https://sourceware.org/bugzilla/show_bug.cgi?id=33743
Bug ID: 33743
Summary: readelf aborts with SIGABRT when processing malformed
ELF input during RELR relocation handling (binutils
2.46 (HEAD))
Product: binutils
Version: 2.46 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: 970429025 at qq dot com
Target Milestone: ---
Created attachment 16535
--> https://sourceware.org/bugzilla/attachment.cgi?id=16535&action=edit
The PoC attachment contains the input file that triggers the crash
Overview:
Running readelf -a --dwarf-start 128 on a malformed ELF file results in an
abnormal termination with SIGABRT during relocation processing.
Steps to Reproduce:
./readelf -a --dwarf-start 128 SIGABRT_3
Actual Results:
While handling the malformed ELF file, readelf reports numerous inconsistencies
related to relocation data and subsequently aborts execution, terminating with
SIGABRT.
GDB output excerpt:
readelf: Warning: [18]: Unexpected value (227476560) in info field.
readelf: Warning: Size of section 18 is larger than the entire file!
[18] <no-strings> 0a8b0400: <unkn 049f7df0 abe0ab0 e7045001 ce0db304
WAXxMLGCxop 17663500 227476560 1342246314
readelf: Warning: section 18: sh_link value of 17663500 is larger than the
number of sections
readelf: Warning: [19]: Unexpected value (623974990) in info field.
readelf: Warning: Size of section 19 is larger than the entire file!
[19] <no-strings> 0df20dd7: <unkn 0abe0ab3 10007f10 ffffffff 7f100d97
Wxxo 607197711 623974990 216990879
readelf: Warning: section 19: sh_link value of 607197711 is larger than the
number of sections
readelf: Warning: [20]: Unexpected value (607197711) in info field.
readelf: Warning: Size of section 20 is larger than the entire file!
[20] <no-strings> 1a0fffff: <unkn 049f2531 dbb0d97 10007f10 dbb049f
WMSTxxxxop 4294967295 607197711 624040526
readelf: Warning: section 20: sh_link value of 4294967295 is larger than the
number of sections
Key to Flags:
W (write), A (alloc), X (execute), M (merge), S (strings), I (info),
L (link order), O (extra OS processing required), G (group), T (TLS),
C (compressed), x (unknown), o (OS specific), E (exclude),
D (mbind), p (processor specific)
There are no section groups in this file.
readelf: Error: Too many program headers - 0x3000 - the file is not that big
There is no dynamic section in this file.
Relocation section 0 at offset 0 contains 6 entries which relocate 22
locations:
Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
51 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1 0x00007ffff6bbb7f1 in __GI_abort () at abort.c:79
#2 0x000000000047cab3 in dump_relr_relocations ()
#3 0x000000000048171e in display_relocations ()
#4 0x0000000000457a34 in process_relocs ()
#5 0x0000000000448976 in process_object ()
#6 0x00000000004391be in process_file ()
#7 0x0000000000437119 in main ()
(gdb)
Expected Results:
readelf should detect and report errors when encountering malformed ELF or
relocation data and exit cleanly, without invoking abort() or triggering a
SIGABRT.
Build & Platform:
binutils version: 2.46 (HEAD)
component: readelf
OS: Ubuntu 18.04.6 LTS
arch: x86_64
Additional Information:
The PoC attachment contains the input file that triggers the crash (SIGABRT_3).
Crash type: SIGABRT.
Fully reproducible.
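
Added example, not part of the original report and not binutils code: the report does not say why dump_relr_relocations() reaches abort(), so this only illustrates the behaviour asked for under Expected Results, a RELR walk that returns a status on malformed input instead of aborting. It follows the standard RELR encoding (even entry = address, odd entry = bitmap of following locations). All names and the sample bytes are constructed for the example, and entries are assumed little-endian.

```c
#include <stddef.h>
#include <stdint.h>

/* Added illustration, not binutils code.  All names are hypothetical.  */
enum relr_status { RELR_OK = 0, RELR_BAD_ENTSIZE, RELR_BAD_SIZE, RELR_BITMAP_FIRST };

/* Constructed sample: address entry 0x1000, then bitmap entry 0x0f.  */
const unsigned char relr_sample[16] = { 0x00, 0x10, 0, 0, 0, 0, 0, 0,
                                        0x0f, 0x00, 0, 0, 0, 0, 0, 0 };

/* Read one little-endian entry of width entsize (4 or 8) bytes.  */
static uint64_t relr_read_le(const unsigned char *p, size_t entsize)
{
    uint64_t v = 0;
    for (size_t i = entsize; i-- > 0; )
        v = (v << 8) | p[i];
    return v;
}

/* Walk a RELR section held in data[0..size) and count the locations it
   relocates.  Malformed input yields a status code; nothing aborts.  */
enum relr_status relr_count_locations(const unsigned char *data, size_t size,
                                      size_t entsize, uint64_t *locations)
{
    int have_base = 0;

    *locations = 0;
    if (entsize != 4 && entsize != 8)
        return RELR_BAD_ENTSIZE;          /* entry size comes from the file */
    if (size % entsize != 0)
        return RELR_BAD_SIZE;             /* truncated final entry */

    for (size_t off = 0; off < size; off += entsize) {
        uint64_t entry = relr_read_le(data + off, entsize);

        if ((entry & 1) == 0) {           /* even: an address, one location */
            have_base = 1;
            *locations += 1;
        } else {                          /* odd: bitmap, needs a prior address */
            if (!have_base)
                return RELR_BITMAP_FIRST; /* this example rejects it */
            for (entry >>= 1; entry != 0; entry >>= 1)
                *locations += entry & 1;  /* each set bit is one location */
        }
    }
    return RELR_OK;
}
```

A caller would print a diagnostic for any status other than RELR_OK and move on to the next section.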