https://sourceware.org/bugzilla/show_bug.cgi?id=33641

Bug ID: 33641
Summary: readelf enters infinite warning loop on crafted input
Product: binutils
Version: 2.44
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: 970429025 at qq dot com
Target Milestone: ---

Created attachment 16472
--> https://sourceware.org/bugzilla/attachment.cgi?id=16472&action=edit
The PoC attachment contains the input file (Infinite_Loop_2) that triggers this behavior.

Overview:
Running readelf with the provided input file causes the program to repeatedly print the same warning message and never terminates.
The program does not crash but must be interrupted manually.
Steps to Reproduce:
./readelf --lint --process-links Infinite_Loop_2
Actual Results:
readelf prints the same warning message continuously:
readelf: Warning: The length field (0xff100073) in the debug_rnglists header is wrong - the section is too small
The message repeats indefinitely and the program does not progress.
It must be manually interrupted (e.g., Ctrl-C inside gdb).
Relevant GDB excerpt:
readelf: Warning: The length field (0xff100073) in the debug_rnglists header is wrong - the section is too small
readelf: Warning: The length field (0xff100073) in the debug_rnglists header is wrong - the section is too small
readelf: Warning: The length field (0xff100073) in the debug_rnglists header is wrong - the section is too small
readelf: Warning: The length field (0xff100073) in the debug_rnglists header is wrong - the section is too small
readelf: Warning: The length field (0xff100073) in the debug_rnglists header is wrong - the section is too small
readelf: Warning: The length field (0xff100073) in the debug_rnglists header is wrong - the section is too small
readelf: Warning: The length field (0xff100073) in the debug_rnglists header is wrong - the section is too small
readelf: Warning: The length field (0xff100073) in the debug_rnglists header is wrong - the section is too small
readelf: Warning: The length field (0xff100073) in the debug_rnglists header is wrong - the section is too small
readelf: Warning: The length field (0xff100073) in the debug_rnglists header is wrong - the section is too small
readelf: Warning: The length field (0xff100073) in the debug_rnglists header is wrong - the section is too small
readelf: Warning: The length field (0xff100073) in the debug_rnglists header is wrong - the section is too small
readelf: ^C
Program received signal SIGINT, Interrupt.
0x00007c6c7237f104 in __GI___libc_write (fd=2, buf=0x7ffdaeffe220, nbytes=95) at ../sysdeps/unix/sysv/linux/write.c:27
27 ../sysdeps/unix/sysv/linux/write.c: No such file or directory.
(gdb) bt
#0 0x00007c6c7237f104 in __GI___libc_write (fd=2, buf=0x7ffdaeffe220, nbytes=95) at ../sysdeps/unix/sysv/linux/write.c:27
#1 0x00007c6c722fa15d in _IO_new_file_write (f=0x7c6c7265b680 <_IO_2_1_stderr_>, data=0x7ffdaeffe220, n=95) at fileops.c:1203
#2 0x00007c6c722faacf in new_do_write (to_do=<optimized out>, data=0x7ffdaeffe220 "The length field (0xff100073) in the debug_rnglists header is wrong - the section is too small\n", fp=0x7c6c7265b680 <_IO_2_1_stderr_>) at fileops.c:457
#3 _IO_new_file_xsputn (f=0x7c6c7265b680 <_IO_2_1_stderr_>, data=<optimized out>, n=95) at fileops.c:1277
#4 0x00007c6c722cd6c7 in buffered_vfprintf (s=s@entry=0x7c6c7265b680 <_IO_2_1_stderr_>, format=format@entry=0x637f1b "The length field (%#lx) in the debug_rnglists header is wrong - the section is too small\n", args=args@entry=0x7ffdaf000890) at vfprintf.c:2350
#5 0x00007c6c722ca6f6 in _IO_vfprintf_internal (s=0x7c6c7265b680 <_IO_2_1_stderr_>, format=format@entry=0x637f1b "The length field (%#lx) in the debug_rnglists header is wrong - the section is too small\n", ap=ap@entry=0x7ffdaf000890) at vfprintf.c:1301
#6 0x000000000050b62a in warn (message=0x637f1b "The length field (%#lx) in the debug_rnglists header is wrong - the section is too small\n") at ../../binutils-2.44/binutils/elfcomm.c:62
#7 0x0000000000508f1c in display_debug_rnglists_unit_header (section=section@entry=0x885fd0 <debug_displays+2128>, unit_offset=unit_offset@entry=0x7ffdaf000998, poffset_size=poffset_size@entry=0x7ffdaf0009c7 "\004\320c\230\024") at ../../binutils-2.44/binutils/dwarf.c:8281
#8 0x00000000004d9fbe in display_debug_ranges (section=section@entry=0x885fd0 <debug_displays+2128>, file=file@entry=0x149863d0) at ../../binutils-2.44/binutils/dwarf.c:8501
#9 0x0000000000499df0 in display_debug_section (shndx=11, section=section@entry=0x14988890, filedata=filedata@entry=0x149863d0) at ../../binutils-2.44/binutils/readelf.c:17538
#10 0x00000000004614a9 in process_section_contents (filedata=filedata@entry=0x149863d0) at ../../binutils-2.44/binutils/readelf.c:17693
#11 0x0000000000449edc in process_object (filedata=filedata@entry=0x149863d0) at ../../binutils-2.44/binutils/readelf.c:23818
#12 0x000000000043a95f in process_file (file_name=0x7ffdaf00253f "Infinite_Loop_2") at ../../binutils-2.44/binutils/readelf.c:24241
#13 0x00000000004383fa in main (argc=<optimized out>, argv=0x5e) at ../../binutils-2.44/binutils/readelf.c:24307
(gdb)
Expected Results:
readelf should stop processing and report an error rather than entering a non-terminating warning loop.
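The backtrace shows the warning being raised from display_debug_rnglists_unit_header while display_debug_ranges iterates over the units of the section, so the expected behaviour comes down to one invariant: a loop that walks length-prefixed units must either advance past the unit or leave the loop when it rejects the header; it must never loop back to re-read the same offset. The following stand-alone C program, added here as an illustration and not taken from binutils, walks a .debug_rnglists-style section with that invariant enforced. The function name walk_rnglists_units, the status codes, and the three sample sections (GOOD_SECTION, LOOPING_SECTION, TRUNCATED_SECTION) are constructed for the example; LOOPING_SECTION reuses the length value 0xff100073 from the report with only eight bytes left in the section.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Status codes of the constructed walker (not part of binutils). */
enum walk_status {
    WALK_OK = 0,         /* every unit parsed; offset reached the end of the section */
    WALK_TRUNCATED = 1,  /* the section ends inside a unit header */
    WALK_BAD_LENGTH = 2  /* a length field is inconsistent with the section size */
};

/* Little-endian readers; the constructed samples below are little-endian. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint64_t rd64(const uint8_t *p) { return (uint64_t)rd32(p) | ((uint64_t)rd32(p + 4) << 32); }

/* Walk every unit of a DWARF 5 .debug_rnglists section. Each unit header is:
 * unit_length (4 bytes, or 0xffffffff followed by an 8-byte length for 64-bit
 * DWARF), version (2), address_size (1), segment_selector_size (1),
 * offset_entry_count (4), then the offset table and the range lists.
 * Invariant: every iteration either returns or advances 'off' by at least the
 * size of the length field, so no header is ever examined twice.
 * *units_out receives the number of complete units parsed; on WALK_BAD_LENGTH
 * *bad_length_out (if non-NULL) receives the rejected length value. */
int walk_rnglists_units(const uint8_t *sec, size_t sec_len, size_t *units_out, uint64_t *bad_length_out)
{
    size_t off = 0, units = 0;
    *units_out = 0;
    if (bad_length_out) *bad_length_out = 0;

    while (off < sec_len) {
        size_t remaining = sec_len - off;
        size_t len_field = 4;       /* bytes occupied by the length field itself */
        unsigned offset_size = 4;   /* 4 for 32-bit DWARF, 8 for 64-bit DWARF */
        uint64_t unit_length;

        if (remaining < 4)
            return WALK_TRUNCATED;
        unit_length = rd32(sec + off);
        if (unit_length == 0xffffffffu) {          /* 64-bit DWARF escape value */
            if (remaining < 12)
                return WALK_TRUNCATED;
            unit_length = rd64(sec + off + 4);
            len_field = 12;
            offset_size = 8;
        } else if (unit_length >= 0xfffffff0u) {   /* reserved length values */
            if (bad_length_out) *bad_length_out = unit_length;
            *units_out = units;
            return WALK_BAD_LENGTH;
        }

        /* unit_length counts the bytes after the length field. This is the check
         * behind readelf's "section is too small" warning; the point here is that
         * rejecting the unit ends the walk instead of re-reading the same header. */
        if (unit_length > remaining - len_field || unit_length < 8) {
            fprintf(stderr, "warning: length field (%#llx) in the debug_rnglists header "
                            "is wrong - the section is too small\n",
                    (unsigned long long)unit_length);
            if (bad_length_out) *bad_length_out = unit_length;
            *units_out = units;
            return WALK_BAD_LENGTH;
        }

        {
            const uint8_t *h = sec + off + len_field;
            uint16_t version = rd16(h);
            uint32_t offset_entry_count = rd32(h + 4);
            (void)version;  /* a real reader would also validate the version */
            /* The offset table must fit inside the unit as well. */
            if ((uint64_t)offset_entry_count * offset_size > unit_length - 8) {
                *units_out = units;
                return WALK_BAD_LENGTH;
            }
        }
        units++;
        off += len_field + (size_t)unit_length;   /* strictly increases: len_field >= 4 */
    }
    *units_out = units;
    return WALK_OK;
}

/* Constructed sample: one well-formed 32-bit DWARF 5 unit with one offset entry. */
const uint8_t GOOD_SECTION[] = {
    0x0c, 0x00, 0x00, 0x00,  /* unit_length = 12 (bytes after this field) */
    0x05, 0x00,              /* version 5 */
    0x08,                    /* address_size 8 */
    0x00,                    /* segment_selector_size 0 */
    0x01, 0x00, 0x00, 0x00,  /* offset_entry_count 1 */
    0x00, 0x00, 0x00, 0x00   /* the single offset table entry */
};

/* Constructed sample: the good unit followed by a header whose length field is
 * 0xff100073 (the value from the report) with only 8 bytes left in the section. */
const uint8_t LOOPING_SECTION[] = {
    0x0c, 0x00, 0x00, 0x00, 0x05, 0x00, 0x08, 0x00,
    0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x73, 0x00, 0x10, 0xff,  /* unit_length = 0xff100073 */
    0x05, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00
};

/* Constructed sample: the section ends before the length field is complete. */
const uint8_t TRUNCATED_SECTION[] = { 0x0c, 0x00, 0x00 };

int main(void)
{
    size_t units;
    uint64_t bad;
    int st = walk_rnglists_units(LOOPING_SECTION, sizeof LOOPING_SECTION, &units, &bad);
    printf("status=%d units=%zu bad_length=%#llx\n", st, units, (unsigned long long)bad);
    return st == WALK_BAD_LENGTH ? 0 : 1;
}
```

Run against LOOPING_SECTION the walker parses the first unit, prints the warning once for the second header and returns WALK_BAD_LENGTH; the same input fed to a loop that warns but leaves the offset unchanged would reproduce the behaviour in the report. When fuzzing or reviewing a unit walker, the property to check is exactly this one: after every iteration the offset is strictly larger, or the loop has exited.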
Build & Platform:
binutils version: 2.44
component: readelf
OS: Ubuntu 18.04.6 LTS
arch: x86_64
Additional Information:
The PoC attachment contains the input file (Infinite_Loop_2) that triggers this behavior.
The issue is fully reproducible using the command above.