Created attachment 15941
poc

**Description**

A SEGV can occur in eu-strip when using the "-f debug_info.dat --reloc-debug-sections" options with a specially crafted input file. This issue leads to illegal memory access.

**Affected Version**

GNU eu-strip 0.192

**Steps to Reproduce**

./elfutils-0.192/bins/bin/eu-strip -f debug_info.dat --reloc-debug-sections /tmp/poc

AddressSanitizer:DEADLYSIGNAL
=================================================================
==2365155==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f9b25c66a62 bp 0x7ffdd06709a0 sp 0x7ffdd0670930 T0)
==2365155==The signal is caused by a READ memory access.
==2365155==Hint: address points to the zero page.
    #0 0x7f9b25c66a61 in gelf_getsymshndx ./elfutils-0.192/libelf/gelf_getsymshndx.c:123
    #1 0x56042a2ec5dd in remove_debug_relocations ./elfutils-0.192/src/strip.c:690
    #2 0x56042a2fb9e0 in handle_elf ./elfutils-0.192/src/strip.c:2460
    #3 0x56042a2ed461 in process_file ./elfutils-0.192/src/strip.c:799
    #4 0x56042a2e9ba5 in main ./elfutils-0.192/src/strip.c:269
    #5 0x7f9b24da5082 in __libc_start_main ../csu/libc-start.c:308
    #6 0x56042a2e932d in _start (./elfutils-0.192/bins/bin/eu-strip+0x4632d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ./elfutils-0.192/libelf/gelf_getsymshndx.c:123 in gelf_getsymshndx
==2365155==ABORTING

**Env**

Distributor ID: Ubuntu
Description: Ubuntu 20.04.6 LTS
Release: 20.04
Codename: focal
The problem here is that the symscn is actually a (corrupt) NOBITS section, so it doesn't have any data.
commit fbf1df9ca286de3323ae541973b08449f8d03aba
Author: Mark Wielaard <mark@klomp.org>
Date: Thu Feb 13 14:59:34 2025 +0100

    strip: Verify symbol table is a real symbol table

    We didn't check the symbol table referenced from the relocation table
    was a real symbol table. This could cause a crash if that section
    happened to be an SHT_NOBITS section without any data. Fix this by
    adding an explicit check.

    * src/strip.c (INTERNAL_ERROR_MSG): New macro that takes a message
    string to display.
    (INTERNAL_ERROR): Use INTERNAL_ERROR_MSG with elf_errmsg (-1).
    (remove_debug_relocations): Check the sh_link referenced section is
    real and isn't a SHT_NOBITS section.

    https://sourceware.org/bugzilla/show_bug.cgi?id=32673

    Signed-off-by: Mark Wielaard <mark@klomp.org>
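An added example, not part of the bug report or of the elfutils commit above: a small Python check that mirrors the validation the commit describes, walking the section header table of a constructed ELF64 image and flagging any SHT_REL/SHT_RELA section whose sh_link is out of range, names an SHT_NOBITS section, or is not a symbol table at all. Function names, the sample images and the reason strings are my own.

```python
import struct

# Section type constants from <elf.h>
SHT_SYMTAB, SHT_RELA, SHT_NOBITS, SHT_REL, SHT_DYNSYM = 2, 4, 8, 9, 11
# Elf64_Shdr: sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size,
#             sh_link, sh_info, sh_addralign, sh_entsize (64 bytes, little-endian)
SHDR = struct.Struct("<IIQQQQIIQQ")

def shdr(sh_type, sh_link=0, sh_size=0):
    """Build one section header; only the fields the check looks at are set."""
    return SHDR.pack(0, sh_type, 0, 0, 0, sh_size, sh_link, 0, 1, 0)

def build_elf(section_headers):
    """Constructed minimal ELF64 LE image: ELF header immediately followed by
    the section header table (e_shoff = 64). No section contents are needed."""
    e_ident = b"\x7fELF" + bytes([2, 1, 1]) + b"\x00" * 9   # ELFCLASS64, LE, EV_CURRENT
    ehdr = e_ident + struct.pack("<HHIQQQIHHHHHH",
        1, 62, 1, 0, 0, 64, 0, 64, 0, 0, SHDR.size, len(section_headers), 0)
    return ehdr + b"".join(section_headers)

def read_section_headers(data):
    """Parse the section header table of an ELF64 LE image into raw tuples."""
    (e_shoff,) = struct.unpack_from("<Q", data, 40)
    e_shentsize, e_shnum = struct.unpack_from("<HH", data, 58)
    return [SHDR.unpack_from(data, e_shoff + i * e_shentsize) for i in range(e_shnum)]

def check_reloc_symtab_links(data):
    """For every SHT_REL/SHT_RELA section, verify that sh_link names a real
    symbol table that carries data. Returns a list of (section_index, reason);
    an empty list means the relocation/symtab links are usable."""
    headers = read_section_headers(data)
    problems = []
    for idx, sh in enumerate(headers):
        sh_type, sh_link = sh[1], sh[6]
        if sh_type not in (SHT_REL, SHT_RELA):
            continue
        if sh_link == 0 or sh_link >= len(headers):
            problems.append((idx, "sh_link out of range"))
            continue
        link_type = headers[sh_link][1]
        if link_type == SHT_NOBITS:
            problems.append((idx, "sh_link is an SHT_NOBITS section with no data"))
        elif link_type not in (SHT_SYMTAB, SHT_DYNSYM):
            problems.append((idx, "sh_link is not a symbol table"))
    return problems

# Constructed samples: a well-formed layout, and the corrupt shape from the
# report where the relocation section's sh_link points at a NOBITS section.
GOOD_ELF = build_elf([shdr(0), shdr(SHT_SYMTAB, sh_size=24), shdr(SHT_RELA, sh_link=1)])
BAD_ELF = build_elf([shdr(0), shdr(SHT_NOBITS, sh_size=24), shdr(SHT_RELA, sh_link=1)])
```

Running `check_reloc_symtab_links(BAD_ELF)` reports section 2 as linking to a NOBITS section, which is exactly the condition the patched remove_debug_relocations now rejects before calling gelf_getsymshndx.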
Note that someone created CVE-2025-1377 for this bug without following our SECURITY policy:
https://sourceware.org/cgit/elfutils/tree/SECURITY

This is NOT a security issue according to our policy:

Since most elfutils tools are run in short-lived, local, interactive, development context rather than remotely "in production", we generally treat malfunctions as ordinary bugs rather than security vulnerabilities.

We request that people who report suspected security vulnerabilities report them through the contacts in our SECURITY policy and not through non-affiliated CNAs.
Sorry, is elfutils-0.185 affected? I can reproduce the issue in version 0.189, but not in version 0.185. I compared the code and think that elfutils-0.185 should also be affected, but I don't know why it can't be reproduced.