Bug 13622 - readelf crashes when reading binary with shredded section header offset
Summary: readelf crashes when reading binary with shredded section header offset
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils
Version: 2.22
: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-01-25 01:47 UTC by Jan Lieven
Modified: 2012-01-30 11:35 UTC (History)

See Also:
Host:
Target:
Build:
Last reconfirmed:


Attachments
Better handling of corrupt ELF header (480 bytes, patch)
2012-01-25 14:27 UTC, Nick Clifton

Description Jan Lieven 2012-01-25 01:47:25 UTC
When readelf tries to read a section header that is past the size of the target ELF it crashes with a SIGABRT.

Steps to reproduce:
1.) Trash the section header offset of any ELF (i.e. write 0xFF @ 0x21 for a 32-bit ELF)
2.) Run readelf -a elf_with_corrupted_header

readelf: Error: Unable to read in 0x28 bytes of section headers
ELF Header:
<snip>
  Start of section headers:          39288 (bytes into file)
<snip>
readelf: Error: Unable to read in 0x4d8 bytes of section headers
readelf: Error: Section headers are not available!

Program received signal SIGABRT, Aborted.
RAX: 0x0000000000000000
=> 0x7ffff7854935 <raise+53>:   cmp    rax,0xfffffffffffff000
   0x7ffff785493b <raise+59>:   ja     0x7ffff785494f <raise+79>
   0x7ffff785493d <raise+61>:   repz ret 
   0x7ffff785493f <raise+63>:   nop
   0x7ffff7854940 <raise+64>:   test   eax,eax
   0x7ffff7854942 <raise+66>:   jg     0x7ffff7854925 <raise+37>
   0x7ffff7854944 <raise+68>:   test   eax,0x7fffffff
   0x7ffff7854949 <raise+73>:   je     0x7ffff7854960 <raise+96>

0x00007ffff7854935 in raise () from /lib/libc.so.6
gdb$ bt
#0  0x00007ffff7854935 in raise () from /lib/libc.so.6
#1  0x00007ffff7855dab in abort () from /lib/libc.so.6
#2  0x000000000041de99 in process_section_groups (file=<optimized out>) at /tmp/binutils/src/binutils/readelf.c:4964
#3  process_object (file_name=<optimized out>, file=0x65a060) at /tmp/binutils/src/binutils/readelf.c:13283
#4  0x0000000000401dc4 in process_file (file_name=0x7fffffffe91a "a.out") at /tmp/binutils/src/binutils/readelf.c:13659
#5  main (argc=0x3, argv=0x7fffffffe5e8) at /tmp/binutils/src/binutils/readelf.c:13724
Comment 1 Jan Lieven 2012-01-25 02:00:10 UTC
I forgot to mention the output of readelf --version. It's 2.22.51.20120123, built from a CVS checkout done on the day of compilation.
Comment 2 Nick Clifton 2012-01-25 14:27:10 UTC
Created attachment 6174 [details]
Better handling of corrupt ELF header
Comment 3 Nick Clifton 2012-01-25 14:28:02 UTC
Hi Jan,

  Please could you try out the uploaded patch and let me know if it works for you.

Cheers
  Nick
Comment 4 Jan Lieven 2012-01-25 20:02:22 UTC
Thanks, the patch fixes the issue.
Comment 5 Sourceware Commits 2012-01-26 09:59:34 UTC
CVSROOT:	/cvs/src
Module name:	src
Changes by:	nickc@sourceware.org	2012-01-26 09:59:31

Modified files:
	binutils       : ChangeLog readelf.c 

Log message:
	PR binutils/13622
	* readelf.c (process_section_groups): If there are no section
	headers do not scan for section groups.
	(process_note_sections): Likewise for note sections.

Patches:
http://sourceware.org/cgi-bin/cvsweb.cgi/src/binutils/ChangeLog.diff?cvsroot=src&r1=1.1873&r2=1.1874
http://sourceware.org/cgi-bin/cvsweb.cgi/src/binutils/readelf.c.diff?cvsroot=src&r1=1.565&r2=1.566
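The failure in the report and the check behind the committed fix, as an added example that is not binutils code: a small stand-alone ELF64 reader that validates e_shoff, e_shnum and e_shentsize against the file length and reports "section headers are not available" instead of asserting inside the section-group scan. Everything here is this example's own (the structs with an _x suffix, build_sample_elf, corrupt_shoff, elf64_shdr_table, count_section_groups); the image it parses is constructed in memory, it assumes a little-endian host, and the 0x28 it overwrites is where e_shoff sits in an ELF64 header, the counterpart of the 0x21 byte the report poked in a 32-bit file.

```c
/* Added example (not readelf's code): bounds-checked lookup of the ELF64
   section header table, failing gracefully when e_shoff is out of range. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EI_NIDENT 16
#define SHT_GROUP 17

/* ELF64 file header layout, as in the ELF spec (no padding, 64 bytes). */
typedef struct {
    uint8_t  e_ident[EI_NIDENT];
    uint16_t e_type, e_machine;
    uint32_t e_version;
    uint64_t e_entry, e_phoff, e_shoff;
    uint32_t e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} Elf64_Ehdr_x;

/* ELF64 section header layout (64 bytes). */
typedef struct {
    uint32_t sh_name, sh_type;
    uint64_t sh_flags, sh_addr, sh_offset, sh_size;
    uint32_t sh_link, sh_info;
    uint64_t sh_addralign, sh_entsize;
} Elf64_Shdr_x;

/* Locate the section header table and validate it against the file size.
   Returns e_shnum and stores the table offset in *shoff, or returns -1 with
   a reason in *why when the table cannot be used. */
static long elf64_shdr_table(const uint8_t *buf, size_t len,
                             size_t *shoff, const char **why)
{
    Elf64_Ehdr_x eh;
    if (len < sizeof eh) { *why = "file shorter than ELF header"; return -1; }
    memcpy(&eh, buf, sizeof eh);
    if (memcmp(eh.e_ident, "\x7f" "ELF", 4) != 0) { *why = "bad magic"; return -1; }
    if (eh.e_ident[4] != 2 || eh.e_ident[5] != 1) { *why = "not ELF64 little-endian"; return -1; }
    if (eh.e_shoff == 0 || eh.e_shnum == 0) { *why = "no section headers"; return -1; }
    if (eh.e_shentsize != sizeof(Elf64_Shdr_x)) { *why = "unexpected e_shentsize"; return -1; }
    /* e_shnum and e_shentsize are 16-bit, so this product cannot wrap. */
    uint64_t table = (uint64_t)eh.e_shnum * eh.e_shentsize;
    /* The key check: both the offset and offset+size must lie inside the file. */
    if (eh.e_shoff > len || table > len - eh.e_shoff) {
        *why = "section header table lies outside the file";
        return -1;
    }
    *shoff = (size_t)eh.e_shoff;
    return eh.e_shnum;
}

/* Analogue of a section-group scan: counts SHT_GROUP sections. Where the
   report's readelf hit an abort, this warns and returns -1, then the caller
   can carry on with the parts of the file that are readable. */
static long count_section_groups(const uint8_t *buf, size_t len)
{
    size_t shoff = 0;
    const char *why = "";
    long n = elf64_shdr_table(buf, len, &shoff, &why);
    if (n < 0) {
        fprintf(stderr, "warning: section headers are not available (%s)\n", why);
        return -1;
    }
    long groups = 0;
    for (long i = 0; i < n; i++) {
        Elf64_Shdr_x sh;                       /* memcpy avoids unaligned access */
        memcpy(&sh, buf + shoff + (size_t)i * sizeof sh, sizeof sh);
        if (sh.sh_type == SHT_GROUP) groups++;
    }
    return groups;
}

/* Build a constructed, minimal ELF64 image: header followed immediately by
   a 3-entry section header table (NULL, PROGBITS, GROUP). Little-endian host
   assumed. Returns the image length (256). */
static size_t build_sample_elf(uint8_t *buf, size_t cap)
{
    const size_t need = sizeof(Elf64_Ehdr_x) + 3 * sizeof(Elf64_Shdr_x);
    if (cap < need) return 0;
    memset(buf, 0, need);
    Elf64_Ehdr_x eh = {0};
    memcpy(eh.e_ident, "\x7f" "ELF", 4);
    eh.e_ident[4] = 2;                  /* ELFCLASS64 */
    eh.e_ident[5] = 1;                  /* ELFDATA2LSB */
    eh.e_ident[6] = 1;                  /* EV_CURRENT */
    eh.e_type = 2; eh.e_machine = 62; eh.e_version = 1;
    eh.e_ehsize = sizeof eh;
    eh.e_shoff = sizeof eh;
    eh.e_shentsize = sizeof(Elf64_Shdr_x);
    eh.e_shnum = 3;
    memcpy(buf, &eh, sizeof eh);
    Elf64_Shdr_x sh = {0};
    sh.sh_type = 1;                     /* SHT_PROGBITS */
    memcpy(buf + eh.e_shoff + 1 * sizeof sh, &sh, sizeof sh);
    sh.sh_type = SHT_GROUP;
    memcpy(buf + eh.e_shoff + 2 * sizeof sh, &sh, sizeof sh);
    return need;
}

/* Reproduce the report's corruption for ELF64: fill e_shoff (file offset
   0x28, 8 bytes) with 0xFF so it points far past the end of the file. */
static void corrupt_shoff(uint8_t *buf)
{
    memset(buf + 0x28, 0xff, 8);
}

int main(void)
{
    uint8_t img[512];
    size_t len = build_sample_elf(img, sizeof img);
    printf("intact image: %ld group section(s)\n", count_section_groups(img, len));
    corrupt_shoff(img);
    printf("corrupted image: %ld group section(s)\n", count_section_groups(img, len));
    return 0;
}
```

The same guard covers a truncated file, since the test is on offset plus table size rather than the offset alone; a reader that only checked e_shoff against the file length would still read past the end when e_shnum is inflated instead.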
Comment 6 Nick Clifton 2012-01-26 10:00:09 UTC
Patch applied.
Comment 7 Sourceware Commits 2012-01-30 11:35:44 UTC
CVSROOT:	/cvs/src
Module name:	src
Branch: 	binutils-2_22-branch
Changes by:	nickc@sourceware.org	2012-01-30 11:35:39

Modified files:
	binutils       : ChangeLog readelf.c 

Log message:
	PR binutils/13622
	* readelf.c (process_section_groups): If there are no section
	headers do not scan for section groups.
	(process_note_sections): Likewise for note sections.

Patches:
http://sourceware.org/cgi-bin/cvsweb.cgi/src/binutils/ChangeLog.diff?cvsroot=src&only_with_tag=binutils-2_22-branch&r1=1.1831.2.1&r2=1.1831.2.2
http://sourceware.org/cgi-bin/cvsweb.cgi/src/binutils/readelf.c.diff?cvsroot=src&only_with_tag=binutils-2_22-branch&r1=1.554&r2=1.554.2.1