Bug 24909 - Uninitialized use on stack in readelf
Summary: Uninitialized use on stack in readelf
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils
Version: 2.33
: P2 normal
Target Milestone: 2.33
Assignee: Alan Modra
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-08-15 17:46 UTC by Bowen Wang
Modified: 2019-08-17 22:23 UTC

See Also:
Host:
Target:
Build:
Last reconfirmed: 2019-08-16 00:00:00


Attachments
PoC to trigger the vulnerability. (52.54 KB, application/x-sharedlib)
2019-08-15 17:46 UTC, Bowen Wang
Description Bowen Wang 2019-08-15 17:46:44 UTC
Created attachment 11949
PoC to trigger the vulnerability.

There is an uninitialized use on the stack in readelf.c which may cause an information leak.

The commit id for the git repo I tested is fc9e754460ccf1c893fc9e67c02c49f58f1bd38e

Compile command:

CC=clang \
CFLAGS="-DFORTIFY_SOURCE=2 -fno-omit-frame-pointer -g -Wno-error -ggdb" \
./configure \
--disable-shared --disable-gdb --disable-libdecnumber --disable-readline \
--disable-sim
make

How to trigger the bug:
./readelf -a input

I tested this program using clang; I am not sure if it also exists for gcc.

When compiling with -O2, on line 12018 in function process_symbol_table() in readelf.c, sym_info is first declared on the stack.

It is supposed to be updated on line 12044 in function get_symbol_version_string().

The problem is that there are only two statements in get_symbol_version_string() to initialize sym_info and the input triggers neither of them, so sym_info is actually uninitialized when used in line 12051.

The input is attached.
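The defect described above, reduced to a model as an added illustration (this is constructed example code, not readelf's source and not the reporter's PoC; the function names, the version-kind constants and the stale-stack sentinel are all hypothetical): a helper writes its out-parameter only on the two paths it recognises, so an input matching neither leaves the caller's stack variable exactly as it was, and the caller then uses that value. The fixed variant follows the shape of the commit summary "Set sym_info earlier" by assigning a neutral value before any path can return.

```c
#include <stdio.h>

/* Constructed version kinds for this model; they are not readelf's
   symbol-version constants. */
enum { VER_NONE = 0, VER_DEFINED = 1, VER_NEEDED = 2 };

/* Stand-in for stale stack contents. In the real bug the caller's variable
   holds whatever an earlier frame left behind; here it is a fixed sentinel
   so the effect is reproducible without undefined behaviour. */
#define STALE_STACK_VALUE 0x7a7a

/* Buggy shape: the out-parameter is written only on the two recognised
   paths. Any other input returns without touching *sym_info. */
static const char *lookup_version_buggy(int kind, int *sym_info)
{
    if (kind == VER_DEFINED) {
        *sym_info = VER_DEFINED;
        return "defined";
    }
    if (kind == VER_NEEDED) {
        *sym_info = VER_NEEDED;
        return "needed";
    }
    return NULL;   /* *sym_info left as the caller had it */
}

/* Fixed shape: assign a neutral value before any path can return, so the
   caller always observes a defined result. */
static const char *lookup_version_fixed(int kind, int *sym_info)
{
    *sym_info = VER_NONE;
    if (kind == VER_DEFINED) {
        *sym_info = VER_DEFINED;
        return "defined";
    }
    if (kind == VER_NEEDED) {
        *sym_info = VER_NEEDED;
        return "needed";
    }
    return NULL;
}

/* Models the caller: declare sym_info on the stack, call the helper, then
   use the value. Returns what the caller observed so it can be checked. */
int caller_buggy(int kind)
{
    int sym_info = STALE_STACK_VALUE;   /* "uninitialized" in the model */
    lookup_version_buggy(kind, &sym_info);
    return sym_info;
}

int caller_fixed(int kind)
{
    int sym_info = STALE_STACK_VALUE;
    lookup_version_fixed(kind, &sym_info);
    return sym_info;
}

int main(void)
{
    int unknown_kind = 42;   /* an input that matches neither path */
    printf("buggy: sym_info = 0x%x (stale value reached the caller)\n",
           caller_buggy(unknown_kind));
    printf("fixed: sym_info = %d\n", caller_fixed(unknown_kind));
    return 0;
}
```

The sentinel makes the leak visible deterministically; against the genuine pattern, where the variable really is uninitialized, clang's MemorySanitizer (-fsanitize=memory) or valgrind reports the use on the first branch that depends on the value, which is the check to run when a helper is trusted to fill an out-parameter on every path.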
Comment 1 Sourceware Commits 2019-08-16 06:00:57 UTC
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=0b8b76098ff3d3dcd0c621f2e45cc0b4e7211d6a

commit 0b8b76098ff3d3dcd0c621f2e45cc0b4e7211d6a
Author: Alan Modra <amodra@gmail.com>
Date:   Fri Aug 16 15:17:23 2019 +0930

    PR24909, Uninitialized use on stack in readelf
    
    	PR 24909
    	PR 23499
    	* readelf.c (get_symbol_version_string): Set sym_info earlier.
Comment 2 Alan Modra 2019-08-16 06:31:09 UTC
Fixed, thanks for the analysis!
Comment 3 Sourceware Commits 2019-08-17 22:23:43 UTC
The binutils-2_32-branch branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e8d25d40456520c8890937915df77dbd2d748d76

commit e8d25d40456520c8890937915df77dbd2d748d76
Author: Alan Modra <amodra@gmail.com>
Date:   Fri Aug 16 15:17:23 2019 +0930

    PR24909, Uninitialized use on stack in readelf
    
    	PR 24909
    	PR 23499
    	* readelf.c (get_symbol_version_string): Set sym_info earlier.
    
    (cherry picked from commit 0b8b76098ff3d3dcd0c621f2e45cc0b4e7211d6a)