Submit #496485: GNU elfutils/eu-readelf 0.192 buffer over read

Title: GNU elfutils/eu-readelf 0.192 buffer over read
Description:

**Description**
A segv can occur in eu-readelf when using the -z and -x options with a specially crafted input file. This issue leads to a buffer overflow.

**Affected Version**
elfutils 0.192

**Steps to Reproduce**
Build elfutils 0.192 with AddressSanitizer (e.g., CFLAGS="-g -fsanitize=address" ./configure && make -j).

```
/mnt/data/optfuzz/benchmark/elfutils-0.192/bins/bin/eu-readelf -z -x 6 /tmp/poc
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1889020==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fc3af0914d0 bp 0x7ffda19688b0 sp 0x7ffda1968010 T0)
==1889020==The signal is caused by a READ memory access.
==1889020==Hint: address points to the zero page.
    #0 0x7fc3af0914cf in __interceptor_strncmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:449
    #1 0x56189b286c4d in startswith ../lib/system.h:117
    #2 0x56189b2e2e47 in dump_data_section /mnt/data/optfuzz/benchmark/elfutils-0.192/src/readelf.c:13312
    #3 0x56189b2e3ad5 in for_each_section_argument /mnt/data/optfuzz/benchmark/elfutils-0.192/src/readelf.c:13440
    #4 0x56189b2e3e7b in dump_data /mnt/data/optfuzz/benchmark/elfutils-0.192/src/readelf.c:13470
    #5 0x56189b28c062 in process_elf_file /mnt/data/optfuzz/benchmark/elfutils-0.192/src/readelf.c:1080
    #6 0x56189b28ab5b in process_dwflmod /mnt/data/optfuzz/benchmark/elfutils-0.192/src/readelf.c:840
    #7 0x7fc3afb5b708 in dwfl_getmodules /mnt/data/optfuzz/benchmark/elfutils-0.192/libdwfl/dwfl_getmodules.c:86
    #8 0x56189b28b5b9 in process_file /mnt/data/optfuzz/benchmark/elfutils-0.192/src/readelf.c:948
    #9 0x56189b2891e6 in main /mnt/data/optfuzz/benchmark/elfutils-0.192/src/readelf.c:417
    #10 0x7fc3aedd0082 in __libc_start_main ../csu/libc-start.c:308
    #11 0x56189b286b2d in _start (/mnt/data/optfuzz/benchmark/elfutils-0.192/bins/bin/eu-readelf+0x6bb2d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:449 in __interceptor_strncmp
==1889020==ABORTING
```

**Env**
Distributor ID: Ubuntu
Description: Ubuntu 20.04.6 LTS
Release: 20.04
Codename: focal
Source: https://sourceware.org/bugzilla/show_bug.cgi?id=32656
User: rookie (UID 80861)
Submission: 02/07/2025 10:27 AM (2 months ago)
Moderation: 02/16/2025 11:36 AM (9 days later)
Status: Accepted
VulDB Entry: 295981 [GNU elfutils 0.192 eu-readelf readelf.c dump_data_section/print_string_section z/x buffer overflow]
Points: 20
