Bug 18879 - general protection fault in readelf (byte_get_little_endian(elfcomm.c:149))
Summary: general protection fault in readelf (byte_get_little_endian(elfcomm.c:149))
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils
Version: 2.26
Importance: P2 critical
Target Milestone: ---
Assignee: Not yet assigned to anyone
Reported: 2015-08-28 08:58 UTC by Brian 'geeknik' Carpenter
Modified: 2015-09-08 12:00 UTC
CC List: 2 users

Flags: fweimer: security-


Attachments
crashing test case (139 bytes, application/octet-stream) - 2015-08-28 08:58 UTC, Brian 'geeknik' Carpenter
Check for large offsets in a small section (517 bytes, patch) - 2015-09-03 15:17 UTC, Nick Clifton

Description Brian 'geeknik' Carpenter 2015-08-28 08:58:17 UTC
Created attachment 8559
crashing test case

While fuzzing readelf (GNU readelf (GNU Binutils) 2.25.51.20150826) with American Fuzzy Lop (http://lcamtuf.coredump.cx/afl/), I found a malformed ELF object that causes a general protection fault.

Command line:
./readelf -a test00-min 

Valgrind:
ELF Header:
  Magic:   7f 45 4c 46 02 30 30 30 30 30 30 30 30 30 30 30 
  Class:                             ELF64
  Data:                              <unknown: 30>
  Version:                           48 <unknown: %lx>
  OS/ABI:                            <unknown: 30>
  ABI Version:                       48
  Type:                              <unknown>: 3030
  Machine:                           Texas Instruments TMS320C6000 DSP family
  Version:                           0x30303030
  Entry point address:               0x3030303030303030
  Start of program headers:          3472328296227680304 (bytes into file)
  Start of section headers:          2544 (bytes into file)
  Flags:                             0x30303030
  Size of this header:               12336 (bytes)
  Size of program headers:           12336 (bytes)
  Number of program headers:         12336
  Size of section headers:           64 (bytes)
  Number of section headers:         48
  Section header string table index: 26
readelf: Error: Section 9 has invalid sh_entsize of 3030303030303030
readelf: Error: (Using the expected size of 24 for the rest of this dump)
readelf: Error: Section 27 has invalid sh_entsize of 3030303030303030
readelf: Error: (Using the expected size of 24 for the rest of this dump)

Section Headers:
  [Nr] Name              Type             Address           Offset
       Size              EntSize          Flags  Link  Info  Align
  [ 0] <corrupt>         30303030: <unkn  3030303030303030  3030303030303030
       3030303030303030  3030303030303030 MSxxop      808464432   808464432     3472328296227680304
  [ 1] <corrupt>         30303030: <unkn  3030303030303030  3030303030303030
       3030303030303030  3030303030303030 MSxxop      808464432   808464432     3472328296227680304
  [ 2] <corrupt>         30303030: <unkn  3030303030303030  3030303030303030
       3030303030303030  3030303030303030 MSxxop      808464432   808464432     3472328296227680304
  [ 3] <corrupt>         30303030: <unkn  3030303030303030  3030303030303030
       3030303030303030  3030303030303030 MSxxop      808464432   808464432     3472328296227680304
  [ 4] <corrupt>         30303030: <unkn  3030303030303030  00000230
       0000000000000001  3030303030303030 MSxxop      808464432   808464432     3472328296227680304
  [ 5] <corrupt>         30303030: <unkn  3030303030303030  3030303030303030
       3030303030303030  3030303030303030 MSxxop      808464432   808464432     3472328296227680304
  [ 6] <corrupt>         30303030: <unkn  3030303030303030  3030303030303030
       3030303030303030  3030303030303030 MSxxop      808464432   808464432     3472328296227680304
  [ 7] <corrupt>         30303030: <unkn  3030303030303030  3030303030303030
       3030303030303030  3030303030303030 MSxxop      808464432   808464432     3472328296227680304
  [ 8] <corrupt>         30303030: <unkn  3030303030303030  3030303030303030
       3030303030303030  3030303030303030 MSxxop      808464432   808464432     3472328296227680304
  [ 9] <corrupt>         RELA             3030303030303030  00000347
       0000000000000430  0000000000000018 MSxxop      808464432    11     3472328296227680304
  [10] <corrupt>         30303030: <unkn  3030303030303030  3030303030303030
       3030303030303030  3030303030303030 MSxxop      808464432   808464432     3472328296227680304
  [11] <corrupt>         C6000_UNWIND     3030303030303030  00000030
       0000000000000030  3030303030303030 MSxxop      808464432   808464432     3472328296227680304
  [12] <corrupt>         30303030: <unkn  3030303030303030  3030303030303030
       3030303030303030  3030303030303030 MSxxop      808464432   808464432     3472328296227680304
  [13] <corrupt>         30303030: <unkn  3030303030303030  3030303030303030
       3030303030303030  3030303030303030 MSxxop      808464432   808464432     3472328296227680304
  [14] <corrupt>         30303030: <unkn  3030303030303030  3030303030303030
       3030303030303030  3030303030303030 MSxxop      808464432   808464432     3472328296227680304
  [15] <corrupt>         30303030: <unkn  3030303030303030  3030303030303030
       3030303030303030  3030303030303030 MSxxop      808464432   808464432     3472328296227680304
  [16] <corrupt>         30303030: <unkn  3030303030303030  3030303030303030
       3030303030303030  3030303030303030 MSxxop      808464432   808464432     3472328296227680304
  [17] <corrupt>         30303030: <unkn  3030303030303030  3030303030303030
       3030303030303030  3030303030303030 MSxxop      808464432   808464432     3472328296227680304
  [18] <corrupt>         30303030: <unkn  3030303030303030  3030303030303030
       3030303030303030  3030303030303030 MSxxop      808464432   808464432     3472328296227680304
  [19] <corrupt>         30303030: <unkn  3030303030303030  3030303030303030
       3030303030303030  3030303030303030 MSxxop      808464432   808464432     3472328296227680304
  [20] <corrupt>         30303030: <unkn  3030303030303030  3030303030303030
       3030303030303030  3030303030303030 MSxxop      808464432   808464432     3472328296227680304
  [21] <corrupt>         30303030: <unkn  3030303030303030  3030303030303030
       3030303030303030  3030303030303030 MSxxop      808464432   808464432     3472328296227680304
  [22] <corrupt>         30303030: <unkn  3030303030303030  3030303030303030
       3030303030303030  3030303030303030 MSxxop      808464432   808464432     3472328296227680304
  [23] <corrupt>         30303030: <unkn  3030303030303030  3030303030303030
       3030303030303030  3030303030303030 MSxxop      808464432   808464432     3472328296227680304
  [24] <corrupt>         30303030: <unkn  3030303030303030  3030303030303030
       3030303030303030  3030303030303030 MSxxop      808464432   808464432     3472328296227680304
  [25] <corrupt>         30303030: <unkn  3030303030303030  3030303030303030
       3030303030303030  3030303030303030 MSxxop      808464432   808464432     3472328296227680304
  [26] <corrupt>         30303030: <unkn  3030303030303030  00000830
       0000000000000030  3030303030303030 MSxxop      808464432   808464432     3472328296227680304
  [27] <corrupt>         SYMTAB           3030303030303030  00001130
       0000000000000600  0000000000000018 MSxxop      28   808464432     3472328296227680304
  [28] <corrupt>         30303030: <unkn  3030303030303030  3030303030303030
       3030303030303030  3030303030303030 MSxxop      808464432   808464432     3472328296227680304
  [29] <corrupt>         00043030: <unkn  3030303030303030  3030303030303030
       3030303030303030  3030303030303030 MSxxop      808464432   808464432     3472328296227680304
  [30] <corrupt>         30303030: <unkn  3030303030303030  3030303030303030
       3030303030303030  3030303030303030 MSxxop      808464432   808464432     3472328296227680304
  [31] <corrupt>         30303030: <unkn  3030303030303030  3030303030303030
       3030303030303030  3030303030303030 MSxxop      808464432   808464432     3472328296227680304
  [32] <corrupt>         30303030: <unkn  3030303030303030  3030303030303030
       3030303030303030  3030303030303030 MSxxop      808464432   808464432     3472328296227680304
  [33] <corrupt>         30303030: <unkn  3030303030303030  3030303030303030
       3030303030303030  3030303030303030 MSxxop      808464432   808464432     3472328296227680304
  [34] <corrupt>         30303030: <unkn  3030303030303030  3030303030303030
       3030303030303030  3030303030303030 MSxxop      808464432   808464432     3472328296227680304
  [35] <corrupt>         30303030: <unkn  3030303030303030  3030303030303030
       3030303030303030  3030303030303030 MSxxop      808464432   808464432     3472328296227680304
  [36] <corrupt>         30303030: <unkn  3030303030303030  3030303030303030
       3030303030303030  3030303030303030 MSxxop      808464432   808464432     3472328296227680304
  [37] <corrupt>         30303030: <unkn  3030303030303030  3030303030303030
       3030303030303030  3030303030303030 MSxxop      808464432   808464432     3472328296227680304
  [38] <corrupt>         30303030: <unkn  3030303030303030  3030303030303030
       3030303030303030  3030303030303030 MSxxop      808464432   808464432     3472328296227680304
  [39] <corrupt>         30303030: <unkn  3030303030303030  3030303030303030
       3030303030303030  3030303030303030 MSxxop      808464432   808464432     3472328296227680304
  [40] <corrupt>         30303030: <unkn  3030303030303030  3030303030303030
       3030303030303030  3030303030303030 MSxxop      808464432   808464432     3472328296227680304
  [41] <corrupt>         30303030: <unkn  3030303030303030  3030303030303030
       3030303030303030  3030303030303030 MSxxop      808464432   808464432     3472328296227680304
  [42] <corrupt>         30303030: <unkn  3030303030303030  3030303030303030
       3030303030303030  3030303030303030 MSxxop      808464432   808464432     3472328296227680304
  [43] <corrupt>         30303030: <unkn  3030303030303030  3030303030303030
       3030303030303030  3030303030303030 MSxxop      808464432   808464432     3472328296227680304
  [44] <corrupt>         30303030: <unkn  3030303030303030  3030303030303030
       3030303030303030  3030303030303030 MSxxop      808464432   808464432     3472328296227680304
  [45] <corrupt>         30303030: <unkn  3030303030303030  3030303030303030
       3030303030303030  3030303030303030 MSxxop      808464432   808464432     3472328296227680304
  [46] <corrupt>         30303030: <unkn  3030303030303030  3030303030303030
       3030303030303030  3030303030303030 MSxxop      808464432   808464432     3472328296227680304
  [47] <corrupt>         30303030: <unkn  3030303030303030  3030303030303030
       3030303030303030  3030303030303030 MSxxop      808464432   808464432     3472328296227680304
Key to Flags:
  W (write), A (alloc), X (execute), M (merge), S (strings)
  I (info), L (link order), G (group), T (TLS), E (exclude), x (unknown)
  O (extra OS processing required) o (OS specific), p (processor specific)

There are no section groups in this file.
readelf: Warning: The e_phentsize field in the ELF header is larger than the size of an ELF program header
readelf: Error: Reading 0x9120900 bytes extends past end of file for program headers

Relocation section '<corrupt>' at offset 0x347 contains 44 entries:
  Offset          Info           Type           Sym. Value    Sym. Name + Addend
000000000004  3030303030303030 unrecognized: 30303030 bad symbol index: 30303030
000000000020  3030303030303030 unrecognized: 30303030 bad symbol index: 30303030
000000000024  000000000019 R_C6000_PREL31                       3030303030303030
3030303030303030  3030303030303030 unrecognized: 30303030 bad symbol index: 30303030
3030303030303030  3030303030303030 unrecognized: 30303030 bad symbol index: 30303030
3030303030303030  3030303030303030 unrecognized: 30303030 bad symbol index: 30303030
3030303030303030  3030303030303030 unrecognized: 30303030 bad symbol index: 30303030
3030303030303030  3030303030303030 unrecognized: 30303030 bad symbol index: 30303030
3030303030303030  3030303030303030 unrecognized: 30303030 bad symbol index: 30303030
3030303030303030  3030303030303030 unrecognized: 30303030 bad symbol index: 30303030
3030303030303030  3030303030303030 unrecognized: 30303030 bad symbol index: 30303030
3030303030303030  3030303030303030 unrecognized: 30303030 bad symbol index: 30303030
3030303030303030  3030303030303030 unrecognized: 30303030 bad symbol index: 30303030
3030303030303030  3030303030303030 unrecognized: 30303030 bad symbol index: 30303030
3030303030303030  3030303030303030 unrecognized: 30303030 bad symbol index: 30303030
3030303030303030  3030303030303030 unrecognized: 30303030 bad symbol index: 30303030
3030303030303030  3030303030303030 unrecognized: 30303030 bad symbol index: 30303030
3030303030303030  3030303030303030 unrecognized: 30303030 bad symbol index: 30303030
3030303030303030  3030303030303030 unrecognized: 30303030 bad symbol index: 30303030
3030303030303030  3030303030303030 unrecognized: 30303030 bad symbol index: 30303030
3030303030303030  3030303030303030 unrecognized: 30303030 bad symbol index: 30303030
3030303030303030  3030303030303030 unrecognized: 30303030 bad symbol index: 30303030
3030303030303030  3030303030303030 unrecognized: 30303030 bad symbol index: 30303030
3030303030303030  3030303030303030 unrecognized: 30303030 bad symbol index: 30303030
3030303030303030  3030303030303030 unrecognized: 30303030 bad symbol index: 30303030
3030303030303030  3030303030303030 unrecognized: 30303030 bad symbol index: 30303030
3030303030303030  3030303030303030 unrecognized: 30303030 bad symbol index: 30303030
3030303030303030  3030303030303030 unrecognized: 30303030 bad symbol index: 30303030
3030303030303030  3030303030303030 unrecognized: 30303030 bad symbol index: 30303030
3030303030303030  3030303030303030 unrecognized: 30303030 bad symbol index: 30303030
3030303030303030  3030303030303030 unrecognized: 30303030 bad symbol index: 30303030
3030303030303030  3030303030303030 unrecognized: 30303030 bad symbol index: 30303030
3030303030303030  3030303030303030 unrecognized: 30303030 bad symbol index: 30303030
3030303030303030  3030303030303030 unrecognized: 30303030 bad symbol index: 30303030
3030303030303030  3030303030303030 unrecognized: 30303030 bad symbol index: 30303030
3030303030303030  3030303030303030 unrecognized: 30303030 bad symbol index: 30303030
3030303030303030  3030303030303030 unrecognized: 30303030 bad symbol index: 30303030
3030303030303030  3030303030303030 unrecognized: 30303030 bad symbol index: 30303030
3030303030303030  3030303030303030 unrecognized: 30303030 bad symbol index: 30303030
3030303030303030  3030303030303030 unrecognized: 30303030 bad symbol index: 30303030
3030303030303030  3030303030303030 unrecognized: 30303030 bad symbol index: 30303030
3030303030303030  3030303030303030 unrecognized: 30303030 bad symbol index: 30303030
3030303030303030  3030303030303030 unrecognized: 30303030 bad symbol index: 30303030
3030303030303030  3030303030303030 unrecognized: 30303030 bad symbol index: 30303030
readelf: Error: Reading 0x3030303030303030 bytes extends past end of file for string table

Unwind table index '<corrupt>' at offset 0x30 contains 3 entries:

readelf: Error: Bad symbol index in unwind relocation (13563782407139376 > 64)
0x3030303090909090: @0x3030303090909094
readelf: Error: Reading 0x3030303030303030 bytes extends past end of file for unwind data

0x3030303030b09098: @0x303030303064309c

0x30303030909090a0: @0x30303030909090a4

0x30303030909090a8: @0x30303030909090ac

readelf: Error: Bad symbol index in unwind relocation (13563782407139376 > 64)
0x30303030909090b0: @0x3030303060606060
==45049== Invalid read of size 1
==45049==    at 0x562320: byte_get_little_endian (elfcomm.c:149)
==45049==    by 0x495932: get_unwind_section_word (readelf.c:7525)
==45049==    by 0x495932: decode_arm_unwind (readelf.c:8095)
==45049==    by 0x49BCEC: dump_arm_unwind (readelf.c:8317)
==45049==    by 0x49BCEC: arm_process_unwind (readelf.c:8397)
==45049==    by 0x4C7C4F: process_unwind (readelf.c:8430)
==45049==    by 0x4C7C4F: process_object (readelf.c:16044)
==45049==    by 0x403D00: process_file (readelf.c:16426)
==45049==    by 0x403D00: main (readelf.c:16497)
==45049==  Address 0x6060606065a995f1 is not stack'd, malloc'd or (recently) free'd
==45049== 
==45049== 
==45049== Process terminating with default action of signal 11 (SIGSEGV)
==45049==  General Protection Fault
==45049==    at 0x562320: byte_get_little_endian (elfcomm.c:149)
==45049==    by 0x495932: get_unwind_section_word (readelf.c:7525)
==45049==    by 0x495932: decode_arm_unwind (readelf.c:8095)
==45049==    by 0x49BCEC: dump_arm_unwind (readelf.c:8317)
==45049==    by 0x49BCEC: arm_process_unwind (readelf.c:8397)
==45049==    by 0x4C7C4F: process_unwind (readelf.c:8430)
==45049==    by 0x4C7C4F: process_object (readelf.c:16044)
==45049==    by 0x403D00: process_file (readelf.c:16426)
==45049==    by 0x403D00: main (readelf.c:16497)
Segmentation fault

GDB:
[readelf output identical to the Valgrind run above omitted]

Program received signal SIGSEGV, Segmentation fault.
0x0000000000562320 in byte_get_little_endian ()
(gdb) bt
#0  0x0000000000562320 in byte_get_little_endian ()
#1  0x0000000000495933 in decode_arm_unwind () at readelf.c:7525
#2  0x000000000049bced in arm_process_unwind () at readelf.c:8317
#3  0x00000000004c7c50 in process_object () at readelf.c:8430
#4  0x0000000000403d01 in main () at readelf.c:16426
(gdb) i r
rax            0x4	4
rbx            0x4	4
rcx            0x7e3360	8270688
rdx            0x30303030	808464432
rsi            0x4	4
rdi            0x6060606060de7520	6944656592463623456
rbp            0x1	0x1
rsp            0x7fffffffddf0	0x7fffffffddf0
r8             0x7e14c0	8262848
r9             0x7ffff7fde700	140737354000128
r10            0x7ffff7fde700	140737354000128
r11            0x246	582
r12            0x7e3220	8270368
r13            0x0	0
r14            0x6060606060606060	6944656592455360608
r15            0x7e3590	8271248
rip            0x562320	0x562320 <byte_get_little_endian+400>
eflags         0x10297	[ CF PF AF SF IF RF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0
Comment 1 cvs-commit@gcc.gnu.org 2015-09-03 15:16:54 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=1a9155522d3d1f6aded1178ad7038e846b6d67ba

commit 1a9155522d3d1f6aded1178ad7038e846b6d67ba
Author: Nick Clifton <nickc@redhat.com>
Date:   Thu Sep 3 16:15:49 2015 +0100

    Fix seg-fault in readelf when scanning a corrupt binary.
    
    	PR binutils/18879
    	* readelf.c (get_unwind_section_word): Check for negative offsets
    	and very small sections.
    	(dump_arm_unwind): Warn if the table offset is too large.
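The trace above shows byte_get_little_endian faulting at 0x6060606065a995f1, an address formed by adding an offset taken from the corrupt unwind table to the section buffer pointer, and the ChangeLog says the fix rejects negative offsets and sections too small to hold a word. The C program below is an added illustration of that check, written for this page; it is not readelf's code. It pairs the unchecked read with a bounds-checked replacement and walks a constructed unwind index table. It simplifies the real format by treating each entry's PREL31 offset as relative to the entry's own position within the same section (a real table points into a separate unwind data section); the table bytes, the struct and all function names are invented for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* A section as a dumper would hold it after loading it from the file:
   a byte buffer and the number of bytes actually read (the declared
   sh_size clamped to what the file really contains). */
struct section_buf {
    const unsigned char *data;
    size_t size;
};

/* Little-endian 32-bit read of four bytes already known to be in range. */
static uint32_t byte_get_le32(const unsigned char *p)
{
    return (uint32_t) p[0] | ((uint32_t) p[1] << 8)
         | ((uint32_t) p[2] << 16) | ((uint32_t) p[3] << 24);
}

/* The pattern that crashed readelf: an offset taken straight from the
   unwind table is added to the section pointer and dereferenced. With a
   negative or oversized offset this reads from an unmapped address.
   Only safe when the caller has proved 0 <= off <= size - 4. */
static uint32_t read_word_unchecked(const struct section_buf *s, int64_t off)
{
    return byte_get_le32(s->data + off);
}

/* Hardened form: refuse negative offsets, sections too small to hold a
   word, and offsets whose last byte would fall past the end. The range
   test is done on integers, not pointers, so it cannot itself overflow. */
static int get_section_word_checked(const struct section_buf *s, int64_t off,
                                    uint32_t *out)
{
    if (s == NULL || s->data == NULL || out == NULL)
        return 0;
    if (off < 0)                       /* relative offset went before the start */
        return 0;
    if (s->size < 4)                   /* section cannot hold even one word */
        return 0;
    if ((uint64_t) off > s->size - 4)  /* word would end past the section */
        return 0;
    *out = byte_get_le32(s->data + off);
    return 1;
}

/* Decode a PREL31 field: bit 31 is a flag, bits 0..30 are a signed
   31-bit offset whose sign lives in bit 30. */
static int64_t prel31_to_offset(uint32_t word)
{
    uint32_t v = word & 0x7fffffffu;
    return (v & 0x40000000u) ? (int64_t) v - 0x80000000LL : (int64_t) v;
}

/* Walk an index table of 8-byte entries {prel31 offset, unwind word}.
   Each target is resolved through the checked reader; entries whose
   target lies outside the section are counted in *rejected instead of
   being dereferenced. Returns the number of entries that resolved. */
static size_t walk_unwind_index(const struct section_buf *s, size_t *rejected)
{
    size_t ok = 0, bad = 0;
    for (size_t pos = 0; pos + 8 <= s->size; pos += 8) {
        uint32_t fn_word, target_word;
        if (!get_section_word_checked(s, (int64_t) pos, &fn_word)) { bad++; continue; }
        int64_t target = (int64_t) pos + prel31_to_offset(fn_word);
        if (get_section_word_checked(s, target, &target_word))
            ok++;
        else
            bad++;
    }
    if (rejected) *rejected = bad;
    return ok;
}

/* Constructed 16-byte table (not the bug's test case): entry 0 points
   +8 bytes forward (in range); entry 1 encodes -16 and lands before the
   start of the section, the kind of offset the unchecked read follows. */
static const unsigned char sample_table[16] = {
    0x08, 0x00, 0x00, 0x00,  0x01, 0x00, 0x00, 0x80,
    0xf0, 0xff, 0xff, 0x7f,  0x00, 0x00, 0x00, 0x00,
};

static struct section_buf sample_section(void)
{
    struct section_buf s = { sample_table, sizeof sample_table };
    return s;
}

int main(void)
{
    struct section_buf s = sample_section();
    size_t rejected = 0;
    size_t ok = walk_unwind_index(&s, &rejected);
    printf("resolved %zu entries, rejected %zu\n", ok, rejected);
    printf("entry 0 unwind word (offset 4, known in range): 0x%08x\n",
           read_word_unchecked(&s, 4));
    return 0;
}
```

The order of the tests in get_section_word_checked matters: testing `size < 4` before computing `size - 4` avoids an unsigned wrap that would make every offset look valid on a section of 0 to 3 bytes, and comparing integers instead of forming `data + off` first avoids the undefined pointer arithmetic that produced the 0x6060606065a995f1 address in the trace.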
Comment 2 Nick Clifton 2015-09-03 15:17:54 UTC
Created attachment 8578
Check for large offsets in a small section
Comment 3 Nick Clifton 2015-09-03 15:18:24 UTC
Hi Brian,

  Thanks for reporting this bug.  I have checked in the uploaded patch which should fix this problem.

Cheers
  Nick
Comment 4 Florian Weimer 2015-09-08 12:00:21 UTC
It seems this is just an invalid read.  readelf runs as a separate process, and the readelf process image only contains the readelf program, system libraries, and the input file, so I don't think this is a security vulnerability.