Created attachment 14404: POC

Hi, there.

There is a null pointer dereference in the newest version (2.39.50.20221019, commit 9454c9ce) of nm-new, bfd_elf_get_symbol_version_string, elf.c:1969, which directly causes a segmentation fault.

My environment is:

DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=20.04
DISTRIB_CODENAME=focal
DISTRIB_DESCRIPTION="Ubuntu 20.04.5 LTS"
Compiler=gcc 9.4.0

To reproduce, run

nm-new -aD poc

Here is the trace reported by ASAN:

==2056575==ERROR: AddressSanitizer: SEGV on unknown address 0x0006c6258006 (pc 0x0000005b6eee bp 0x0c240000002a sp 0x7ffe8702e440 T0)
==2056575==The signal is caused by a READ memory access.
    #0 0x5b6eee in _bfd_elf_get_symbol_version_string /benchmark/binutils-gdb/build-a/bfd/../../bfd/elf.c
    #1 0x4fbe13 in print_symname /benchmark/binutils-gdb/build-a/binutils/../../binutils/nm.c:715:4
    #2 0x50055c in print_symbol /benchmark/binutils-gdb/build-a/binutils/../../binutils/nm.c:1219:3
    #3 0x4fea41 in print_symbols /benchmark/binutils-gdb/build-a/binutils/../../binutils/nm.c:1403:7
    #4 0x4fea41 in display_rel_file /benchmark/binutils-gdb/build-a/binutils/../../binutils/nm.c:1530:5
    #5 0x4f9885 in display_file /benchmark/binutils-gdb/build-a/binutils/../../binutils/nm.c:1680:7
    #6 0x4f888f in main /benchmark/binutils-gdb/build-a/binutils/../../binutils/nm.c:2197:12
    #7 0x7f912956e082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #8 0x41d57d in _start (/benchmark/binutils-gdb/build-a/binutils/nm-new+0x41d57d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /benchmark/binutils-gdb/build-a/bfd/../../bfd/elf.c in _bfd_elf_get_symbol_version_string
==2056575==ABORTING
It seems to be an incomplete fix of CVE-2020-16599.
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=5c831a3c7f3ca98d6aba1200353311e1a1f84c70

commit 5c831a3c7f3ca98d6aba1200353311e1a1f84c70
Author: Nick Clifton <nickc@redhat.com>
Date:   Wed Oct 19 15:09:12 2022 +0100

    Fix an illegal memory access when parsing an ELF file containing corrupt symbol version information.

    	PR 29699
    	* elf.c (_bfd_elf_slurp_version_tables): Fail if the sh_info field of the section header is zero.
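Added example, not binutils code and not the committed fix itself: a stand-alone check in the spirit of the commit above, which parses a constructed little-endian ELF64 section header and refuses a .gnu.version_d / .gnu.version_r section whose sh_info entry count is zero, so that no empty version table is ever handed to the symbol printer. The section-type values and the meaning of sh_info come from the ELF gABI; the header bytes, the `shdr_subset` type and the `VS_*` verdicts are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Section types of the GNU symbol-version tables (ELF gABI values). */
#define SHT_GNU_VERDEF  0x6ffffffdu
#define SHT_GNU_VERNEED 0x6ffffffeu

/* The two Elf64_Shdr fields the check reads (constructed subset type). */
typedef struct {
    uint32_t sh_type;
    uint32_t sh_info;   /* verdef/verneed: number of entries in the table */
} shdr_subset;
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Parse a little-endian 64-byte Elf64_Shdr (sh_type at offset 4, sh_info at 44). */
int parse_shdr64_le(const uint8_t *buf, size_t len, shdr_subset *out)
{
    if (buf == NULL || out == NULL || len < 64) return -1;
    out->sh_type = rd32(buf + 4);
    out->sh_info = rd32(buf + 44);
    return 0;
}

/* Verdict of validating a version section before its table is built. */
enum { VS_NOT_VERSION = 0, VS_OK = 1, VS_REJECT_ZERO_COUNT = 2 };

/* Same rule as the PR 29699 fix: a verdef/verneed section whose sh_info
   (entry count) is zero is refused instead of yielding an empty table. */
int check_version_section(const shdr_subset *sh)
{
    if (sh->sh_type != SHT_GNU_VERDEF && sh->sh_type != SHT_GNU_VERNEED)
        return VS_NOT_VERSION;
    if (sh->sh_info == 0)
        return VS_REJECT_ZERO_COUNT;
    return VS_OK;
}

/* Constructed sample header (not the PR's PoC): zero except sh_type/sh_info. */
int run_sample(uint32_t sh_type, uint32_t sh_info)
{
    uint8_t hdr[64];
    shdr_subset sh;
    memset(hdr, 0, sizeof hdr);
    for (int i = 0; i < 4; i++) {
        hdr[4 + i]  = (uint8_t)(sh_type >> (8 * i));   /* little-endian sh_type */
        hdr[44 + i] = (uint8_t)(sh_info >> (8 * i));   /* little-endian sh_info */
    }
    return parse_shdr64_le(hdr, sizeof hdr, &sh) == 0 ? check_version_section(&sh) : -1;
}
```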
Fixed