fileinfo crashes in ElfFormat::addSymbolTable() due to invalid memory read

[bansan85]

fileinfo crashes in ElfFormat::addSymbolTable

Input

fileinfo FILE
addSymbolTable.zip

Output

Backtrace:

#0  __memmove_sse2_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:427
#1  0x0000555555c7b966 in std::__copy_move<false, true, std::random_access_iterator_tag>::__copy_m<char> (__result=<optimized out>, __last=<optimized out>, __first=<optimized out>) at /usr/lib/gcc/x86_64-pc-linux-gnu/7.3.0/include/g++-v7/bits/stl_algobase.h:368
#2  std::__copy_move_a<false, char const*, char*> (__result=<optimized out>, __last=<optimized out>, __first=<optimized out>) at /usr/lib/gcc/x86_64-pc-linux-gnu/7.3.0/include/g++-v7/bits/stl_algobase.h:386
#3  std::__copy_move_a2<false, char const*, char*> (__result=<optimized out>, __last=<optimized out>, __first=<optimized out>) at /usr/lib/gcc/x86_64-pc-linux-gnu/7.3.0/include/g++-v7/bits/stl_algobase.h:424
#4  std::copy<char const*, char*> (__result=<optimized out>, __last=0x100 <error: Cannot access memory at address 0x100>, __first=0x50 <error: Cannot access memory at address 0x50>) at /usr/lib/gcc/x86_64-pc-linux-gnu/7.3.0/include/g++-v7/bits/stl_algobase.h:456
#5  ELFIO::section_impl<ELFIO::Elf32_Shdr>::set_data (this=0x555557050680, raw_data=0x50 <error: Cannot access memory at address 0x50>, size=176) at /home/legarrec/info/programmation/retdec/build/external/src/elfio-project/include/elfio/elfio_section.hpp:173
#6  0x0000555555c60dec in retdec::fileformat::ElfFormat::addSymbolTable (this=this@entry=0x555557047fb0, dynamicSection=dynamicSection@entry=0x555557042370, table=..., stringTable=stringTable@entry=0x555557042250) at /home/legarrec/info/programmation/retdec/src/fileformat/file_format/elf/elf_format.cpp:1232
#7  0x0000555555c70674 in retdec::fileformat::ElfFormat::loadInfoFromDynamicTables (this=this@entry=0x555557047fb0, noOfTables=noOfTables@entry=1) at /home/legarrec/info/programmation/retdec/src/fileformat/file_format/elf/elf_format.cpp:1965
#8  0x0000555555c712c7 in retdec::fileformat::ElfFormat::loadInfoFromDynamicSegment (this=this@entry=0x555557047fb0) at /home/legarrec/info/programmation/retdec/src/fileformat/file_format/elf/elf_format.cpp:2025
#9  0x0000555555c71b50 in retdec::fileformat::ElfFormat::initStructures (this=this@entry=0x555557047fb0) at /home/legarrec/info/programmation/retdec/src/fileformat/file_format/elf/elf_format.cpp:1091
#10 0x0000555555c74fa8 in retdec::fileformat::ElfFormat::initStructures (this=0x555557047fb0) at /home/legarrec/info/programmation/retdec/src/fileformat/file_format/elf/elf_format.cpp:1076
#11 retdec::fileformat::ElfFormat::ElfFormat (this=0x555557047fb0, pathToFile=..., loadFlags=<optimized out>) at /home/legarrec/info/programmation/retdec/src/fileformat/file_format/elf/elf_format.cpp:1033
#12 0x000055555596196a in fileinfo::ElfWrapper::ElfWrapper (this=0x555557047fb0, pathToFile=..., loadFlags=retdec::fileformat::NONE) at /home/legarrec/info/programmation/retdec/src/fileinfo/file_wrapper/elf_wrapper.cpp:18
#13 0x0000555555638997 in __gnu_cxx::new_allocator<fileinfo::ElfWrapper>::construct<fileinfo::ElfWrapper, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, retdec::fileformat::LoadFlags&> (this=<optimized out>, __p=0x555557047fb0)
    at /usr/lib/gcc/x86_64-pc-linux-gnu/7.3.0/include/g++-v7/ext/new_allocator.h:136
#14 std::allocator_traits<std::allocator<fileinfo::ElfWrapper> >::construct<fileinfo::ElfWrapper, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, retdec::fileformat::LoadFlags&> (__a=..., __p=<optimized out>)
    at /usr/lib/gcc/x86_64-pc-linux-gnu/7.3.0/include/g++-v7/bits/alloc_traits.h:475
#15 std::_Sp_counted_ptr_inplace<fileinfo::ElfWrapper, std::allocator<fileinfo::ElfWrapper>, (__gnu_cxx::_Lock_policy)2>::_Sp_counted_ptr_inplace<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, retdec::fileformat::LoadFlags&> (__a=..., this=0x555557047fa0)
    at /usr/lib/gcc/x86_64-pc-linux-gnu/7.3.0/include/g++-v7/bits/shared_ptr_base.h:526
#16 std::__shared_count<(__gnu_cxx::_Lock_policy)2>::__shared_count<fileinfo::ElfWrapper, std::allocator<fileinfo::ElfWrapper>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, retdec::fileformat::LoadFlags&> (__a=..., this=<optimized out>)
    at /usr/lib/gcc/x86_64-pc-linux-gnu/7.3.0/include/g++-v7/bits/shared_ptr_base.h:637
#17 std::__shared_ptr<fileinfo::ElfWrapper, (__gnu_cxx::_Lock_policy)2>::__shared_ptr<std::allocator<fileinfo::ElfWrapper>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, retdec::fileformat::LoadFlags&> (__a=..., __tag=..., this=<optimized out>)
    at /usr/lib/gcc/x86_64-pc-linux-gnu/7.3.0/include/g++-v7/bits/shared_ptr_base.h:1295
#18 std::shared_ptr<fileinfo::ElfWrapper>::shared_ptr<std::allocator<fileinfo::ElfWrapper>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, retdec::fileformat::LoadFlags&> (__a=..., __tag=..., this=<optimized out>)
    at /usr/lib/gcc/x86_64-pc-linux-gnu/7.3.0/include/g++-v7/bits/shared_ptr.h:344
#19 std::allocate_shared<fileinfo::ElfWrapper, std::allocator<fileinfo::ElfWrapper>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, retdec::fileformat::LoadFlags&> (__a=...) at /usr/lib/gcc/x86_64-pc-linux-gnu/7.3.0/include/g++-v7/bits/shared_ptr.h:691
#20 std::make_shared<fileinfo::ElfWrapper, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, retdec::fileformat::LoadFlags&> () at /usr/lib/gcc/x86_64-pc-linux-gnu/7.3.0/include/g++-v7/bits/shared_ptr.h:707
#21 fileinfo::ElfDetector::ElfDetector (this=0x555557047bc0, pathToInputFile=..., finfo=..., searchPar=..., loadFlags=retdec::fileformat::NONE) at /home/legarrec/info/programmation/retdec/src/fileinfo/file_detector/elf_detector.cpp:399
#22 0x0000555555616195 in fileinfo::createFileDetector (pathToInputFile=..., fileFormat=<optimized out>, finfo=..., searchPar=..., loadFlags=retdec::fileformat::NONE) at /home/legarrec/info/programmation/retdec/src/fileinfo/file_detector/detector_factory.cpp:38
#23 0x00005555555db463 in main (argc=<optimized out>, argv=<optimized out>) at /home/legarrec/info/programmation/retdec/src/fileinfo/fileinfo.cpp:395

From master (63f1a3de)

[s3rvac]

Thank you for the report. I can confirm that fileinfo crashes when analyzing the attached file. Output from valgrind:

Invalid read of size 8
   at 0x4C33BB0: memmove (vg_replace_strmem.c:1258)
   by 0x23CB0D: char* std::__copy_move<...>::__copy_m<char>(...) (stl_algobase.h:368)
   by 0x23C7F5: char* std::__copy_move_a<...>(...) (stl_algobase.h:386)
   by 0x23CD0E: char* std::__copy_move_a2<...>(...) (stl_algobase.h:424)
   by 0x23CAC2: char* std::copy<...>(...) (stl_algobase.h:456)
   by 0x3148D4: ELFIO::section_impl<ELFIO::Elf32_Shdr>::set_data(...) (elfio_section.hpp:173)
   by 0x300FBA: retdec::fileformat::ElfFormat::addSymbolTable(...) (elf_format.cpp:1232)
   by 0x304C44: retdec::fileformat::ElfFormat::loadInfoFromDynamicTables(...) (elf_format.cpp:1965)
   by 0x305230: retdec::fileformat::ElfFormat::loadInfoFromDynamicSegment() (elf_format.cpp:2025)
   by 0x3003AA: retdec::fileformat::ElfFormat::initStructures() (elf_format.cpp:1091)
   by 0x2FFFE5: retdec::fileformat::ElfFormat::ElfFormat(...) (elf_format.cpp:1033)
   by 0x20B50B: fileinfo::ElfWrapper::ElfWrapper(...) (elf_wrapper.cpp:18)
 Address 0x50 is not stack'd, malloc'd or (recently) free'd

[mbandzi]

This was fixed in 920ea0d by adding check for nullptr.