ELF viv segmentation violation

Open williballenthin opened this issue 2 years ago • 1 comments

this ELF file also makes vivisect pretty unhappy:

❯ python -m capa.main ~/Downloads/82dae644c7a956a41d70097b7a749ca26fc6e04f0fa3186ee72955b2b5c550b6
loading : 100%|███████████████████████████| 658/658 [00:00<00:00, 2485.65 rules/s]
..  analyzing programINFO:Elf:self._parsePheaders
INFO:Elf:self._parseDynLinkInfo
INFO:Elf:self._parseSections
INFO:Elf:self._parseDynamicsFromSections
INFO:Elf:self._parseDynStrs
INFO:Elf:no dynamic string tableinfo found: DT_STRTAB: None  DT_STRSZ: None
INFO:Elf:self._parseDynSyms
INFO:Elf:self._parseDynRelocs
INFO:Elf:self._parseDynSymsFromSections
INFO:Elf:self._parseSectionSymbols
INFO:Elf:self._parseSectionRelocs
WARNING:Elf:_parseSectionRelocs: Reloc section differs from Dynamics: 0x8e0
INFO:Elf:section reloc: reloc: @0x1 4
INFO:Elf:section reloc: reloc: @0x8 11
INFO:Elf:section reloc: reloc: @0xd 4
WARNING:Elf:_parseSectionRelocs: Reloc section differs from Dynamics: 0x928
INFO:Elf:section reloc: reloc: @0x3 11
WARNING:Elf:_parseSectionRelocs: Reloc section differs from Dynamics: 0x958
INFO:Elf:section reloc: reloc: @0x0 1
WARNING:Elf:_parseSectionRelocs: Reloc section differs from Dynamics: 0x970
INFO:Elf:section reloc: reloc: @0x4 2
INFO:Elf:section reloc: reloc: @0xc 2
WARNING:Elf:_parseSectionRelocs: Reloc section differs from Dynamics: 0x9d0
INFO:Elf:section reloc: reloc: @0x150 1
INFO:Elf:section reloc: reloc: @0x380 1
INFO:Elf:done parsing ELF
INFO:vivisect:elf: no program headers found!
WARNING:vivisect.parsers.elf:unknown reloc type: 4  (at 0x1)
WARNING:vivisect.parsers.elf:00000000 (24) Elf64Reloca: reloc: @0x1 4
00000000 (08)   r_offset: 0x00000001 (1)
00000008 (08)   r_info: 0x1300000004 (81604378628)
00000010 (08)   r_addend: 0xfffffffffffffffc (18446744073709551612)

WARNING:vivisect.parsers.elf:unknown reloc type: 11  (at 0x8)
WARNING:vivisect.parsers.elf:00000000 (24) Elf64Reloca: reloc: @0x8 11
00000000 (08)   r_offset: 0x00000008 (8)
00000008 (08)   r_info: 0x30000000b (12884901899)
00000010 (08)   r_addend: 0x00000000 (0)

WARNING:vivisect.parsers.elf:unknown reloc type: 4  (at 0xd)
WARNING:vivisect.parsers.elf:00000000 (24) Elf64Reloca: reloc: @0xd 4
00000000 (08)   r_offset: 0x0000000d (13)
00000008 (08)   r_info: 0x1500000004 (90194313220)
00000010 (08)   r_addend: 0xfffffffffffffffc (18446744073709551612)

WARNING:vivisect.parsers.elf:unknown reloc type: 11  (at 0x3)
WARNING:vivisect.parsers.elf:00000000 (24) Elf64Reloca: reloc: @0x3 11
00000000 (08)   r_offset: 0x00000003 (3)
00000008 (08)   r_info: 0x30000000b (12884901899)
00000010 (08)   r_addend: 0x00000011 (17)

WARNING:vivisect.parsers.elf:unknown reloc type: 1  (at 0x0)
WARNING:vivisect.parsers.elf:00000000 (24) Elf64Reloca: reloc: @0x0 1
00000000 (08)   r_offset: 0x00000000 (0)
00000008 (08)   r_info: 0x100000001 (4294967297)
00000010 (08)   r_addend: 0x00000000 (0)

WARNING:vivisect.parsers.elf:unknown reloc type: 2  (at 0x4)
WARNING:vivisect.parsers.elf:00000000 (24) Elf64Reloca: reloc: @0x4 2
00000000 (08)   r_offset: 0x00000004 (4)
00000008 (08)   r_info: 0x100000002 (4294967298)
00000010 (08)   r_addend: 0x00000014 (20)

WARNING:vivisect.parsers.elf:unknown reloc type: 2  (at 0xc)
WARNING:vivisect.parsers.elf:00000000 (24) Elf64Reloca: reloc: @0xc 2
00000000 (08)   r_offset: 0x0000000c (12)
00000008 (08)   r_info: 0x200000002 (8589934594)
00000010 (08)   r_addend: 0x0000000c (12)

WARNING:vivisect.parsers.elf:unknown reloc type: 1  (at 0x150)
WARNING:vivisect.parsers.elf:00000000 (24) Elf64Reloca: reloc: @0x150 1
00000000 (08)   r_offset: 0x00000150 (336)
00000008 (08)   r_info: 0x1400000001 (85899345921)
00000010 (08)   r_addend: 0x00000000 (0)

WARNING:vivisect.parsers.elf:unknown reloc type: 1  (at 0x380)
WARNING:vivisect.parsers.elf:00000000 (24) Elf64Reloca: reloc: @0x380 1
00000000 (08)   r_offset: 0x00000380 (896)
00000008 (08)   r_info: 0x1200000001 (77309411329)
00000010 (08)   r_addend: 0x00000000 (0)

INFO:vivisect.parsers.elf:sva==0, using relocation name: 1: ''
INFO:vivisect.parsers.elf:sva==0, using relocation name: 1: ''
INFO:vivisect.parsers.elf:sva==0, using relocation name: 1: ''
INFO:vivisect.parsers.elf:sva==0, using relocation name: 1: ''
INFO:vivisect.parsers.elf:sva==0, using relocation name: 1: ''
INFO:vivisect.parsers.elf:sva==0, using relocation name: 1: ''
INFO:vivisect.parsers.elf:sva==0, using relocation name: 1: ''
INFO:vivisect.parsers.elf:sva==0, using relocation name: 1: ''
INFO:vivisect.parsers.elf:sva==0, using relocation name: 1: ''
INFO:vivisect.parsers.elf:sva==0, using relocation name: 1: ''
INFO:vivisect.parsers.elf:sva==0, using relocation name: 1: ''
INFO:vivisect.parsers.elf:sva==0, using relocation name: 1: ''
INFO:vivisect.parsers.elf:sva==0, using relocation name: 1: ''
INFO:vivisect.parsers.elf:sva==0, using relocation name: 1: ''
INFO:vivisect.parsers.elf:sva==0, using relocation name: 1: ''
INFO:vivisect.parsers.elf:sva==0, using relocation name: 1: ''
INFO:vivisect.parsers.elf:sva==0, using relocation name: 1: ''
INFO:vivisect:Failed to find file for 0x00000000 (__this_module) (and filelocal == True!)
Traceback (most recent call last):
  File "/usr/lib/python3.8/runpy.py", line 194, in _run_module_as_main
    return _run_code(code, main_globals, None,
  File "/usr/lib/python3.8/runpy.py", line 87, in _run_code
    exec(code, run_globals)
  File "/home/user/code/capa-pub/capa/main.py", line 1095, in <module>
    sys.exit(main())
  File "/home/user/code/capa-pub/capa/main.py", line 986, in main
    extractor = get_extractor(
  File "/home/user/code/capa-pub/capa/main.py", line 463, in get_extractor
    vw = get_workspace(path, format, sigpaths)
  File "/home/user/code/capa-pub/capa/main.py", line 403, in get_workspace
    vw = viv_utils.getWorkspace(path, analyze=False, should_save=False)
  File "/home/user/code/viv-utils/viv_utils/__init__.py", line 106, in getWorkspace
    vw.loadFromFile(fp)
  File "/home/user/env/lib/python3.8/site-packages/vivisect-1.0.5-py3.8.egg/vivisect/__init__.py", line 2737, in loadFromFile
    fname = mod.parseFile(self, filename=filename, baseaddr=baseaddr)
  File "/home/user/env/lib/python3.8/site-packages/vivisect-1.0.5-py3.8.egg/vivisect/parsers/elf.py", line 31, in parseFile
    return loadElfIntoWorkspace(vw, elf, filename=filename, baseaddr=baseaddr)
  File "/home/user/env/lib/python3.8/site-packages/vivisect-1.0.5-py3.8.egg/vivisect/parsers/elf.py", line 531, in loadElfIntoWorkspace
    valu = vw.readMemoryPtr(sva)
  File "/home/user/env/lib/python3.8/site-packages/vivisect-1.0.5-py3.8.egg/envi/memory.py", line 187, in readMemoryPtr
    return self.readMemValue(va, self.imem_psize)
  File "/home/user/env/lib/python3.8/site-packages/vivisect-1.0.5-py3.8.egg/envi/memory.py", line 169, in readMemValue
    bytes = self.readMemory(addr, size)
  File "/home/user/env/lib/python3.8/site-packages/vivisect-1.0.5-py3.8.egg/envi/memory.py", line 539, in readMemory
    raise envi.SegmentationViolation(va)
envi.exc.SegmentationViolation: SegmentationViolation('Bad Memory Access: 0x0')

Originally posted by @williballenthin in https://github.com/mandiant/capa/issues/867#issuecomment-1012568034

williballenthin, Jan 13 '22 22:01
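
An added example, not part of the original issue and not capa or vivisect code: decoding the `Elf64Reloca` dumps in the log above by splitting `r_info` into symbol index (high 32 bits) and relocation type (low 32 bits) and reading `r_addend` as signed. The x86-64 type names are an assumption, since the log does not state the machine type; `decode_rela_dump` is a hypothetical helper name.

```python
import re

# x86-64 psABI names for the types seen in the log. The architecture is an
# assumption: the log only shows that these are Elf64 RELA records.
X86_64_RELOC_NAMES = {1: "R_X86_64_64", 2: "R_X86_64_PC32",
                      4: "R_X86_64_PLT32", 11: "R_X86_64_32S"}

# Sample input: two of the record dumps copied from the log in the issue.
SAMPLE_LOG = """\
WARNING:vivisect.parsers.elf:00000000 (24) Elf64Reloca: reloc: @0x1 4
00000000 (08)   r_offset: 0x00000001 (1)
00000008 (08)   r_info: 0x1300000004 (81604378628)
00000010 (08)   r_addend: 0xfffffffffffffffc (18446744073709551612)

WARNING:vivisect.parsers.elf:00000000 (24) Elf64Reloca: reloc: @0x3 11
00000000 (08)   r_offset: 0x00000003 (3)
00000008 (08)   r_info: 0x30000000b (12884901899)
00000010 (08)   r_addend: 0x00000011 (17)
"""

FIELD_RE = re.compile(
    r"^[0-9a-f]{8} \(08\)\s+(r_offset|r_info|r_addend): (0x[0-9a-fA-F]+)")

def decode_rela_dump(text):
    """Return one dict per complete Elf64 RELA record in a vivisect dump."""
    records, cur = [], {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            continue
        name, value = m.group(1), int(m.group(2), 16)
        if name == "r_offset":          # a new record starts; drop partials
            cur = {}
        cur[name] = value
        if name == "r_addend" and len(cur) == 3:
            rtype = cur["r_info"] & 0xFFFFFFFF        # ELF64_R_TYPE
            addend = cur["r_addend"]
            if addend >= 1 << 63:                     # Elf64_Sxword is signed
                addend -= 1 << 64
            records.append({
                "offset": cur["r_offset"],
                "sym": cur["r_info"] >> 32,           # ELF64_R_SYM
                "type": rtype,
                "name": X86_64_RELOC_NAMES.get(rtype, "unknown"),
                "addend": addend,
            })
            cur = {}
    return records
```
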

reported upstream here: https://github.com/vivisect/vivisect/issues/497

williballenthin, Jan 13 '22 22:01

fixed in vivisect 1.1.0

mr-tz, Nov 15 '23 07:11