https://sourceware.org/bugzilla/show_bug.cgi?id=23780
Bug ID: 23780
Summary: There is an assertion abort in function display_raw_attribute() in readelf.c in GNU Binutils of version 2.31.1.
Product: binutils
Version: 2.31
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: hanfangzhang9 at gmail dot com
Target Milestone: ---

Created attachment 11329
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11329&action=edit
The poc file of this bug

Dear all,

There is an assertion abort in function display_raw_attribute() in readelf.c in GNU Binutils of version 2.31.1. It will lead to remote denial of service.

To reproduce:

Download the attached file poc
readelf -a poc

Normal output:
...
readelf: readelf.c:15158: display_raw_attribute: Assertion `end > p' failed.
Aborted

The GDB debugging information is as follows:

readelf: readelf.c:15158: display_raw_attribute: Assertion `end > p' failed.

Program received signal SIGABRT, Aborted.
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x7ffff7ff7000 --> 0x6461657200001000
RCX: 0x7ffff7a42428 (<__GI_raise+56>: cmp rax,0xfffffffffffff000)
RDX: 0x6
RSI: 0x10c3d
RDI: 0x10c3d
RBP: 0x44d38b --> 0x70203e20646e65 ('end > p')
RSP: 0x7fffffffd9b8 --> 0x7ffff7a4402a (<__GI_abort+362>: mov rdx,QWORD PTR fs:0x10)
RIP: 0x7ffff7a42428 (<__GI_raise+56>: cmp rax,0xfffffffffffff000)
R8 : 0x698f00 --> 0x0
R9 : 0xffff000000000000
R10: 0x8
R11: 0x246
R12: 0x3b36 ('6;')
R13: 0x476820 ("display_raw_attribute")
R14: 0x0
R15: 0x6982fa --> 0x2e006e6f69737265 ('ersion')
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff7a4241e <__GI_raise+46>: mov eax,0xea
   0x7ffff7a42423 <__GI_raise+51>: movsxd rdi,ecx
   0x7ffff7a42426 <__GI_raise+54>: syscall
=> 0x7ffff7a42428 <__GI_raise+56>: cmp rax,0xfffffffffffff000
   0x7ffff7a4242e <__GI_raise+62>: ja 0x7ffff7a42450 <__GI_raise+96>
   0x7ffff7a42430 <__GI_raise+64>: repz ret
   0x7ffff7a42432 <__GI_raise+66>: nop WORD PTR [rax+rax*1+0x0]
   0x7ffff7a42438 <__GI_raise+72>: test ecx,ecx
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffd9b8 --> 0x7ffff7a4402a (<__GI_abort+362>: mov rdx,QWORD PTR fs:0x10)
0008| 0x7fffffffd9c0 --> 0x20 (' ')
0016| 0x7fffffffd9c8 --> 0x0
0024| 0x7fffffffd9d0 --> 0x0
0032| 0x7fffffffd9d8 --> 0x0
0040| 0x7fffffffd9e0 --> 0x0
0048| 0x7fffffffd9e8 --> 0x0
0056| 0x7fffffffd9f0 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGABRT
0x00007ffff7a42428 in __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:54
54      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
gdb-peda$ bt
#0  0x00007ffff7a42428 in __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1  0x00007ffff7a4402a in __GI_abort () at abort.c:89
#2  0x00007ffff7a3abd7 in __assert_fail_base (fmt=<optimized out>, assertion=assertion@entry=0x44d38b "end > p", file=file@entry=0x44d381 "readelf.c", line=line@entry=0x3b36, function=function@entry=0x476820 <__PRETTY_FUNCTION__.21845> "display_raw_attribute") at assert.c:92
#3  0x00007ffff7a3ac82 in __GI___assert_fail (assertion=assertion@entry=0x44d38b "end > p", file=file@entry=0x44d381 "readelf.c", line=line@entry=0x3b36, function=function@entry=0x476820 <__PRETTY_FUNCTION__.21845> "display_raw_attribute") at assert.c:101
#4  0x0000000000404fac in display_raw_attribute (p=<optimized out>, end=end@entry=0x698310 "") at readelf.c:15158
#5  0x0000000000404ff9 in display_public_gnu_attributes (start=<optimized out>, end=0x698310 "") at readelf.c:18509
#6  0x000000000040aea9 in process_attributes (filedata=filedata@entry=0x697000, public_name=public_name@entry=0x451301 "gnu", proc_type=proc_type@entry=0x6ffffff5, display_pub_attribute=display_pub_attribute@entry=0x404fb0 <display_public_gnu_attributes>, display_proc_gnu_attribute=display_proc_gnu_attribute@entry=0x409350 <display_generic_attribute>) at readelf.c:15460
#7  0x0000000000428373 in process_arch_specific (filedata=0x697000) at readelf.c:18578
#8  process_object (filedata=filedata@entry=0x697000) at readelf.c:18856
#9  0x000000000040226d in process_file (file_name=<optimized out>) at readelf.c:19259
#10 main (argc=argc@entry=0x3, argv=argv@entry=0x7fffffffe018) at readelf.c:19318
#11 0x00007ffff7a2d830 in __libc_start_main (main=0x401b80 <main>, argc=0x3, argv=0x7fffffffe018, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe008) at ../csu/libc-start.c:291
#12 0x0000000000402449 in _start ()

Credits: Hanfang Zhang, Sichuan University

Best regards,
Hanfang Zhang

-- 
You are receiving this mail because:
You are on the CC list for the bug.
_______________________________________________
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils
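The backtrace above shows readelf's attribute-section parser (process_attributes -> display_public_gnu_attributes -> display_raw_attribute) tripping the internal invariant `end > p` on the poc, so the tool aborts instead of reporting a malformed section. The report does not say which field in the poc is wrong. The following is an added example, not code from binutils or from the reporter: a walker for the body of an ELF object-attributes section (the .gnu.attributes layout: 'A', then subsections of [u32 length][vendor name NUL], each holding sub-subsections of [u8 kind][u32 size][payload]) in which every declared length is checked against the bytes that remain, so that a length that overruns the section or a string with no terminator is turned into an error code rather than an assertion failure. It assumes little-endian length fields, the generic even-tag/ULEB128, odd-tag/string value rule (target-specific tags such as compatibility records are not handled), and uses constructed byte strings rather than the attached poc.

```c
/* Added example (not binutils code): bounds-checked walker for an ELF
 * object-attributes section body.  Assumptions: little-endian u32 length
 * fields; generic value rule (even tag -> ULEB128, odd tag -> NTBS);
 * inputs below are constructed, not the report's poc. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum attr_status { ATTR_OK = 0, ATTR_BAD_VERSION, ATTR_TRUNCATED, ATTR_BAD_LENGTH };

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Decode a ULEB128 without reading past end; returns bytes consumed, 0 on error. */
static size_t read_uleb128(const uint8_t *p, const uint8_t *end, uint64_t *out)
{
    uint64_t v = 0; unsigned shift = 0; size_t n = 0;
    while (p + n < end && shift < 64) {
        uint8_t b = p[n++];
        v |= (uint64_t)(b & 0x7f) << shift;
        shift += 7;
        if (!(b & 0x80)) { *out = v; return n; }
    }
    return 0;
}

/* Walk the section body; on ATTR_OK, *nattrs is the number of (tag, value) pairs. */
enum attr_status walk_attributes(const uint8_t *buf, size_t len, size_t *nattrs)
{
    const uint8_t *p = buf, *end = buf + len, *nul;
    size_t count = 0;

    if (len < 1 || *p++ != 'A') return ATTR_BAD_VERSION;      /* format version byte */

    while (p < end) {
        /* Subsection header: u32 length that includes the length field itself. */
        if ((size_t)(end - p) < 4) return ATTR_TRUNCATED;
        uint32_t sec_len = rd32le(p);
        if (sec_len < 4 || sec_len > (size_t)(end - p)) return ATTR_BAD_LENGTH;
        const uint8_t *sec_end = p + sec_len;
        p += 4;

        /* Vendor name must be NUL-terminated inside the subsection. */
        nul = memchr(p, 0, (size_t)(sec_end - p));
        if (!nul) return ATTR_TRUNCATED;
        p = nul + 1;

        while (p < sec_end) {
            /* Sub-subsection: u8 kind (1 file, 2 section, 3 symbol), u32 size. */
            if ((size_t)(sec_end - p) < 5) return ATTR_TRUNCATED;
            uint8_t kind = p[0];
            uint32_t sub_len = rd32le(p + 1);
            if (sub_len < 5 || sub_len > (size_t)(sec_end - p)) return ATTR_BAD_LENGTH;
            const uint8_t *sub_end = p + sub_len;
            p += 5;

            if (kind == 2 || kind == 3) {          /* 0-terminated ULEB128 index list */
                uint64_t idx; size_t n;
                do {
                    n = read_uleb128(p, sub_end, &idx);
                    if (!n) return ATTR_TRUNCATED;
                    p += n;
                } while (idx != 0);
            } else if (kind != 1) {
                p = sub_end;                       /* unknown scope: skip it whole */
                continue;
            }

            /* Attribute list: ULEB128 tag, then ULEB128 (even tag) or NTBS (odd tag). */
            while (p < sub_end) {
                uint64_t tag, val;
                size_t n = read_uleb128(p, sub_end, &tag);
                if (!n) return ATTR_TRUNCATED;
                p += n;
                if (tag & 1) {
                    nul = memchr(p, 0, (size_t)(sub_end - p));
                    if (!nul) return ATTR_TRUNCATED;
                    p = nul + 1;
                } else {
                    n = read_uleb128(p, sub_end, &val);
                    if (!n) return ATTR_TRUNCATED;
                    p += n;
                }
                count++;
            }
        }
    }
    if (nattrs) *nattrs = count;
    return ATTR_OK;
}

/* Constructed inputs: one "gnu" subsection holding a file-scope attribute list. */
static const uint8_t GOOD[]    = { 'A', 0x12,0,0,0, 'g','n','u',0, 0x01, 0x0a,0,0,0, 0x04,0x01, 0x07,'x',0 };
static const uint8_t BAD_LEN[] = { 'A', 0x40,0,0,0, 'g','n','u',0, 0x01, 0x0a,0,0,0, 0x04,0x01, 0x07,'x',0 }; /* length 64 > bytes left */
static const uint8_t UNTERM[]  = { 'A', 0x11,0,0,0, 'g','n','u',0, 0x01, 0x09,0,0,0, 0x04,0x01, 0x07,'x' };   /* string has no NUL */

int status_of(const uint8_t *buf, size_t len) { size_t n; return (int)walk_attributes(buf, len, &n); }
size_t attrs_in(const uint8_t *buf, size_t len) { size_t n = 0; walk_attributes(buf, len, &n); return n; }

int main(void)
{
    printf("good: status %d, %zu attrs\n", status_of(GOOD, sizeof GOOD), attrs_in(GOOD, sizeof GOOD));
    printf("bad length: status %d\n", status_of(BAD_LEN, sizeof BAD_LEN));
    printf("unterminated: status %d\n", status_of(UNTERM, sizeof UNTERM));
    return 0;
}
```

To run the walker over a real section rather than the constructed arrays, extract the raw bytes first (objcopy's --dump-section .gnu.attributes=attrs.bin works for this) and pass them to walk_attributes. The design point is that each length is validated against the enclosing region before the pointer advances, so the `end > p` relation that readelf asserts on is established by the parser itself and a hostile file can only produce an error return.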