Bug 19255 - Malformed ELF triggers NULL pointer dereference in _bfd_elf_setup_sections
Summary: Malformed ELF triggers NULL pointer dereference in _bfd_elf_setup_sections
Status: RESOLVED DUPLICATE of bug 18758
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils (show other bugs)
Version: 2.25
: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-11-17 23:28 UTC by Brandon Azad
Modified: 2015-11-20 15:01 UTC (History)
1 user (show)

See Also:
Host:
Target:
Build:
Last reconfirmed:

Attachments
ELF file to reproduce (1.81 KB, application/x-executable)
2015-11-17 23:28 UTC, Brandon Azad 		Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Brandon Azad 2015-11-17 23:28:21 UTC 
Created attachment 8789 [details]
ELF file to reproduce

A malformed ELF file can trigger a NULL pointer dereference in the function _bfd_elf_setup_sections in elf.c:

835              /* There are some unknown sections in the group.  */
836              (*_bfd_error_handler)
837                (_("%B: unknown [%d] section `%s' in group [%s]"),
838                 abfd,
839                 (unsigned int) idx->shdr->sh_type,
840                 bfd_elf_string_from_elf_section (abfd,
841                                                  (elf_elfheader (abfd)
842                                                   ->e_shstrndx),
843                                                  idx->shdr->sh_name),
844                 shdr->bfd_section->name);
845              result = FALSE;

shdr->bfd_section is NULL when the above code is run. This is unlikely to be exploitable.

Found with American Fuzzy Lop.
Comment 1 Nick Clifton 2015-11-20 15:01:52 UTC 
Hi Bazad,

  This problem has already been reported and fixed in PR 18758.  But thanks very much for reporting the problem anyway.

Cheers
  Nick

*** This bug has been marked as a duplicate of bug 18758 ***