patchelf
Malformed input will cause invalid memory read / segfault
This file will generate a segfault / invalid memory read with patchelf: https://crashes.fuzzing-project.org/patchelf-0.8-invalid-memory-read-Elf64_Phdr
The error messages I get from debugging tools aren't really clear; it seems it is causing some read to some wrong memory that is neither part of the stack nor the heap.
Here's the address sanitizer stack trace:
==5570==ERROR: AddressSanitizer: unknown-crash on address 0x8030afdac1201830 at pc 0x00000049ed24 bp 0x7fff61a59e10 sp 0x7fff61a595c0
READ of size 56 at 0x8030afdac1201830 thread T0
#0 0x49ed23 in __asan_memcpy (/tmp/patchelf-0.8/src/patchelf+0x49ed23)
#1 0x521b7b in __gnu_cxx::new_allocator<Elf64_Phdr>::construct(Elf64_Phdr*, Elf64_Phdr const&) /usr/lib/gcc/x86_64-pc-linux-gnu/5.2.0/include/g++-v5/ext/new_allocator.h:130:28
#2 0x521b7b in void __gnu_cxx::__alloc_traits<std::allocator<Elf64_Phdr> >::construct<Elf64_Phdr>(std::allocator<Elf64_Phdr>&, Elf64_Phdr*, Elf64_Phdr const&) /usr/lib/gcc/x86_64-pc-linux-gnu/5.2.0/include/g++-v5/ext/alloc_traits.h:189
#3 0x521b7b in std::vector<Elf64_Phdr, std::allocator<Elf64_Phdr> >::_M_insert_aux(__gnu_cxx::__normal_iterator<Elf64_Phdr*, std::vector<Elf64_Phdr, std::allocator<Elf64_Phdr> > >, Elf64_Phdr const&) /usr/lib/gcc/x86_64-pc-linux-gnu/5.2.0/include/g++-v5/bits/vector.tcc:361
#4 0x517d8f in std::vector<Elf64_Phdr, std::allocator<Elf64_Phdr> >::push_back(Elf64_Phdr const&) /usr/lib/gcc/x86_64-pc-linux-gnu/5.2.0/include/g++-v5/bits/stl_vector.h:925:4
#5 0x517d8f in ElfFile<Elf64_Ehdr, Elf64_Phdr, Elf64_Shdr, unsigned long, unsigned long, Elf64_Dyn, Elf64_Sym>::parse() /tmp/patchelf-0.8/src/patchelf.cc:281
#6 0x4e5ab9 in void patchElf2<ElfFile<Elf64_Ehdr, Elf64_Phdr, Elf64_Shdr, unsigned long, unsigned long, Elf64_Dyn, Elf64_Sym> >(ElfFile<Elf64_Ehdr, Elf64_Phdr, Elf64_Shdr, unsigned long, unsigned long, Elf64_Dyn, Elf64_Sym>&, unsigned int) /tmp/patchelf-0.8/src/patchelf.cc:1105:5
#7 0x4e5ab9 in patchElf() /tmp/patchelf-0.8/src/patchelf.cc:1156
#8 0x4e5ab9 in main /tmp/patchelf-0.8/src/patchelf.cc:1245
#9 0x7faa93de77af in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.21-r1/work/glibc-2.21/csu/libc-start.c:289
#10 0x4190f8 in _start (/tmp/patchelf-0.8/src/patchelf+0x4190f8)
==5570==AddressSanitizer CHECK failed: /var/tmp/portage/sys-devel/llvm-3.7.0/work/llvm-3.7.0.src/projects/compiler-rt/lib/asan/asan_report.cc:347 "((0 && "Address is not in memory and not in shadow?")) != (0)" (0x0, 0x0)
#0 0x4bbf2d in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/tmp/patchelf-0.8/src/patchelf+0x4bbf2d)
#1 0x4c29c3 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/tmp/patchelf-0.8/src/patchelf+0x4c29c3)
#2 0x4b7f66 in __asan::DescribeAddressIfShadow(unsigned long, __asan::AddressDescription*, bool) (/tmp/patchelf-0.8/src/patchelf+0x4b7f66)
#3 0x4b9306 in __asan::DescribeAddress(unsigned long, unsigned long, char const*) (/tmp/patchelf-0.8/src/patchelf+0x4b9306)
#4 0x4bb0eb in __asan_report_error (/tmp/patchelf-0.8/src/patchelf+0x4bb0eb)
#5 0x49ed44 in __asan_memcpy (/tmp/patchelf-0.8/src/patchelf+0x49ed44)
#6 0x521b7b in __gnu_cxx::new_allocator<Elf64_Phdr>::construct(Elf64_Phdr*, Elf64_Phdr const&) /usr/lib/gcc/x86_64-pc-linux-gnu/5.2.0/include/g++-v5/ext/new_allocator.h:130:28
#7 0x521b7b in void __gnu_cxx::__alloc_traits<std::allocator<Elf64_Phdr> >::construct<Elf64_Phdr>(std::allocator<Elf64_Phdr>&, Elf64_Phdr*, Elf64_Phdr const&) /usr/lib/gcc/x86_64-pc-linux-gnu/5.2.0/include/g++-v5/ext/alloc_traits.h:189
#8 0x521b7b in std::vector<Elf64_Phdr, std::allocator<Elf64_Phdr> >::_M_insert_aux(__gnu_cxx::__normal_iterator<Elf64_Phdr*, std::vector<Elf64_Phdr, std::allocator<Elf64_Phdr> > >, Elf64_Phdr const&) /usr/lib/gcc/x86_64-pc-linux-gnu/5.2.0/include/g++-v5/bits/vector.tcc:361
#9 0x517d8f in std::vector<Elf64_Phdr, std::allocator<Elf64_Phdr> >::push_back(Elf64_Phdr const&) /usr/lib/gcc/x86_64-pc-linux-gnu/5.2.0/include/g++-v5/bits/stl_vector.h:925:4
#10 0x517d8f in ElfFile<Elf64_Ehdr, Elf64_Phdr, Elf64_Shdr, unsigned long, unsigned long, Elf64_Dyn, Elf64_Sym>::parse() /tmp/patchelf-0.8/src/patchelf.cc:281
#11 0x4e5ab9 in void patchElf2<ElfFile<Elf64_Ehdr, Elf64_Phdr, Elf64_Shdr, unsigned long, unsigned long, Elf64_Dyn, Elf64_Sym> >(ElfFile<Elf64_Ehdr, Elf64_Phdr, Elf64_Shdr, unsigned long, unsigned long, Elf64_Dyn, Elf64_Sym>&, unsigned int) /tmp/patchelf-0.8/src/patchelf.cc:1105:5
#12 0x4e5ab9 in patchElf() /tmp/patchelf-0.8/src/patchelf.cc:1156
#13 0x4e5ab9 in main /tmp/patchelf-0.8/src/patchelf.cc:1245
#14 0x7faa93de77af in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.21-r1/work/glibc-2.21/csu/libc-start.c:289
#15 0x4190f8 in _start (/tmp/patchelf-0.8/src/patchelf+0x4190f8)
Trying on 0.15.x dev branch:
$ patchelf ~/Downloads/patchelf-0.8-invalid-memory-read-Elf64_Phdr
patchelf: program header table out of bounds
looks like this got fixed! :)
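As an added example (not patchelf's own code), the kind of bounds check the 0.15 message "program header table out of bounds" implies: validate e_phoff, e_phentsize and e_phnum against the file size before any 56-byte Elf64_Phdr is copied out of the mapped file, the way the crashing parse() did. The ehdr64_t mirror struct, the helper names and the constructed headers are mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Minimal mirror of the ELF64 file header (same layout as glibc's
 * Elf64_Ehdr) so this builds without <elf.h>. */
typedef struct {
    unsigned char e_ident[16];
    uint16_t e_type, e_machine;
    uint32_t e_version;
    uint64_t e_entry, e_phoff, e_shoff;
    uint32_t e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} ehdr64_t;
_Static_assert(sizeof(ehdr64_t) == 64, "ELF64 header must be 64 bytes");

#define PHDR64_SIZE 56 /* sizeof(Elf64_Phdr): the 56-byte READ in the ASan report */

/* Returns 1 if the program header table described by h lies entirely inside
 * a file of file_size bytes, 0 otherwise. The comparison is written in
 * subtraction form so a huge e_phoff cannot wrap an offset+length sum.
 * Assumes a little-endian host reading a little-endian file. */
int phdr_table_in_bounds(const ehdr64_t *h, size_t file_size)
{
    if (file_size < sizeof *h) return 0;
    if (memcmp(h->e_ident, "\x7f""ELF", 4) != 0) return 0;
    if (h->e_ident[4] != 2) return 0;              /* ELFCLASS64 only */
    if (h->e_phnum == 0) return 1;                  /* nothing to read */
    if (h->e_phentsize < PHDR64_SIZE) return 0;     /* entry too small for an Elf64_Phdr */
    uint64_t table = (uint64_t)h->e_phentsize * h->e_phnum; /* <= 65535*65535, no overflow */
    if (h->e_phoff > file_size) return 0;           /* table starts past EOF */
    if (table > file_size - h->e_phoff) return 0;   /* table runs off the end */
    return 1;
}

/* Constructed header for a file image; only the fields the check reads are set. */
static void make_header(ehdr64_t *h, uint64_t phoff, uint16_t phentsize, uint16_t phnum)
{
    memset(h, 0, sizeof *h);
    memcpy(h->e_ident, "\x7f""ELF", 4);
    h->e_ident[4] = 2; /* ELFCLASS64 */
    h->e_ident[5] = 1; /* ELFDATA2LSB */
    h->e_ehsize = sizeof *h;
    h->e_phoff = phoff; h->e_phentsize = phentsize; h->e_phnum = phnum;
}

/* Well-formed: 1 KiB image, two phdrs directly after the header. */
int check_sane(void)          { ehdr64_t h; make_header(&h, 64, 56, 2);                  return phdr_table_in_bounds(&h, 1024); }
/* Malformed: e_phoff near UINT64_MAX; a naive phoff + size sum would wrap to a small value. */
int check_phoff_wraps(void)   { ehdr64_t h; make_header(&h, UINT64_MAX - 8, 56, 2);      return phdr_table_in_bounds(&h, 1024); }
/* Malformed: e_phnum so large the table cannot fit in the file. */
int check_phnum_too_big(void) { ehdr64_t h; make_header(&h, 64, 56, 65535);              return phdr_table_in_bounds(&h, 1024); }
/* Malformed: one entry starting 24 bytes before EOF, so its last 32 bytes lie outside the file. */
int check_tail_overrun(void)  { ehdr64_t h; make_header(&h, 1000, 56, 1);                return phdr_table_in_bounds(&h, 1024); }
```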