readelf crashes very easily when parsing malformed binaries. The attached patch fixes three floating point exceptions (divide-by-zero) and approximately 13 out-of-bounds reads (due to null pointer dereference, integer overflows, and bad array indexing). I have test files that trigger each of these crashes, but the patch should be pretty self-explanatory. I've tested the patch, confirmed it breaks no functionality, and that it resolves each of my crash files: (Patch hosted on Ubuntu's Launchpad) http://launchpadlibrarian.net/53144133/readelf-crashes.patch
Created attachment 4916 [details] Fix for readelf crashes
Created attachment 4917 [details] Revised patch, fixed casts
Fixed to work on 64-bit platforms
Subject: Bug 11889
CVSROOT: /cvs/src
Module name: src
Changes by: nickc@sourceware.org 2010-08-13 16:02:17
Modified files:
binutils : ChangeLog readelf.c
Log message:
PR binutils/11889
* readelf.c (get_32bit_elf_symbols): Check for a corrupt sh_entsize.
(get_64bit_elf_symbols): Likewise.
(process_symbol_table): Likewise.
(process_section_groups): Check for corrupt headers.
(process_version_sections): Check for corrupt indices.
(process_corefile_note_segment): Likewise.
Patches:
http://sourceware.org/cgi-bin/cvsweb.cgi/src/binutils/ChangeLog.diff?cvsroot=src&r1=1.1670&r2=1.1671
http://sourceware.org/cgi-bin/cvsweb.cgi/src/binutils/readelf.c.diff?cvsroot=src&r1=1.512&r2=1.513
Hi Dan,
Thanks for the bug report and patch. I have checked it in, modulo a few formatting fixes, along with this changelog entry.
Cheers
Nick
binutils/ChangeLog
2010-08-13 Dan Rosenberg <dan.j.rosenberg@gmail.com>
PR binutils/11889
* readelf.c (get_32bit_elf_symbols): Check for a corrupt sh_entsize.
(get_64bit_elf_symbols): Likewise.
(process_symbol_table): Likewise.
(process_section_groups): Check for corrupt headers.
(process_version_sections): Check for corrupt indices.
(process_corefile_note_segment): Likewise.
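A worked illustration of the sh_entsize check named in the ChangeLog above. This is example code written for this page, not the code from binutils' readelf.c, and it does not claim to reproduce the exact checks in the committed patch. It shows why the unchecked division crashes (a zero sh_entsize in a fuzzed symbol-table header raises SIGFPE) and how a checked variant rejects that header, a truncated entry size, and a section whose offset plus size runs past the end of the file (the out-of-bounds-read case). The struct layouts mirror Elf32_Shdr and Elf32_Sym from <elf.h> so the file builds without that header; the function names and the sample header values are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>

/* Local mirrors of the Elf32_Shdr / Elf32_Sym layouts from <elf.h>
   (same field order and widths, no padding) so this builds anywhere. */
typedef struct {
    uint32_t sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size,
             sh_link, sh_info, sh_addralign, sh_entsize;
} Shdr32;

typedef struct {
    uint32_t st_name, st_value, st_size;
    uint8_t  st_info, st_other;
    uint16_t st_shndx;
} Sym32;                       /* sizeof(Sym32) == 16, as in the ELF spec */

enum { SHT_SYMTAB = 2 };

/* The shape of the pre-patch code: a fuzzed header with sh_entsize == 0
   makes this divide by zero, which is the "floating point exception"
   reported in the bug. Kept only to show the hazard; not called below. */
static uint32_t symbol_count_unchecked(const Shdr32 *sh)
{
    return sh->sh_size / sh->sh_entsize;
}

/* Hardened count. Returns the number of symbols, or -1 and sets *why.
   file_size is the length of the mapped/read file, needed for the
   bounds check that keeps the later symbol walk inside the buffer. */
static long symbol_count_checked(const Shdr32 *sh, uint64_t file_size,
                                 const char **why)
{
    if (sh->sh_type != SHT_SYMTAB) {
        *why = "not a symbol table section"; return -1;
    }
    /* Zero would divide by zero; anything smaller than a real entry would
       make a later sym[i] read run past the bytes that belong to it. */
    if (sh->sh_entsize < sizeof(Sym32)) {
        *why = "corrupt sh_entsize"; return -1;
    }
    if (sh->sh_size % sh->sh_entsize != 0) {
        *why = "sh_size is not a multiple of sh_entsize"; return -1;
    }
    /* Widen before adding: a 32-bit sh_offset + sh_size can wrap. */
    if ((uint64_t)sh->sh_offset + (uint64_t)sh->sh_size > file_size) {
        *why = "section extends past end of file"; return -1;
    }
    *why = NULL;
    return (long)(sh->sh_size / sh->sh_entsize);
}

/* Convenience wrapper: build a symtab header from the three fields a
   fuzzer typically mutates and run the checked count against a file of
   the given size. Constructed input, not taken from a real binary. */
static long check_symtab(uint32_t sh_offset, uint32_t sh_size,
                         uint32_t sh_entsize, uint64_t file_size)
{
    Shdr32 sh = { 0, SHT_SYMTAB, 0, 0, sh_offset, sh_size, 0, 0, 4, sh_entsize };
    const char *why;
    long n = symbol_count_checked(&sh, file_size, &why);
    if (n < 0)
        printf("rejected: %s\n", why);
    else
        printf("ok: %ld symbols\n", n);
    return n;
}

int main(void)
{
    (void)symbol_count_unchecked;          /* intentionally not exercised */
    check_symtab(64, 48, 16, 4096);        /* well-formed: 3 symbols      */
    check_symtab(64, 48, 0, 4096);         /* sh_entsize == 0: SIGFPE case */
    check_symtab(64, 48, 8, 4096);         /* entry smaller than Elf32_Sym */
    check_symtab(0xFFFFFFF0u, 64, 16, 4096); /* offset+size wraps / OOB   */
    return 0;
}
```

The same pattern applies to the other sites in the ChangeLog: any index or count read from the file (group section indices, version symbol indices, note descriptor sizes) is compared against the size of the region it indexes before it is used, and sums of 32-bit fields are widened before the comparison.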