Created attachment 12745 [details]
stack-overflow-print_dynamic_symbol-readelf-12096

There is a stack-buffer-overflow in readelf.c:12096:20 that can cause readelf to Segmentation fault.

## System info

Ubuntu X64, gcc (Ubuntu 5.5.0-12ubuntu1), binutils 2.35

## Configure

CFLAGS="-fno-stack-protector" ./configure
CFLAGS="-g -fsanitize=address" LDFLAGS="-fsanitize=address" ./configure

## Command line

./binutils/readelf -a @@

## Output

```
Symbol table '.dynsym' contains 73 entries:
   Num:    Value  Size Type    Bind   Vis      Ndx Name
     0: 00000000     0 NOTYPE  LOCAL  DEFAULT  UND ^P
Segmentation fault (core dumped)
```

## AddressSanitizer output

```
=================================================================
==74564==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe1e0e0160 at pc 0x00000044792a bp 0x7ffe1e0dff20 sp 0x7ffe1e0df6d0
WRITE of size 335 at 0x7ffe1e0e0160 thread T0
    #0 0x447929 in vsprintf (/home/seviezhou/binutils-2.35/binutils/readelf+0x447929)
    #1 0x447c56 in __interceptor_sprintf (/home/seviezhou/binutils-2.35/binutils/readelf+0x447c56)
    #2 0x593686 in print_dynamic_symbol /home/seviezhou/binutils-2.35/binutils/readelf.c:12096:20
    #3 0x533412 in process_symbol_table /home/seviezhou/binutils-2.35/binutils/readelf.c:12221:6
    #4 0x533412 in process_object /home/seviezhou/binutils-2.35/binutils/readelf.c:20333
    #5 0x5178f4 in process_file /home/seviezhou/binutils-2.35/binutils/readelf.c:20795:13
    #6 0x5178f4 in main /home/seviezhou/binutils-2.35/binutils/readelf.c:20868
    #7 0x7fecc6418b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #8 0x41aa99 in _start (/home/seviezhou/binutils-2.35/binutils/readelf+0x41aa99)

Address 0x7ffe1e0e0160 is located in stack of thread T0 at offset 320 in frame
    #0 0x591fcf in print_dynamic_symbol /home/seviezhou/binutils-2.35/binutils/readelf.c:12053

  This frame has 3 object(s):
    [32, 36) 'sym_info' (line 12055)
    [48, 50) 'vna_other' (line 12056)
    [64, 320) 'buffer' (line 12094) <== Memory access at offset 320 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/seviezhou/binutils-2.35/binutils/readelf+0x447929) in vsprintf
Shadow bytes around the buggy address:
  0x100043c13fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100043c13fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100043c13ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100043c14000: 00 00 00 00 f1 f1 f1 f1 04 f2 02 f2 00 00 00 00
  0x100043c14010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100043c14020: 00 00 00 00 00 00 00 00 00 00 00 00[f3]f3 f3 f3
  0x100043c14030: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x100043c14040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100043c14050: f1 f1 f1 f1 f8 f2 f2 f2 f8 f8 f8 f8 f8 f8 f8 f8
  0x100043c14060: f8 f8 f8 f8 f8 f8 f8 f8 f2 f2 f2 f2 f8 f2 f2 f2
  0x100043c14070: f8 f8 f2 f2 f8 f8 f2 f2 f8 f8 f8 f2 f2 f2 f2 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==74564==ABORTING
```