https://sourceware.org/bugzilla/show_bug.cgi?id=24098
Bug ID: 24098
Summary: readelf gets SegFault on crafted input that may cause DoS
Product: binutils
Version: 2.31
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: PeterRong96 at gmail dot com
Target Milestone: ---

Created attachment 11541
--> https://sourceware.org/bugzilla/attachment.cgi?id=11541&action=edit
3 files that led to crash.

By fuzzing readelf, we have crafted three files that produce SegFaults, and they might cause DoS vulnerabilities.

Crash site: readelf.c:8028

8024: relname = elf_hppa_reloc_type (get_reloc_type (filedata, rp->r_info));
...
8028: if (! const_strneq (relname, "R_PARISC_SEGREL"))

In line 8024 relname becomes NULL when fed with crafted data. Doing strncmp later on line 8028 on a NULL pointer is invalid.

Crash cause: According to the definitions in include/hppa.h:110-496 and include/reloc-macros.h:95-127, when given "the relocation is not recognised, NULL is returned." (citing the comment from include/reloc-macros.h:97).

Below is a stack printed using gdb.

#0  __strncmp_avx2 () at ../sysdeps/x86_64/multiarch/strcmp-avx2.S:101
No locals.
#1  0x00005555556336f2 in slurp_hppa_unwind_table (filedata=<optimized out>, sec=<optimized out>, aux=<optimized out>) at readelf.c:8028
        nentries = <optimized out>
        size = <optimized out>
        seg = <optimized out>
        table = <optimized out>
        tp = <optimized out>
        relsec = <optimized out>
        nrelas = <optimized out>
        rela = <optimized out>
        relname = 0x0
        sym = <optimized out>
        i = <optimized out>
        rp = <optimized out>
        tep = <optimized out>
        tmp1 = <optimized out>
        tmp2 = <optimized out>
#2  hppa_process_unwind (filedata=<optimized out>) at readelf.c:8115
        num_unwind = <optimized out>
        res = 0
        i = <optimized out>
        sec = <optimized out>
        unwsec = <optimized out>
        aux = <optimized out>
        strsec = <optimized out>
#3  0x00005555555a8135 in process_unwind (filedata=<optimized out>) at readelf.c:9253
        handlers = <optimized out>
#4  process_object (filedata=<optimized out>) at readelf.c:18822
        res = 0
        i = 31
        separates = <optimized out>
#5  0x0000555555577866 in process_file (file_name=<optimized out>) at readelf.c:19259
        armag = "\177ELF\002\003\001"
        ret = 1
        statbuf = <optimized out>
        filedata = <optimized out>
#6  main (argc=<optimized out>, argv=<optimized out>) at readelf.c:19318
        err = 0

--
You are receiving this mail because:
You are on the CC list for the bug.
_______________________________________________
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils
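The failure mode the report describes, as an added illustration that is not binutils code and not part of the bug report: a name-lookup routine that returns NULL for an unrecognised relocation type, the unchecked prefix comparison that then hands NULL to strncmp, and a hardened variant that rejects the unrecognised type before comparing. The `const_strneq` macro below is written to match how readelf defines it (an assumption about the exact definition); `lookup_reloc_name`, `is_segrel_unchecked`, `classify_unwind_reloc` and the relocation table are constructed for this example, and the type numbers in the table are sample values, not the real hppa numbering.

```c
/* Added example (not binutils code): the NULL-return path from the report
   and a NULL-safe replacement for the string test at readelf.c:8028. */
#include <stdio.h>
#include <string.h>

/* Modelled on readelf's const_strneq macro (assumed definition): compare
   s1 against the literal prefix s2.  It calls strncmp directly, so a NULL
   s1 is undefined behaviour, which is the crash in the report. */
#define const_strneq(s1, s2) (strncmp ((s1), (s2), sizeof (s2) - 1) == 0)

/* Constructed lookup table standing in for elf_hppa_reloc_type().  The
   type numbers here are sample values, not the real hppa relocation
   numbering. */
struct reloc_name { unsigned type; const char *name; };
static const struct reloc_name sample_relocs[] = {
  { 1, "R_PARISC_DIR32" },
  { 2, "R_PARISC_SEGREL32" },
  { 3, "R_PARISC_SEGREL64" },
};

/* Like elf_hppa_reloc_type(): returns NULL when the type is not recognised. */
const char *
lookup_reloc_name (unsigned type)
{
  for (size_t i = 0; i < sizeof sample_relocs / sizeof sample_relocs[0]; i++)
    if (sample_relocs[i].type == type)
      return sample_relocs[i].name;
  return NULL;
}

/* The pattern from readelf.c:8028: no NULL check before the compare.
   Passing the NULL from lookup_reloc_name() here reproduces the fault. */
int
is_segrel_unchecked (const char *relname)
{
  return const_strneq (relname, "R_PARISC_SEGREL");
}

/* Hardened form: an unrecognised type is reported and skipped instead of
   being compared.  Returns 1 for a SEGREL relocation, 0 for any other
   recognised type, and -1 when the name lookup failed. */
int
classify_unwind_reloc (unsigned type)
{
  const char *relname = lookup_reloc_name (type);
  if (relname == NULL)
    {
      fprintf (stderr,
               "warning: unrecognised relocation type %u in unwind table\n",
               type);
      return -1;
    }
  return const_strneq (relname, "R_PARISC_SEGREL") ? 1 : 0;
}

int
main (void)
{
  /* Constructed relocation type values, the last one out of range in the
     way a fuzzer-crafted r_info field would be. */
  unsigned types[] = { 1, 2, 3, 0xFFFF };
  for (size_t i = 0; i < sizeof types / sizeof types[0]; i++)
    printf ("type %u -> %d\n", types[i], classify_unwind_reloc (types[i]));
  return 0;
}
```

The point of the hardened variant is that the decision about an unknown type is made once, at the lookup result, rather than being left to every later string comparison; a fuzzer-found NULL then becomes a diagnostic instead of a crash.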