Bug 23945 - NULL pointer dereference in readelf.c:slurp_hppa_unwind_table
Summary: NULL pointer dereference in readelf.c:slurp_hppa_unwind_table
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils
Version: 2.31
Importance: P2 normal
Target Milestone: 2.32
Assignee: Alan Modra
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-12-01 04:15 UTC by ganshuitao
Modified: 2018-12-01 11:56 UTC
CC List: 0 users

See Also:
Host:
Target:
Build:
Last reconfirmed: 2018-12-01 00:00:00


Attachments
Triggered by “./readelf -aW poc0” (2.10 KB, application/octet-stream)
2018-12-01 04:15 UTC, ganshuitao

Description ganshuitao 2018-12-01 04:15:29 UTC
Created attachment 11425
Triggered by “./readelf -aW poc0”

version: binutils 2.31
Summary: 

There is an illegal READ memory access at binutils/readelf.c:8028 (function slurp_hppa_unwind_table) that could cause a crash in binutils 2.31.

Description:

The ASan debug output is as follows:

$./readelf -aW POC0

ASAN:DEADLYSIGNAL
=================================================================
==112614==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f41689057d9 bp 0x7fffc6885440 sp 0x7fffc6884ba0 T0)
==112614==The signal is caused by a READ memory access.
==112614==Hint: address points to the zero page.
    #0 0x7f41689057d8  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5a7d8)
    #1 0x55eb6edc3485 in slurp_hppa_unwind_table /home/company/real/binutils-2.31/binutils/readelf.c:8028
    #2 0x55eb6edc3485 in hppa_process_unwind /home/company/real/binutils-2.31/binutils/readelf.c:8115
    #3 0x55eb6ede985c in process_unwind /home/company/real/binutils-2.31/binutils/readelf.c:9253
    #4 0x55eb6ede985c in process_object /home/company/real/binutils-2.31/binutils/readelf.c:18822
    #5 0x55eb6ed9daa9 in process_file /home/company/real/binutils-2.31/binutils/readelf.c:19259
    #6 0x55eb6ed9daa9 in main /home/company/real/binutils-2.31/binutils/readelf.c:19318
    #7 0x7f41684ec1c0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x211c0)
    #8 0x55eb6ed9e319 in _start (/home/company/real/binutils-2.31/install_asan/bin/readelf+0x98319)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5a7d8) 
==112614==ABORTING
Comment 1 Sourceware Commits 2018-12-01 11:49:18 UTC
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=726bd37d6c5d5013d34023044ed7cbbb01317978

commit 726bd37d6c5d5013d34023044ed7cbbb01317978
Author: Alan Modra <amodra@gmail.com>
Date:   Sat Dec 1 21:15:03 2018 +1030

    PR23945, NULL pointer dereference in readelf.c:slurp_hppa_unwind_table
    
    	PR 23945
    	* readelf.c (slurp_ia64_unwind_table): Don't call elf_ia64_reloc_type
    	needlessly.
    	(slurp_hppa_unwind_table): Use same range checks and error messages
    	as slurp_ia64_unwind_table.
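The ChangeLog entry above says the fix was to give slurp_hppa_unwind_table the same range checks as slurp_ia64_unwind_table. The block below is an added illustration of that class of check and is not readelf's code or the commit's diff: a simplified model of an unwind table being patched from a relocation list and a symbol table, where each relocation's offset is validated against the table's extent and its symbol index against the symbol table's size before anything is dereferenced, and a missing table or symbol table is refused up front. The 16-byte, four-word entry layout, the struct and function names, the warning texts and the sample data are all assumptions made for the example.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define UNW_ENT_SIZE 16   /* assumed layout: one entry is four 32-bit words */
struct unw_entry { uint32_t w[UNW_ENT_SIZE / 4]; };
struct reloc     { uint64_t r_offset; uint32_t sym_index; int32_t addend; };
struct symbol    { const char *name; uint32_t value; };
/* table or symtab is NULL when that section could not be read from the file. */
struct unw_aux {
    struct unw_entry *table; size_t nentries; uint64_t seg_base;
    struct symbol *symtab; size_t nsyms;
};

/* Apply relocations to the unwind table. Without the checks below the loop is
 * just table[i].w[j] = symtab[sym_index].value + addend, so a NULL symtab, a
 * sym_index past nsyms or an r_offset outside the table is dereferenced anyway.
 * Here bad input is warned about and skipped. Returns the number applied,
 * counts the skipped ones in *skipped, and returns -1 when there is no table
 * or no symbol table to work with. (Hypothetical code, not readelf's.) */
static int apply_relocs_checked(struct unw_aux *aux, const struct reloc *rels,
                                size_t nrels, size_t *skipped)
{
    *skipped = 0;
    if (aux->table == NULL || aux->nentries == 0 || aux->symtab == NULL) {
        fprintf(stderr, "warning: no unwind table or symbol table to relocate\n");
        return -1;
    }
    uint64_t table_size = (uint64_t)aux->nentries * UNW_ENT_SIZE;
    int applied = 0;
    for (size_t k = 0; k < nrels; k++) {
        const struct reloc *rp = &rels[k];
        /* r_offset must fall inside the table, on a word boundary. */
        if (rp->r_offset < aux->seg_base
            || rp->r_offset - aux->seg_base >= table_size
            || (rp->r_offset - aux->seg_base) % 4 != 0) {
            fprintf(stderr, "warning: skipping unexpected relocation at offset 0x%"
                    PRIx64 "\n", rp->r_offset);
            (*skipped)++;
            continue;
        }
        /* sym_index must be inside the symbol table. */
        if (rp->sym_index >= aux->nsyms) {
            fprintf(stderr, "warning: skipping reloc with overlarge symbol index %"
                    PRIu32 "\n", rp->sym_index);
            (*skipped)++;
            continue;
        }
        uint64_t off = rp->r_offset - aux->seg_base;
        aux->table[off / UNW_ENT_SIZE].w[(off % UNW_ENT_SIZE) / 4]
            = aux->symtab[rp->sym_index].value + (uint32_t)rp->addend;
        applied++;
    }
    return applied;
}

/* Constructed sample: two-entry table at 0x1000, two symbols, four relocations. */
static struct unw_entry sample_table[2];
static struct symbol sample_syms[2] = { { "foo", 0x4000 }, { "bar", 0x5000 } };
static const struct reloc sample_rels[4] = {
    { 0x1000, 0, 0x10 }, /* entry 0, word 0 <- foo + 0x10 */
    { 0x1018, 1, 0 },    /* entry 1, word 2 <- bar */
    { 0x1020, 0, 0 },    /* bogus: offset 0x20 is past the 32-byte table */
    { 0x1004, 7, 0 },    /* bogus: symbol index 7, only two symbols exist */
};
static size_t sample_skipped;
static uint32_t sample_word(size_t e, size_t w) { return sample_table[e].w[w]; }
static size_t skipped_count(void) { return sample_skipped; }

/* Run the checked loop over the sample; with_symtab == 0 models a file whose
 * relocations refer to a symbol table that is not there. */
static int run_sample(int with_symtab)
{
    memset(sample_table, 0, sizeof sample_table);
    struct unw_aux aux = { sample_table, 2, 0x1000,
                           with_symtab ? sample_syms : NULL, with_symtab ? 2u : 0u };
    return apply_relocs_checked(&aux, sample_rels, 4, &sample_skipped);
}

int main(void)
{
    int applied = run_sample(1);
    printf("checked: applied %d, skipped %zu, e0.w0=0x%" PRIx32 ", e1.w2=0x%" PRIx32 "\n",
           applied, skipped_count(), sample_word(0, 0), sample_word(1, 2));
    printf("no symtab: %d\n", run_sample(0));
    return 0;
}
```

On the sample input the two valid relocations are applied, the two bogus ones are reported and skipped, and the no-symbol-table case returns -1 without touching any pointer; a fuzzed object like the attached poc0 is exactly the kind of input that reaches the skipped and refused paths.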
Comment 2 Alan Modra 2018-12-01 11:56:43 UTC
Fixed