Bug #6177

elfdump can die on truncated ELF files

Added by Robert Mustacchi about 6 years ago. Updated about 6 years ago.

Status: Closed
Priority: Normal
Category: cmd - userland programs
Start date: 2015-08-29
Due date:
% Done: 100%
Estimated time:
Difficulty: Medium
Tags:
Gerrit CR:

Description

A dump showed up in thoth from elfdump. Ironically, this dump is from thoth itself:

bcantrill@manta # pargs -e $MANTA_INPUT_FILE
core '/manta/thoth/stor/thoth/79ddbbff4e1f03277ba9d94e202bdeff/core.elfdump.39947' of 39947:    elfdump -n /manta/thoth/stor/thoth/8c09cf7cd4785ce12be7a79f9ebec6d9/core.node.2
envp[0]: MANTA_JOB_ID=a6283178-e099-c4f8-a6e6-f0841174d77e
envp[1]: MANTA_USER=thoth
envp[2]: MANTA_OUTPUT_BASE=/thoth/jobs/a6283178-e099-c4f8-a6e6-f0841174d77e/stor/thoth/stor/thoth/8c09cf7cd4785ce12be7a79f9ebec6d9/core.node.29222.0.
envp[3]: MANTA_NO_AUTH=true
envp[4]: PATH=/opt/marlin/ubin:/opt/local/bin:/opt/local/sbin:/usr/sbin:/usr/bin
envp[5]: MANTA_URL=http://localhost:80/
envp[6]: PWD=/
envp[7]: mc_input_key=/thoth/stor/thoth/8c09cf7cd4785ce12be7a79f9ebec6d9/core.node.29222
envp[8]: DTRACE_DOF_INIT_DISABLE=1
envp[9]: SHLVL=1
envp[10]: HOME=/root
envp[11]: MANTA_INPUT_FILE=/manta/thoth/stor/thoth/8c09cf7cd4785ce12be7a79f9ebec6d9/core.node.29222
envp[12]: mc_input_file=/manta/thoth/stor/thoth/8c09cf7cd4785ce12be7a79f9ebec6d9/core.node.29222
envp[13]: MANTA_INPUT_OBJECT=/thoth/stor/thoth/8c09cf7cd4785ce12be7a79f9ebec6d9/core.node.29222
envp[14]: _=/usr/bin/elfdump

We died in this loop in shdr_cache():

        ...
        /*
         * Obtain the data for each section.
         */
        for (ndx = 1; ndx < shnum; ndx++) {
                Cache   *_cache = &cache[ndx];
                Elf_Scn *scn = _cache->c_scn;

                if ((_cache->c_data = elf_getdata(scn, NULL)) == NULL) {
                        failure(file, MSG_ORIG(MSG_ELF_GETDATA));
                        (void) fprintf(stderr, MSG_INTL(MSG_ELF_ERR_SCNDATA),
                            EC_WORD(elf_ndxscn(scn)));
                }

                /*
                 * If a string table, verify that it has NULL first and
                 * final bytes.
                 */
                if ((_cache->c_shdr->sh_type == SHT_STRTAB) &&
                    (_cache->c_data->d_buf != NULL) &&
                    (_cache->c_data->d_size > 0)) {
                        ...

Note that upon failure of elf_getdata(), we generate an error message – but then drive on anyway, dying if the section in question is of SHT_STRTAB. Sure enough:

$ MANTA_USER=thoth mjob errors a6283178-e099-c4f8-a6e6-f0841174d77e | json stderr
/thoth/jobs/a6283178-e099-c4f8-a6e6-f0841174d77e/stor/thoth/stor/thoth/8c09cf7cd4785ce12be7a79f9ebec6d9/core.node.29222.0.err.ff1fc1b8-7ecc-44ab-a0d0-a42ed2e7b05c
$ MANTA_USER=thoth mget /thoth/jobs/a6283178-e099-c4f8-a6e6-f0841174d77e/stor/thoth/stor/thoth/8c09cf7cd4785ce12be7a79f9ebec6d9/core.node.29222.0.err.ff1fc1b8-7ecc-44ab-a0d0-a42ed2e7b05c
/manta/thoth/stor/thoth/8c09cf7cd4785ce12be7a79f9ebec6d9/core.node.29222: elf_getdata failed: Format error: data region truncated
    unable to obtain section data: shstrtab[43]
/manta/thoth/stor/thoth/8c09cf7cd4785ce12be7a79f9ebec6d9/core.node.29222: elf_getdata failed: Format error: data region truncated
    unable to obtain section data: section[3]
/manta/thoth/stor/thoth/8c09cf7cd4785ce12be7a79f9ebec6d9/core.node.29222: elf_getdata failed: Format error: data region truncated
    unable to obtain section data: section[4]
$

Note that the first error message is MSG_ELF_ERR_SHDR; of the two error messages before death, here are the sections that they correspond to:

Section Header[3]:  sh_name: .symtab
    sh_addr:      0xfe680000      sh_flags:   0
    sh_size:      0x1930          sh_type:    [ SHT_SYMTAB ]
    sh_offset:    0x3bad050       sh_entsize: 0x10 (403 entries)
    sh_link:      4               sh_info:    205
    sh_addralign: 0x4       

Section Header[4]:  sh_name: .strtab
    sh_addr:      0xfe680000      sh_flags:   [ SHF_STRINGS ]
    sh_size:      0x1b5b          sh_type:    [ SHT_STRTAB ]
    sh_offset:    0x3bae980       sh_entsize: 0
    sh_link:      0               sh_info:    0
    sh_addralign: 0x1       

This confirms that elfdump died because it did not correctly drive on in this case. To be consistent with the coding style elsewhere in elfdump, c_data should not be assumed to be non-NULL.
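The check the report asks for, shown as an added example that is not elfdump's or libelf's code: a small section walker over a constructed ELF64 image that reports a section whose data region lies past the end of the file and then drives on without dereferencing the data it never obtained. The ELF structure definitions, the image layout, and the names section_data, scan_sections, build_image and scan_constructed are this example's own; the image is written in host byte order and is 284 bytes, so scanning only its first 280 bytes stands in for the truncated core file above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ELF64 header layouts (field order and sizes as in <elf.h>); no libelf needed. */
typedef struct {
	unsigned char e_ident[16];
	uint16_t e_type, e_machine;
	uint32_t e_version;
	uint64_t e_entry, e_phoff, e_shoff;
	uint32_t e_flags;
	uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} Ehdr64;
typedef struct {
	uint32_t sh_name, sh_type;
	uint64_t sh_flags, sh_addr, sh_offset, sh_size;
	uint32_t sh_link, sh_info;
	uint64_t sh_addralign, sh_entsize;
} Shdr64;
#define	SHT_STRTAB	3

/* Headers inside the image, data regions past its end, string tables lacking NULs. */
typedef struct { int sections, truncated, bad_strtab; } ScanResult;

/* Section bytes, or NULL when [sh_offset, sh_offset + sh_size) is not inside the image. */
static const uint8_t *
section_data(const uint8_t *img, size_t len, const Shdr64 *sh)
{
	if (sh->sh_offset > len || sh->sh_size > len - sh->sh_offset)
		return (NULL);	/* the case libelf reports as "data region truncated" */
	return (img + sh->sh_offset);
}

/* Walk the sections as shdr_cache() does, but skip any whose data could not be read. */
static ScanResult
scan_sections(const uint8_t *img, size_t len)
{
	ScanResult r = { 0, 0, 0 };
	Ehdr64 eh;
	size_t ndx, avail;

	if (len < sizeof (eh))
		return (r);
	memcpy(&eh, img, sizeof (eh));
	/* avail: section headers that themselves fit inside the image. */
	avail = (eh.e_shoff > len || eh.e_shentsize != sizeof (Shdr64)) ?
	    0 : (len - eh.e_shoff) / sizeof (Shdr64);
	for (ndx = 1; ndx < eh.e_shnum && ndx < avail; ndx++) {
		Shdr64 sh;
		const uint8_t *data;

		memcpy(&sh, img + eh.e_shoff + ndx * sizeof (sh), sizeof (sh));
		r.sections++;
		if ((data = section_data(img, len, &sh)) == NULL) {
			(void) fprintf(stderr, "section[%zu]: data region truncated\n", ndx);
			r.truncated++;
			continue;	/* report, then drive on without dereferencing */
		}
		/* Only sections with data reach the NUL-boundary check for string tables. */
		if (sh.sh_type == SHT_STRTAB && sh.sh_size > 0 &&
		    (data[0] != '\0' || data[sh.sh_size - 1] != '\0')) {
			(void) fprintf(stderr, "section[%zu]: string table not NUL-bounded\n", ndx);
			r.bad_strtab++;
		}
	}
	return (r);
}

/* Constructed 284-byte ELF64 image, host byte order: [0] null, [1] .shstrtab, [2] .strtab. */
static size_t
build_image(uint8_t *buf, size_t cap)
{
	static const char shstr[] = "\0.shstrtab\0.strtab";	/* 19 bytes, NUL at both ends */
	static const char str[] = "\0foo\0bar";			/* 9 bytes, NUL at both ends */
	size_t shoff = sizeof (Ehdr64), shstr_off = shoff + 3 * sizeof (Shdr64);
	size_t str_off = shstr_off + sizeof (shstr), total = str_off + sizeof (str);
	Ehdr64 eh;
	Shdr64 sh[3];

	if (cap < total)
		return (0);
	memset(&eh, 0, sizeof (eh));
	memcpy(eh.e_ident, "\177ELF\2\1\1", 7);	/* magic, ELFCLASS64, ELFDATA2LSB, EV_CURRENT */
	eh.e_shoff = shoff; eh.e_ehsize = sizeof (eh); eh.e_shentsize = sizeof (Shdr64);
	eh.e_shnum = 3; eh.e_shstrndx = 1;
	memset(sh, 0, sizeof (sh));
	sh[1].sh_name = 1; sh[1].sh_type = SHT_STRTAB; sh[1].sh_offset = shstr_off; sh[1].sh_size = sizeof (shstr);
	sh[2].sh_name = 11; sh[2].sh_type = SHT_STRTAB; sh[2].sh_offset = str_off; sh[2].sh_size = sizeof (str);
	memcpy(buf, &eh, sizeof (eh));
	memcpy(buf + shoff, sh, sizeof (sh));
	memcpy(buf + shstr_off, shstr, sizeof (shstr));
	memcpy(buf + str_off, str, sizeof (str));
	return (total);
}

/* Scan only the first len bytes of the image; a short len models a truncated file. */
static ScanResult
scan_constructed(size_t len, int clobber_last_nul)
{
	uint8_t img[512];
	size_t n = build_image(img, sizeof (img));

	if (clobber_last_nul)
		img[n - 1] = 'x';	/* break .strtab's trailing NUL */
	return (scan_sections(img, len < n ? len : n));
}
```

Scanning the whole image reports nothing; scanning its first 280 bytes reports one truncated section and carries on, because the trailing-NUL check is only reached for sections whose data pointer is non-NULL. Cutting the image at 200 bytes additionally drops section header 2 itself, which the walker treats as the end of the table rather than reading past the buffer.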

Actions #1

Updated by Electric Monk about 6 years ago

  • Status changed from New to Closed
  • % Done changed from 90 to 100

git commit 9bc2928da4128bbbe0feaaa43090efe2ea01abe2

commit  9bc2928da4128bbbe0feaaa43090efe2ea01abe2
Author: Bryan Cantrill <bryan@joyent.com>
Date:   2015-08-31T01:54:35.000Z

    6177 elfdump can die on truncated ELF files
    Reviewed by: Toomas Soome <tsoome@me.com>
    Reviewed by: Igor Kozhukhov <ikozhukhov@gmail.com>
    Reviewed by: Josef 'Jeff' Sipek <jeffpc@josefsipek.net>
    Approved by: Richard Lowe <richlowe@richlowe.net>
