| Field | Value |
|---|---|
| Title | GNU elfutils/eu-readelf 0.192 Buffer Over-read |

**Description**

A segv can occur in eu-readelf when using the -D and -a options with a specially crafted input file. This issue leads to a buffer overflow.

**Affected Version**

elfutils 0.192
**Steps to Reproduce**

Build elfutils 0.192 with AddressSanitizer (e.g., CFLAGS="-g -fsanitize=address" ./configure && make -j).

```
/mnt/data/optfuzz/benchmark/elfutils-0.192/bins/bin/eu-readelf -a -D /tmp/poc
ELF Header:
Magic: 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
Class: ELF64
Data: 2's complement, little endian
Ident Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
Type: REL (Relocatable file)
Machine: SPARC v9
Version: 1 (current)
Entry point address: 0xde00000000000000
Start of program headers: 1143 (bytes into file)
Start of section headers: 274877906944 (bytes into file)
Flags: 0x400000
Size of this header: 16 (bytes)
Size of program header entries: 13 (bytes)
Number of program headers entries: 54
Size of section header entries: 0 (bytes)
Number of section headers entries: 4
Section header string table index: 0
Section Headers:
[Nr] Name Type Addr Off Size ES Flags Lk Inf Al
Program Headers:
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
???
???
???
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2738438==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x557b7b003aa3 bp 0x7ffc944cabd0 sp 0x7ffc944ca8a0 T0)
==2738438==The signal is caused by a READ memory access.
==2738438==Hint: address points to the zero page.
#0 0x557b7b003aa2 in handle_dynamic_symtab /mnt/data/optfuzz/benchmark/elfutils-0.192/src/readelf.c:2903
#1 0x557b7b001104 in print_symtab /mnt/data/optfuzz/benchmark/elfutils-0.192/src/readelf.c:2582
#2 0x557b7aff5f39 in process_elf_file /mnt/data/optfuzz/benchmark/elfutils-0.192/src/readelf.c:1064
#3 0x557b7aff4b5b in process_dwflmod /mnt/data/optfuzz/benchmark/elfutils-0.192/src/readelf.c:840
#4 0x7f9401a24708 in dwfl_getmodules /mnt/data/optfuzz/benchmark/elfutils-0.192/libdwfl/dwfl_getmodules.c:86
#5 0x557b7aff55b9 in process_file /mnt/data/optfuzz/benchmark/elfutils-0.192/src/readelf.c:948
#6 0x557b7aff31e6 in main /mnt/data/optfuzz/benchmark/elfutils-0.192/src/readelf.c:417
#7 0x7f9400c99082 in __libc_start_main ../csu/libc-start.c:308
#8 0x557b7aff0b2d in _start (/mnt/data/optfuzz/benchmark/elfutils-0.192/bins/bin/eu-readelf+0x6bb2d)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /mnt/data/optfuzz/benchmark/elfutils-0.192/src/readelf.c:2903 in handle_dynamic_symtab
==2738438==ABORTING
```
**Env**

```
Distributor ID: Ubuntu
Description: Ubuntu 20.04.6 LTS
Release: 20.04
Codename: focal
```
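The header dump above shows the kind of internally inconsistent ELF metadata that fuzzers produce: an ELF64 file whose header claims to be 16 bytes long, 13-byte program header entries, 0-byte section header entries, and a section header table offset far beyond any plausible file size. The following Python script is an added example, not part of the bug report or of elfutils, that parses an ELF64 header and flags such inconsistencies before a file is handed to analysis tooling. The two sample headers are constructed here: one reproduces only the 64-byte header field values from the dump (not the reproducer file, which the report does not include), the other is a minimal well-formed header with an empty section table.

```python
import struct

# ELF64 header layout (System V gABI): e_ident[16] followed by 13 fixed fields,
# little-endian as in the dump above.
ELF64_EHDR_FMT = "<16sHHIQQQIHHHHHH"
ELF64_EHDR_SIZE = struct.calcsize(ELF64_EHDR_FMT)  # 64
ELF64_PHDR_SIZE = 56                                # sizeof(Elf64_Phdr)
ELF64_SHDR_SIZE = 64                                # sizeof(Elf64_Shdr)
ELFCLASS64 = 2
ELFDATA2LSB = 1
EM_SPARCV9 = 43
EM_X86_64 = 62


def check_elf64_header(data: bytes) -> list:
    """Return a list of consistency findings for a little-endian ELF64 header.

    An empty list means every size and offset in the header agrees with the
    ELF64 structure sizes and fits inside the supplied file bytes.
    """
    findings = []
    if len(data) < ELF64_EHDR_SIZE:
        return ["file shorter than an ELF64 header"]
    (ident, e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
     e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx) = \
        struct.unpack_from(ELF64_EHDR_FMT, data, 0)
    if ident[:4] != b"\x7fELF":
        return ["bad ELF magic"]
    if ident[4] != ELFCLASS64 or ident[5] != ELFDATA2LSB:
        return ["checker only handles ELFCLASS64 / ELFDATA2LSB"]
    if e_version != 1:
        findings.append(f"e_version={e_version}, expected 1")
    if e_ehsize != ELF64_EHDR_SIZE:
        findings.append(f"e_ehsize={e_ehsize}, expected {ELF64_EHDR_SIZE}")
    if e_phnum and e_phentsize != ELF64_PHDR_SIZE:
        findings.append(f"e_phentsize={e_phentsize}, expected {ELF64_PHDR_SIZE}")
    if e_shnum and e_shentsize != ELF64_SHDR_SIZE:
        findings.append(f"e_shentsize={e_shentsize}, expected {ELF64_SHDR_SIZE}")
    # Table extents are computed with Python ints, so the huge e_shoff in the
    # dump cannot wrap around the way a C size_t multiplication might.
    if e_phnum and e_phoff + e_phnum * e_phentsize > len(data):
        findings.append(
            f"program header table (offset {e_phoff}, {e_phnum} x {e_phentsize} bytes) "
            f"extends past end of file ({len(data)} bytes)")
    if e_shnum and e_shoff + e_shnum * e_shentsize > len(data):
        findings.append(
            f"section header table (offset {e_shoff}, {e_shnum} x {e_shentsize} bytes) "
            f"extends past end of file ({len(data)} bytes)")
    if e_shstrndx and e_shstrndx >= e_shnum:
        findings.append(f"e_shstrndx={e_shstrndx} is outside the {e_shnum}-entry section table")
    return findings


ELF64_LE_IDENT = b"\x7fELF\x02\x01\x01" + b"\x00" * 9

# Constructed sample: only the header, with the field values shown in the
# eu-readelf dump above (ET_REL, SPARC v9, e_ehsize 16, e_phentsize 13, ...).
CRAFTED_HEADER = struct.pack(
    ELF64_EHDR_FMT, ELF64_LE_IDENT, 1, EM_SPARCV9, 1,
    0xDE00000000000000, 1143, 274877906944, 0x400000,
    16, 13, 54, 0, 4, 0)

# Constructed sample: a well-formed relocatable with a two-entry section header
# table (the null entry plus one) placed right after the 64-byte header.
WELL_FORMED_ELF = struct.pack(
    ELF64_EHDR_FMT, ELF64_LE_IDENT, 1, EM_X86_64, 1,
    0, 0, ELF64_EHDR_SIZE, 0,
    ELF64_EHDR_SIZE, 0, 0, ELF64_SHDR_SIZE, 2, 1) + b"\x00" * (2 * ELF64_SHDR_SIZE)


if __name__ == "__main__":
    for label, blob in (("crafted", CRAFTED_HEADER), ("well-formed", WELL_FORMED_ELF)):
        problems = check_elf64_header(blob)
        print(f"{label}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

Running the script reports five findings for the crafted header (wrong e_ehsize, e_phentsize and e_shentsize, and both tables beyond end of file) and none for the well-formed sample. A check like this is a cheap pre-filter in a triage or intake pipeline: a file that fails it can be quarantined or routed to a sandboxed parser rather than being opened directly with a production tool.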
| Field | Value |
|---|---|
| Source | https://sourceware.org/bugzilla/show_bug.cgi?id=32655 |
| User | rookie (UID 80861) |
| Submission | 02/07/2025 10:19 AM (3 months ago) |
| Moderation | 02/16/2025 10:10 AM (9 days later) |
| Status | Accepted |
| VulDB Entry | 295978 [GNU elfutils 0.192 eu-read readelf.c handle_dynamic_symtab null pointer dereference] |
| Points | 20 |