https://sourceware.org/bugzilla/show_bug.cgi?id=33891

            Bug ID: 33891
           Summary: readelf: SIGSEGV in process_debug_info() when parsing
                    malformed DWARF debug_info
           Product: binutils
           Version: 2.42
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: takaosato1997 at gmail dot com
  Target Milestone: ---

Created attachment 16615
  --> https://sourceware.org/bugzilla/attachment.cgi?id=16615&action=edit
Minimized AFL++ PoC. Triggers SIGSEGV in readelf when invoked with:
readelf -w poc_id000000.min

Summary
-------
I reviewed several previous readelf/DWARF bug reports (e.g. bugs 33615, 26086,
24891, 24382, 22219, 21133). While they involve DWARF parsing, none of them
describe a SIGSEGV at process_debug_info() around dwarf.c:4250 related to
rnglists_base handling. This appears to be a distinct issue.

readelf crashes with a segmentation fault when parsing malformed DWARF
debug information. The crash occurs in process_debug_info() while handling
DWARFv5 attributes.

The issue was discovered via AFL++ fuzzing and is reproducible with a
minimized input file.

Impact
------
This is a denial-of-service issue. A specially crafted ELF file causes
readelf to dereference a NULL pointer, leading to SIGSEGV.

Affected Tool
-------------
readelf (binutils)

Reproduction Steps
------------------
1. Install binutils (tested on Ubuntu 24.04):
   $ sudo apt install binutils

2. Run readelf with DWARF parsing enabled:
   $ readelf -w poc_id000000.min

3. The program crashes with SIGSEGV.

Observed Result
---------------
readelf terminates with a segmentation fault (SIGSEGV).

Expected Result
---------------
readelf should gracefully reject malformed DWARF data and exit with an
error message instead of crashing.

Backtrace
---------
The crash occurs at:

  process_debug_info()
  binutils/dwarf.c:4250

Full backtrace:

  #0 process_debug_info(...) at binutils/dwarf.c:4250
  #1 display_debug_info(...) at binutils/dwarf.c:7634
  #2 display_debug_section(...) at binutils/readelf.c:16947
  #3 process_section_contents(...) at binutils/readelf.c:17043
  #4 process_object(...) at binutils/readelf.c:23172
  #5 process_file(...) at binutils/readelf.c:23580
  #6 main(...) at binutils/readelf.c:23651

Faulting Instruction
--------------------
  mov 0x70(%r14), %r14

At the time of the crash, register r14 is NULL, leading to an invalid
memory access.

Environment
-----------
- OS: Ubuntu 24.04.4 LTS
- Architecture: x86_64
- Binutils version: 2.42 (Ubuntu package 2.42-4ubuntu2.8)
- Tool: /usr/bin/readelf

Additional Notes
----------------
The input file was minimized using afl-tmin and reliably reproduces the
crash.
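As an added triage helper (not part of this bug report or of binutils), the following POSIX shell snippet separates the expected outcome described above (readelf rejects the file and exits with a non-zero status) from the observed one (readelf killed by SIGSEGV), so a set of minimized inputs can be re-checked against the installed or a patched readelf. The READELF override variable is an assumption; the file name comes from the report.

```shell
#!/bin/sh
# Added triage helper (not from the bug report): classify how a command exits.
# Prints "ok", "error:<code>" for a normal non-zero exit, or "signal:<N>" when
# the process was killed by signal N (the shell reports that as status 128+N).
exit_class() {
    if "$@" >/dev/null 2>&1; then
        status=0
    else
        status=$?
    fi
    if [ "$status" -eq 0 ]; then
        echo ok
    elif [ "$status" -gt 128 ]; then
        echo "signal:$((status - 128))"
    else
        echo "error:$status"
    fi
}

# Run readelf -w on one file and report whether it rejected the input cleanly
# (any "error:" class, the expected result) or died from a signal (the observed
# result; signal 11 is SIGSEGV on Linux). READELF may point at a patched build
# for regression checks; this variable is an assumption of this helper.
check_readelf() {
    file=$1
    readelf_bin=${READELF:-readelf}
    class=$(exit_class "$readelf_bin" -w "$file")
    case $class in
        signal:11) echo "CRASH  $file (SIGSEGV)" ;;
        signal:*)  echo "CRASH  $file ($class)" ;;
        *)         echo "OK     $file ($class)" ;;
    esac
}

# Usage: check_readelf poc_id000000.min
#   or:  for f in corpus/*; do check_readelf "$f"; done
```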
