SEGV in function elf::segment::segment at elf/elf.cc:180

[bladchan]

Hi,

I am running some experiments for AFLAPI and it has found a SEGV in function elf::segment::segment at elf/elf.cc:180. This bug may allows attackers to cause DoS, so I report it here.

Environment: Ubuntu 18.04 + Clang 6.0

Test target: examples/dump-lines

Testcase here: badelf.zip

To reproduce:
• Complie the hole project and examples with ASAN

You can use like this: ./dump-lines badelf

ASAN says:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==83554==ERROR: AddressSanitizer: SEGV on unknown address 0x7f7351aeefff (pc 0x0000005fba70 bp 0x7ffe73841ea0 sp 0x7ffe73841df0 T0)
==83554==The signal is caused by a READ memory access.
#0 0x5fba6f in elf::segment::segment(elf::elf const&, void const*) /home/ubuntu/libelfin/elf/elf.cc:180
#1 0x5fc54d in elf::(elf)::elf(std::shared_ptrelf::loader const&) /home/ubuntu/libelfin/elf/elf.cc:100
#2 0x519098 in main /home/ubuntu/libelfin/examples/dump-lines.cc:36:18
#3 0x7f735067cc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
#4 0x41bf29 in _start (/home/ubuntu/libelfin/examples/dump-lines+0x41bf29)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/ubuntu/libelfin/elf/elf.cc:180 in elf::segment::segment(elf::elf const&, void const*)
==83554==ABORTING

Impact:
An attacker can exploit this vulnerability by submitting a malicious elf file that exploits this bug which will result in a DoS.