Bug 12855 - readelf: Endless loop for broken ELF binary
Summary: readelf: Endless loop for broken ELF binary
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils
Version: 2.21
Importance: P2 normal
Target Milestone: ---
Assignee: unassigned
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-06-07 15:29 UTC by Sascha Peilicke
Modified: 2017-04-25 20:14 UTC (History)

See Also:
Host:
Target:
Build:
Last reconfirmed:


Attachments
The offending binary (packed) (954.70 KB, application/x-bzip)
2011-06-07 15:39 UTC, Sascha Peilicke

Description Sascha Peilicke 2011-06-07 15:29:57 UTC
Commandline:

$ readelf -s godoc

Goes into an endless loop with the following output:

readelf: Error: Unable to seek to 0xYYY for version need aux (3)
...

Ideally, readelf would stop and tell that it's a broken binary (see attachment).
Comment 1 Sascha Peilicke 2011-06-07 15:39:05 UTC
Created attachment 5770 [details]
The offending binary (packed)
Comment 2 Sourceware Commits 2011-06-08 15:59:11 UTC
CVSROOT:	/cvs/src
Module name:	src
Changes by:	nickc@sourceware.org	2011-06-08 15:59:07

Modified files:
	binutils       : ChangeLog readelf.c 

Log message:
	PR binutils/12855
	* readelf.c (process_version_sections): Handle binaries containing
	corrupt version information.
	(process_symbol_table): Stop processing a symbol's version
	information if it could not be read in.
	
	(get_data): Add comment describing the function.
	(process_section_headers): Set dynamic_strings_length to 0 if the
	dynamic strings could not be read in.
	(process_dynamic_section): Likewise.
	(process_section_groups): Stop processing the group information if
	the data could not be read in.
	(hppa_processs_unwind): Assert that there is only one string table
	in the file.
	(arm_process_unwind): Likewise.
	(ia64_process_unwind): Likewise.
	Set the size of the unwind auxiliary information to 0 if the data
	could not be read.
	(load_specific_debug_section): Handle a failure to read in the
	section.
	(process_mips_specific): Stop display of the PLT GOT section if it
	could not be read in.

Patches:
http://sourceware.org/cgi-bin/cvsweb.cgi/src/binutils/ChangeLog.diff?cvsroot=src&r1=1.1807&r2=1.1808
http://sourceware.org/cgi-bin/cvsweb.cgi/src/binutils/readelf.c.diff?cvsroot=src&r1=1.545&r2=1.546
Comment 3 Nick Clifton 2011-06-08 16:03:19 UTC
Hi Sascha,

  Thanks for reporting this bug.  The problem was that the code in readelf was assuming that the function which reads in the version information would always succeed.  As you have shown, however, this does not always happen.  I have checked in a patch which fixes this problem (and several other places where the same assumption was made).

Cheers
  Nick
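The fix Nick describes treats a failed read as terminal rather than assumed-successful. As an added illustration that is not readelf's code and not part of this bug report, the C below walks a `.gnu.version_r` (Verneed/Vernaux) section from memory with every offset and count bounds-checked, so corrupt `vna_next`/`vn_next` links end the walk with an error instead of looping; `walk_verneed`, `read_rec`, `demo` and the sample records are constructed here, and host endianness is assumed.

```c
#include <stdint.h>
#include <string.h>

/* Host-endian mirrors of Elf64_Verneed and Elf64_Vernaux (16 bytes each, ELF gABI). */
typedef struct { uint16_t vn_version, vn_cnt; uint32_t vn_file, vn_aux, vn_next; } Verneed;
typedef struct { uint32_t vna_hash; uint16_t vna_flags, vna_other; uint32_t vna_name, vna_next; } Vernaux;

/* Copy one record out of the section only if it lies entirely inside it
   (the in-memory analogue of readelf's "Unable to seek" failure). */
static int read_rec(const uint8_t *sec, size_t len, size_t off, void *out, size_t sz)
{
    if (off > len || sz > len - off) return -1;
    memcpy(out, sec + off, sz);
    return 0;
}

/* Walk a .gnu.version_r section; nentries is the section header's sh_info.
   Returns the number of Vernaux records visited, or -1 as soon as any read fails. */
int walk_verneed(const uint8_t *sec, size_t len, unsigned nentries)
{
    size_t off = 0;
    int seen = 0;
    for (unsigned i = 0; i < nentries; i++) {        /* sh_info caps the entry list */
        Verneed vn;
        if (read_rec(sec, len, off, &vn, sizeof vn) < 0)
            return -1;
        size_t aux = off + vn.vn_aux;                /* vn_aux is relative to the entry */
        for (unsigned j = 0; j < vn.vn_cnt; j++) {   /* vn_cnt caps the aux chain */
            Vernaux vna;
            if (read_rec(sec, len, aux, &vna, sizeof vna) < 0)
                return -1;                           /* stop: do not keep probing */
            seen++;
            if (vna.vna_next == 0) break;            /* end of this entry's chain */
            aux += vna.vna_next;
        }
        if (vn.vn_next == 0) break;                  /* end of the Verneed list */
        off += vn.vn_next;
    }
    return seen;
}

/* Constructed sample: one Verneed whose first Vernaux either links to a proper
   last record (corrupt == 0) or points 4 KiB past the section end (corrupt != 0). */
int demo(int corrupt)
{
    uint8_t buf[48] = {0};
    Verneed vn = { 1, 2, 0, 16, 0 };                 /* vn_cnt = 2, aux chain at +16 */
    Vernaux a0 = { 0x1111, 0, 2, 0, corrupt ? 0x1000 : 16 };
    Vernaux a1 = { 0x2222, 0, 3, 0, 0 };             /* vna_next = 0: last in chain */
    memcpy(buf, &vn, 16); memcpy(buf + 16, &a0, 16); memcpy(buf + 32, &a1, 16);
    return walk_verneed(buf, sizeof buf, 1);         /* 2 when intact, -1 when corrupt */
}
```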
Comment 4 Sourceware Commits 2017-04-25 20:14:25 UTC
The master branch has been updated by Maciej W. Rozycki <macro@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=919383ac718c2a3187ee2a9ad659daa22da26258

commit 919383ac718c2a3187ee2a9ad659daa22da26258
Author: Maciej W. Rozycki <macro@imgtec.com>
Date:   Wed Apr 12 00:02:13 2017 +0100

    MIPS/readelf: Remove extraneous null GOT data check
    
    Null data is handled gracefully throughout in MIPS GOT processing, with
    addresses printed normally and unavailable data shown as `<unknown>' by
    `print_mips_got_entry', and special processing code for GOT[1] doing an
    explicit check.  Remove an unwanted null GOT data check then, introduced
    with commit 592458412fb2 in the course of addressing PR binutils/12855.
    
    	binutils/
    	* readelf.c (process_mips_specific): Remove null GOT data check.