From: hanfangzhang9 at gmail dot com
Subject: [Bug binutils/23780] New: There is an assertion abort in function display_raw_attribute() in readelf.c in GNU Binutils of version 2.31.1.
Date: Mon, 15 Oct 2018 20:42:21 +0000
https://sourceware.org/bugzilla/show_bug.cgi?id=23780
Bug ID: 23780
Summary: There is an assertion abort in function
display_raw_attribute() in readelf.c in GNU Binutils
of version 2.31.1.
Product: binutils
Version: 2.31
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: hanfangzhang9 at gmail dot com
Target Milestone: ---
Created attachment 11329
--> https://sourceware.org/bugzilla/attachment.cgi?id=11329&action=edit
The poc file of this bug
Dear all,
There is an assertion abort in function display_raw_attribute() in readelf.c in
GNU Binutils of version 2.31.1. It will lead to remote denial of service.
To reproduce:
Download the attached file poc
readelf -a poc
Normal output:
...
readelf: readelf.c:15158: display_raw_attribute: Assertion `end > p' failed.
Aborted
The GDB debugging information is as follows:
readelf: readelf.c:15158: display_raw_attribute: Assertion `end > p' failed.
Program received signal SIGABRT, Aborted.
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x7ffff7ff7000 --> 0x6461657200001000
RCX: 0x7ffff7a42428 (<__GI_raise+56>: cmp rax,0xfffffffffffff000)
RDX: 0x6
RSI: 0x10c3d
RDI: 0x10c3d
RBP: 0x44d38b --> 0x70203e20646e65 ('end > p')
RSP: 0x7fffffffd9b8 --> 0x7ffff7a4402a (<__GI_abort+362>: mov rdx,QWORD PTR fs:0x10)
RIP: 0x7ffff7a42428 (<__GI_raise+56>: cmp rax,0xfffffffffffff000)
R8 : 0x698f00 --> 0x0
R9 : 0xffff000000000000
R10: 0x8
R11: 0x246
R12: 0x3b36 ('6;')
R13: 0x476820 ("display_raw_attribute")
R14: 0x0
R15: 0x6982fa --> 0x2e006e6f69737265 ('ersion')
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x7ffff7a4241e <__GI_raise+46>: mov eax,0xea
0x7ffff7a42423 <__GI_raise+51>: movsxd rdi,ecx
0x7ffff7a42426 <__GI_raise+54>: syscall
=> 0x7ffff7a42428 <__GI_raise+56>: cmp rax,0xfffffffffffff000
0x7ffff7a4242e <__GI_raise+62>: ja 0x7ffff7a42450 <__GI_raise+96>
0x7ffff7a42430 <__GI_raise+64>: repz ret
0x7ffff7a42432 <__GI_raise+66>: nop WORD PTR [rax+rax*1+0x0]
0x7ffff7a42438 <__GI_raise+72>: test ecx,ecx
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffd9b8 --> 0x7ffff7a4402a (<__GI_abort+362>: mov rdx,QWORD PTR fs:0x10)
0008| 0x7fffffffd9c0 --> 0x20 (' ')
0016| 0x7fffffffd9c8 --> 0x0
0024| 0x7fffffffd9d0 --> 0x0
0032| 0x7fffffffd9d8 --> 0x0
0040| 0x7fffffffd9e0 --> 0x0
0048| 0x7fffffffd9e8 --> 0x0
0056| 0x7fffffffd9f0 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGABRT
0x00007ffff7a42428 in __GI_raise (address@hidden) at
../sysdeps/unix/sysv/linux/raise.c:54
54 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
gdb-peda$ bt
#0 0x00007ffff7a42428 in __GI_raise (address@hidden) at
../sysdeps/unix/sysv/linux/raise.c:54
#1 0x00007ffff7a4402a in __GI_abort () at abort.c:89
#2 0x00007ffff7a3abd7 in __assert_fail_base (fmt=<optimized out>,
address@hidden "end > p", address@hidden
"readelf.c", address@hidden,
address@hidden <__PRETTY_FUNCTION__.21845>
"display_raw_attribute") at assert.c:92
#3 0x00007ffff7a3ac82 in __GI___assert_fail
(address@hidden "end > p", address@hidden
"readelf.c", address@hidden,
address@hidden <__PRETTY_FUNCTION__.21845>
"display_raw_attribute") at assert.c:101
#4 0x0000000000404fac in display_raw_attribute (p=<optimized out>,
address@hidden "") at readelf.c:15158
#5 0x0000000000404ff9 in display_public_gnu_attributes (start=<optimized out>,
end=0x698310 "") at readelf.c:18509
#6 0x000000000040aea9 in process_attributes (address@hidden,
address@hidden "gnu",
address@hidden,
address@hidden
<display_public_gnu_attributes>,
address@hidden
<display_generic_attribute>)
at readelf.c:15460
#7 0x0000000000428373 in process_arch_specific (filedata=0x697000) at
readelf.c:18578
#8 process_object (address@hidden) at readelf.c:18856
#9 0x000000000040226d in process_file (file_name=<optimized out>) at
readelf.c:19259
#10 main (address@hidden, address@hidden) at
readelf.c:19318
#11 0x00007ffff7a2d830 in __libc_start_main (main=0x401b80 <main>, argc=0x3,
argv=0x7fffffffe018, init=<optimized out>, fini=<optimized out>,
rtld_fini=<optimized out>, stack_end=0x7fffffffe008)
at ../csu/libc-start.c:291
#12 0x0000000000402449 in _start ()
Credits: Hanfang Zhang, Sichuan University
Best regards,
Hanfang Zhang
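Editor's note (added example, not part of the bug report and not binutils code). The frames above show readelf's process_attributes() handing a "gnu" subsection of an object-attribute section to display_public_gnu_attributes(), which in turn reaches display_raw_attribute() with p already at (or past) end, so the `end > p` assertion fires. The report does not say which byte of the poc produces that state, so the walker below does not reproduce the poc; it shows the container format readelf is parsing there (format byte 'A'; subsections with a 4-byte length that includes itself plus a NUL-terminated vendor name; sub-subsections with a 1-byte tag, a 4-byte size that includes its own 5 header bytes, and a payload of ULEB128 tag / value pairs) with every read bounds-checked against the enclosing region, returning an error code instead of asserting. Assumptions, labelled in the comments as well: the 4-byte fields are little-endian; tags this walker does not know use the generic convention that odd tags carry a string and even tags a ULEB128; the three input buffers are constructed for this example and are not the attached poc.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result codes: a non-negative return is the number of (tag, value) pairs read. */
enum { ATTR_ERR_VERSION = -1, ATTR_ERR_TRUNC = -2, ATTR_ERR_LEN = -3, ATTR_ERR_ULEB = -4 };

/* Decode a ULEB128 from [*pp, end). Fails if the terminating byte lies at or past end. */
static int read_uleb128(const uint8_t **pp, const uint8_t *end, uint64_t *out)
{
    const uint8_t *p = *pp;
    uint64_t v = 0;
    unsigned shift = 0;
    for (;;) {
        if (p >= end || shift >= 64) return -1;
        uint8_t b = *p++;
        v |= (uint64_t)(b & 0x7f) << shift;
        shift += 7;
        if (!(b & 0x80)) break;
    }
    *pp = p; *out = v;
    return 0;
}

/* Read a NUL-terminated string whose terminator must lie before end. */
static int read_ntbs(const uint8_t **pp, const uint8_t *end, const char **out)
{
    const uint8_t *p = *pp;
    const uint8_t *nul = end > p ? memchr(p, 0, (size_t)(end - p)) : NULL;
    if (!nul) return -1;
    *out = (const char *)p; *pp = nul + 1;
    return 0;
}

/* Assumption: little-endian object; the 4-byte length fields use the file's byte order. */
static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Walk a whole attribute section: 'A', then subsections (u32 length incl. itself, vendor NTBS),
 * each holding sub-subsections (u8 tag, u32 size incl. the 5 header bytes, payload). */
int walk_attributes(const uint8_t *buf, size_t len, int verbose)
{
    const uint8_t *p = buf, *end = buf + len;
    int count = 0;

    if (len < 1 || *p++ != 'A') return ATTR_ERR_VERSION;
    while (p < end) {
        if ((size_t)(end - p) < 4) return ATTR_ERR_TRUNC;
        uint32_t sec_len = get_le32(p);
        /* Must cover the length field plus at least an empty vendor name, and stay inside the buffer. */
        if (sec_len < 5 || sec_len > (size_t)(end - p)) return ATTR_ERR_LEN;
        const uint8_t *sec_end = p + sec_len;
        const char *vendor;
        p += 4;
        if (read_ntbs(&p, sec_end, &vendor)) return ATTR_ERR_TRUNC;
        if (verbose) printf("Attribute Section: %s\n", vendor);
        while (p < sec_end) {
            if ((size_t)(sec_end - p) < 5) return ATTR_ERR_TRUNC;
            uint8_t tag = p[0];
            uint32_t sub_len = get_le32(p + 1);
            if (sub_len < 5 || sub_len > (size_t)(sec_end - p)) return ATTR_ERR_LEN;
            const uint8_t *sub_end = p + sub_len;
            p += 5;
            if (tag == 2 || tag == 3) {       /* Tag_Section / Tag_Symbol: 0-terminated ULEB128 index list */
                uint64_t idx;
                do { if (read_uleb128(&p, sub_end, &idx)) return ATTR_ERR_ULEB; } while (idx != 0);
            } else if (tag != 1) {            /* unknown sub-subsection tag: skip its payload untouched */
                p = sub_end;
                continue;
            }
            while (p < sub_end) {
                uint64_t atag, aval;
                const char *s;
                if (read_uleb128(&p, sub_end, &atag)) return ATTR_ERR_ULEB;
                /* A tag whose encoding consumed the last byte leaves no room for a value: this is the
                 * p == end state a parser must refuse instead of asserting on it. */
                if (p >= sub_end) return ATTR_ERR_TRUNC;
                /* Assumption for tags this walker does not know: odd tags carry an NTBS, even a ULEB128. */
                if (atag & 1) {
                    if (read_ntbs(&p, sub_end, &s)) return ATTR_ERR_TRUNC;
                    if (verbose) printf("  Tag_%llu: \"%s\"\n", (unsigned long long)atag, s);
                } else {
                    if (read_uleb128(&p, sub_end, &aval)) return ATTR_ERR_ULEB;
                    if (verbose) printf("  Tag_%llu: %llu\n", (unsigned long long)atag, (unsigned long long)aval);
                }
                count++;
            }
            p = sub_end;
        }
        p = sec_end;
    }
    return count;
}

/* Constructed inputs (not the report's poc): a well-formed "gnu" section with two attributes,
 * one whose last attribute tag has no value, and one whose subsection length overruns the buffer. */
const uint8_t SAMPLE_OK[]       = { 'A', 18,0,0,0, 'g','n','u',0, 1, 10,0,0,0, 4,1, 7,'x',0 };
const uint8_t SAMPLE_NO_VALUE[] = { 'A', 16,0,0,0, 'g','n','u',0, 1, 8,0,0,0, 4,1, 8 };
const uint8_t SAMPLE_BAD_LEN[]  = { 'A', 0xff,0,0,0, 'g','n','u',0 };

int main(void)
{
    printf("ok: %d\n",         walk_attributes(SAMPLE_OK, sizeof SAMPLE_OK, 1));
    printf("no value: %d\n",   walk_attributes(SAMPLE_NO_VALUE, sizeof SAMPLE_NO_VALUE, 1));
    printf("bad length: %d\n", walk_attributes(SAMPLE_BAD_LEN, sizeof SAMPLE_BAD_LEN, 1));
    return 0;
}
```

The three checks that matter for this bug class are all on the cursor, not on the declared lengths: each declared length is clamped to the enclosing region before it is trusted, every ULEB128 and string read is bounded by the innermost region it belongs to, and a tag that lands exactly on the region end is rejected before a value is read. A tool that only asserts `end > p` deep in a display routine turns the same malformed input into a SIGABRT, which is the behaviour the report's backtrace shows.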