https://sourceware.org/bugzilla/show_bug.cgi?id=32710
Bug ID: 32710
Summary: Null pointer dereference in libiberty/hashtab.c
Product: binutils
Version: 2.32
Status: UNCONFIRMED
Severity: critical
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: shiyuyuranzh at gmail dot com
Target Milestone: ---

Created attachment 15962
  --> https://sourceware.org/bugzilla/attachment.cgi?id=15962&action=edit
Vulnerability paths

I have found a potential null pointer dereference bug in libiberty/hashtab.c and would like to report it to the maintainers. Can you please help me check it? Thank you for your effort and patience!

Below is the execution sequence of the program that may produce a null pointer dereference bug. The specific paths are shown in the attachment.

First, in the file libiberty/hashtab.c, the function htab_find_slot_with_hash may return NULL at line 684, if the condition insert == NO_INSERT is judged to be true.

Second, the function htab_remove_elt_with_hash calls htab_find_slot_with_hash on line 727, which causes the variable slot to be assigned NULL.

Finally, at line 728, slot is dereferenced, leading to a null pointer dereference vulnerability.

In addition to this, in other calls to the function htab_find_slot_with_hash, there are checks on whether its return value is NULL. For example, in the file bfd/elf64-ppc.c, the function tocsave_find calls htab_find_slot_with_hash on line 6429, and then checks whether its return value is NULL on line 6430. The specific code is in the attached file.
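
The pattern this report describes, as an added example that is not part of the original report and is not libiberty's code: a simplified table whose lookup returns NULL in no-insert mode for an absent key, with the unguarded removal beside a guarded one. Every `toy_*` name, the table layout and the sample keys and hashes are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Simplified open-addressing table; every toy_* name is hypothetical. */
enum toy_mode { TOY_NO_INSERT, TOY_INSERT };
#define TOY_SIZE 8
static const char toy_deleted[] = "";   /* tombstone marker */
struct toy_tab { const char *slots[TOY_SIZE]; };

/* Returns the slot holding key, or an empty slot in TOY_INSERT mode.
   Returns NULL when key is absent in TOY_NO_INSERT mode (or table full). */
const char **toy_find_slot(struct toy_tab *t, const char *key,
                           size_t hash, enum toy_mode mode) {
    for (size_t n = 0, i = hash % TOY_SIZE; n < TOY_SIZE;
         n++, i = (i + 1) % TOY_SIZE) {
        if (t->slots[i] == NULL)
            return mode == TOY_INSERT ? &t->slots[i] : NULL;
        if (t->slots[i] != toy_deleted && strcmp(t->slots[i], key) == 0)
            return &t->slots[i];
    }
    return NULL;
}

/* Unguarded removal, the shape the report describes. */
int toy_remove_unchecked(struct toy_tab *t, const char *key, size_t hash) {
    const char **slot = toy_find_slot(t, key, hash, TOY_NO_INSERT);
    *slot = toy_deleted;        /* NULL dereference when key is absent */
    return 1;
}

/* Guarded removal: test the NO_INSERT result before dereferencing it. */
int toy_remove(struct toy_tab *t, const char *key, size_t hash) {
    const char **slot = toy_find_slot(t, key, hash, TOY_NO_INSERT);
    if (slot == NULL)
        return 0;               /* key not present, nothing to remove */
    *slot = toy_deleted;
    return 1;
}

int main(void) {
    struct toy_tab t = {{0}};   /* constructed sample table */
    const char **slot = toy_find_slot(&t, "alpha", 3, TOY_INSERT);
    if (slot != NULL)
        *slot = "alpha";
    return toy_remove(&t, "missing", 5);   /* 0: absent key is handled */
}
```
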