List:       binutils-bugs
Subject:    [Bug binutils/29290] New: dwarf.c: null pointer dereference
From:       "h3xrabbit at gmail dot com" <sourceware-bugzilla () sourceware ! org>
Date:       2022-06-26 21:12:22
Message-ID: bug-29290-70 () http ! sourceware ! org/bugzilla/

https://sourceware.org/bugzilla/show_bug.cgi?id=29290

            Bug ID: 29290
           Summary: dwarf.c: null pointer dereference
           Product: binutils
           Version: 2.39 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: h3xrabbit at gmail dot com
  Target Milestone: ---

Created attachment 14177
  --> https://sourceware.org/bugzilla/attachment.cgi?id=14177&action=edit
PoC to trigger null pointer dereference

During a fuzzing campaign, I discovered a null pointer dereference bug in readelf
(on the latest commit 9544899f2809833729159b0acb414ef7730650d5) in
read_and_display_attr_value(), that can cause a denial of service via a crafted
file.

To reproduce the bug:
```
readelf -w poc
```

ASAN output:
```
=================================================================
==527903==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000078 (pc
0x0000005da25e bp 0x7ffc9e9d8460 sp 0x7ffc9e9d79e0 T0)
==527903==The signal is caused by a READ memory access.
==527903==Hint: address points to the zero page.
    #0 0x5da25e in read_and_display_attr_value ../../binutils/dwarf.c:2758:50
    #1 0x5cbe63 in display_debug_names ../../binutils/dwarf.c:10369:16
    #2 0x57a10c in display_debug_section ../../binutils/readelf.c:16234:18
    #3 0x5318a4 in process_section_contents ../../binutils/readelf.c:16330:10
    #4 0x51183a in process_object ../../binutils/readelf.c:22368:9
    #5 0x501331 in process_file ../../binutils/readelf.c:22791:13
    #6 0x4feb82 in main ../../binutils/readelf.c:22862:11
    #7 0x7fb874918082 in __libc_start_main
/build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #8 0x41c4ad in _start (build3/binutils/readelf+0x41c4ad)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV
/tmp/binutils/build3/binutils/../../binutils/dwarf.c:2758:50 in
read_and_display_attr_value
==527903==ABORTING
