https://sourceware.org/bugzilla/show_bug.cgi?id=24909
Bug ID: 24909
Summary: Uninitialized use on stack in readelf
Product: binutils
Version: 2.33 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: wang8330 at umn dot edu
Target Milestone: ---

Created attachment 11949
--> https://sourceware.org/bugzilla/attachment.cgi?id=11949&action=edit
PoC to trigger the vulnerability.

There is an uninitialized use on the stack in readelf.c that may cause an information leak.

The commit id for the git repo I tested is fc9e754460ccf1c893fc9e67c02c49f58f1bd38e

Compile command:

CC=clang \
CFLAGS="-DFORTIFY_SOURCE=2 -fno-omit-frame-pointer -g -Wno-error -ggdb" \
./configure \
--disable-shared --disable-gdb --disable-libdecnumber --disable-readline \
--disable-sim
make

How to trigger the bug:

./readelf -a input

I tested this program using clang; not sure if it also exists for gcc.

When compiling with -O2, on line 12018 in function process_symbol_table() in readelf.c, sym_info is first declared on the stack. It is supposed to be updated on line 12044 in function get_symbol_version_string(). The problem is that there are only two statements in get_symbol_version_string() that initialize sym_info, and the input triggers neither of them, so sym_info is actually uninitialized when used on line 12051.

The input is attached.
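As an added example (not binutils code and not the reporter's PoC), the defect class described in the report modelled in C: a callee is expected to fill an out-parameter but only writes it on two paths, while the caller reads it unconditionally; the hardened forms assign it on every path. All names (symbol_record, lookup_version_info_*) and the sample records are hypothetical.

```c
/* Added example, not code from binutils: a stripped-down model of the
 * defect class in the report. The callee writes its out-parameter on only
 * two paths; for any other input the caller's stack slot keeps whatever
 * was there before. All names and inputs are hypothetical/constructed. */
#include <stddef.h>

enum version_info { VERSION_UNSET = 0, VERSION_DEFINED, VERSION_NEEDED,
                    VERSION_SENTINEL = 99 /* probe value, never a real state */ };

struct symbol_record {
    unsigned short versym;  /* constructed stand-in for a .gnu.version entry */
    int has_verdef;         /* symbol is covered by a version definition */
    int has_verneed;        /* symbol is covered by a version dependency */
};

/* Buggy shape: *info is written only when one of two conditions holds. */
static const char *
lookup_version_info_buggy(const struct symbol_record *s, enum version_info *info)
{
    if (s->has_verdef && (s->versym & 0x7fff) != 0) {
        *info = VERSION_DEFINED;
        return "defined";
    }
    if (s->has_verneed) {
        *info = VERSION_NEEDED;
        return "needed";
    }
    return NULL;  /* falls out without touching *info */
}

/* Hardened shape (callee side): assign a defined default before any early return. */
static const char *
lookup_version_info_fixed(const struct symbol_record *s, enum version_info *info)
{
    *info = VERSION_UNSET;
    return lookup_version_info_buggy(s, info);  /* same logic, now always defined */
}

/* Caller modelled on the report: declare, call, then read unconditionally.
 * The initializer is the caller-side fix; the callee-side fix is above. */
enum version_info symbol_version_kind(const struct symbol_record *s)
{
    enum version_info info = VERSION_UNSET;  /* never read an unset stack slot */
    (void)lookup_version_info_fixed(s, &info);
    return info;
}

/* Shows the buggy callee leaving the slot untouched; a sentinel is used so this
 * demonstration never itself reads an uninitialized value (undefined behaviour). */
enum version_info buggy_leaves_slot_untouched(const struct symbol_record *s)
{
    enum version_info probe = VERSION_SENTINEL;
    (void)lookup_version_info_buggy(s, &probe);
    return probe;  /* still VERSION_SENTINEL when neither branch fired */
}
```

Compiler warnings such as -Wuninitialized rarely see across a call boundary, so a runtime checker like MemorySanitizer (clang -fsanitize=memory) on the real binary is the practical way to surface this class of read.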