
SEGV in function elf::segment::segment at elf/elf.cc:180

Open · bladchan opened this issue 1 year ago · 0 comments

Hi,

I am running some experiments for AFLAPI and it has found a SEGV in function elf::segment::segment at elf/elf.cc:180. This bug may allow attackers to cause a DoS, so I report it here.

Environment: Ubuntu 18.04 + Clang 6.0

Test target: examples/dump-lines

Testcase here: badelf.zip

To reproduce:
• Compile the whole project and examples with ASAN

You can run it like this: ./dump-lines badelf

ASAN says:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==83554==ERROR: AddressSanitizer: SEGV on unknown address 0x7f7351aeefff (pc 0x0000005fba70 bp 0x7ffe73841ea0 sp 0x7ffe73841df0 T0)
==83554==The signal is caused by a READ memory access.
    #0 0x5fba6f in elf::segment::segment(elf::elf const&, void const*) /home/ubuntu/libelfin/elf/elf.cc:180
    #1 0x5fc54d in elf::elf::elf(std::shared_ptr<elf::loader> const&) /home/ubuntu/libelfin/elf/elf.cc:100
    #2 0x519098 in main /home/ubuntu/libelfin/examples/dump-lines.cc:36:18
    #3 0x7f735067cc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    #4 0x41bf29 in _start (/home/ubuntu/libelfin/examples/dump-lines+0x41bf29)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/ubuntu/libelfin/elf/elf.cc:180 in elf::segment::segment(elf::elf const&, void const*)
==83554==ABORTING

Impact: An attacker can exploit this vulnerability by submitting a malicious ELF file that exploits this bug, which will result in a DoS.

bladchan · Aug 31 '22 09:08
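The trace above is an out-of-bounds read while the ELF constructor walks the program header table. The defensive check below is an added example, not libelfin's code and not the project's fix: it validates that the program header table and each segment's file range lie inside the bytes actually present before anything dereferences them. It assumes a little-endian ELF64 image and defines its own minimal header structs so it builds without <elf.h>; the test images are constructed.

```cpp
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

// Minimal ELF64 header layouts (little-endian host assumed), defined here so the
// example builds without <elf.h>. Field order and sizes match the ELF64 spec.
struct Ehdr64 { unsigned char e_ident[16]; uint16_t e_type, e_machine; uint32_t e_version;
                uint64_t e_entry, e_phoff, e_shoff; uint32_t e_flags;
                uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx; };
struct Phdr64 { uint32_t p_type, p_flags; uint64_t p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align; };

// Rejects an image whose program header table, or any segment's file range,
// falls outside the bytes actually present. Every comparison is written as
// "offset > size || len > size - offset" so offset + len can never wrap.
std::string check_elf64_phdrs(const std::vector<uint8_t>& img) {
    if (img.size() < sizeof(Ehdr64)) return "file smaller than ELF header";
    Ehdr64 eh; std::memcpy(&eh, img.data(), sizeof eh);
    if (std::memcmp(eh.e_ident, "\x7f" "ELF", 4) != 0) return "bad magic";
    if (eh.e_ident[4] != 2) return "not ELF64";
    if (eh.e_phentsize < sizeof(Phdr64)) return "e_phentsize too small";
    uint64_t table = (uint64_t)eh.e_phnum * eh.e_phentsize;
    if (eh.e_phoff > img.size() || table > img.size() - eh.e_phoff)
        return "program header table out of bounds";
    for (uint16_t i = 0; i < eh.e_phnum; ++i) {
        Phdr64 ph; std::memcpy(&ph, img.data() + eh.e_phoff + (uint64_t)i * eh.e_phentsize, sizeof ph);
        if (ph.p_offset > img.size() || ph.p_filesz > img.size() - ph.p_offset)
            return "segment " + std::to_string(i) + " file range out of bounds";
    }
    return "";  // empty string means the table is safe to walk
}

// Constructed test image: one PT_LOAD segment, with e_phoff and p_filesz chosen
// by the caller (valid: phoff 64, filesz 120; malformed: anything past the end).
std::vector<uint8_t> make_image(uint64_t phoff, uint64_t filesz) {
    Ehdr64 eh{}; Phdr64 ph{};
    std::memcpy(eh.e_ident, "\x7f" "ELF", 4);
    eh.e_ident[4] = 2; eh.e_ident[5] = 1; eh.e_ident[6] = 1;  // ELFCLASS64, LSB, EV_CURRENT
    eh.e_type = 2; eh.e_machine = 62; eh.e_version = 1;        // ET_EXEC, EM_X86_64
    eh.e_ehsize = sizeof eh; eh.e_phentsize = sizeof ph; eh.e_phnum = 1; eh.e_phoff = phoff;
    ph.p_type = 1; ph.p_offset = 0; ph.p_filesz = filesz; ph.p_memsz = filesz;  // PT_LOAD
    std::vector<uint8_t> img(sizeof eh + sizeof ph);
    std::memcpy(img.data(), &eh, sizeof eh);
    std::memcpy(img.data() + sizeof eh, &ph, sizeof ph);
    return img;
}
```

A parser that runs this check before constructing segments turns a fuzzer-found crash like the one reported into a clean parse error.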