
touch-packages team mailing list archive

[Bug 1476790] Re: SIGSEGV in elf.c

 

Hello and thanks for reporting this bug! This issue has been fixed in
the upstream binutils-gdb.git repo:

  https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=commit;h=06614111d1be94b43ea8dd83805184d4e177bcea

  Subject: More fixes for memory access violations exposed by fuzzed binaries.

The upstream bug report, with many reproducers, is here:

  https://sourceware.org/bugzilla/show_bug.cgi?id=17512

I'm going to go ahead and make this bug public.


** Bug watch added: Sourceware.org Bugzilla #17512
   http://sourceware.org/bugzilla/show_bug.cgi?id=17512

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to binutils in Ubuntu.
https://bugs.launchpad.net/bugs/1476790

Title:
  SIGSEGV in elf.c

Status in binutils package in Ubuntu:
  Triaged

Bug description:
  -=Binary=-
  size

  -=Package=-
  binutils 2.25-10ubuntu1

  -=Title=-
  Program received signal SIGSEGV, Segmentation fault.

  
  -=Input file=-
  root@exploitdev-wily:~/Desktop/Reported crashes/size# xxd size-SIGSEGV 
  00000000: 7f45 4c46 0101 0130 3030 3030 3030 3030  .ELF...000000000
  00000010: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
  00000020: 4000 0000 3030 3030 3030 3030 0000 3030  @...00000000..00
  00000030: 0000 0400 3030 3030 3030 3030 3030 3030  ....000000000000
  00000040: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
  00000050: 3030 3030 0700 0000 3030 3030 3030 3030  0000....00000000
  00000060: 3030 3030 3030 3030 3000 0000 3030 3030  000000000...0000
  00000070: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
  00000080: 0000 0000 3030 3030 3030 3030 3030 3030  ....000000000000
  00000090: 3000 0000 3030 3030 3030 3030 3030 3030  0...000000000000
  000000a0: 3030 3030 3030 3030 0000 0000 3030 3030  00000000....0000
  000000b0: 3030 3030 3030 3030 3000 0000 3030 3030  000000000...0000
  000000c0: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
  000000d0: 0000 0000 3030 3030 3030 3030 3030 3030  ....000000000000
  000000e0: 3000 0000 1100 0000 3030 3030 3030 3030  0.......00000000
  000000f0: 0002 0000 3019 0000 0000 0000 3030 3030  ....0.......0000
  00000100: 3030 3030 0400 0000 3030 3030 3030 3030  0000....00000000
  00000110: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
  00000120: 0000 0000 3030 3030 3030 3030 3030 3030  ....000000000000
  00000130: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
  00000140: 3030 3030 3030 3030 0000 0000 3030 3030  00000000....0000
  00000150: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
  ....
  ....
  ....
  00001b00: 3030 3030 3030 3030 3130 3030 3030 3030  0000000010000000
  00001b10: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
  00001b20: 3030 3030 3030 3030 3030 3030 efbe adde  000000000000....


  -=happens here=-
  bfd_section_from_shdr (abfd=0x811a9f0, shindex=4) at elf.c:2030
  2030			  && (s = idx->shdr->bfd_section) != NULL

  
  -=stacktrace=-
  (gdb) backtrace
  #0  bfd_section_from_shdr (abfd=0x811a9f0, shindex=4) at elf.c:2030
  #1  0x08070b39 in bfd_elf32_object_p (abfd=0x811a9f0) at elfcode.h:800
  #2  0x08055742 in bfd_check_format_matches (abfd=0x811a9f0, format=bfd_object, matching=0xbffff338) at format.c:305
  #3  0x0804a8f0 in display_bfd (abfd=abfd@entry=0x811a9f0) at size.c:302
  #4  0x0804aaaf in display_file (filename=0xbffff5d2 "size-SIGSEGV") at size.c:398
  #5  0x08049fd4 in main (argc=2, argv=0xbffff434) at size.c:239

  
  -=registers=-
  (gdb) i r
  eax            0x64b	1611
  ecx            0x811d5a8	135386536
  edx            0xdeadbeef	-559038737        <===== CONTROL OVER EDX .. LAST 4 BYTES OF INPUT FILE
  ebx            0x811a9f0	135375344
  esp            0xbffff130	0xbffff130
  ebp            0x811b4c8	0x811b4c8
  esi            0x811cc48	135384136
  edi            0x811d5d8	135386584
  eip            0x807f268	0x807f268 <bfd_section_from_shdr+2920>
  eflags         0x10282	[ SF IF RF ]
  cs             0x73	115
  ss             0x7b	123
  ds             0x7b	123
  es             0x7b	123
  fs             0x0	0
  gs             0x33	51
  (gdb)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/binutils/+bug/1476790/+subscriptions
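The crash above dies in bfd_section_from_shdr while dereferencing idx->shdr with edx holding the last four bytes of the fuzzed input (0xdeadbeef), i.e. a value taken from the file reached a pointer without being bounded first. As an added illustration, not code from binutils or from the upstream fix commit, the following C checks an ELF32 section header table against the file size and rejects any e_shstrndx or sh_link index that does not name an existing entry before anything indexes by it. The Elf32_* structs, elf32_shdrs_are_sane and build_sample are local definitions written for this example; a little-endian host is assumed, and the e_shnum == 0 extension form (count kept in shdr[0].sh_size) is deliberately treated as unsupported.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* ELF32 header and section header layouts, as laid out by the ELF spec. */
typedef struct {
    uint8_t  e_ident[16];
    uint16_t e_type, e_machine;
    uint32_t e_version, e_entry, e_phoff, e_shoff, e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} Elf32_Ehdr;
typedef struct {
    uint32_t sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size,
             sh_link, sh_info, sh_addralign, sh_entsize;
} Elf32_Shdr;

/* Returns 1 when the section header table lies inside the file and every
   section index it carries (e_shstrndx, sh_link) names an existing entry,
   0 otherwise. Little-endian host assumed; e_shnum == 0 extension unsupported. */
int elf32_shdrs_are_sane(const uint8_t *buf, size_t len)
{
    Elf32_Ehdr eh;
    if (len < sizeof eh || memcmp(buf, "\x7f" "ELF", 4) != 0) return 0;
    memcpy(&eh, buf, sizeof eh);
    if (eh.e_shnum == 0) return eh.e_shoff == 0 && eh.e_shstrndx == 0;
    /* Subtract/divide rather than multiply so huge e_shoff/e_shnum cannot wrap. */
    if (eh.e_shentsize != sizeof(Elf32_Shdr) || eh.e_shoff > len) return 0;
    if (eh.e_shnum > (len - eh.e_shoff) / sizeof(Elf32_Shdr)) return 0;
    if (eh.e_shstrndx >= eh.e_shnum) return 0;
    for (uint16_t i = 0; i < eh.e_shnum; i++) {
        Elf32_Shdr sh;
        memcpy(&sh, buf + eh.e_shoff + (size_t)i * sizeof sh, sizeof sh);
        /* Indices and offsets read from the file are untrusted until bounded. */
        if (sh.sh_link >= eh.e_shnum) return 0;
        if (sh.sh_type != 8 /* SHT_NOBITS */ &&
            (sh.sh_offset > len || sh.sh_size > len - sh.sh_offset)) return 0;
    }
    return 1;
}

/* Constructed sample: ELF32 header plus shnum zeroed section headers (caller
   supplies >= 52 + 40*shnum bytes). Returns the image size. */
size_t build_sample(uint8_t *buf, uint16_t shnum, uint16_t shstrndx, uint16_t shentsize)
{
    Elf32_Ehdr eh = {0};
    size_t n = sizeof eh + (size_t)shnum * sizeof(Elf32_Shdr);
    memcpy(eh.e_ident, "\x7f" "ELF\x01\x01\x01", 7);  /* ELFCLASS32, LE, version 1 */
    eh.e_shoff = shnum ? sizeof eh : 0; eh.e_shentsize = shentsize;
    eh.e_shnum = shnum; eh.e_shstrndx = shstrndx;
    memset(buf, 0, n);
    memcpy(buf, &eh, sizeof eh);
    return n;
}
```

A header shaped like the reproducer's (e_shnum 0, e_shstrndx 4, e_shentsize 0x3030) is refused at the first index check, before any section header is touched.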