Skip to content

llvm-objdump can crash due to ELFFile<ELFT>::dynamicEntries() not checking p_offset #85568

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
emaste opened this issue Mar 17, 2024 · 1 comment
Closed

llvm-objdump can crash due to ELFFile<ELFT>::dynamicEntries() not checking p_offset #85568

emaste opened this issue Mar 17, 2024 · 1 comment
Labels
crash-on-invalid llvm:support

Comments

@emaste
Copy link
Member

emaste commented Mar 17, 2024

Reported against FreeBSD in https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=277736 which has an attached reproducer

Copied from the FreeBSD bug report:

# uname -a
FreeBSD stock14 15.0-CURRENT FreeBSD 15.0-CURRENT #19 main-n268743-a58813fd701e: Sat Mar  9 07:18:21 AST 2024     root@stock14:/usr/obj/usr/src/amd64.amd64/sys/GENERIC amd64
# objdump --version
LLVM (http://llvm.org/):
  LLVM version 17.0.6
  Optimized build with assertions.
...
# objdump -p ldd1b.exe 
...
PLEASE submit a bug report to https://bugs.freebsd.org/submit/ and include the crash backtrace.
Stack dump:
0.      Program arguments: objdump -p ldd1b.exe
 #0 0x0000000001230c41 PrintStackTrace /usr/src/contrib/llvm-project/llvm/lib/Support/Unix/Signals.inc:602:13
 #1 0x000000000122f0b5 RunSignalHandlers /usr/src/contrib/llvm-project/llvm/lib/Support/Signals.cpp:105:18
 #2 0x0000000001231365 SignalHandler /usr/src/contrib/llvm-project/llvm/lib/Support/Unix/Signals.inc:0:3
 #3 0x00000008249cf5ff handle_signal /usr/src/lib/libthr/thread/thr_sig.c:0:3
 #4 0x00000008249cebbb thr_sighandler /usr/src/lib/libthr/thread/thr_sig.c:244:1
 #5 0x000000082270d2d3 ([vdso]+0x2d3)
 #6 0x0000000000f96641 dynamicEntries /usr/src/contrib/llvm-project/llvm/lib/Object/ELF.cpp:590:24
 #7 0x0000000000df2268 operator bool /usr/src/contrib/llvm-project/llvm/include/llvm/Support/Error.h:559:17
 #8 0x0000000000df2268 printDynamicSection /usr/src/contrib/llvm-project/llvm/tools/llvm-objdump/ELFDump.cpp:205:8
 #9 0x0000000000df2268 printPrivateHeaders /usr/src/contrib/llvm-project/llvm/tools/llvm-objdump/ELFDump.cpp:431:3
#10 0x0000000000e6a13c dumpObject /usr/src/contrib/llvm-project/llvm/tools/llvm-objdump/llvm-objdump.cpp:2815:7
#11 0x0000000000e654b0 dumpInput /usr/src/contrib/llvm-project/llvm/tools/llvm-objdump/llvm-objdump.cpp:0:5
#12 0x0000000000e654b0 for_each<std::__1::__wrap_iter<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > *>, void (*)(llvm::StringRef)> /usr/obj/usr/src/amd64.amd64/tmp/usr/include/c++/v1/__algorithm/for_each.h:26:5
#13 0x0000000000e654b0 for_each<std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > > &, void (*)(llvm::StringRef)> /usr/src/contrib/llvm-project/llvm/include/llvm/ADT/STLExtras.h:1731:10
#14 0x0000000000e654b0 main /usr/src/contrib/llvm-project/llvm/tools/llvm-objdump/llvm-objdump.cpp:3248:3
#15 0x0000000828a2d0aa __libc_start1 /usr/src/lib/libc/csu/libc_start1.c:157:2
Bus error (core dumped)
@emaste emaste added tools:llvm-objdump crash-on-invalid crash Prefer [crash-on-valid] or [crash-on-invalid] labels Mar 17, 2024
@llvmbot
Copy link
Member

llvmbot commented Mar 17, 2024

@llvm/issue-subscribers-tools-llvm-objdump

Author: Ed Maste (emaste)

Reported against FreeBSD in https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=277736 which has an attached reproducer

Copied from the FreeBSD bug report:

# uname -a
FreeBSD stock14 15.0-CURRENT FreeBSD 15.0-CURRENT #<!-- -->19 main-n268743-a58813fd701e: Sat Mar  9 07:18:21 AST 2024     root@<!-- -->stock14:/usr/obj/usr/src/amd64.amd64/sys/GENERIC amd64
# objdump --version
LLVM (http://llvm.org/):
  LLVM version 17.0.6
  Optimized build with assertions.
...
# objdump -p ldd1b.exe 
...
PLEASE submit a bug report to https://bugs.freebsd.org/submit/ and include the crash backtrace.
Stack dump:
0.      Program arguments: objdump -p ldd1b.exe
 #<!-- -->0 0x0000000001230c41 PrintStackTrace /usr/src/contrib/llvm-project/llvm/lib/Support/Unix/Signals.inc:602:13
 #<!-- -->1 0x000000000122f0b5 RunSignalHandlers /usr/src/contrib/llvm-project/llvm/lib/Support/Signals.cpp:105:18
 #<!-- -->2 0x0000000001231365 SignalHandler /usr/src/contrib/llvm-project/llvm/lib/Support/Unix/Signals.inc:0:3
 #<!-- -->3 0x00000008249cf5ff handle_signal /usr/src/lib/libthr/thread/thr_sig.c:0:3
 #<!-- -->4 0x00000008249cebbb thr_sighandler /usr/src/lib/libthr/thread/thr_sig.c:244:1
 #<!-- -->5 0x000000082270d2d3 ([vdso]+0x2d3)
 #<!-- -->6 0x0000000000f96641 dynamicEntries /usr/src/contrib/llvm-project/llvm/lib/Object/ELF.cpp:590:24
 #<!-- -->7 0x0000000000df2268 operator bool /usr/src/contrib/llvm-project/llvm/include/llvm/Support/Error.h:559:17
 #<!-- -->8 0x0000000000df2268 printDynamicSection /usr/src/contrib/llvm-project/llvm/tools/llvm-objdump/ELFDump.cpp:205:8
 #<!-- -->9 0x0000000000df2268 printPrivateHeaders /usr/src/contrib/llvm-project/llvm/tools/llvm-objdump/ELFDump.cpp:431:3
#<!-- -->10 0x0000000000e6a13c dumpObject /usr/src/contrib/llvm-project/llvm/tools/llvm-objdump/llvm-objdump.cpp:2815:7
#<!-- -->11 0x0000000000e654b0 dumpInput /usr/src/contrib/llvm-project/llvm/tools/llvm-objdump/llvm-objdump.cpp:0:5
#<!-- -->12 0x0000000000e654b0 for_each&lt;std::__1::__wrap_iter&lt;std::__1::basic_string&lt;char, std::__1::char_traits&lt;char&gt;, std::__1::allocator&lt;char&gt; &gt; *&gt;, void (*)(llvm::StringRef)&gt; /usr/obj/usr/src/amd64.amd64/tmp/usr/include/c++/v1/__algorithm/for_each.h:26:5
#<!-- -->13 0x0000000000e654b0 for_each&lt;std::__1::vector&lt;std::__1::basic_string&lt;char, std::__1::char_traits&lt;char&gt;, std::__1::allocator&lt;char&gt; &gt;, std::__1::allocator&lt;std::__1::basic_string&lt;char, std::__1::char_traits&lt;char&gt;, std::__1::allocator&lt;char&gt; &gt; &gt; &gt; &amp;, void (*)(llvm::StringRef)&gt; /usr/src/contrib/llvm-project/llvm/include/llvm/ADT/STLExtras.h:1731:10
#<!-- -->14 0x0000000000e654b0 main /usr/src/contrib/llvm-project/llvm/tools/llvm-objdump/llvm-objdump.cpp:3248:3
#<!-- -->15 0x0000000828a2d0aa __libc_start1 /usr/src/lib/libc/csu/libc_start1.c:157:2
Bus error (core dumped)

@EugeneZelenko EugeneZelenko removed the crash Prefer [crash-on-valid] or [crash-on-invalid] label Mar 17, 2024
chencha3 pushed a commit to chencha3/llvm-project that referenced this issue Mar 23, 2024
@antoniofrighetto @chencha3
[Object][ELF] Ensure offset to locate dyn section does not go past size
39be95a 
Validate `p_offset` in `dynamicEntries` before computing the entry offset.

Fixes: llvm#85568.
@jh7370 jh7370 mentioned this issue Mar 26, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
crash-on-invalid llvm:support
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@emaste @EugeneZelenko @llvmbot