
segmentation fault examples\elfdump #42


orbitcowboy commented 4 years ago

I was able to crash example/elfdump with an invalid input file (generated by afl-fuzz):

The file is available at https://filebin.net/1n9a3p3m6h4qpnp9

$ ./elfdump crash.elf > /dev/null
Segmentation fault
$

gdb backtrace

backtrace:
#0  0x0000000000420983 in ELFIO::symbol_section_accessor_template<ELFIO::section>::generic_get_symbol<ELFIO::Elf64_Sym> (this=<optimized out>, index=0, name=Python Exception <class 'gdb.error'> There is no member named _M_dataplus.: 
, value=@0x7fffffffdc58: 0, size=@0x7fffffffdc50: 0, bind=@0x7fffffffdc4f: 0 '\000', type=@0x7fffffffdc4e: 0 '\000', section_index=@0x7fffffffdc4c: 0, other=@0x7fffffffdc4b: 0 '\000') at ../../elfio/elfio_strings.hpp:48
        convertor = <optimized out>
        string_section = 0x4549e0
        pStr = <optimized out>
        pSym = <optimized out>
        str_reader = <optimized out>
        ret = false
#1  0x0000000000406b06 in ELFIO::symbol_section_accessor_template<ELFIO::section>::get_symbol (this=<optimized out>, index=<optimized out>, name=..., value=<optimized out>, size=<optimized out>, bind=<optimized out>, type=<optimized out>, section_index=<optimized out>, other=<optimized out>) at ../../elfio/elfio_symbols.hpp:71
No locals.
#2  ELFIO::dump::symbol_tables (out=..., reader=...) at ../../elfio/elfio_dump.hpp:619
        value = 0
        type = 0 '\000'
        section = 0
        size = 0
        bind = 0 '\000'
        other = 0 '\000'
        name = <optimized out>
        i = <optimized out>
        sym_no = <optimized out>
        symbols = <optimized out>
        sec = 0x454940
        i = <optimized out>
        n = <optimized out>
#3  0x00000000004028ec in main (argc=<optimized out>, argv=0x7fffffffde78) at elfdump.cpp:52
        reader = {sections = {parent = 0x7fffffffdce8}, segments = {parent = 0x7fffffffdce8}, header = 0x454280, sections_ = std::vector of length 41, capacity 64 = {0x4542e0, 0x454380, 0x454450, 0x454550, 0x454840, 0x454940, 0x4549e0, 0x455240, 0x455380, 0x455520, 0x4556e0, 0x455d50, 0x455df0, 0x456280, 0x456320, 0x4563c0, 0x458530, 0x458f00, 0x45ae00, 0x45be90, 0x45bf30, 0x45c000, 0x45c0a0, 0x45c360, 0x45c630, 0x45c700, 0x45c9b0, 0x45dcd0, 0x45dd70, 0x45deb0, 0x465ac0, 0x465b60, 0x466510, 0x476c50, 0x48c390, 0x48c430, 0x48c4d0, 0x48e3e0, 0x49c140, 0x49eec0, 0x4a4420}, segments_ = std::vector of length 12, capacity 16 = {0x451fb0, 0x451f00, 0x4a49d0, 0x4a6770, 0x4a6800, 0x4abfa0, 0x4ad950, 0x4adc10, 0x4adcd0, 0x4ade10, 0x4ae6e0, 0x4ae770}, convertor = {need_conversion = false}, current_file_pos = 0}

registers:
rax            0x6                 6
rbx            0x0                 0
rcx            0x4665b0            4613552
rdx            0xadcd              44493
rsi            0x42f5a0            4388256
rdi            0x454940            4540736
rbp            0x7fffffffdd30      0x7fffffffdd30
rsp            0x7fffffffdb80      0x7fffffffdb80
r8             0x7fffffffdc50      140737488346192
r9             0x7fffffffdc4f      140737488346191
r10            0x30                48
r11            0x246               582
r12            0xfffffffffffffffc  -4
r13            0x0                 0
r14            0x4549e0            4540896
r15            0x0                 0
rip            0x420983            0x420983 <ELFIO::symbol_section_accessor_template<ELFIO::section>::generic_get_symbol<ELFIO::Elf64_Sym>(unsigned long, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, unsigned long&, unsigned long&, unsigned char&, unsigned char&, unsigned short&, unsigned char&) const+355>
eflags         0x10202             [ IF RF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0

current instructions:
=> 0x420983 <ELFIO::symbol_section_accessor_template<ELFIO::section>::generic_get_symbol<ELFIO::Elf64_Sym>(unsigned long, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, unsigned long&, unsigned long&, unsigned char&, unsigned char&, unsigned short&, unsigned char&) const+355>:    mov    0x0(%r13,%rbx,1),%eax
   0x420988 <ELFIO::symbol_section_accessor_template<ELFIO::section>::generic_get_symbol<ELFIO::Elf64_Sym>(unsigned long, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, unsigned long&, unsigned long&, unsigned char&, unsigned char&, unsigned short&, unsigned char&) const+360>:    movslq %fs:(%r12),%rcx
   0x42098d <ELFIO::symbol_section_accessor_template<ELFIO::section>::generic_get_symbol<ELFIO::Elf64_Sym>(unsigned long, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, unsigned long&, unsigned long&, unsigned char&, unsigned char&, unsigned short&, unsigned char&) const+365>:    mov    0xeacc(%rip),%rdx        # 0x42f460 <__afl_area_ptr>
   0x420994 <ELFIO::symbol_section_accessor_template<ELFIO::section>::generic_get_symbol<ELFIO::Elf64_Sym>(unsigned long, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, unsigned long&, unsigned long&, unsigned char&, unsigned char&, unsigned short&, unsigned char&) const+372>:    xor    $0x9a54,%rcx
   0x42099b <ELFIO::symbol_section_accessor_template<ELFIO::section>::generic_get_symbol<ELFIO::Elf64_Sym>(unsigned long, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, unsigned long&, unsigned long&, unsigned char&, unsigned char&, unsigned short&, unsigned char&) const+379>:    addb   $0x1,(%rdx,%rcx,1)
   0x42099f <ELFIO::symbol_section_accessor_template<ELFIO::section>::generic_get_symbol<ELFIO::Elf64_Sym>(unsigned long, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, unsigned long&, unsigned long&, unsigned char&, unsigned char&, unsigned short&, unsigned char&) const+383>:    movl   $0x4d2a,%fs:(%r12)
   0x4209a8 <ELFIO::symbol_section_accessor_template<ELFIO::section>::generic_get_symbol<ELFIO::Elf64_Sym>(unsigned long, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, unsigned long&, unsigned long&, unsigned char&, unsigned char&, unsigned short&, unsigned char&) const+392>:    cmpb   $0x0,0x0(%rbp)
   0x4209ac <ELFIO::symbol_section_accessor_template<ELFIO::section>::generic_get_symbol<ELFIO::Elf64_Sym>(unsigned long, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, unsigned long&, unsigned long&, unsigned char&, unsigned char&, unsigned short&, unsigned char&) const+396>:    mov    %eax,%r15d
   0x4209af <ELFIO::symbol_section_accessor_template<ELFIO::section>::generic_get_symbol<ELFIO::Elf64_Sym>(unsigned long, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, unsigned long&, unsigned long&, unsigned char&, unsigned char&, unsigned short&, unsigned char&) const+399>:    bswap  %r15d
   0x4209b2 <ELFIO::symbol_section_accessor_template<ELFIO::section>::generic_get_symbol<ELFIO::Elf64_Sym>(unsigned long, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, unsigned long&, unsigned long&, unsigned char&, unsigned char&, unsigned short&, unsigned char&) const+402>:    cmove  %eax,%r15d
   0x4209b6 <ELFIO::symbol_section_accessor_template<ELFIO::section>::generic_get_symbol<ELFIO::Elf64_Sym>(unsigned long, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, unsigned long&, unsigned long&, unsigned char&, unsigned char&, unsigned short&, unsigned char&) const+406>:    mov    (%r14),%rax
   0x4209b9 <ELFIO::symbol_section_accessor_template<ELFIO::section>::generic_get_symbol<ELFIO::Elf64_Sym>(unsigned long, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, unsigned long&, unsigned long&, unsigned char&, unsigned char&, unsigned short&, unsigned char&) const+409>:    mov    %r14,%rdi
   0x4209bc <ELFIO::symbol_section_accessor_template<ELFIO::section>::generic_get_symbol<ELFIO::Elf64_Sym>(unsigned long, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, unsigned long&, unsigned long&, unsigned char&, unsigned char&, unsigned short&, unsigned char&) const+412>:    callq  *0x98(%rax)
   0x4209c2 <ELFIO::symbol_section_accessor_template<ELFIO::section>::generic_get_symbol<ELFIO::Elf64_Sym>(unsigned long, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, unsigned long&, unsigned long&, unsigned char&, unsigned char&, unsigned short&, unsigned char&) const+418>:    cmp    %r15,%rax
   0x4209c5 <ELFIO::symbol_section_accessor_template<ELFIO::section>::generic_get_symbol<ELFIO::Elf64_Sym>(unsigned long, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, unsigned long&, unsigned long&, unsigned char&, unsigned char&, unsigned short&, unsigned char&) const+421>:    jbe    0x420a79 <ELFIO::symbol_section_accessor_template<ELFIO::section>::generic_get_symbol<ELFIO::Elf64_Sym>(unsigned long, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, unsigned long&, unsigned long&, unsigned char&, unsigned char&, unsigned short&, unsigned char&) const+601>
   0x4209cb <ELFIO::symbol_section_accessor_template<ELFIO::section>::generic_get_symbol<ELFIO::Elf64_Sym>(unsigned long, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, unsigned long&, unsigned long&, unsigned char&, unsigned char&, unsigned short&, unsigned char&) const+427>:    movslq %fs:(%r12),%rax

threads backtrace:

Thread 1 (process 12108):
#0  0x0000000000420983 in ELFIO::symbol_section_accessor_template<ELFIO::section>::generic_get_symbol<ELFIO::Elf64_Sym> (this=<optimized out>, index=0, name=Python Exception <class 'gdb.error'> There is no member named _M_dataplus.: 
, value=@0x7fffffffdc58: 0, size=@0x7fffffffdc50: 0, bind=@0x7fffffffdc4f: 0 '\000', type=@0x7fffffffdc4e: 0 '\000', section_index=@0x7fffffffdc4c: 0, other=@0x7fffffffdc4b: 0 '\000') at ../../elfio/elfio_strings.hpp:48
#1  0x0000000000406b06 in ELFIO::symbol_section_accessor_template<ELFIO::section>::get_symbol (this=<optimized out>, index=<optimized out>, name=..., value=<optimized out>, size=<optimized out>, bind=<optimized out>, type=<optimized out>, section_index=<optimized out>, other=<optimized out>) at ../../elfio/elfio_symbols.hpp:71
#2  ELFIO::dump::symbol_tables (out=..., reader=...) at ../../elfio/elfio_dump.hpp:619
#3  0x00000000004028ec in main (argc=<optimized out>, argv=0x7fffffffde78) at elfdump.cpp:52
serge1 commented 4 years ago

This issue is addressed in commit 9cf8821. Thank you.