
Crash in ELF version parse #8764

Closed
gsharpsh00ter opened this issue Oct 31, 2017 · 3 comments

Comments


gsharpsh00ter commented Oct 31, 2017

This issue looks like #8731, but it should be a different one.

ctf@ubuntu:/home/g$ gdb -q /usr/bin/radare2
Reading symbols from /usr/bin/radare2...done.
(gdb) r -qc ia ./segsegv-store_versioninfo_gnu_verdef 
Starting program: /usr/bin/radare2 -qc ia ./crash-in-elf-version-parse-poc2
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
Warning: Cannot initialize dynamic strings
Warning: Cannot initialize dynamic section

Program received signal SIGSEGV, Segmentation fault.
0xb7caff77 in r_read_le32 (src=0x16893808) at /home/ctf/source/radare2/libr/include/r_endian.h:176
176		return (((ut32)s[3]) << 24) | (((ut32)s[2]) << 16) |
(gdb) bt
#0  0xb7caff77 in r_read_le32 (src=0x16893808) at /home/ctf/source/radare2/libr/include/r_endian.h:176
#1  0xb7cb0018 in r_read_ble32 (src=0x16893808, big_endian=false) at /home/ctf/source/radare2/libr/include/r_endian.h:321
#2  0xb7cb3531 in store_versioninfo_gnu_verdef (bin=0x8012b7a0, shdr=0x801532e8, sz=6541) at /home/ctf/source/radare2/libr/..//libr/bin/p/../format/elf/elf.c:763
#3  0xb7cb4626 in store_versioninfo (bin=0x8012b7a0) at /home/ctf/source/radare2/libr/..//libr/bin/p/../format/elf/elf.c:996
#4  0xb7cb4d3b in elf_init (bin=0x8012b7a0) at /home/ctf/source/radare2/libr/..//libr/bin/p/../format/elf/elf.c:1097
#5  0xb7cbcda3 in Elf32_r_bin_elf_new_buf (buf=0x8012b768, verbose=true) at /home/ctf/source/radare2/libr/..//libr/bin/p/../format/elf/elf.c:3078
#6  0xb7cab893 in load_bytes (bf=0x8012b408, buf=0x8013dc80 "\177ELFF\001\001", sz=7901, loadaddr=0, sdb=0x8013fb68) at /home/ctf/source/radare2/libr/..//libr/bin/p/bin_elf.c:55
#7  0xb7c84ab4 in r_bin_object_new (binfile=0x8012b408, plugin=0x800c5df8, baseaddr=18446744073709551615, loadaddr=0, offset=0, sz=7901) at bin.c:1336
#8  0xb7c853dd in r_bin_file_new_from_bytes (bin=0x800c1690, file=0x8012b300 "./segsegv-store_versioninfo_gnu_verdef", bytes=0x8013dc80 "\177ELFF\001\001", sz=7901, file_sz=7901, rawstr=0, baseaddr=18446744073709551615, loadaddr=0, fd=3, pluginname=0x0, xtrname=0x0, 
    offset=0, steal_ptr=true) at bin.c:1563
#9  0xb7c840c0 in r_bin_load_io_at_offset_as_sz (bin=0x800c1690, fd=3, baseaddr=18446744073709551615, loadaddr=0, xtr_idx=0, offset=0, name=0x0, sz=7901) at bin.c:1114
#10 0xb7c8415b in r_bin_load_io_at_offset_as (bin=0x800c1690, fd=3, baseaddr=18446744073709551615, loadaddr=0, xtr_idx=0, offset=0, name=0x0) at bin.c:1128
#11 0xb7c83b7e in r_bin_load_io (bin=0x800c1690, fd=3, baseaddr=18446744073709551615, loadaddr=0, xtr_idx=0) at bin.c:1021
#12 0xb7ed49ad in r_core_file_do_load_for_io_plugin (r=0x8000a2e0 <r>, baseaddr=18446744073709551615, loadaddr=0) at file.c:406
#13 0xb7ed5157 in r_core_bin_load (r=0x8000a2e0 <r>, filenameuri=0x8012b300 "./segsegv-store_versioninfo_gnu_verdef", baddr=18446744073709551615) at file.c:563
#14 0x80005098 in main (argc=4, argv=0xbffff6c4, envp=0xbffff6d8) at radare2.c:1007
(gdb) q
A debugging session is active.

	Inferior 1 [process 18554] will be killed.

Quit anyway? (y or n) y

Build information and environment:

ctf@ubuntu:/home/g$ radare2 -v
radare2 2.1.0-git 16425 @ linux-x86-32 git.2.0.1-131-g56228aa
commit: 56228aa5ec876c7fbd01f22a4c89ee6f01b8234b build: 2017-10-31__02:59:46
ctf@ubuntu:/home/g$ uname -a
Linux ubuntu 4.8.0-59-generic #64-Ubuntu SMP Thu Jun 29 19:37:59 UTC 2017 i686 i686 i686 GNU/Linux

crash-in-elf-version-parse-poc2.zip

Collaborator

radare commented Oct 31, 2017

can't reproduce

Collaborator

radare commented Oct 31, 2017

Can anyone else reproduce this? I tried on 32/64 bits with valgrind on Linux and Mac.

Contributor

kazarmy commented Oct 31, 2017

At this rate, every pointer addition, especially those that involve values from outside r2, will need to be guarded against pointer overflow.
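The guard kazarmy describes, as an added C example that is not radare2's code: untrusted offsets are range-checked as integers against the buffer size before any pointer is formed, and a verdef chain walk is bounded so a hostile vd_next cannot push a read outside the section. It assumes the standard 20-byte Elf32_Verdef layout with vd_next at offset 16; the sample section bytes are constructed, not taken from the issue's PoC.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#define VD_SIZE     20   /* sizeof(Elf32_Verdef) */
#define VD_NEXT_OFF 16   /* offset of vd_next inside Elf32_Verdef */

/* Little-endian 32-bit read (same expression as the crashing r_read_le32). */
static uint32_t le32(const uint8_t *s) {
    return ((uint32_t)s[3] << 24) | ((uint32_t)s[2] << 16) |
           ((uint32_t)s[1] << 8) | (uint32_t)s[0];
}

/* Bounds-checked read. `off` is untrusted file data, so it is compared with
 * `size` as an integer before any pointer is formed: `buf + off` with an
 * oversized `off` is already undefined behaviour and can land on an unmapped
 * page, which is the SIGSEGV in the backtrace above. */
bool read_le32_at(const uint8_t *buf, size_t size, uint64_t off, uint32_t *out) {
    if (!buf || !out || off > size || size - off < sizeof(uint32_t)) {
        return false;
    }
    *out = le32(buf + off);
    return true;
}

/* Follow the vd_next chain from `start`. Returns the number of entries visited;
 * stops on a zero link, on an entry that does not fit, or after max_entries. */
size_t walk_verdef(const uint8_t *buf, size_t size, uint64_t start, size_t max_entries) {
    uint64_t off = start;
    size_t count = 0;
    while (count < max_entries) {
        uint32_t next;
        if (off > size || size - off < VD_SIZE) break; /* entry truncated */
        if (!read_le32_at(buf, size, off + VD_NEXT_OFF, &next)) break;
        count++;
        if (next == 0) break;
        off += next; /* off <= size and next < 2^32: cannot wrap in uint64_t */
    }
    return count;
}

/* Constructed sample (not the issue's PoC): entry 0 -> entry 1 (vd_next = 20),
 * entry 1 terminates (vd_next = 0). Walk visits 2 entries. */
size_t demo_well_formed(void) {
    uint8_t sec[40] = {0};
    sec[VD_NEXT_OFF] = 20;
    return walk_verdef(sec, sizeof sec, 0, 64);
}

/* Constructed hostile sample: vd_next = 0xFFFFFFF0 would put the next entry far
 * outside the buffer; the integer check rejects it. Walk visits 1 entry. */
size_t demo_hostile(void) {
    uint8_t sec[40] = {0};
    sec[VD_NEXT_OFF] = 0xF0; sec[VD_NEXT_OFF + 1] = sec[VD_NEXT_OFF + 2] = sec[VD_NEXT_OFF + 3] = 0xFF;
    return walk_verdef(sec, sizeof sec, 0, 64);
}
```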
