bug-binutils

From: xing_ruopeng at bupt dot edu.cn
Subject: [Bug libctf/30432] New: readelf with option --ctf=1, received signal SIGSEGV when opening testcases generated from fuzz testing
Date: Tue, 09 May 2023 13:30:26 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=30432

            Bug ID: 30432
           Summary: readelf with option --ctf=1, received signal SIGSEGV
                    when opening testcases generated from fuzz testing
           Product: binutils
           Version: 2.39
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: libctf
          Assignee: unassigned at sourceware dot org
          Reporter: xing_ruopeng at bupt dot edu.cn
  Target Milestone: ---

Created attachment 14868
  --> https://sourceware.org/bugzilla/attachment.cgi?id=14868&action=edit
3 pocs generated by AFL plus plus

I tested readelf with AFL plus plus and found this crash.

Opening the testcases with readelf and the option --ctf=1 reproduces it.
There are 3 PoCs in the attachment; you can reproduce this crash with them.

This is the output I got when I debugged it with gdb:

Starting program: /home/xrp/aflpp/poc/readelf/readelf --ctf=1 ./poc1
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
readelf: Warning: Section 1 has an out of range sh_link value of 1415536384
readelf: Warning: Section 12 has an out of range sh_link value of 2130706432
readelf: Warning: Section 27 has an out of range sh_link value of 1882092655
readelf: Error: Section 27 has invalid sh_entsize of 73622e00
readelf: Error: (Using the expected size of 10 for the rest of this dump)
readelf: Error: Reading 2019634795 bytes extends past end of file for section contents

Program received signal SIGSEGV, Segmentation fault.
0x00005555555be58c in ctf_arc_bufopen (ctfsect=ctfsect@entry=0x7fffffffdbe0, symsect=symsect@entry=0x7fffffffdc00, strsect=strsect@entry=0x7fffffffdc20, errp=errp@entry=0x7fffffffdbc4) at ../../libctf/ctf-archive.c:427
427       if (ctfsect->cts_size > sizeof (uint64_t) &&
(gdb) info threads
  Id   Target Id                                   Frame
* 1    Thread 0x7ffff7fa3740 (LWP 76764) "readelf" 0x00005555555be58c in ctf_arc_bufopen (ctfsect=ctfsect@entry=0x7fffffffdbe0, symsect=symsect@entry=0x7fffffffdc00, strsect=strsect@entry=0x7fffffffdc20, errp=errp@entry=0x7fffffffdbc4) at ../../libctf/ctf-archive.c:427
(gdb) bt
#0  0x00005555555be58c in ctf_arc_bufopen (ctfsect=ctfsect@entry=0x7fffffffdbe0, symsect=symsect@entry=0x7fffffffdc00, strsect=strsect@entry=0x7fffffffdc20, errp=errp@entry=0x7fffffffdbc4) at ../../libctf/ctf-archive.c:427
#1  0x0000555555594533 in dump_section_as_ctf (filedata=0x5555556604b0, section=0x555555663b60) at ../../binutils/readelf.c:15889
#2  process_section_contents (filedata=filedata@entry=0x5555556604b0) at ../../binutils/readelf.c:16477
#3  0x0000555555595a17 in process_section_contents (filedata=0x5555556604b0) at ../../binutils/readelf.c:6560
#4  process_object (filedata=filedata@entry=0x5555556604b0) at ../../binutils/readelf.c:22502
#5  0x00005555555604e6 in process_object (filedata=0x5555556604b0) at ../../binutils/readelf.c:22426
#6  process_file (file_name=<optimized out>) at ../../binutils/readelf.c:22925
#7  main (argc=<optimized out>, argv=<optimized out>) at ../../binutils/readelf.c:22996

I guess there may be a bug or bugs located in libctf/ctf-archive.c.

Binutils 2.40 built on Ubuntu 22.04

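Added illustration (not part of the report above, and not binutils or libctf code): the three readelf diagnostics in the gdb output correspond to the header sanity checks an ELF consumer performs before it touches section contents. The stand-alone C below validates Elf64 section headers against the header count and the real file size, using constructed sample headers that carry the reported values. The struct layout follows Elf64_Shdr from <elf.h>; the function names (check_shdr, section_data, count_rejected), the 64-byte sample "file" and the expected entry size of 10 are assumptions made for the example, the last borrowed from readelf's own message in the report.

```c
#include <stdint.h>
#include <stdio.h>

/* ELF64 section header; field order and widths follow Elf64_Shdr in <elf.h>. */
typedef struct {
  uint32_t sh_name;
  uint32_t sh_type;
  uint64_t sh_flags;
  uint64_t sh_addr;
  uint64_t sh_offset;
  uint64_t sh_size;
  uint32_t sh_link;
  uint32_t sh_info;
  uint64_t sh_addralign;
  uint64_t sh_entsize;
} shdr64;

#define SHT_NOBITS_TYPE 8u  /* SHT_NOBITS: occupies no bytes in the file */

/* Bit flags returned by check_shdr; SH_OK means every check passed. */
enum { SH_OK = 0, SH_BAD_LINK = 1, SH_BAD_ENTSIZE = 2, SH_BAD_RANGE = 4 };

/* Validate one header. shnum is the number of section headers, file_size the
   number of bytes actually read; expected_entsize == 0 means the section type
   has no fixed entry size, so sh_entsize is not checked. */
int check_shdr(const shdr64 *sh, uint64_t file_size, uint32_t shnum,
               uint64_t expected_entsize)
{
  int status = SH_OK;

  /* sh_link names another section header, so it must index into the table. */
  if (sh->sh_link >= shnum)
    status |= SH_BAD_LINK;

  /* Tables of fixed-size entries must declare the size the parser will use. */
  if (expected_entsize != 0 && sh->sh_entsize != expected_entsize)
    status |= SH_BAD_ENTSIZE;

  /* Contents must lie inside the file. Compare against file_size - sh_size
     instead of computing sh_offset + sh_size, which could wrap around. */
  if (sh->sh_type != SHT_NOBITS_TYPE &&
      (sh->sh_size > file_size || sh->sh_offset > file_size - sh->sh_size))
    status |= SH_BAD_RANGE;

  return status;
}

/* Hand out a pointer to section contents only when the header passed every
   check. A NULL result means "do not parse this section", not "parse it with
   a default size". */
const uint8_t *section_data(const uint8_t *file, uint64_t file_size,
                            const shdr64 *sh, uint32_t shnum,
                            uint64_t expected_entsize)
{
  if (check_shdr(sh, file_size, shnum, expected_entsize) != SH_OK)
    return NULL;
  return file + sh->sh_offset;
}

/* Constructed 64-byte stand-in for an object file; its contents are
   irrelevant, only its size matters to the range check. */
static const uint8_t sample_file[64] = { 0 };
#define SAMPLE_SIZE ((uint64_t) sizeof sample_file)
#define SAMPLE_SHNUM 4u

/* Five constructed headers: one valid, four reproducing the failure classes
   readelf warned about (values borrowed from its messages in the report). */
static const shdr64 sample_shdrs[5] = {
  { .sh_type = 1, .sh_offset = 16, .sh_size = 8, .sh_link = 1 },          /* valid */
  { .sh_type = 1, .sh_link = 1415536384u },                                 /* sh_link out of range */
  { .sh_type = 1, .sh_link = 1, .sh_entsize = 0x73622e00 },                 /* invalid sh_entsize */
  { .sh_type = 1, .sh_link = 1, .sh_size = 2019634795u },                   /* extends past EOF */
  { .sh_type = 1, .sh_link = 1, .sh_offset = UINT64_MAX - 4, .sh_size = 8 } /* offset + size wraps */
};

/* Run every sample header through the checks; returns how many were rejected. */
int count_rejected(void)
{
  int rejected = 0;
  for (int i = 0; i < 5; i++) {
    /* Only the third sample is treated as a fixed-entry table; 10 is the
       expected size readelf printed in the report, used here as sample data. */
    uint64_t expect = (i == 2) ? 10 : 0;
    int st = check_shdr(&sample_shdrs[i], SAMPLE_SIZE, SAMPLE_SHNUM, expect);
    printf("section %d: status 0x%x (%s)\n", i, st, st == SH_OK ? "ok" : "rejected");
    if (st != SH_OK)
      rejected++;
  }
  return rejected;
}

int main(void)
{
  return count_rejected() == 4 ? 0 : 1;
}
```

Compile with any C99 compiler and run; it prints one status line per sample and exits 0 when the four malformed headers are rejected. The design point, given where the trace above faults, is that a section failing any check yields no data pointer at all: the consumer then skips that dump rather than continuing with a guessed entry size or a short buffer. The subtraction form of the range check also catches the sh_offset + sh_size wraparound that a naive addition would hide.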

