Bug 22216 - infinite loop in readelf process_symbol_table
Summary: infinite loop in readelf process_symbol_table
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils (show other bugs)
Version: 2.30
Importance: P2 normal
Target Milestone: 2.30
Assignee: Alan Modra
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-09-27 03:48 UTC by skysider
Modified: 2017-09-27 08:03 UTC (History)
0 users

See Also:
Host:
Target:
Build:
Last reconfirmed: 2017-09-27 00:00:00


Attachments
poc of infinite loop (7.21 KB, application/x-executable)
2017-09-27 03:48 UTC, skysider

Description skysider 2017-09-27 03:48:28 UTC
Created attachment 10489 [details]
poc of infinite loop

When I run "readelf -a -g -t --dyn-syms -n -u -c -D -I loop3.elf", it just prints information persistently. I look into the problem and find that the problem is in the function process_symbol_table. Here is part of its snippet:

11446           for (hn = 0; hn < nbuckets; hn++)
11447             {
11448               if (! buckets[hn])
11449                 continue;
11450 
11451               for (si = buckets[hn]; si < nchains && si > 0; si = chains[si])
11452                 print_dynamic_symbol (si, hn);
11453             }
11454         }
11455 

When infinite loop happens, var si=1, while chains[1]=1, so the for loop in line 11452 will never stop.
The poc is attached here.
Comment 1 cvs-commit@gcc.gnu.org 2017-09-27 08:02:08 UTC
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=6bd6a03d6975a96802b37741a99644570e52a72b

commit 6bd6a03d6975a96802b37741a99644570e52a72b
Author: Alan Modra <amodra@gmail.com>
Date:   Wed Sep 27 15:14:00 2017 +0930

    PR22216, infinite loop in readelf process_symbol_table
    
    This should make readelf bombproof given a fuzzed DT_HASH.  Also
    removes a bogus check that would have resulted in wrong histograms.
    
    	PR 22216
    	* readelf.c (process_symbol_table): Check that DT_HASH symbol
    	chains are only visited once, and report an error if not.  Display
    	invalid symbol index if chain is out of range.  Use the same logic
    	when calculating histograms rather than the PR 17531 fix.  Delete
    	bogus check that chained index is less than number of buckets.
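As an added example that is not part of this bug report or of the binutils fix itself: a small C program with constructed DT_HASH-style bucket and chain tables (not the attached PoC) shows the pre-fix chain walk from the description, which only bounds-checks the index and therefore spins on a chain entry that points back at itself (si=1, chains[1]=1), beside a walker that tracks which chain entries have been visited and reports a revisited or out-of-range symbol index, which is the approach the commit message above describes. The function and table names are mine, not readelf's; the unchecked walker takes a step limit so that the hang can be observed instead of reproduced.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed tables (not taken from the attached PoC). nchains counts
   dynamic symbols; chains[si] gives the next symbol in the same bucket,
   0 terminating the chain. */
#define NBUCKETS 2UL
#define NCHAINS  4UL
static const unsigned long kBuckets[NBUCKETS] = { 1, 3 };
/* Bucket 0 -> symbol 1, whose chain entry points back to 1: a cycle.
   Bucket 1 -> 3 -> 2 -> end: a well-formed chain of two symbols. */
static const unsigned long kChainsCycle[NCHAINS] = { 0, 1, 0, 2 };
/* Bucket 0 -> symbol 1, whose chain entry (7) is outside nchains. */
static const unsigned long kChainsOutOfRange[NCHAINS] = { 0, 7, 0, 0 };

/* Pre-fix style walk: only a bounds check on si, so a self-referencing
   chain entry never terminates. Returns the number of symbols visited,
   or -1 if max_steps was exceeded (our stand-in for "never stops"). */
long walk_chain_unchecked(const unsigned long *buckets, unsigned long nbuckets,
                          const unsigned long *chains, unsigned long nchains,
                          unsigned long hn, unsigned long max_steps)
{
    unsigned long si, steps = 0;
    if (hn >= nbuckets)
        return -1;
    for (si = buckets[hn]; si < nchains && si > 0; si = chains[si]) {
        if (++steps > max_steps)
            return -1;            /* would loop forever on a cycle */
    }
    return (long)steps;
}

/* Hardened walk: every chain entry may be visited once, and an index that
   is not below nchains is reported instead of silently ending the walk.
   Returns the number of symbols visited, or -1 with a message in err. */
long walk_chain_checked(const unsigned long *buckets, unsigned long nbuckets,
                        const unsigned long *chains, unsigned long nchains,
                        unsigned long hn, char *err, size_t errlen)
{
    unsigned long si, steps = 0;
    unsigned char *visited;
    if (hn >= nbuckets) {
        snprintf(err, errlen, "bucket %lu out of range", hn);
        return -1;
    }
    visited = calloc(nchains ? nchains : 1, 1);
    if (!visited) {
        snprintf(err, errlen, "out of memory");
        return -1;
    }
    for (si = buckets[hn]; si > 0; si = chains[si]) {
        if (si >= nchains) {
            snprintf(err, errlen, "invalid symbol index %lu in chain for bucket %lu", si, hn);
            free(visited);
            return -1;
        }
        if (visited[si]) {
            snprintf(err, errlen, "chain for bucket %lu revisits symbol %lu", hn, si);
            free(visited);
            return -1;
        }
        visited[si] = 1;      /* mark before following chains[si], which is now in range */
        steps++;
    }
    free(visited);
    return (long)steps;
}

int main(void)
{
    char err[128];
    unsigned long hn;
    for (hn = 0; hn < NBUCKETS; hn++) {
        long u = walk_chain_unchecked(kBuckets, NBUCKETS, kChainsCycle, NCHAINS, hn, 1000);
        long c = walk_chain_checked(kBuckets, NBUCKETS, kChainsCycle, NCHAINS, hn, err, sizeof err);
        printf("bucket %lu: unchecked=%ld checked=%ld%s%s\n", hn, u, c,
               c < 0 ? " error: " : "", c < 0 ? err : "");
    }
    if (walk_chain_checked(kBuckets, NBUCKETS, kChainsOutOfRange, NCHAINS, 0, err, sizeof err) < 0)
        printf("out-of-range table: %s\n", err);
    return 0;
}
```

With the cyclic table, bucket 0 makes the unchecked walker hit the step limit while the checked walker stops at the first repeated index; with the out-of-range table, the unchecked walker simply falls out of the loop after one symbol, whereas the checked walker names the bad index, which is the difference between hiding a corrupt DT_HASH and diagnosing it.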
Comment 2 Alan Modra 2017-09-27 08:03:55 UTC
Fixed