https://sourceware.org/bugzilla/show_bug.cgi?id=33700
Bug ID: 33700
Summary: readelf aborts with SIGABRT on crafted input due to
invalid pointer free (binutils 2.46(HEAD))
Product: binutils
Version: 2.46 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: 970429025 at qq dot com
Target Milestone: ---
Created attachment 16506
--> https://sourceware.org/bugzilla/attachment.cgi?id=16506&action=edit
The PoC attachment contains the input file that triggers the crash
Overview:
Running readelf on a crafted ELF file causes the program to terminate with
SIGABRT after printing multiple warnings about malformed local symbols.
Steps to Reproduce:
./readelf -a Dangling_Pointer
Actual Results:
readelf prints several warnings and then aborts with SIGABRT due to an invalid
pointer free.
GDB output excerpt:
readelf: Warning: local symbol 43 found at index >= .symtab's sh_info value of
0
44: 0000000000000000 0 NOTYPE LOCAL DEFAULT UND <corrupt>
readelf: Warning: local symbol 44 found at index >= .symtab's sh_info value of
0
No version information found in this file.
There is no GOT section in this file.
free(): invalid pointer
Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
51 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1 0x00007ffff6bbb7f1 in __GI_abort () at abort.c:79
#2 0x00007ffff6c04837 in __libc_message (action=action@entry=do_abort,
fmt=fmt@entry=0x7ffff6d31a7b "%s\n") at ../sysdeps/posix/libc_fatal.c:181
#3 0x00007ffff6c0b8ba in malloc_printerr (str=str@entry=0x7ffff6d2fc76
"free(): invalid pointer") at malloc.c:5342
#4 0x00007ffff6c12dec in _int_free (have_lock=0, p=0x5d0128
<get_DW_OP_name+2984>, av=0x7ffff6f66c40 <main_arena>) at malloc.c:4167
#5 __GI___libc_free (mem=0x5d0138 <get_DW_OP_name+3000>) at malloc.c:3134
#6 0x000000000045e1d2 in process_got_section_contents ()
#7 0x0000000000448bb3 in process_object ()
#8 0x00000000004484fe in process_archive ()
#9 0x000000000043904a in process_file ()
#10 0x0000000000437119 in main ()
(gdb)
Expected Results:
readelf should handle malformed input safely and exit cleanly instead of
aborting.
Build & Platform:
binutils version: 2.46 (HEAD)
component: readelf
OS: Ubuntu 18.04.6 LTS
arch: x86_64
Additional Information:
The PoC attachment contains the input file that triggers the crash
(Dangling_pointer).
Crash type: SIGABRT.
Fully reproducible.