https://sourceware.org/bugzilla/show_bug.cgi?id=32702
Bug ID: 32702
Summary: Null pointer dereference in bfd/elf32-i386.c
Product: binutils
Version: 2.32
Status: UNCONFIRMED
Severity: critical
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: shiyuyuranzh at gmail dot com
Target Milestone: ---

Created attachment 15958
  --> https://sourceware.org/bugzilla/attachment.cgi?id=15958&action=edit
Vulnerability paths and examples

I have found a potential null pointer dereference bug in bfd/elf32-i386.c and would like to report it to the maintainers. This vulnerability has the potential to cause unexpected application behavior or crashes. Can you please help me check it? Thank you for your effort and patience!

Below is the execution sequence of the program that may produce the null pointer dereference bug. The specific paths are shown in the attachment.

First, the function elf_i386_rtype_to_howto returns NULL on line 387 in file bfd/elf32-i386.c.

Second, function elf_i386_tls_transition calls function elf_i386_rtype_to_howto on lines 1154 and 1155, resulting in from and to being assigned NULL.

Finally, at line 1180, from and to are dereferenced, resulting in a null pointer dereference vulnerability.

In addition to this, other calls to the function elf_i386_rtype_to_howto have checks on their return values. The details are at the bottom of the attached image. For example, in file bfd/elf32-i386.c, function elf_i386_relocate_section calls function elf_i386_rtype_to_howto on line 2083, and later checks its return value on line 2084.
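The report describes a lookup function that returns NULL for unknown relocation types and a caller that dereferences the result without checking it, while a sibling caller does check. The following C program is an added illustration of that pattern and is not binutils code: `rtype_to_howto`, `howto_t`, the table entries and the `R_EX_*` names are constructed placeholders, not real i386 relocation codes or bfd's `reloc_howto_type`. `tls_transition_unchecked` mirrors the flagged call shape and is never called; `tls_transition_checked` shows the guard the report points to in the other caller.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a relocation descriptor; not bfd's reloc_howto_type. */
typedef struct {
    unsigned type;
    const char *name;
} howto_t;

/* Constructed table with placeholder codes and names (not real R_386_* values). */
static const howto_t howto_table[] = {
    { 1, "R_EX_TLS_GD" },
    { 2, "R_EX_TLS_IE" },
    { 3, "R_EX_TLS_LE" },
};

/* Same contract the report describes for elf_i386_rtype_to_howto:
   a known type yields a descriptor, an unknown type yields NULL. */
const howto_t *rtype_to_howto(unsigned r_type)
{
    for (size_t i = 0; i < sizeof howto_table / sizeof howto_table[0]; i++)
        if (howto_table[i].type == r_type)
            return &howto_table[i];
    return NULL;
}

/* The shape the report flags: both lookups are dereferenced with no NULL check.
   With an unknown type this reads through a NULL pointer, so it is shown only
   for comparison and is never called here. */
const char *tls_transition_unchecked(unsigned from_type, unsigned to_type)
{
    static char buf[64];
    const howto_t *from = rtype_to_howto(from_type);
    const howto_t *to = rtype_to_howto(to_type);
    snprintf(buf, sizeof buf, "%s -> %s", from->name, to->name);
    return buf;
}

/* Hardened form: test each lookup result before touching it and report the
   offending type instead of crashing. Returns a description of the
   transition, or an "error: ..." string when either type is unknown. */
const char *tls_transition_checked(unsigned from_type, unsigned to_type)
{
    static char buf[64];
    const howto_t *from = rtype_to_howto(from_type);
    const howto_t *to = rtype_to_howto(to_type);
    if (from == NULL || to == NULL) {
        snprintf(buf, sizeof buf, "error: unsupported relocation type %u",
                 from == NULL ? from_type : to_type);
        return buf;
    }
    snprintf(buf, sizeof buf, "%s -> %s", from->name, to->name);
    return buf;
}

/* True when both types resolve, i.e. when the unchecked path would be safe. */
bool tls_transition_supported(unsigned from_type, unsigned to_type)
{
    return rtype_to_howto(from_type) != NULL && rtype_to_howto(to_type) != NULL;
}

int main(void)
{
    /* A valid transition and one with an unknown destination type (99 is a constructed bad input). */
    printf("%s\n", tls_transition_checked(1, 3));
    printf("%s\n", tls_transition_checked(1, 99));
    printf("supported(2, 3) = %d\n", tls_transition_supported(2, 3));
    return 0;
}
```

The fix the report implies is the second shape: every caller of a function documented to return NULL must test the result on its own path, because a check in one caller (here `elf_i386_relocate_section`) does nothing for another (`elf_i386_tls_transition`).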