Bug 22510 - Segmentation fault on load_debug_section
Summary: Segmentation fault on load_debug_section
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils
Version: 2.30
Importance: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-11-28 09:41 UTC by Mingi Cho
Modified: 2017-11-30 10:27 UTC

See Also:
Host:
Target:
Build:
Last reconfirmed:


Attachments
poc of the crash (3.07 KB, application/x-executable)
2017-11-28 09:41 UTC, Mingi Cho

Description Mingi Cho 2017-11-28 09:41:42 UTC
Created attachment 10646
poc of the crash

Triggered by "./readelf -w $POC"
Tested on Ubuntu 16.04 (x86)

A segmentation fault occurred when processing a malformed ELF file.


The GDB debugging information is as follows:

Program received signal SIGSEGV, Segmentation fault.
0x08049298 in load_debug_section (debug=str, data=0x8104908) at readelf.c:13584
13584	      if (strs != NULL && strs->sh_size != 0)
(gdb) bt
#0  0x08049298 in load_debug_section (debug=str, data=0x8104908) at readelf.c:13584
#1  0x0809abcf in load_separate_debug_file (file=0x8104908, 
    filename=0xbffff2b8 "/home/min/Downloads/load_debug_section") at dwarf.c:9839
#2  0x0805264f in process_object (filedata=0x8104908) at readelf.c:18569
#3  0x0804b079 in process_file (file_name=0xbffff2b8 "/home/min/Downloads/load_debug_section") at readelf.c:18991
#4  0x0804a42a in main (argc=3, argv=0xbffff0a4) at readelf.c:19050


Credits:

Mingi Cho and Taekyoung Kwon of the Information Security Lab, Yonsei University.
Comment 1 Sourceware Commits 2017-11-30 10:26:18 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f425ec6600b69e39eb605f3128806ff688137ea8

commit f425ec6600b69e39eb605f3128806ff688137ea8
Author: Nick Clifton <nickc@redhat.com>
Date:   Thu Nov 30 10:25:01 2017 +0000

    Prevent an illegal memory access in readelf when attempting to parse a corrupt ELF file.
    
    	PR 22510
    	* readelf.c (load_debug_section): Fail if there are no section
    	headers available.
Comment 2 Nick Clifton 2017-11-30 10:27:55 UTC
Hi Mingi,

  Thanks for reporting this bug.  I have checked in the obvious fix - a check
  for an absence of section headers before attempting to load any debug section:

    https://sourceware.org/ml/binutils/2017-11/msg00568.html

Cheers
  Nick
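As an added example (not binutils code, and not the attached PoC), the class of guard described in the commit message and in Nick's reply, applied to a minimal ELF64 parser: refuse to read any section header when the file carries none, or when the header table lies beyond the end of the file. The names section_headers_available, get_section and lookup_demo and the constructed sample image are assumptions of this example; it handles ELF64 only.

```c
#include <elf.h>
#include <stdint.h>
#include <string.h>

/* Does the image carry a usable section header table? A corrupt or stripped
   file sets e_shoff/e_shnum to zero or points the table past end of file;
   reading a section header then is the invalid access seen in the backtrace.
   ELF64 only. Returns 1 when headers are available, else 0. */
int section_headers_available(const unsigned char *buf, size_t len)
{
    Elf64_Ehdr eh;
    if (buf == NULL || len < sizeof eh) return 0;
    memcpy(&eh, buf, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 || eh.e_ident[EI_CLASS] != ELFCLASS64) return 0;
    if (eh.e_shoff == 0 || eh.e_shnum == 0) return 0;         /* no table at all */
    if (eh.e_shentsize < sizeof(Elf64_Shdr)) return 0;       /* bogus entry size */
    uint64_t tbl = (uint64_t)eh.e_shentsize * eh.e_shnum;      /* 16 x 16 bits: no overflow */
    if (eh.e_shoff > len || tbl > len - eh.e_shoff) return 0;  /* table past EOF */
    return 1;
}

/* Copy section header idx into *out, but only after the guard above passes. */
int get_section(const unsigned char *buf, size_t len, unsigned idx, Elf64_Shdr *out)
{
    Elf64_Ehdr eh;
    if (!section_headers_available(buf, len)) return 0;       /* the fix's check */
    memcpy(&eh, buf, sizeof eh);
    if (idx >= eh.e_shnum) return 0;
    memcpy(out, buf + eh.e_shoff + (size_t)idx * eh.e_shentsize, sizeof *out);
    return 1;
}

/* Constructed sample (assumed, not the attached PoC): ELF64 header followed by
   nsections zeroed section headers (0 = the "no section headers" layout), image
   optionally truncated to trunc bytes (0 = none). 1 if section idx is readable. */
int lookup_demo(unsigned nsections, size_t trunc, unsigned idx)
{
    unsigned char img[sizeof(Elf64_Ehdr) + 4 * sizeof(Elf64_Shdr)] = {0};
    Elf64_Ehdr eh; memset(&eh, 0, sizeof eh);
    Elf64_Shdr sh;
    size_t len = sizeof eh + (size_t)nsections * sizeof(Elf64_Shdr);
    if (nsections > 4) return 0;                              /* keep img in bounds */
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64; eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_ehsize = sizeof eh; eh.e_shentsize = sizeof(Elf64_Shdr);
    eh.e_shnum = nsections; eh.e_shoff = nsections ? sizeof eh : 0;
    memcpy(img, &eh, sizeof eh);
    if (trunc && trunc < len) len = trunc;
    return get_section(img, len, idx, &sh);
}
```

lookup_demo(0, 0, 0) exercises the reported layout (no section headers) and returns 0 instead of reading through a null section pointer; lookup_demo(1, 64, 0) shows the same guard rejecting a table that lies past the end of the file.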