https://sourceware.org/bugzilla/show_bug.cgi?id=34402

            Bug ID: 34402
           Summary: NULL pointer dereference in
                    sparc_check_object_attribute() via crafted SPARC ELF
           Product: elfutils
           Version: unspecified
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: backends
          Assignee: unassigned at sourceware dot org
          Reporter: nathan.auvray60 at gmail dot com
                CC: elfutils-devel at sourceware dot org
  Target Milestone: ---

Created attachment 16846
  --> https://sourceware.org/bugzilla/attachment.cgi?id=16846&action=edit
the PoC for the bug

A NULL pointer dereference occurs in `sparc_check_object_attribute()`
(backends/sparc_attrs.c).

When parsing a SPARC ELF file with a `.gnu.attributes` section (tag 4:
GNU_Sparc_HWCAPS), if the value has bit 31 set (e.g., 0x80000000), the loop
variable `cap` reaches 31. 
Since `caps[31]` is NULL, it calls `strcat(s, NULL)`, leading to an immediate
SIGSEGV.

Impact: 
Reliable Denial of Service (crash) in `eu-readelf -A` and `eu-elflint` when
analyzing a crafted file.

Proposed fix:
Guard the strcat call:
if (caps[cap] != NULL) { ... }

I have attached a Python PoC script that generates the crashing ELF files.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

Reply via email to