https://sourceware.org/bugzilla/show_bug.cgi?id=34402
Bug ID: 34402
Summary: NULL pointer dereference in
sparc_check_object_attribute() via crafted SPARC ELF
Product: elfutils
Version: unspecified
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: backends
Assignee: unassigned at sourceware dot org
Reporter: nathan.auvray60 at gmail dot com
CC: elfutils-devel at sourceware dot org
Target Milestone: ---
Created attachment 16846
--> https://sourceware.org/bugzilla/attachment.cgi?id=16846&action=edit
the PoC for the bug
A NULL pointer dereference occurs in `sparc_check_object_attribute()`
(backends/sparc_attrs.c).
When parsing a SPARC ELF file with a `.gnu.attributes` section (tag 4:
GNU_Sparc_HWCAPS), if the value has bit 31 set (e.g., 0x80000000), the loop
variable `cap` reaches 31.
Since `caps[31]` is NULL, it calls `strcat(s, NULL)`, leading to an immediate
SIGSEGV.
Impact:
Reliable Denial of Service (crash) in `eu-readelf -A` and `eu-elflint` when
analyzing a crafted file.
Proposed fix:
Guard the strcat call:
if (caps[cap] != NULL) { ... }
I have attached a Python PoC script that generates the crashing ELF files.
--
You are receiving this mail because:
You are on the CC list for the bug.