Closed fatihhcelik closed 4 months ago
We did not have the opportunity to examine the crash in depth, but I think the seekg() function should not exceed the file size (it checks eofbit). Could the cause of this crash be a corrupted heap/stack? Also, the program does not crash every time it is run.
Please give commit a428b72 a try.
Also, the program does not crash every time it is run.
I could not reproduce the crash with the provided file. So, please, confirm the fix. Thank you!
Thank you for your interest and solution. We could not trigger the same crash again with the files we had.
Thank you for the confirmation. I am closing the issue for now.
Description:
While fuzzing the Elfio library, we discovered a crash due to an out-of-bounds read in the "load_data" function inside the "pstream->seekg" function. The crash occurs when reading an ELF file and calling the "load_data" function at line 289 in "elfio/elfio_section.hpp". In this function, the "pstream->seekg" method is passed a value larger than the file size, which is conveyed in "header.sh_offset", causing the program to crash.
As can be seen below, the "header.sh_offset" value undergoes a translation and is passed to "seekg" without size checking.
Here is the backtrace of the crash:
Compiled with ASAN:
Here is the Valgrind output:
The elfio library does not check whether the values (header, size, offset etc.) it reads from an elf file exceed the file size. You can see some of the values below:
We use the "examples/tutorial/tutorial.cpp" file to test the library. Here is our crash file:
crash_elfio.zip
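As an added illustration (not ELFIO's code and not the change in a428b72), this is the kind of range check that belongs ahead of the seekg/read pair in a load_data-style routine: the section's [sh_offset, sh_offset + sh_size) range is validated against the file size before the stream is ever asked to seek, so an oversized sh_offset or a wrapping sum is rejected instead of reaching seekg. The names load_section_data, try_load and make_sample_file are chosen for this example, and the 32-byte image stands in for an ELF file.

```cpp
#include <cstdint>
#include <ios>
#include <istream>
#include <limits>
#include <sstream>
#include <string>
#include <vector>

// Hypothetical helper: fills `out` with `size` bytes starting at `offset`
// only when that whole range lies inside a file of `file_size` bytes.
// The check runs before seekg, so the stream is never positioned past EOF
// (which some stream types flag and others silently allow).
bool load_section_data(std::istream& in, uint64_t file_size,
                       uint64_t offset, uint64_t size,
                       std::vector<char>& out) {
    // Reject a start past EOF, and an end past EOF without computing
    // offset + size (that sum could wrap for a hostile sh_size).
    if (offset > file_size || size > file_size - offset) {
        return false;
    }
    if (size == 0) {
        out.clear();
        return true;
    }
    in.clear();  // drop any sticky failbit/eofbit from an earlier read
    in.seekg(static_cast<std::streamoff>(offset), std::ios::beg);
    if (!in) return false;
    out.assign(size, '\0');
    in.read(out.data(), static_cast<std::streamsize>(size));
    return static_cast<uint64_t>(in.gcount()) == size;
}

// Constructed sample: a 32-byte "file" whose byte i has the value i.
std::string make_sample_file() {
    std::string f(32, '\0');
    for (size_t i = 0; i < f.size(); ++i) f[i] = static_cast<char>(i);
    return f;
}

// Drives the check with in-range and out-of-range "sh_offset"/"sh_size".
bool try_load(uint64_t offset, uint64_t size, std::vector<char>& out) {
    std::string image = make_sample_file();
    std::istringstream in(image);
    return load_section_data(in, image.size(), offset, size, out);
}
```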