bug-binutils
From: hanfangzhang9 at gmail dot com
Subject: [Bug binutils/23780] New: There is an assertion abort in function display_raw_attribute() in readelf.c in GNU Binutils of version 2.31.1.
Date: Mon, 15 Oct 2018 20:42:21 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=23780

            Bug ID: 23780
           Summary: There is an assertion abort in function
                    display_raw_attribute() in readelf.c in GNU Binutils
                    of version 2.31.1.
           Product: binutils
           Version: 2.31
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: hanfangzhang9 at gmail dot com
  Target Milestone: ---

Created attachment 11329
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11329&action=edit
The poc file of this bug

Dear all,

There is an assertion abort in function display_raw_attribute() in readelf.c in
GNU Binutils of version 2.31.1. It will lead to remote denial of service.

To reproduce:
Download the attached file poc
readelf -a poc

Normal output:
...
readelf: readelf.c:15158: display_raw_attribute: Assertion `end > p' failed.
Aborted

The GDB debugging information is as follows:
readelf: readelf.c:15158: display_raw_attribute: Assertion `end > p' failed.

Program received signal SIGABRT, Aborted.


Stopped reason: SIGABRT
0x00007ffff7a42428 in __GI_raise (address@hidden) at ../sysdeps/unix/sysv/linux/raise.c:54
54      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
gdb-peda$ bt
#0  0x00007ffff7a42428 in __GI_raise (address@hidden) at ../sysdeps/unix/sysv/linux/raise.c:54
#1  0x00007ffff7a4402a in __GI_abort () at abort.c:89
#2  0x00007ffff7a3abd7 in __assert_fail_base (fmt=<optimized out>, address@hidden "end > p", address@hidden "readelf.c", address@hidden, address@hidden <__PRETTY_FUNCTION__.21845> "display_raw_attribute") at assert.c:92
#3  0x00007ffff7a3ac82 in __GI___assert_fail (address@hidden "end > p", address@hidden "readelf.c", address@hidden, address@hidden <__PRETTY_FUNCTION__.21845> "display_raw_attribute") at assert.c:101
#4  0x0000000000404fac in display_raw_attribute (p=<optimized out>, address@hidden "") at readelf.c:15158
#5  0x0000000000404ff9 in display_public_gnu_attributes (start=<optimized out>, end=0x698310 "") at readelf.c:18509
#6  0x000000000040aea9 in process_attributes (address@hidden, address@hidden "gnu", address@hidden, address@hidden <display_public_gnu_attributes>, address@hidden <display_generic_attribute>) at readelf.c:15460
#7  0x0000000000428373 in process_arch_specific (filedata=0x697000) at readelf.c:18578
#8  process_object (address@hidden) at readelf.c:18856
#9  0x000000000040226d in process_file (file_name=<optimized out>) at readelf.c:19259
#10 main (address@hidden, address@hidden) at readelf.c:19318
#11 0x00007ffff7a2d830 in __libc_start_main (main=0x401b80 <main>, argc=0x3, argv=0x7fffffffe018, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe008) at ../csu/libc-start.c:291
#12 0x0000000000402449 in _start ()

Credits: Hanfang Zhang, Sichuan University

Best regards,
Hanfang Zhang
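Added example, not binutils code: a bounds-checked reader for one vendor subsection of a .gnu.attributes section that returns an error on the same condition the report's display_raw_attribute() asserts on (`end > p`), so a crafted length field rejects the input instead of aborting the tool. The function names dump_raw_attribute() and process_attr_subsection() and the sample byte strings are constructed for this illustration; the assumed layout (format byte 'A', a 4-byte length that counts itself, a NUL-terminated vendor name, then raw attribute bytes) is the ELF build-attributes format.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical checked counterpart of readelf's display_raw_attribute(): dump
 * [p, end) as hex, refusing an empty or inverted range instead of asserting. */
static int dump_raw_attribute(const unsigned char *p, const unsigned char *end)
{
    if (p == NULL || end <= p)
        return -1;                      /* the condition the report's assert trips on */
    while (p < end) printf(" %02x", *p++);
    putchar('\n');
    return 0;
}

/* Walk one vendor subsection of a .gnu.attributes section: format byte 'A', a
 * 4-byte little-endian length that counts itself, a NUL-terminated vendor name,
 * then raw attribute bytes.  Returns bytes dumped, or -1 for malformed input. */
static long process_attr_subsection(const unsigned char *buf, size_t len)
{
    const unsigned char *p = buf, *end = buf + len, *nul;
    uint32_t sub_len;
    if (len < 1 || buf[0] != 'A')                   /* unknown format version */
        return -1;
    p++;
    if ((size_t)(end - p) < 4)                      /* no room for the length */
        return -1;
    sub_len = (uint32_t)p[0] | (uint32_t)p[1] << 8 |
              (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    if (sub_len < 4 || sub_len > (size_t)(end - p)) /* must cover itself and fit */
        return -1;
    end = p + sub_len;                              /* clamp to declared length */
    p += 4;
    nul = memchr(p, 0, (size_t)(end - p));          /* name must end in range */
    if (nul == NULL)
        return -1;
    p = nul + 1;
    if (dump_raw_attribute(p, end) != 0)            /* nothing after the name */
        return -1;
    return (long)(end - p);
}

int main(void)
{
    /* Constructed inputs: three raw bytes, and a length ending at the name. */
    const unsigned char ok[]  = { 'A', 11, 0, 0, 0, 'g', 'n', 'u', 0, 0xaa, 0xbb, 0xcc };
    const unsigned char bad[] = { 'A',  8, 0, 0, 0, 'g', 'n', 'u', 0 };
    printf("ok: %ld\n", process_attr_subsection(ok, sizeof ok));   /* 3 */
    printf("bad: %ld\n", process_attr_subsection(bad, sizeof bad)); /* -1 */
}
```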
