Bug 30312 - readelf: heap overflow (end_cu_tu_entry dwarf.c:10760)
Summary: readelf: heap overflow (end_cu_tu_entry dwarf.c:10760)
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils
Version: 2.40
Importance: P2 normal
Target Milestone: ---
Assignee: Nick Clifton
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-04-04 08:26 UTC by Youngseok Choi
Modified: 2023-04-11 15:00 UTC

See Also:
Host:
Target:
Build:
Last reconfirmed: 2023-04-11 00:00:00


Attachments
poc_file used in command input (1.24 KB, application/x-executable)
2023-04-04 08:26 UTC, Youngseok Choi

Description Youngseok Choi 2023-04-04 08:26:25 UTC
Created attachment 14803 [details]
poc_file used in command input

Our fuzzer found a heap overflow bug in the latest readelf executable.

**Command Input**
readelf poc_file -w

poc_file is attached.

**Command Output**
readelf: Warning: Section 13 has an out of range sh_link value of 402653184
readelf: Warning: Section 24 has an out of range sh_link value of 92168
readelf: Error: no .dynamic section in the dynamic segment
readelf: Warning: could not find separate debug file ''
readelf: Warning: tried: /lib/debug/
readelf: Warning: tried: /usr/lib/debug/usr/
readelf: Warning: tried: /usr/lib/debug//home/youngseok/data/230327/asan_inter_30_30_shrink5_1_230308/readelf/5_id:026647//
readelf: Warning: tried: /usr/lib/debug/
readelf: Warning: tried: /home/youngseok/data/230327/asan_inter_30_30_shrink5_1_230308/readelf/5_id:026647/.debug/
readelf: Warning: tried: /home/youngseok/data/230327/asan_inter_30_30_shrink5_1_230308/readelf/5_id:026647/
readelf: Warning: tried: .debug/
readelf: Warning: tried:
readelf: Warning: could not find separate debug file ''
readelf: Warning: tried: /lib/debug/
readelf: Warning: tried: /usr/lib/debug/usr/
readelf: Warning: tried: /usr/lib/debug//home/youngseok/data/230327/asan_inter_30_30_shrink5_1_230308/readelf/5_id:026647//
readelf: Warning: tried: /usr/lib/debug/
readelf: Warning: tried: /home/youngseok/data/230327/asan_inter_30_30_shrink5_1_230308/readelf/5_id:026647/.debug/
readelf: Warning: tried: /home/youngseok/data/230327/asan_inter_30_30_shrink5_1_230308/readelf/5_id:026647/
readelf: Warning: tried: .debug/
readelf: Warning: tried:
readelf: Warning: unable to open file '/home/youngseok/data/230327/asan_inter_30_30_shrink5_1_230308/readelf/5_id:026647/' referenced from .debug_sup section
readelf: Warning: .note.gnu.build-id data size is too big

**Sanitizer Dump**
==32229==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000b0 at pc 0x5555556eb4e1 bp 0x7fffffffda20 sp 0x7fffffffda10
WRITE of size 4 at 0x6020000000b0 thread T0
    #0 0x5555556eb4e0 in end_cu_tu_entry dwarf.c:10760
    #1 0x5555556ebfc2 in process_cu_tu_index dwarf.c:10876
    #2 0x5555556edbdf in load_cu_tu_indexes dwarf.c:11128
    #3 0x5555556edc49 in find_cu_tu_set dwarf.c:11146
    #4 0x555555675de1 in display_debug_section readelf.c:16373
    #5 0x555555676321 in process_section_contents readelf.c:16471
    #6 0x555555693871 in process_object readelf.c:22574
    #7 0x555555695b03 in process_file readelf.c:22997
    #8 0x555555695f62 in main readelf.c:23068
    #9 0x7ffff6a48c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    #10 0x55555561d749 in _start (/home/youngseok/subjects/latest_asan_install/binutils/bin/readelf+0xc9749)

**Environment**
- OS: Ubuntu 18.04
- gcc: 7.5.0
- binutils: 2.40.50.20230404

binutils is built with address sanitizer. Here is the build script:
CFLAGS="-fsanitize=address -g -O0" CXXFLAGS="-fsanitize=address -g -O0" \
./configure --enable-targets=all
Comment 1 Nick Clifton 2023-04-11 14:57:28 UTC
Investigating
Comment 2 Sourceware Commits 2023-04-11 14:59:42 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=688fe114cd80e410dbed08064eaaedf5584d31cf

commit 688fe114cd80e410dbed08064eaaedf5584d31cf
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Apr 11 15:59:07 2023 +0100

    Fix a potential illegal memory access when displaying corrupt DWARF information.
    
      PR 30312
      * dwarf.c (prealloc_cu_tu_list): Always allocate at least one entry.
Comment 3 Nick Clifton 2023-04-11 15:00:52 UTC
Hi Youngseok Choi,

  Thank you for reporting this problem.  I have checked in a small patch to
  correct the issue and ensure that an illegal memory access does not occur.

Cheers
  Nick
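As an added illustration (not code from binutils or from this bug report), the C below models the allocate-then-fill pattern the ASan trace points at: a list pre-sized from a count read out of the file (prealloc_cu_tu_list in the trace) and an end-of-entry routine that stores a 4-byte value into it (end_cu_tu_entry, the "WRITE of size 4"). The names cu_tu_list, prealloc_list, end_entry and simulate are hypothetical stand-ins for the dwarf.c routines, and the assumption that a zero entry count is what left the heap block too small is an inference from the commit's ChangeLog line ("Always allocate at least one entry"), not something the report itself states. The explicit capacity check in end_entry is the extra guard a reviewer would normally want alongside the allocation fix; it is not described on this page.

```c
/*
 * Added illustration, not binutils code.  Models how a CU/TU index
 * reader can write past a heap buffer when its entry list is pre-sized
 * from an untrusted count that turns out to be zero, and the
 * "allocate at least one entry" fix plus an explicit bounds check.
 * All names here are hypothetical stand-ins for the dwarf.c routines.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* One index entry.  The real reader stores more, but a single 4-byte
   field is enough to mirror the "WRITE of size 4" ASan reported. */
struct cu_tu_entry {
    uint32_t section_id;
};

struct cu_tu_list {
    struct cu_tu_entry *entries;
    size_t capacity;   /* entries actually allocated */
    size_t count;      /* entries filled so far */
};

/* Pre-size the list from a count taken from the file header (untrusted).
   min_one == 0 models the pre-fix behaviour (assumption): a zero count
   yields a zero-length block, yet the caller will still try to finish
   at least one entry.  min_one == 1 models the fix: allocate at least
   one entry regardless of what the header says. */
int prealloc_list(struct cu_tu_list *list, size_t header_count, int min_one)
{
    size_t n = header_count;
    if (min_one && n == 0)
        n = 1;
    list->entries = (n != 0) ? calloc(n, sizeof *list->entries) : NULL;
    list->capacity = n;
    list->count = 0;
    if (n != 0 && list->entries == NULL)
        return -1;            /* allocation failure, distinct from overflow */
    return 0;
}

/* Finish the entry being built and append it.  Returns 0 on success and
   -1 when the store would land past the end of the heap block, which is
   exactly the condition ASan flagged; the real code had no such check. */
int end_entry(struct cu_tu_list *list, uint32_t section_id)
{
    if (list->count >= list->capacity)
        return -1;            /* would be a heap-buffer-overflow WRITE of size 4 */
    list->entries[list->count].section_id = section_id;
    list->count++;
    return 0;
}

void free_list(struct cu_tu_list *list)
{
    free(list->entries);
    list->entries = NULL;
    list->capacity = list->count = 0;
}

/* Drive one header count through prealloc + end_entry.  Returns the
   end_entry result (0 safe, -1 out-of-bounds) or -2 on calloc failure. */
int simulate(size_t header_count, int min_one)
{
    struct cu_tu_list list;
    int rc;
    if (prealloc_list(&list, header_count, min_one) != 0)
        return -2;
    rc = end_entry(&list, 0x2a);   /* constructed sample value */
    free_list(&list);
    return rc;
}

int main(void)
{
    /* Constructed input: a header claiming zero entries, the shape of
       input assumed to correspond to the fuzzer's poc_file. */
    printf("count=0, pre-fix  : %s\n", simulate(0, 0) == 0 ? "safe" : "would overflow");
    printf("count=0, with fix : %s\n", simulate(0, 1) == 0 ? "safe" : "would overflow");
    printf("count=3, pre-fix  : %s\n", simulate(3, 0) == 0 ? "safe" : "would overflow");
    return 0;
}
```

The point of keeping both the minimum-size allocation and the capacity check is that they guard different failures: the former stops a zero-length block from ever being handed out, the latter catches any future path where count and capacity drift apart, so a corrupt index degrades into an error rather than a heap write.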