https://sourceware.org/bugzilla/show_bug.cgi?id=33640
Bug ID: 33640
Summary: readelf enters non-terminating output loop on crafted input
Product: binutils
Version: 2.44
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: 970429025 at qq dot com
Target Milestone: ---
Created attachment 16471
--> https://sourceware.org/bugzilla/attachment.cgi?id=16471&action=edit
The PoC attachment contains the input file (Infinite_Loop) that triggers this
behavior.
Overview
Running readelf with the provided input causes the program to repeatedly print
table information without terminating.
The program does not crash, but continues producing similar output until
manually interrupted.
Steps to Reproduce:
./readelf --debug-dump --extra-sym-info Infinite_Loop
Actual Results:
objdump prints repeated table entries such as:
Table at Offset 0x21a520
Length: 0
DWARF version: 0
Address size: 0
Segment size: 0
Offset entries: 0
Table at Offset 0x21a524
Length: 0
DWARF version: 0
Address size: 0
Segment size: 0
Offset entries: 0
This behavior continues indefinitely.
The program does not exit and must be stopped manually (e.g., Ctrl-C in gdb).
Relevant GDB excerpt:
Table at Offset 0x21a524
Length: 0
DWARF version: 0
Address size: 0
Segment size: 0
Offset entries: 0
Table at Offset 0x21a528
Length: 0
DWARF version: 0
Address size: 0
Segment size: 0
Offset entries: 0
^C
Program received signal SIGINT, Interrupt.
0x00007f626c0ac104 in __GI___libc_write (fd=1, buf=0xdd959e0, nbytes=25) at
../sysdeps/unix/sysv/linux/write.c:27
27 ../sysdeps/unix/sysv/linux/write.c: No such file or directory.
(gdb) bt
#0 0x00007f626c0ac104 in __GI___libc_write (fd=1, buf=0xdd959e0, nbytes=25) at
../sysdeps/unix/sysv/linux/write.c:27
#1 0x00007f626c02715d in _IO_new_file_write (f=0x7f626c388760
<_IO_2_1_stdout_>, data=0xdd959e0, n=25) at fileops.c:1203
#2 0x00007f626c028f01 in new_do_write (to_do=25, data=0xdd959e0 "Table at
Offset 0x21a52c\ng at 0xc:\ntion:\n\n", fp=0x7f626c388760 <_IO_2_1_stdout_>) at
fileops.c:457
#3 _IO_new_do_write (fp=0x7f626c388760 <_IO_2_1_stdout_>, data=0xdd959e0
"Table at Offset 0x21a52c\ng at 0xc:\ntion:\n\n", to_do=25) at fileops.c:433
#4 0x00007f626c02798d in _IO_new_file_xsputn (f=0x7f626c388760
<_IO_2_1_stdout_>, data=<optimized out>, n=1) at fileops.c:1266
#5 0x00007f626bff797a in _IO_vfprintf_internal (s=0x7f626c388760
<_IO_2_1_stdout_>, format=0x6379f2 "Table at Offset %#lx\n",
ap=ap@entry=0x7ffc169e8410) at vfprintf.c:1674
#6 0x00007f626c000ee6 in __printf (format=<optimized out>) at printf.c:33
#7 0x000000000050315f in display_loclists_unit_header
(section=section@entry=0x885da0 <debug_displays+1568>, header_offset=2204972,
offset_count=offset_count@entry=0x7ffc169e858c,
loclists_start=loclists_start@entry=0x7ffc169e85d8) at
../../binutils-2.44/binutils/dwarf.c:7260
#8 0x00000000004d904e in display_debug_loc (section=section@entry=0x885da0
<debug_displays+1568>, file=file@entry=0xdd943d0) at
../../binutils-2.44/binutils/dwarf.c:7486
#9 0x0000000000499df0 in display_debug_section (shndx=9,
section=section@entry=0xdd968e0, filedata=filedata@entry=0xdd943d0) at
../../binutils-2.44/binutils/readelf.c:17538
#10 0x00000000004614a9 in process_section_contents
(filedata=filedata@entry=0xdd943d0) at
../../binutils-2.44/binutils/readelf.c:17693
#11 0x0000000000449edc in process_object (filedata=filedata@entry=0xdd943d0) at
../../binutils-2.44/binutils/readelf.c:23818
#12 0x0000000000448e9b in process_archive (filedata=filedata@entry=0xdd943d0,
is_thin_archive=172) at ../../binutils-2.44/binutils/readelf.c:24151
#13 0x000000000043a8f7 in process_file (file_name=0x7ffc169e953a
"Infinite_Loop") at ../../binutils-2.44/binutils/readelf.c:24224
#14 0x00000000004383fa in main (argc=<optimized out>, argv=0xfffffffffffffe00)
at ../../binutils-2.44/binutils/readelf.c:24307
(gdb)
Expected Results:
readelf should stop processing and report an error if the input is invalid,
rather than producing unbounded output.
Build & Platform:
binutils version: 2.44
component: readelf
OS: Ubuntu 18.04.6 LTS
arch: x86_64
Additional Information:
The PoC attachment contains the input file (Infinite_Loop) that triggers this
behavior.
The issue is fully reproducible using the command shown above.
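As an added illustration (not binutils' code and not part of the report), a self-contained C walker over DWARF 5 .debug_loclists unit headers that implements the expected behaviour described above: a header whose length cannot cover its own fixed fields, or that runs past the end of the section, ends the walk with an error instead of being stepped over. The function names (parse_header, walk_loclists, demo_*) are assumptions, the sample sections are constructed, and a little-endian host is assumed.

```c
#include <stdint.h>
#include <string.h>

/* Illustrative DWARF 5 .debug_loclists unit-header walker for this report
 * (not binutils code).  It refuses the first header it cannot trust instead
 * of advancing by a bogus length, so a zero-length table cannot spin it. */
typedef struct { uint64_t length; uint16_t version;               /* length excludes the length field */
                 uint8_t address_size, segment_size; uint32_t offset_entries; } loclists_header;

/* Little-endian host assumed for these unaligned reads. */
static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static uint64_t rd64(const uint8_t *p) { uint64_t v; memcpy(&v, p, 8); return v; }

/* Parse the header at *off; on success *off moves past the whole table. */
static int parse_header(const uint8_t *sec, size_t size, size_t *off, loclists_header *h)
{
    size_t p = *off, hdr = 4;                     /* 32-bit DWARF length field */
    if (size - p < 4) return 0;
    h->length = rd32(sec + p);
    if (h->length == 0xffffffffu) {               /* 64-bit DWARF escape */
        if (size - p < 12) return 0;
        h->length = rd64(sec + p + 4);
        hdr = 12;
    }
    /* The check the report asks for: the table must hold its own 8 fixed
     * header bytes and must fit in what remains of the section. */
    if (h->length < 8 || h->length > size - p - hdr) return 0;
    p += hdr;
    h->version        = rd16(sec + p);
    h->address_size   = sec[p + 2];
    h->segment_size   = sec[p + 3];
    h->offset_entries = rd32(sec + p + 4);
    if (h->version != 5) return 0;
    *off = p + h->length;                         /* length >= 8: always progresses */
    return 1;
}

/* Count well-formed tables; -1 at the first malformed header. */
int walk_loclists(const uint8_t *sec, size_t size)
{
    size_t off = 0; int n = 0; loclists_header h;
    while (off < size) { if (!parse_header(sec, size, &off, &h)) return -1; n++; }
    return n;
}

/* Constructed samples: two valid 8-byte tables, and an all-zero region like the
 * report's output (Length: 0 at successive offsets). */
static const uint8_t two_tables[] = { 8,0,0,0, 5,0, 8,0, 0,0,0,0,  8,0,0,0, 5,0, 4,0, 0,0,0,0 };
static const uint8_t zero_region[32];
int demo_valid(void)       { return walk_loclists(two_tables, sizeof two_tables); }   /* returns 2 */
int demo_zero_length(void) { return walk_loclists(zero_region, sizeof zero_region); } /* returns -1 */
```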