I found an integer overflow bug in process_version_sections (readelf.c), which would make a for loop iterate millions of times.
============Reproduce the bug ============ root@manh-VirtualBox:~# readelf -a readefl_hang.elf ELF Header: Magic: 7f 45 4c 46 00 02 00 00 00 00 00 00 00 00 00 40 Class: none ................. => The program will run for very long time. ====================================== ============Description================== This description is for the version 2.29 ( https://ftp.gnu.org/gnu/binutils/binutils-2.29.tar.gz) At readelf.c:10388, idx += ent.vn_next. This triggers integer overflow, with suitable value of ent.vn_next. With the craft readelf_hang.elf above, the for loop at readelf.c:10304 have iterations as following (set breakpoint at readelf.c:10327 and examine idx, ent.vn_next,...): + Loop 0: idx = 0; ent.vn_next = 64 + Loop 1: idx = 64; ent.vn_next = 64 + Loop 2: idx = 128; ent.vn_next = 4294967168 + Loop 3: idx = 0; ent.vn_next = 64 + Loop 4: idx = 64; ent.vn_next = 64 + Loop 5: idx = 128; ent.vn_next = 4294967168 + Loop 6: idx = 0; ent.vn_next = 64 + Loop 7: idx = 64; ent.vn_next = 64 + Loop 8: idx = 128; ent.vn_next = 4294967168 .... When idx = 128, ent.vn_next = 4294967168, the expression idx + ent.vn_next gets 0 => idx += ent.vn_next gets overflow. So the loop would not break at line readelf.c:10312 if (idx > (size_t) (endbuf - (char *) eneed)) break; and it would iterate until cnt gets equals to section->sh_info. With readelf_hang.elf, section->sh_info = 1441792, so it iterates for 1441792 times. ====================================== ============Suggestion for Patching========= Add the following line before line readelf.c:10388 if (idx + ent.vn_next < idx) break; ======================================
readefl_hang.elf
Description: Binary data
_______________________________________________ bug-binutils mailing list bug-binutils@gnu.org https://lists.gnu.org/mailman/listinfo/bug-binutils
