https://sourceware.org/bugzilla/show_bug.cgi?id=33914
Bug ID: 33914
Summary: readelf: SIGABRT in DWARF .debug_line parsing due to zero-sized field passed to byte_get_little_endian()
Product: binutils
Version: 2.46
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: takaosato1997 at gmail dot com
Target Milestone: ---
Created attachment 16625
--> https://sourceware.org/bugzilla/attachment.cgi?id=16625&action=edit
PoC ELF file that causes readelf to abort (SIGABRT) in byte_get_little_endian()
when parsing malformed DWARF5 .debug_line data.
Overview
========
When processing a crafted ELF file containing malformed DWARF v5 debug
information, readelf aborts with SIGABRT instead of gracefully handling
the malformed data and exiting cleanly.
The crash occurs while parsing the .debug_line section and is triggered
by a zero-sized field being passed to byte_get_little_endian(), which
internally invokes abort() when size == 0.
This indicates a missing validation check during DWARF line table parsing.
Reproduction
============
Command:
readelf -wlRFap poc.min
The attached file (poc.min) reliably triggers the crash.
The issue is fully reproducible.
Observed Behavior
=================
readelf emits multiple DWARF-related warnings and then terminates:
readelf: Error: Unhandled data length: 0
Aborted (core dumped)
The program terminates with SIGABRT.
ASAN Backtrace
==============
Using an ASAN-instrumented build of binutils 2.46.0:
#0 __GI_abort
#1 byte_get_little_endian (size=0)
at binutils/elfcomm.c:173
#2 fetch_indexed_addr
at binutils/dwarf.c:719
#3 read_and_display_attr_value
at binutils/dwarf.c:2919
#4 display_formatted_table
at binutils/dwarf.c:4680
#5 display_debug_lines_raw
at binutils/dwarf.c:4878
#6 display_debug_lines
at binutils/dwarf.c:6014
#7 display_debug_section
#8 process_section_contents
#9 process_object
#10 process_file
#11 main
The abort originates in byte_get_little_endian() due to size == 0.
Technical Analysis
==================
The crafted ELF file contains malformed DWARF5 debug information
within the .debug_line section.
During parsing of the line table, readelf reaches a state where:
- pointer_size becomes zero
- or num_bytes becomes zero
- or a form requiring indexed address resolution is processed
with insufficient or corrupted metadata
Eventually, fetch_indexed_addr() calls byte_get_little_endian()
with size == 0.
byte_get_little_endian() explicitly aborts when size is zero,
leading to a SIGABRT.
There appears to be no prior validation ensuring that size is
non-zero before attempting endian extraction.
Expected Behavior
=================
readelf should detect malformed DWARF data and report parsing errors,
but it should not invoke abort().
The program should:
- Report the corruption
- Stop processing the malformed section
- Exit cleanly with a non-zero return code
Aborting via SIGABRT is not appropriate behavior when analyzing
untrusted input.
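As an added illustration of the failure path in the Technical Analysis and of the expected behaviour above (this is constructed model code, not binutils' byte_get_little_endian() or fetch_indexed_addr()): a fixed-size extractor that aborts on an unhandled length, beside a hypothetical checked lookup that validates pointer_size and table bounds first so a malformed table produces an error return the caller can report. The function names, the sample table and the -1 sentinel are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for a fixed-size little-endian extractor: like the one the report
   describes, it handles only 1/2/4/8 and aborts on anything else, size 0 included. */
static uint64_t get_le(const unsigned char *p, unsigned int size)
{
    uint64_t v = 0;
    switch (size) {
    case 1: case 2: case 4: case 8:
        for (unsigned int i = 0; i < size; i++)
            v |= (uint64_t) p[i] << (8 * i);
        return v;
    default:
        fprintf(stderr, "Error: Unhandled data length: %u\n", size);
        abort();
    }
}

/* Hypothetical hardened indexed-address lookup: validate the pointer size and
   table bounds before the extractor is reached, so malformed metadata yields an
   error return (caller reports it and stops) instead of a SIGABRT. */
static int fetch_indexed_addr_checked(const unsigned char *sec, size_t sec_len,
                                      size_t base, uint64_t index,
                                      unsigned int ptr_size, uint64_t *out)
{
    if (ptr_size != 1 && ptr_size != 2 && ptr_size != 4 && ptr_size != 8)
        return 0;                           /* zero or bogus pointer_size */
    if (base > sec_len)
        return 0;                           /* base offset outside section */
    if (index >= (sec_len - base) / ptr_size)
        return 0;                           /* entry would run past the end */
    *out = get_le(sec + base + index * ptr_size, ptr_size);
    return 1;
}

/* Constructed sample: a two-entry table of 4-byte addresses. */
static const unsigned char sample_table[] = {
    0x78, 0x56, 0x34, 0x12,   /* index 0 -> 0x12345678 */
    0xef, 0xbe, 0xad, 0xde    /* index 1 -> 0xdeadbeef */
};

/* Returns the looked-up address, or -1 when the checked lookup rejects it. */
static long long lookup(uint64_t index, unsigned int ptr_size)
{
    uint64_t a;
    return fetch_indexed_addr_checked(sample_table, sizeof sample_table, 0,
                                      index, ptr_size, &a) ? (long long) a : -1;
}
```

Calling lookup(0, 0) returns -1 without ever reaching get_le(), which is the point: the size check belongs in the caller that derives pointer_size from untrusted DWARF metadata.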
Why This Is Not a Duplicate
===========================
This issue differs from previously reported DWARF-related crashes:
- It does not involve relocation processing (e.g. dump_relr_relocations)
- It is not a double-free or heap corruption
- It is not limited to .debug_abbrev handling
- The crash occurs specifically in .debug_line parsing
- The root cause is a zero-sized field passed to byte_get_little_endian()
The failure path is:
display_debug_lines_raw()
-> read_and_display_attr_value()
-> fetch_indexed_addr()
-> byte_get_little_endian(size=0)
This is distinct from previously reported relocation or abbrev crashes.
Environment
===========
binutils version: 2.46.0
component: readelf
architecture: x86_64
OS: Ubuntu Linux (reproducible on 18.04 and 22.04)
Reproducibility: 100%
Impact
======
A malformed ELF file can reliably trigger a crash in readelf.
This constitutes a denial-of-service condition when readelf is
used to analyze untrusted binaries.
No memory corruption beyond abort() was observed.