
fileinfo crashes in ElfFormat::addRelocationTable() #248

Closed
bansan85 opened this issue Mar 17, 2018 · 2 comments

Comments

@bansan85

With these new commits, I ran again with the crash file I previously found by fuzzing. It looks like I missed this case.

fileinfo crashes in ElfFormat::addRelocationTable

Input

fileinfo FILE

addRelocationTable.zip

Output

Backtrace:

#0  __memmove_sse2_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:356
#1  0x0000555555c94eb6 in std::__copy_move<false, true, std::random_access_iterator_tag>::__copy_m<char> (__result=<optimized out>, __last=<optimized out>, 
    __first=<optimized out>) at /usr/lib/gcc/x86_64-pc-linux-gnu/7.3.0/include/g++-v7/bits/stl_algobase.h:368
#2  std::__copy_move_a<false, char const*, char*> (__result=<optimized out>, __last=<optimized out>, __first=<optimized out>)
    at /usr/lib/gcc/x86_64-pc-linux-gnu/7.3.0/include/g++-v7/bits/stl_algobase.h:386
#3  std::__copy_move_a2<false, char const*, char*> (__result=<optimized out>, __last=<optimized out>, __first=<optimized out>)
    at /usr/lib/gcc/x86_64-pc-linux-gnu/7.3.0/include/g++-v7/bits/stl_algobase.h:424
#4  std::copy<char const*, char*> (__result=<optimized out>, __last=0x330 <error: Cannot access memory at address 0x330>, 
    __first=0x300 <error: Cannot access memory at address 0x300>) at /usr/lib/gcc/x86_64-pc-linux-gnu/7.3.0/include/g++-v7/bits/stl_algobase.h:456
#5  ELFIO::section_impl<ELFIO::Elf64_Shdr>::set_data (this=0x555556cd89d0, raw_data=0x300 <error: Cannot access memory at address 0x300>, size=48)
    at /home/legarrec/info/programmation/retdec2/build/external/src/elfio-project/include/elfio/elfio_section.hpp:173
#6  0x0000555555c7b732 in retdec::fileformat::ElfFormat::addRelocationTable (this=this@entry=0x555556ccc2c0, 
    dynamicSection=dynamicSection@entry=0x555556cd7ad0, info=..., symbolTable=symbolTable@entry=0x555556cd8930)
    at /home/legarrec/info/programmation/retdec2/src/fileformat/file_format/elf/elf_format.cpp:1284
#7  0x0000555555c7be72 in retdec::fileformat::ElfFormat::addRelaRelocationTable (this=0x555556ccc2c0, dynamicSection=0x555556cd7ad0, table=..., 
    symbolTable=0x555556cd8930) at /home/legarrec/info/programmation/retdec2/src/fileformat/file_format/elf/elf_format.cpp:1355
#8  0x0000555555c89efa in retdec::fileformat::ElfFormat::loadInfoFromDynamicTables (this=this@entry=0x555556ccc2c0, noOfTables=noOfTables@entry=1)
    at /home/legarrec/info/programmation/retdec2/src/fileformat/file_format/elf/elf_format.cpp:1972
#9  0x0000555555c8ab67 in retdec::fileformat::ElfFormat::loadInfoFromDynamicSegment (this=this@entry=0x555556ccc2c0)
    at /home/legarrec/info/programmation/retdec2/src/fileformat/file_format/elf/elf_format.cpp:2025
#10 0x0000555555c8b4c0 in retdec::fileformat::ElfFormat::initStructures (this=this@entry=0x555556ccc2c0)
    at /home/legarrec/info/programmation/retdec2/src/fileformat/file_format/elf/elf_format.cpp:1091
#11 0x0000555555c8e9a8 in retdec::fileformat::ElfFormat::initStructures (this=0x555556ccc2c0)
    at /home/legarrec/info/programmation/retdec2/src/fileformat/file_format/elf/elf_format.cpp:1076
#12 retdec::fileformat::ElfFormat::ElfFormat (this=0x555556ccc2c0, pathToFile=..., loadFlags=<optimized out>)
    at /home/legarrec/info/programmation/retdec2/src/fileformat/file_format/elf/elf_format.cpp:1033
#13 0x000055555597160a in fileinfo::ElfWrapper::ElfWrapper (this=0x555556ccc2c0, pathToFile=..., loadFlags=retdec::fileformat::NONE)
    at /home/legarrec/info/programmation/retdec2/src/fileinfo/file_wrapper/elf_wrapper.cpp:18
#14 0x000055555563e677 in __gnu_cxx::new_allocator<fileinfo::ElfWrapper>::construct<fileinfo::ElfWrapper, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, retdec::fileformat::LoadFlags&> (this=<optimized out>, __p=0x555556ccc2c0)
    at /usr/lib/gcc/x86_64-pc-linux-gnu/7.3.0/include/g++-v7/ext/new_allocator.h:136
#15 std::allocator_traits<std::allocator<fileinfo::ElfWrapper> >::construct<fileinfo::ElfWrapper, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, retdec::fileformat::LoadFlags&> (__a=..., __p=<optimized out>)
    at /usr/lib/gcc/x86_64-pc-linux-gnu/7.3.0/include/g++-v7/bits/alloc_traits.h:475
#16 std::_Sp_counted_ptr_inplace<fileinfo::ElfWrapper, std::allocator<fileinfo::ElfWrapper>, (__gnu_cxx::_Lock_policy)2>::_Sp_counted_ptr_inplace<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, retdec::fileformat::LoadFlags&> (__a=..., this=0x555556ccc2b0)
    at /usr/lib/gcc/x86_64-pc-linux-gnu/7.3.0/include/g++-v7/bits/shared_ptr_base.h:526
#17 std::__shared_count<(__gnu_cxx::_Lock_policy)2>::__shared_count<fileinfo::ElfWrapper, std::allocator<fileinfo::ElfWrapper>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, retdec::fileformat::LoadFlags&> (__a=..., this=<optimized out>)
    at /usr/lib/gcc/x86_64-pc-linux-gnu/7.3.0/include/g++-v7/bits/shared_ptr_base.h:637
#18 std::__shared_ptr<fileinfo::ElfWrapper, (__gnu_cxx::_Lock_policy)2>::__shared_ptr<std::allocator<fileinfo::ElfWrapper>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, retdec::fileformat::LoadFlags&> (__a=..., __tag=..., this=<optimized out>)
    at /usr/lib/gcc/x86_64-pc-linux-gnu/7.3.0/include/g++-v7/bits/shared_ptr_base.h:1295
#19 std::shared_ptr<fileinfo::ElfWrapper>::shared_ptr<std::allocator<fileinfo::ElfWrapper>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, retdec::fileformat::LoadFlags&> (__a=..., __tag=..., this=<optimized out>)
    at /usr/lib/gcc/x86_64-pc-linux-gnu/7.3.0/include/g++-v7/bits/shared_ptr.h:344
#20 std::allocate_shared<fileinfo::ElfWrapper, std::allocator<fileinfo::ElfWrapper>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, retdec::fileformat::LoadFlags&> (__a=...) at /usr/lib/gcc/x86_64-pc-linux-gnu/7.3.0/include/g++-v7/bits/shared_ptr.h:691
#21 std::make_shared<fileinfo::ElfWrapper, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, retdec::fileformat::LoadFlags&> ()
    at /usr/lib/gcc/x86_64-pc-linux-gnu/7.3.0/include/g++-v7/bits/shared_ptr.h:707
#22 fileinfo::ElfDetector::ElfDetector (this=0x555556ccbef0, pathToInputFile=..., finfo=..., searchPar=..., loadFlags=retdec::fileformat::NONE)
    at /home/legarrec/info/programmation/retdec2/src/fileinfo/file_detector/elf_detector.cpp:399
#23 0x000055555561b635 in fileinfo::createFileDetector (pathToInputFile=..., fileFormat=<optimized out>, finfo=..., searchPar=..., 
    loadFlags=retdec::fileformat::NONE) at /home/legarrec/info/programmation/retdec2/src/fileinfo/file_detector/detector_factory.cpp:38
#24 0x00005555555dbdc3 in main (argc=<optimized out>, argv=<optimized out>) at /home/legarrec/info/programmation/retdec2/src/fileinfo/fileinfo.cpp:395

valgrind

==20810== Invalid read of size 8
==20810==    at 0x4032B5E: memcpy@GLIBC_2.2.5 (vg_replace_strmem.c:1021)
==20810==    by 0x848EB5: __copy_m<char> (stl_algobase.h:368)
==20810==    by 0x848EB5: __copy_move_a<false, char const*, char*> (stl_algobase.h:386)
==20810==    by 0x848EB5: __copy_move_a2<false, char const*, char*> (stl_algobase.h:424)
==20810==    by 0x848EB5: copy<char const*, char*> (stl_algobase.h:456)
==20810==    by 0x848EB5: ELFIO::section_impl<ELFIO::Elf64_Shdr>::set_data(char const*, unsigned int) (elfio_section.hpp:173)
==20810==    by 0x82F731: retdec::fileformat::ElfFormat::addRelocationTable(ELFIO::section*, retdec::fileformat::ElfFormat::RelocationTableInfo const&, ELFIO::section*) (elf_format.cpp:1284)
==20810==    by 0x82FE71: retdec::fileformat::ElfFormat::addRelaRelocationTable(ELFIO::section*, retdec::fileformat::DynamicTable const&, ELFIO::section*) (elf_format.cpp:1355)
==20810==    by 0x83DEF9: retdec::fileformat::ElfFormat::loadInfoFromDynamicTables(unsigned long) (elf_format.cpp:1972)
==20810==    by 0x83EB66: retdec::fileformat::ElfFormat::loadInfoFromDynamicSegment() (elf_format.cpp:2025)
==20810==    by 0x83F4BF: retdec::fileformat::ElfFormat::initStructures() [clone .part.463] (elf_format.cpp:1091)
==20810==    by 0x8429A7: initStructures (elf_format.cpp:1076)
==20810==    by 0x8429A7: retdec::fileformat::ElfFormat::ElfFormat(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, retdec::fileformat::LoadFlags) (elf_format.cpp:1033)
==20810==    by 0x525609: fileinfo::ElfWrapper::ElfWrapper(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, retdec::fileformat::LoadFlags) (elf_wrapper.cpp:18)
==20810==    by 0x1F2676: construct<fileinfo::ElfWrapper, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, retdec::fileformat::LoadFlags&> (new_allocator.h:136)
==20810==    by 0x1F2676: construct<fileinfo::ElfWrapper, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, retdec::fileformat::LoadFlags&> (alloc_traits.h:475)
==20810==    by 0x1F2676: _Sp_counted_ptr_inplace<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, retdec::fileformat::LoadFlags&> (shared_ptr_base.h:526)
==20810==    by 0x1F2676: __shared_count<fileinfo::ElfWrapper, std::allocator<fileinfo::ElfWrapper>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, retdec::fileformat::LoadFlags&> (shared_ptr_base.h:637)
==20810==    by 0x1F2676: __shared_ptr<std::allocator<fileinfo::ElfWrapper>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, retdec::fileformat::LoadFlags&> (shared_ptr_base.h:1295)
==20810==    by 0x1F2676: shared_ptr<std::allocator<fileinfo::ElfWrapper>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, retdec::fileformat::LoadFlags&> (shared_ptr.h:344)
==20810==    by 0x1F2676: allocate_shared<fileinfo::ElfWrapper, std::allocator<fileinfo::ElfWrapper>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, retdec::fileformat::LoadFlags&> (shared_ptr.h:691)
==20810==    by 0x1F2676: make_shared<fileinfo::ElfWrapper, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, retdec::fileformat::LoadFlags&> (shared_ptr.h:707)
==20810==    by 0x1F2676: fileinfo::ElfDetector::ElfDetector(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, fileinfo::FileInformation&, retdec::cpdetect::DetectParams&, retdec::fileformat::LoadFlags) (elf_detector.cpp:399)
==20810==    by 0x1CF634: fileinfo::createFileDetector(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, retdec::fileformat::Format, fileinfo::FileInformation&, retdec::cpdetect::DetectParams&, retdec::fileformat::LoadFlags) (detector_factory.cpp:38)
==20810==    by 0x18FDC2: main (fileinfo.cpp:395)
==20810==  Address 0x300 is not stack'd, malloc'd or (recently) free'd

From master (8cc759b70f)
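Added example, not code from retdec, ELFIO or the reporter. Frame #5 of the backtrace shows `set_data` copying 48 bytes from `raw_data=0x300`, an address the process cannot read, so the pointer handed to the copy was never checked against the mapped file. The block below shows the defensive pattern a loader needs before such a copy: translate a (virtual address, size) pair taken from a dynamic entry into a file offset through the loadable segments, reject any range that no segment fully backs, and require the table to consist of whole entries. The `Segment`/`Image` types, the helper names and the sample layout are all constructed for this example; `entrySize` is assumed to be 24 for an Elf64 RELA table.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Minimal view of a PT_LOAD segment: which virtual range is backed by which
// file bytes. Real code would fill these from the program headers.
// (Constructed type, not retdec's.)
struct Segment {
    uint64_t vaddr;   // first virtual address covered
    uint64_t offset;  // file offset of the first byte
    uint64_t filesz;  // bytes actually present in the file
};

struct Image {
    std::vector<uint8_t> bytes;      // whole file as loaded in memory
    std::vector<Segment> segments;   // loadable segments
};

// Overflow-safe test that [start, start + size) fits inside [0, limit):
// written this way so start + size can never wrap around.
bool rangeFits(uint64_t limit, uint64_t start, uint64_t size) {
    return start <= limit && size <= limit - start;
}

// Translates a virtual range to a file offset. Succeeds only if the whole
// range lies inside the file-backed part of one segment whose own
// offset/filesz are inside the file; a value such as 0x300 that no segment
// covers is rejected instead of being used as a raw pointer.
bool vaddrToOffset(const Image& img, uint64_t vaddr, uint64_t size, uint64_t& offsetOut) {
    for (const Segment& s : img.segments) {
        if (vaddr < s.vaddr) continue;
        uint64_t rel = vaddr - s.vaddr;
        if (!rangeFits(s.filesz, rel, size)) continue;
        if (!rangeFits(img.bytes.size(), s.offset, s.filesz)) return false;
        offsetOut = s.offset + rel;
        return true;
    }
    return false;
}

// Copies the relocation table only when its address translates and the size
// is a whole number of entries. Returns false (and copies nothing) otherwise.
bool copyRelocationTable(const Image& img, uint64_t tableVaddr, uint64_t tableSize,
                         uint64_t entrySize, std::vector<uint8_t>& out) {
    if (entrySize == 0 || tableSize % entrySize != 0) return false;
    uint64_t off = 0;
    if (!vaddrToOffset(img, tableVaddr, tableSize, off)) return false;
    out.assign(img.bytes.begin() + static_cast<size_t>(off),
               img.bytes.begin() + static_cast<size_t>(off + tableSize));
    return true;
}

// Constructed sample image (not derived from the attached file): 0x400 bytes
// whose byte i holds (i & 0xff), with one segment mapping vaddr 0x1000..0x11ff
// onto file offsets 0x100..0x2ff.
Image sampleImage() {
    Image img;
    img.bytes.resize(0x400);
    for (size_t i = 0; i < img.bytes.size(); ++i) img.bytes[i] = static_cast<uint8_t>(i);
    img.segments.push_back(Segment{0x1000, 0x100, 0x200});
    return img;
}

// Convenience wrappers over the sample image: does the loader accept this
// table, and what is its first byte (-1 when rejected)?
bool tableAccepted(uint64_t vaddr, uint64_t size, uint64_t entrySize) {
    std::vector<uint8_t> table;
    return copyRelocationTable(sampleImage(), vaddr, size, entrySize, table);
}

int firstTableByte(uint64_t vaddr, uint64_t size, uint64_t entrySize) {
    std::vector<uint8_t> table;
    if (!copyRelocationTable(sampleImage(), vaddr, size, entrySize, table)) return -1;
    return table.empty() ? -1 : table[0];
}
```

With the sample layout, a 48-byte table at vaddr 0x1080 maps to offset 0x180 and is copied, while a table at 0x300 (unmapped, the value seen in the backtrace), a table that runs past the segment's file-backed bytes, and a 40-byte table that is not a whole number of 24-byte entries are all refused before any memory is touched.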

@s3rvac
Member

s3rvac commented Mar 17, 2018

Thanks for the report. I confirm that fileinfo crashes when analyzing the attached file, even in the current master.

@mbandzi
Contributor

mbandzi commented Mar 25, 2018

Fixed in 2d53f9d4.
