https://sourceware.org/bugzilla/show_bug.cgi?id=21149
Bug ID: 21149 Summary: readelf - several invalid read Product: binutils Version: 2.29 (HEAD) Status: UNCONFIRMED Severity: normal Priority: P2 Component: binutils Assignee: unassigned at sourceware dot org Reporter: thuanpv at comp dot nus.edu.sg Target Milestone: --- Created attachment 9816 --> https://sourceware.org/bugzilla/attachment.cgi?id=9816&action=edit Bug triggering input Dear all, This bug was found with AFLGo, a directed version of AFL/AFLFast. Thanks also to Marcel Böhme. This bug was found on Ubuntu 14.04 64-bit & binutils was checkout from main repository at git://sourceware.org/git/binutils-gdb.git. Its commit is 53f7e8ea7fad1fcff1b58f4cbd74e192e0bcbc1d (Fri Feb 10 00:00:16 2017) binutils was built with ASAN using gcc-6.2 and clang-3.4. The configure command was: CC=clang CFLAGS="-DFORTIFY_SOURCE=2 -fstack-protector-all -fsanitize=undefined,address -fno-omit-frame-pointer -g -Wno-error" ../configure --disable-shared --disable-gdb --disable-libdecnumber --disable-readline --disable-sim To reproduce: Download the attached file - bug_15 readelf -zxt bug_15 Valgrind says: ==81060== Invalid read of size 1 ==81060== at 0x438D7C: byte_get_little_endian (elfcomm.c:211) ==81060== by 0x408707: get_compression_header (readelf.c:5735) ==81060== by 0x40EADA: dump_section_as_bytes (readelf.c:12700) ==81060== by 0x42332E: process_section_contents (readelf.c:13082) ==81060== by 0x42332E: process_object (readelf.c:16780) ==81060== by 0x402111: process_file (readelf.c:17154) ==81060== by 0x402111: main (readelf.c:17225) ==81060== Address 0x5203c62 is 0 bytes after a block of size 18 alloc'd ==81060== at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==81060== by 0x40566E: get_data (readelf.c:393) ==81060== by 0x40E7EB: dump_section_as_bytes (readelf.c:12685) ==81060== by 0x42332E: process_section_contents (readelf.c:13082) ==81060== by 0x42332E: process_object (readelf.c:16780) ==81060== by 0x402111: process_file (readelf.c:17154) ==81060== by 0x402111: main (readelf.c:17225) ==81060== ==81060== Invalid read of size 1 ==81060== at 0x438D92: byte_get_little_endian (elfcomm.c:212) ==81060== by 0x408707: get_compression_header (readelf.c:5735) ==81060== by 0x40EADA: dump_section_as_bytes (readelf.c:12700) ==81060== by 0x42332E: process_section_contents (readelf.c:13082) ==81060== by 0x42332E: process_object (readelf.c:16780) ==81060== by 0x402111: process_file (readelf.c:17154) ==81060== by 0x402111: main (readelf.c:17225) ==81060== Address 0x5203c63 is 1 bytes after a block of size 18 alloc'd ==81060== at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==81060== by 0x40566E: get_data (readelf.c:393) ==81060== by 0x40E7EB: dump_section_as_bytes (readelf.c:12685) ==81060== by 0x42332E: process_section_contents (readelf.c:13082) ==81060== by 0x42332E: process_object (readelf.c:16780) ==81060== by 0x402111: process_file (readelf.c:17154) ==81060== by 0x402111: main (readelf.c:17225) ==81060== ==81060== Invalid read of size 1 ==81060== at 0x438D9D: byte_get_little_endian (elfcomm.c:213) ==81060== by 0x408707: get_compression_header (readelf.c:5735) ==81060== by 0x40EADA: dump_section_as_bytes (readelf.c:12700) ==81060== by 0x42332E: process_section_contents (readelf.c:13082) ==81060== by 0x42332E: process_object (readelf.c:16780) ==81060== by 0x402111: process_file (readelf.c:17154) ==81060== by 0x402111: main (readelf.c:17225) ==81060== Address 0x5203c64 is 2 bytes after a block of size 18 alloc'd ==81060== at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==81060== by 0x40566E: get_data (readelf.c:393) ==81060== by 0x40E7EB: dump_section_as_bytes (readelf.c:12685) ==81060== by 0x42332E: process_section_contents (readelf.c:13082) ==81060== by 0x42332E: process_object (readelf.c:16780) ==81060== by 0x402111: process_file (readelf.c:17154) ==81060== by 0x402111: main (readelf.c:17225) ==81060== ==81060== Invalid read of size 1 ==81060== at 0x438DA8: byte_get_little_endian (elfcomm.c:214) ==81060== by 0x408707: get_compression_header (readelf.c:5735) ==81060== by 0x40EADA: dump_section_as_bytes (readelf.c:12700) ==81060== by 0x42332E: process_section_contents (readelf.c:13082) ==81060== by 0x42332E: process_object (readelf.c:16780) ==81060== by 0x402111: process_file (readelf.c:17154) ==81060== by 0x402111: main (readelf.c:17225) ==81060== Address 0x5203c65 is 3 bytes after a block of size 18 alloc'd ==81060== at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==81060== by 0x40566E: get_data (readelf.c:393) ==81060== by 0x40E7EB: dump_section_as_bytes (readelf.c:12685) ==81060== by 0x42332E: process_section_contents (readelf.c:13082) ==81060== by 0x42332E: process_object (readelf.c:16780) ==81060== by 0x402111: process_file (readelf.c:17154) ==81060== by 0x402111: main (readelf.c:17225) ==81060== ==81060== Invalid read of size 1 ==81060== at 0x438DB3: byte_get_little_endian (elfcomm.c:215) ==81060== by 0x408707: get_compression_header (readelf.c:5735) ==81060== by 0x40EADA: dump_section_as_bytes (readelf.c:12700) ==81060== by 0x42332E: process_section_contents (readelf.c:13082) ==81060== by 0x42332E: process_object (readelf.c:16780) ==81060== by 0x402111: process_file (readelf.c:17154) ==81060== by 0x402111: main (readelf.c:17225) ==81060== Address 0x5203c66 is 4 bytes after a block of size 18 alloc'd ==81060== at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==81060== by 0x40566E: get_data (readelf.c:393) ==81060== by 0x40E7EB: dump_section_as_bytes (readelf.c:12685) ==81060== by 0x42332E: process_section_contents (readelf.c:13082) ==81060== by 0x42332E: process_object (readelf.c:16780) ==81060== by 0x402111: process_file (readelf.c:17154) ==81060== by 0x402111: main (readelf.c:17225) ==81060== ==81060== Invalid read of size 1 ==81060== at 0x438DBE: byte_get_little_endian (elfcomm.c:216) ==81060== by 0x408707: get_compression_header (readelf.c:5735) ==81060== by 0x40EADA: dump_section_as_bytes (readelf.c:12700) ==81060== by 0x42332E: process_section_contents (readelf.c:13082) ==81060== by 0x42332E: process_object (readelf.c:16780) ==81060== by 0x402111: process_file (readelf.c:17154) ==81060== by 0x402111: main (readelf.c:17225) ==81060== Address 0x5203c67 is 5 bytes after a block of size 18 alloc'd ==81060== at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==81060== by 0x40566E: get_data (readelf.c:393) ==81060== by 0x40E7EB: dump_section_as_bytes (readelf.c:12685) ==81060== by 0x42332E: process_section_contents (readelf.c:13082) ==81060== by 0x42332E: process_object (readelf.c:16780) ==81060== by 0x402111: process_file (readelf.c:17154) ==81060== by 0x402111: main (readelf.c:17225) ASAN says: ==71214==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000ef92 at pc 0x7269ba bp 0x7fff700914d0 sp 0x7fff700914c8 READ of size 1 at 0x60300000ef92 thread T0 #0 0x7269b9 in byte_get_little_endian /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/elfcomm.c:209 #1 0x5662f4 in get_compression_header /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:5735 #2 0x55c685 in dump_section_as_bytes /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:12701 #3 0x4e1320 in process_section_contents /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:13082 #4 0x48d610 in process_object /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:16780 #5 0x488365 in process_file /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:17154 #6 0x4855c3 in main /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:17225 #7 0x7f838215af44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44) #8 0x47ddfc in _start (/home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/readelf+0x47ddfc) -- You are receiving this mail because: You are on the CC list for the bug. _______________________________________________ bug-binutils mailing list bug-binutils@gnu.org https://lists.gnu.org/mailman/listinfo/bug-binutils