avast / retdec

RetDec is a retargetable machine-code decompiler based on LLVM.
https://retdec.com/
MIT License

fileinfo crashes in ElfFormat::addRelocationTable() #248

Closed bansan85 closed 6 years ago

bansan85 commented 6 years ago

With these new commits, I ran again with the crash file I previously found by fuzzing. It looks like I missed this case.

fileinfo crashes in ElfFormat::addRelocationTable

Input

fileinfo FILE

addRelocationTable.zip

Output

Backtrace:

#0  __memmove_sse2_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:356
#1  0x0000555555c94eb6 in std::__copy_move<false, true, std::random_access_iterator_tag>::__copy_m<char> (__result=<optimized out>, __last=<optimized out>, 
    __first=<optimized out>) at /usr/lib/gcc/x86_64-pc-linux-gnu/7.3.0/include/g++-v7/bits/stl_algobase.h:368
#2  std::__copy_move_a<false, char const*, char*> (__result=<optimized out>, __last=<optimized out>, __first=<optimized out>)
    at /usr/lib/gcc/x86_64-pc-linux-gnu/7.3.0/include/g++-v7/bits/stl_algobase.h:386
#3  std::__copy_move_a2<false, char const*, char*> (__result=<optimized out>, __last=<optimized out>, __first=<optimized out>)
    at /usr/lib/gcc/x86_64-pc-linux-gnu/7.3.0/include/g++-v7/bits/stl_algobase.h:424
#4  std::copy<char const*, char*> (__result=<optimized out>, __last=0x330 <error: Cannot access memory at address 0x330>, 
    __first=0x300 <error: Cannot access memory at address 0x300>) at /usr/lib/gcc/x86_64-pc-linux-gnu/7.3.0/include/g++-v7/bits/stl_algobase.h:456
#5  ELFIO::section_impl<ELFIO::Elf64_Shdr>::set_data (this=0x555556cd89d0, raw_data=0x300 <error: Cannot access memory at address 0x300>, size=48)
    at /home/legarrec/info/programmation/retdec2/build/external/src/elfio-project/include/elfio/elfio_section.hpp:173
#6  0x0000555555c7b732 in retdec::fileformat::ElfFormat::addRelocationTable (this=this@entry=0x555556ccc2c0, 
    dynamicSection=dynamicSection@entry=0x555556cd7ad0, info=..., symbolTable=symbolTable@entry=0x555556cd8930)
    at /home/legarrec/info/programmation/retdec2/src/fileformat/file_format/elf/elf_format.cpp:1284
#7  0x0000555555c7be72 in retdec::fileformat::ElfFormat::addRelaRelocationTable (this=0x555556ccc2c0, dynamicSection=0x555556cd7ad0, table=..., 
    symbolTable=0x555556cd8930) at /home/legarrec/info/programmation/retdec2/src/fileformat/file_format/elf/elf_format.cpp:1355
#8  0x0000555555c89efa in retdec::fileformat::ElfFormat::loadInfoFromDynamicTables (this=this@entry=0x555556ccc2c0, noOfTables=noOfTables@entry=1)
    at /home/legarrec/info/programmation/retdec2/src/fileformat/file_format/elf/elf_format.cpp:1972
#9  0x0000555555c8ab67 in retdec::fileformat::ElfFormat::loadInfoFromDynamicSegment (this=this@entry=0x555556ccc2c0)
    at /home/legarrec/info/programmation/retdec2/src/fileformat/file_format/elf/elf_format.cpp:2025
#10 0x0000555555c8b4c0 in retdec::fileformat::ElfFormat::initStructures (this=this@entry=0x555556ccc2c0)
    at /home/legarrec/info/programmation/retdec2/src/fileformat/file_format/elf/elf_format.cpp:1091
#11 0x0000555555c8e9a8 in retdec::fileformat::ElfFormat::initStructures (this=0x555556ccc2c0)
    at /home/legarrec/info/programmation/retdec2/src/fileformat/file_format/elf/elf_format.cpp:1076
#12 retdec::fileformat::ElfFormat::ElfFormat (this=0x555556ccc2c0, pathToFile=..., loadFlags=<optimized out>)
    at /home/legarrec/info/programmation/retdec2/src/fileformat/file_format/elf/elf_format.cpp:1033
#13 0x000055555597160a in fileinfo::ElfWrapper::ElfWrapper (this=0x555556ccc2c0, pathToFile=..., loadFlags=retdec::fileformat::NONE)
    at /home/legarrec/info/programmation/retdec2/src/fileinfo/file_wrapper/elf_wrapper.cpp:18
#14 0x000055555563e677 in __gnu_cxx::new_allocator<fileinfo::ElfWrapper>::construct<fileinfo::ElfWrapper, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, retdec::fileformat::LoadFlags&> (this=<optimized out>, __p=0x555556ccc2c0)
    at /usr/lib/gcc/x86_64-pc-linux-gnu/7.3.0/include/g++-v7/ext/new_allocator.h:136
#15 std::allocator_traits<std::allocator<fileinfo::ElfWrapper> >::construct<fileinfo::ElfWrapper, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, retdec::fileformat::LoadFlags&> (__a=..., __p=<optimized out>)
    at /usr/lib/gcc/x86_64-pc-linux-gnu/7.3.0/include/g++-v7/bits/alloc_traits.h:475
#16 std::_Sp_counted_ptr_inplace<fileinfo::ElfWrapper, std::allocator<fileinfo::ElfWrapper>, (__gnu_cxx::_Lock_policy)2>::_Sp_counted_ptr_inplace<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, retdec::fileformat::LoadFlags&> (__a=..., this=0x555556ccc2b0)
    at /usr/lib/gcc/x86_64-pc-linux-gnu/7.3.0/include/g++-v7/bits/shared_ptr_base.h:526
#17 std::__shared_count<(__gnu_cxx::_Lock_policy)2>::__shared_count<fileinfo::ElfWrapper, std::allocator<fileinfo::ElfWrapper>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, retdec::fileformat::LoadFlags&> (__a=..., this=<optimized out>)
    at /usr/lib/gcc/x86_64-pc-linux-gnu/7.3.0/include/g++-v7/bits/shared_ptr_base.h:637
#18 std::__shared_ptr<fileinfo::ElfWrapper, (__gnu_cxx::_Lock_policy)2>::__shared_ptr<std::allocator<fileinfo::ElfWrapper>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, retdec::fileformat::LoadFlags&> (__a=..., __tag=..., this=<optimized out>)
    at /usr/lib/gcc/x86_64-pc-linux-gnu/7.3.0/include/g++-v7/bits/shared_ptr_base.h:1295
#19 std::shared_ptr<fileinfo::ElfWrapper>::shared_ptr<std::allocator<fileinfo::ElfWrapper>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, retdec::fileformat::LoadFlags&> (__a=..., __tag=..., this=<optimized out>)
    at /usr/lib/gcc/x86_64-pc-linux-gnu/7.3.0/include/g++-v7/bits/shared_ptr.h:344
#20 std::allocate_shared<fileinfo::ElfWrapper, std::allocator<fileinfo::ElfWrapper>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, retdec::fileformat::LoadFlags&> (__a=...) at /usr/lib/gcc/x86_64-pc-linux-gnu/7.3.0/include/g++-v7/bits/shared_ptr.h:691
#21 std::make_shared<fileinfo::ElfWrapper, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, retdec::fileformat::LoadFlags&> ()
    at /usr/lib/gcc/x86_64-pc-linux-gnu/7.3.0/include/g++-v7/bits/shared_ptr.h:707
#22 fileinfo::ElfDetector::ElfDetector (this=0x555556ccbef0, pathToInputFile=..., finfo=..., searchPar=..., loadFlags=retdec::fileformat::NONE)
    at /home/legarrec/info/programmation/retdec2/src/fileinfo/file_detector/elf_detector.cpp:399
#23 0x000055555561b635 in fileinfo::createFileDetector (pathToInputFile=..., fileFormat=<optimized out>, finfo=..., searchPar=..., 
    loadFlags=retdec::fileformat::NONE) at /home/legarrec/info/programmation/retdec2/src/fileinfo/file_detector/detector_factory.cpp:38
#24 0x00005555555dbdc3 in main (argc=<optimized out>, argv=<optimized out>) at /home/legarrec/info/programmation/retdec2/src/fileinfo/fileinfo.cpp:395

valgrind

==20810== Invalid read of size 8
==20810==    at 0x4032B5E: memcpy@GLIBC_2.2.5 (vg_replace_strmem.c:1021)
==20810==    by 0x848EB5: __copy_m<char> (stl_algobase.h:368)
==20810==    by 0x848EB5: __copy_move_a<false, char const*, char*> (stl_algobase.h:386)
==20810==    by 0x848EB5: __copy_move_a2<false, char const*, char*> (stl_algobase.h:424)
==20810==    by 0x848EB5: copy<char const*, char*> (stl_algobase.h:456)
==20810==    by 0x848EB5: ELFIO::section_impl<ELFIO::Elf64_Shdr>::set_data(char const*, unsigned int) (elfio_section.hpp:173)
==20810==    by 0x82F731: retdec::fileformat::ElfFormat::addRelocationTable(ELFIO::section*, retdec::fileformat::ElfFormat::RelocationTableInfo const&, ELFIO::section*) (elf_format.cpp:1284)
==20810==    by 0x82FE71: retdec::fileformat::ElfFormat::addRelaRelocationTable(ELFIO::section*, retdec::fileformat::DynamicTable const&, ELFIO::section*) (elf_format.cpp:1355)
==20810==    by 0x83DEF9: retdec::fileformat::ElfFormat::loadInfoFromDynamicTables(unsigned long) (elf_format.cpp:1972)
==20810==    by 0x83EB66: retdec::fileformat::ElfFormat::loadInfoFromDynamicSegment() (elf_format.cpp:2025)
==20810==    by 0x83F4BF: retdec::fileformat::ElfFormat::initStructures() [clone .part.463] (elf_format.cpp:1091)
==20810==    by 0x8429A7: initStructures (elf_format.cpp:1076)
==20810==    by 0x8429A7: retdec::fileformat::ElfFormat::ElfFormat(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, retdec::fileformat::LoadFlags) (elf_format.cpp:1033)
==20810==    by 0x525609: fileinfo::ElfWrapper::ElfWrapper(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, retdec::fileformat::LoadFlags) (elf_wrapper.cpp:18)
==20810==    by 0x1F2676: construct<fileinfo::ElfWrapper, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, retdec::fileformat::LoadFlags&> (new_allocator.h:136)
==20810==    by 0x1F2676: construct<fileinfo::ElfWrapper, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, retdec::fileformat::LoadFlags&> (alloc_traits.h:475)
==20810==    by 0x1F2676: _Sp_counted_ptr_inplace<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, retdec::fileformat::LoadFlags&> (shared_ptr_base.h:526)
==20810==    by 0x1F2676: __shared_count<fileinfo::ElfWrapper, std::allocator<fileinfo::ElfWrapper>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, retdec::fileformat::LoadFlags&> (shared_ptr_base.h:637)
==20810==    by 0x1F2676: __shared_ptr<std::allocator<fileinfo::ElfWrapper>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, retdec::fileformat::LoadFlags&> (shared_ptr_base.h:1295)
==20810==    by 0x1F2676: shared_ptr<std::allocator<fileinfo::ElfWrapper>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, retdec::fileformat::LoadFlags&> (shared_ptr.h:344)
==20810==    by 0x1F2676: allocate_shared<fileinfo::ElfWrapper, std::allocator<fileinfo::ElfWrapper>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, retdec::fileformat::LoadFlags&> (shared_ptr.h:691)
==20810==    by 0x1F2676: make_shared<fileinfo::ElfWrapper, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, retdec::fileformat::LoadFlags&> (shared_ptr.h:707)
==20810==    by 0x1F2676: fileinfo::ElfDetector::ElfDetector(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, fileinfo::FileInformation&, retdec::cpdetect::DetectParams&, retdec::fileformat::LoadFlags) (elf_detector.cpp:399)
==20810==    by 0x1CF634: fileinfo::createFileDetector(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, retdec::fileformat::Format, fileinfo::FileInformation&, retdec::cpdetect::DetectParams&, retdec::fileformat::LoadFlags) (detector_factory.cpp:38)
==20810==    by 0x18FDC2: main (fileinfo.cpp:395)
==20810==  Address 0x300 is not stack'd, malloc'd or (recently) free'd

From master (8cc759b70f)
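The frames above show ELFIO's set_data() being handed raw_data=0x300 with size=48, a value taken from the fuzzed file's dynamic table and never checked against the file image before the copy. As an added illustration (not retdec's or ELFIO's own code, and not the fix), this is the overflow-safe range check a loader should apply to such a region before copying; RelocRegion, regionFitsInFile and loadRelocationTable are constructed names.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Constructed stand-in for a relocation-table descriptor recovered from the
// ELF dynamic table (DT_RELA/DT_RELASZ-style values) expressed as a file
// offset and a byte size.
struct RelocRegion {
    std::uint64_t offset; // byte offset of the table within the file image
    std::uint64_t size;   // byte size of the table
};

// True only if [offset, offset + size) lies inside a buffer of fileSize
// bytes. The subtraction form avoids the wrap-around that offset + size
// would suffer on attacker-chosen values.
bool regionFitsInFile(const RelocRegion& r, std::size_t fileSize) {
    if (r.size == 0) return false;
    if (r.offset > fileSize) return false;
    return r.size <= fileSize - r.offset;
}

// Copies the table out of the file image only after validation. An empty
// result signals a rejected region, so no caller ever memcpy()s from an
// address like 0x300 that does not belong to the loaded file.
std::vector<char> loadRelocationTable(const std::vector<char>& file,
                                      const RelocRegion& r) {
    if (!regionFitsInFile(r, file.size())) return {};
    std::vector<char> out(static_cast<std::size_t>(r.size));
    std::memcpy(out.data(), file.data() + r.offset, out.size());
    return out;
}
```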

s3rvac commented 6 years ago

Thanks for the report. I confirm that fileinfo crashes when analyzing the attached file, even in the current master.

mbandzi commented 6 years ago

Fixed in 2d53f9d4.