fix libcap memory leaks
          meson: avoid using replace() to not unnecessarily bump meson >= 0.58.0

    Mike Frysinger (45):
          Revert "paxinc: include <alloca.h> for alloca"
          lddtree: add docstring for all classes
          pylintrc: remove old entries
          github: update to checkout@v3
          lddtree: use f-string in warn message
          lddtree: fix argcomplete typing
          elf.h: pull from latest glibc
          update copyright headers
          dumpelf: use explicit 64-bit to display off_t
          github: disable fuzzing on macOS
          github: update to checkout@v4
          lddtree: use older Python typing style
          lddtree: disable pyelftools pylint import errors
          lddtree: disable mypy import errors
          lddtree: add some more typing info for mypy
          github: add python checkers
          lddtree: raise min version to Python 3.8
          pyproject.toml: add black & isort & mypy settings
          pylintrc: merge into pyproject.toml
          requirements: pin(ish) Python deps that we use to check things
          drop old __BOUNDS_CHECKING_ON support
          fix various typos found w/codespell
          github: add codespell checker
          build: use standard config.h naming
          build: use standard HAVE_xxx define style
          pspax: rework & document get_proc_name
          pspax: replace proc_fopen with fopenat_r
          pspax: fix buffer limiting in cmdline reading
          pspax: fix error handling when reading attr or ipaddr fail
          pspax: switch from fgets to getline
          unify usage() output across all the tools
          ar: handle invalid ascii numbers better
          ar: handle invalid extended filename offsets
          ar: switch from alloca to malloc
          scanelf: fix hashtable overflow checks
          README: update macOS name
          paxelf: reject ELFs with incomplete Ehdr structures
          dumpelf: free elf after fuzzing it to avoid leaking
          sanitizer: fix feature tests under clang
          dumpelf: check dyn pointer before DT_NULL check too
          dumpelf: improve note memory check
          dumpelf: limit note name display
          fuzz-ar: fuzzer for the archive parsing API
          fuzz-dumpelf: fix stats argument
          fuzzer: fix unused setting on argc & argv

    Mike Gilbert (1):
          make-seccomp-filters.sh: split cflags/ldflags for libseccomp

    Sam James (10):
          Make headers standalone (missing includes, prep for clang-tidy)
          *: IWYU fixes
          *: IWYU fixes deux
          .github: add Alpine CI
          Undo IWYU fixes
          paxinc: include <alloca.h> for alloca
          porting.h: include <stddef.h> for size_t, sort includes
          ci: make tests verbose
          meson.build: prepare for pax-utils-1.3.8
          CI: update muon URL

    Takuto Ikuta (1):
          lddtree: keep relativeness of invoked program in elf wrapper

    Zach van Rijn (1):
          paxelf: use correct format string

    Bug: https://bugs.gentoo.org/890028
    Bug: https://bugs.gentoo.org/890577
    Bug: https://bugs.gentoo.org/890579
    Bug: https://bugs.gentoo.org/922906
    Signed-off-by: Sam James <sam@gentoo.org>

 app-misc/pax-utils/Manifest               |  1 +
 app-misc/pax-utils/pax-utils-1.3.8.ebuild | 77 +++++++++++++++++++++++++++++++
 2 files changed, 78 insertions(+)