This is the mail archive of the elfutils-devel@sourceware.org mailing list for the elfutils project.
Re: malformed elf file causes readelf -e to hang forever
- From: Josh Stone <jistone at redhat dot com>
- To: elfutils-devel at lists dot fedorahosted dot org
- Date: Sun, 25 Jan 2015 15:05:42 -0800
- Subject: Re: malformed elf file causes readelf -e to hang forever
On 01/25/2015 11:39 AM, Hanno Böck wrote:
> Hi,
>
> Please see attached file, which is a malformed (fuzzed) elf file that
> causes elfutils' readelf -e to hang, tested with the latest version
> 0.161.
>
> This was found with zzuf.
You should be fuzzing with git master, as Mark is still making a lot of
commits for robustness. That said, I can reproduce this on master.
I'm not sure it's a hang, exactly, but it's at least a really huge loop.
:) I see it stuck in __libdwfl_addrsym::search_table with the end value
of 1073741862, from the call "search_table (1, first_global)".
Debugging earlier, I see this comes from load_symtab, where the shdr is:
(gdb) p *shdr
$4 = {
sh_name = 1,
sh_type = 2,
sh_flags = 0,
sh_addr = 0,
sh_offset = 7200,
sh_size = 1392,
sh_link = 33,
sh_info = 1073741862,
sh_addralign = 8,
sh_entsize = 24
}
These are used as:
*syments = shdr->sh_size / shdr->sh_entsize;
*first_global = shdr->sh_info;
I guess it should be an error for first_global to be out of range, or at
least clamp it to at most syments.
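The check proposed at the end of the mail, written out as an added C example (not elfutils code): a symbol table header's sh_info is supposed to be the index of the first non-local symbol, so it can never legitimately exceed sh_size / sh_entsize. The struct below mirrors the Elf64_Shdr field names from <elf.h>; the function names load_symtab_bounds and clamp_first_global are hypothetical, and the constructed header reuses the values from the gdb dump above (sh_size 1392, sh_entsize 24, sh_info 1073741862), which give 58 entries and an sh_info about 18 million times larger than the table.

```c
/* Added example (not elfutils code): bounds-checking sh_info before it is
   used as first_global, so a fuzzed header cannot drive a symbol search
   over ~1e9 nonexistent entries. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal Elf64_Shdr layout; field names follow <elf.h>. */
typedef struct {
    uint32_t sh_name;
    uint32_t sh_type;
    uint64_t sh_flags;
    uint64_t sh_addr;
    uint64_t sh_offset;
    uint64_t sh_size;
    uint32_t sh_link;
    uint32_t sh_info;
    uint64_t sh_addralign;
    uint64_t sh_entsize;
} shdr64_t;

enum symtab_status {
    SYMTAB_OK = 0,
    SYMTAB_BAD_ENTSIZE,      /* zero entsize, or size not a whole number of entries */
    SYMTAB_BAD_FIRST_GLOBAL  /* sh_info points past the end of the table */
};

/* Strict variant: derive syments and first_global from a SHT_SYMTAB header
   and reject an sh_info that is out of range.  *syments is filled in as soon
   as sh_entsize is valid; *first_global only on SYMTAB_OK. */
static enum symtab_status
load_symtab_bounds(const shdr64_t *shdr, size_t *syments, size_t *first_global)
{
    if (shdr->sh_entsize == 0 || shdr->sh_size % shdr->sh_entsize != 0)
        return SYMTAB_BAD_ENTSIZE;          /* also avoids a divide by zero */
    *syments = (size_t)(shdr->sh_size / shdr->sh_entsize);

    /* sh_info for SHT_SYMTAB is "one greater than the symbol table index of
       the last local symbol", so the largest sane value is syments itself
       (meaning: no global symbols at all). */
    if (shdr->sh_info > *syments)
        return SYMTAB_BAD_FIRST_GLOBAL;
    *first_global = shdr->sh_info;
    return SYMTAB_OK;
}

/* Lenient variant: clamp first_global to syments instead of failing, which
   keeps any loop over [first_global, syments) bounded by the real table. */
static size_t clamp_first_global(const shdr64_t *shdr, size_t syments)
{
    return shdr->sh_info > syments ? syments : (size_t)shdr->sh_info;
}

/* Constructed header: the values printed by gdb in the mail above. */
static shdr64_t fuzzed_symtab_header(void)
{
    shdr64_t h = {
        .sh_name = 1, .sh_type = 2, .sh_flags = 0, .sh_addr = 0,
        .sh_offset = 7200, .sh_size = 1392, .sh_link = 33,
        .sh_info = 1073741862, .sh_addralign = 8, .sh_entsize = 24,
    };
    return h;
}

/* Constructed well-formed header for contrast: 58 entries, 10 locals. */
static shdr64_t sane_symtab_header(void)
{
    shdr64_t h = fuzzed_symtab_header();
    h.sh_info = 10;
    return h;
}

int main(void)
{
    shdr64_t bad = fuzzed_symtab_header();
    size_t syments = 0, first_global = 0;
    enum symtab_status st = load_symtab_bounds(&bad, &syments, &first_global);
    printf("fuzzed header: %zu entries, sh_info=%u -> status %d, clamped first_global=%zu\n",
           syments, bad.sh_info, (int)st, clamp_first_global(&bad, syments));

    shdr64_t good = sane_symtab_header();
    st = load_symtab_bounds(&good, &syments, &first_global);
    printf("sane header:   %zu entries, first_global=%zu -> status %d\n",
           syments, first_global, (int)st);
    return 0;
}
```

With the fuzzed header the strict check returns SYMTAB_BAD_FIRST_GLOBAL and the clamp yields 58, so a search over [first_global, syments) visits nothing instead of a billion entries; with the sane header the same code returns SYMTAB_OK and first_global 10.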