bug-binutils

[Bug binutils/29290] New: dwarf.c: null pointer dereference


From: h3xrabbit at gmail dot com
Subject: [Bug binutils/29290] New: dwarf.c: null pointer dereference
Date: Sun, 26 Jun 2022 21:12:22 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=29290

            Bug ID: 29290
           Summary: dwarf.c: null pointer dereference
           Product: binutils
           Version: 2.39 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: h3xrabbit at gmail dot com
  Target Milestone: ---

Created attachment 14177
  --> https://sourceware.org/bugzilla/attachment.cgi?id=14177&action=edit
PoC to trigger null pointer dereference

During a fuzzing campaign, I discovered a null pointer dereference bug in readelf
(on the latest commit 9544899f2809833729159b0acb414ef7730650d5) in
read_and_display_attr_value(), that can cause a denial of service via a crafted
file.

To reproduce the bug:
```
readelf -w poc
```

ASAN output:
```
=================================================================
==527903==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000078 (pc 0x0000005da25e bp 0x7ffc9e9d8460 sp 0x7ffc9e9d79e0 T0)
==527903==The signal is caused by a READ memory access.
==527903==Hint: address points to the zero page.
    #0 0x5da25e in read_and_display_attr_value ../../binutils/dwarf.c:2758:50
    #1 0x5cbe63 in display_debug_names ../../binutils/dwarf.c:10369:16
    #2 0x57a10c in display_debug_section ../../binutils/readelf.c:16234:18
    #3 0x5318a4 in process_section_contents ../../binutils/readelf.c:16330:10
    #4 0x51183a in process_object ../../binutils/readelf.c:22368:9
    #5 0x501331 in process_file ../../binutils/readelf.c:22791:13
    #6 0x4feb82 in main ../../binutils/readelf.c:22862:11
    #7 0x7fb874918082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #8 0x41c4ad in _start (build3/binutils/readelf+0x41c4ad)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/binutils/build3/binutils/../../binutils/dwarf.c:2758:50 in read_and_display_attr_value
==527903==ABORTING
```
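
The AddressSanitizer report above is the kind of artifact a fuzzing pipeline has to triage in bulk. As an added example that is not part of this bug report or of binutils, the Python below parses such a report into its error kind, fault address, access type and stack frames, flags a SEGV in the zero page as a null pointer dereference, and derives a deduplication key from the innermost application frames. The sample input is the report from this bug with its mail-wrapped lines rejoined; `PAGE_SIZE` and `IGNORED_PREFIXES` are assumptions chosen for the example.

```python
import re

# Constructed sample input: the AddressSanitizer report from the bug report
# above, with the mail-wrapped lines rejoined.
ASAN_REPORT = """\
=================================================================
==527903==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000078 (pc 0x0000005da25e bp 0x7ffc9e9d8460 sp 0x7ffc9e9d79e0 T0)
==527903==The signal is caused by a READ memory access.
==527903==Hint: address points to the zero page.
    #0 0x5da25e in read_and_display_attr_value ../../binutils/dwarf.c:2758:50
    #1 0x5cbe63 in display_debug_names ../../binutils/dwarf.c:10369:16
    #2 0x57a10c in display_debug_section ../../binutils/readelf.c:16234:18
    #3 0x5318a4 in process_section_contents ../../binutils/readelf.c:16330:10
    #4 0x51183a in process_object ../../binutils/readelf.c:22368:9
    #5 0x501331 in process_file ../../binutils/readelf.c:22791:13
    #6 0x4feb82 in main ../../binutils/readelf.c:22862:11
    #7 0x7fb874918082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #8 0x41c4ad in _start (build3/binutils/readelf+0x41c4ad)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/binutils/build3/binutils/../../binutils/dwarf.c:2758:50 in read_and_display_attr_value
==527903==ABORTING
"""

# "ERROR: AddressSanitizer: <kind> on [unknown ]address <addr>"
ERROR_RE = re.compile(
    r"^==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+)"
    r"(?: on (?:unknown )?address (?P<addr>0x[0-9a-fA-F]+))?")
ACCESS_RE = re.compile(r"^==\d+==The signal is caused by a (?P<access>READ|WRITE)")
# "#<depth> 0x<pc> in <func> <location>"
FRAME_RE = re.compile(
    r"^\s*#(?P<depth>\d+)\s+0x[0-9a-fA-F]+\s+in\s+(?P<func>\S+)\s+(?P<loc>.*)$")
# "<file>:<line>[:<col>]"; module+offset locations deliberately do not match
LOC_RE = re.compile(r"^(?P<file>\S+?):(?P<line>\d+)(?::(?P<col>\d+))?$")

PAGE_SIZE = 4096  # assumption: 4 KiB zero page (usual x86-64 Linux setting)
IGNORED_PREFIXES = ("__libc_", "_start")  # assumption: runtime frames to skip


def parse_asan_report(text: str) -> dict:
    """Parse one ASan report into kind, address, access, zero-page hint and frames."""
    report = {"kind": None, "address": None, "access": None,
              "zero_page_hint": False, "frames": []}
    for line in text.splitlines():
        m = ERROR_RE.match(line)
        if m:
            report["kind"] = m.group("kind")
            if m.group("addr"):
                report["address"] = int(m.group("addr"), 16)
            continue
        m = ACCESS_RE.match(line)
        if m:
            report["access"] = m.group("access")
            continue
        if "address points to the zero page" in line:
            report["zero_page_hint"] = True
            continue
        m = FRAME_RE.match(line)
        if m:
            frame = {"depth": int(m.group("depth")), "func": m.group("func"),
                     "file": None, "line": None}
            lm = LOC_RE.match(m.group("loc"))
            if lm:  # source-level location available
                frame["file"] = lm.group("file")
                frame["line"] = int(lm.group("line"))
            report["frames"].append(frame)
    return report


def is_null_deref(report: dict) -> bool:
    """True for a SEGV whose fault address lies in the first page of memory."""
    if report["kind"] != "SEGV":
        return False
    if report["zero_page_hint"]:
        return True
    return report["address"] is not None and report["address"] < PAGE_SIZE


def fault_site(report: dict) -> str:
    """'file:line' of the innermost frame, or '?' if unavailable."""
    if not report["frames"] or report["frames"][0]["file"] is None:
        return "?"
    top = report["frames"][0]
    return f"{top['file']}:{top['line']}"


def crash_signature(report: dict, depth: int = 3) -> str:
    """Join the innermost `depth` application frames into a dedup key."""
    funcs = [f["func"] for f in report["frames"]
             if not f["func"].startswith(IGNORED_PREFIXES)]
    return "|".join(funcs[:depth])


if __name__ == "__main__":
    r = parse_asan_report(ASAN_REPORT)
    print(r["kind"], hex(r["address"]), r["access"], "null-deref:", is_null_deref(r))
    print("site:", fault_site(r))
    print("signature:", crash_signature(r))
```

A small non-zero fault address such as 0x78 usually means a field read through a pointer that is NULL, which is why the zero-page check treats the whole first page as a null dereference rather than only address 0. The signature of the three innermost frames is what lets a campaign collapse many crashing inputs onto one bug before anyone reads the individual reports.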
