Created attachment 10489: poc of infinite loop
When I run "readelf -a -g -t --dyn-syms -n -u -c -D -I loop3.elf", it just prints information persistently. I looked into the problem and found that it is in the function process_symbol_table. Here is part of its snippet:

    11446   for (hn = 0; hn < nbuckets; hn++)
    11447     {
    11448       if (! buckets[hn])
    11449         continue;
    11450
    11451       for (si = buckets[hn]; si < nchains && si > 0; si = chains[si])
    11452         print_dynamic_symbol (si, hn);
    11453     }
When the infinite loop happens, si = 1 while chains[si] = 1, so the for loop at line 11452 never stops.
The PoC is attached here.
The master branch has been updated by Alan Modra <email@example.com>:
Author: Alan Modra <firstname.lastname@example.org>
Date: Wed Sep 27 15:14:00 2017 +0930
PR22216, infinite loop in readelf process_symbol_table
This should make readelf bombproof given a fuzzed DT_HASH. Also
removes a bogus check that would have resulted in wrong histograms.
* readelf.c (process_symbol_table): Check that DT_HASH symbol
chains are only visited once, and report an error if not. Display
invalid symbol index if chain is out of range. Use the same logic
when calculating histograms rather than the PR 17531 fix. Delete
bogus check that chained index is less than number of buckets.
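The cycle described in the report and the "visited once" check the commit describes, as an added example written for this page (not readelf's code and not the upstream patch): the chain walk from the snippet above is repeated with a visited array, so a chains[] entry that points back at an index already printed, or past the end of the table, is reported instead of being followed forever. Names (walk_bucket, walk_dt_hash, the CHAIN_* codes) and the sample tables are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
enum { CHAIN_OK = 0, CHAIN_CYCLE = 1, CHAIN_OUT_OF_RANGE = 2 };  /* readelf calls error() instead */
/* Follow the chain hanging off buckets[hn].  'visited' (one byte per symbol index,
   shared by all buckets) turns a revisit such as chains[1] == 1 into an error.  */
static int
walk_bucket (const unsigned long *buckets, unsigned long hn,
             const unsigned long *chains, unsigned long nchains,
             unsigned char *visited, unsigned long *nprinted)
{
  for (unsigned long si = buckets[hn]; si > 0; si = chains[si])
    {
      if (si >= nchains)
        return CHAIN_OUT_OF_RANGE;  /* fuzzed index past the chain table */
      if (visited[si])
        return CHAIN_CYCLE;         /* already printed once: the PoC's loop */
      visited[si] = 1;
      (*nprinted)++;                /* stands in for print_dynamic_symbol (si, hn) */
    }
  return CHAIN_OK;
}

/* Walk every bucket; returns symbols printed, or -code on corruption (-3: no memory).  */
long
walk_dt_hash (const unsigned long *buckets, unsigned long nbuckets,
              const unsigned long *chains, unsigned long nchains)
{
  unsigned char *visited = calloc (nchains + 1, 1);
  unsigned long printed = 0, hn;
  int st = CHAIN_OK;
  if (visited == NULL)
    return -3;
  for (hn = 0; hn < nbuckets && st == CHAIN_OK; hn++)
    if (buckets[hn] != 0)
      st = walk_bucket (buckets, hn, chains, nchains, visited, &printed);
  free (visited);
  return st == CHAIN_OK ? (long) printed : -st;
}

/* Constructed tables: 2 buckets, 4 slots; bad_chains has chains[1] == 1 (the PoC's cycle).  */
const unsigned long sample_buckets[2] = { 1, 3 };
const unsigned long good_chains[4] = { 0, 2, 0, 0 };
const unsigned long bad_chains[4] = { 0, 1, 0, 0 };
const unsigned long oob_chains[4] = { 0, 9, 0, 0 };   /* index 9 is past nchains */
int main (void)
{
  printf ("good=%ld fuzzed=%ld oob=%ld\n", walk_dt_hash (sample_buckets, 2, good_chains, 4),
          walk_dt_hash (sample_buckets, 2, bad_chains, 4),
          walk_dt_hash (sample_buckets, 2, oob_chains, 4));
  return 0;
}
```

The well-formed table yields the three printed symbols, while the fuzzed tables stop after the first symbol with a negative status rather than hanging.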