https://sourceware.org/bugzilla/show_bug.cgi?id=34131
Bug ID: 34131
Summary: NULL deref in elfobj_grok_stapsdt_note_1 via crafted
NT_STAPSDT ELF note (bfd/elf.c:) (CWE-476)
Product: binutils
Version: 2.47 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: ihlopez18 at gmail dot com
Target Milestone: ---
elfobj_grok_stapsdt_note_1() in bfd/elf.c allocates memory for an sdt_note
structure using bfd_alloc() but does not check the return value before
immediately writing through the pointer. If bfd_alloc() returns NULL, which it
does under memory pressure or when bfd_abort_on_alloc_error is not set, the
assignment cur->next = elf_tdata(abfd)->sdt_note_head at line 11340 performs a
write to address 0x0, causing an immediate SIGSEGV. The same bug appears at line
11337.
The rest of the bfd_alloc callers in the same codebase check the return value.
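The pattern the report describes, shown as an added example that is not binutils code: a note parser that links an allocated record into a per-object list, once with the allocation result written through before it is checked (the reported shape) and once with the NULL check that the other bfd_alloc call sites are said to have. The struct fields, the simulated allocator and the descriptor bytes are constructed for the example and are assumptions, not bfd's own definitions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the sdt_note record the parser links into a
   per-bfd list; field names are assumptions, not bfd's. */
struct sdt_note {
  struct sdt_note *next;
  size_t size;
  char contents[];             /* note descriptor bytes follow the header */
};

struct tdata {
  struct sdt_note *sdt_note_head;
};

/* Simulated allocator: returns NULL on demand, the way bfd_alloc does when
   memory is exhausted, so the failure path can be exercised deterministically. */
static bool simulate_alloc_failure = false;

static void *sim_alloc(size_t n)
{
  return simulate_alloc_failure ? NULL : malloc(n);
}

/* The reported pattern: the allocation result is written through before it
   is checked. If sim_alloc() returned NULL, cur->next = ... is a write to
   address 0 and the process dies with SIGSEGV. Kept only for comparison;
   never call it with simulate_alloc_failure set. */
static bool grok_note_unchecked(struct tdata *td, const char *desc, size_t len)
{
  struct sdt_note *cur = sim_alloc(sizeof *cur + len);
  cur->next = td->sdt_note_head;       /* NULL dereference if alloc failed */
  cur->size = len;
  memcpy(cur->contents, desc, len);
  td->sdt_note_head = cur;
  return true;
}

/* Hardened form: test the pointer first and report failure to the caller
   instead of touching memory through it. */
static bool grok_note_checked(struct tdata *td, const char *desc, size_t len)
{
  struct sdt_note *cur = sim_alloc(sizeof *cur + len);
  if (cur == NULL)
    return false;                      /* out of memory: fail, do not crash */
  cur->next = td->sdt_note_head;
  cur->size = len;
  memcpy(cur->contents, desc, len);
  td->sdt_note_head = cur;
  return true;
}

static void free_notes(struct tdata *td)
{
  while (td->sdt_note_head) {
    struct sdt_note *n = td->sdt_note_head;
    td->sdt_note_head = n->next;
    free(n);
  }
}

/* Run the hardened parser over two constructed descriptors with the allocator
   optionally failing. Returns the number of notes linked; *all_ok reports
   whether every note was accepted. */
static int parse_notes(bool fail_alloc, bool *all_ok)
{
  static const char desc0[] = "provider\0probe\0";   /* constructed sample */
  static const char desc1[] = "provider2\0probe2\0";  /* constructed sample */
  const struct { const char *p; size_t n; } descs[] = {
    { desc0, sizeof desc0 }, { desc1, sizeof desc1 }
  };
  struct tdata td = { NULL };
  int linked = 0;

  *all_ok = true;
  simulate_alloc_failure = fail_alloc;
  for (size_t i = 0; i < 2; i++) {
    if (grok_note_checked(&td, descs[i].p, descs[i].n))
      linked++;
    else
      *all_ok = false;                 /* failure is reported, not a crash */
  }
  simulate_alloc_failure = false;
  free_notes(&td);
  return linked;
}

int main(void)
{
  bool ok;
  int n = parse_notes(false, &ok);
  printf("allocator healthy: %d notes linked, ok=%d\n", n, ok);
  n = parse_notes(true, &ok);
  printf("allocator failing: %d notes linked, ok=%d (no SIGSEGV)\n", n, ok);
  return 0;
}
```

The unchecked variant is what a fuzzer exercising allocation failure (or a crafted note large enough to exhaust the arena) turns into a crash; the checked variant turns the same condition into an ordinary parse failure the caller can propagate, which is the behaviour the other bfd_alloc call sites in the report already have.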