Bug 33641 - readelf enters infinite warning loop on crafted input
Status: RESOLVED DUPLICATE of bug 33638
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils
Version: 2.44
Importance: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
Reported: 2025-11-17 02:35 UTC by 970429025
Modified: 2026-03-06 01:38 UTC


Attachments
The PoC attachment contains the input file (Infinite_Loop_2) that triggers this behavior. (17.57 KB, application/x-zip-compressed)
2025-11-17 02:35 UTC, 970429025

Description 970429025 2025-11-17 02:35:45 UTC
Created attachment 16472
The PoC attachment contains the input file (Infinite_Loop_2) that triggers this behavior.

Overview
Running readelf with the provided input file causes the program to repeatedly print the same warning message and never terminates.
The program does not crash but must be interrupted manually.


Steps to Reproduce:
./readelf --lint --process-links Infinite_Loop_2

Actual Results:
readelf prints the same warning message continuously:
readelf: Warning: The length field (0xff100073) in the debug_rnglists header is wrong - the section is too small

The message repeats indefinitely and the program does not progress.
It must be manually interrupted (e.g., Ctrl-C inside gdb).


Relevant GDB excerpt:
readelf: Warning: The length field (0xff100073) in the debug_rnglists header is wrong - the section is too small
readelf: Warning: The length field (0xff100073) in the debug_rnglists header is wrong - the section is too small
readelf: Warning: The length field (0xff100073) in the debug_rnglists header is wrong - the section is too small
readelf: Warning: The length field (0xff100073) in the debug_rnglists header is wrong - the section is too small
readelf: Warning: The length field (0xff100073) in the debug_rnglists header is wrong - the section is too small
readelf: Warning: The length field (0xff100073) in the debug_rnglists header is wrong - the section is too small
readelf: Warning: The length field (0xff100073) in the debug_rnglists header is wrong - the section is too small
readelf: Warning: The length field (0xff100073) in the debug_rnglists header is wrong - the section is too small
readelf: Warning: The length field (0xff100073) in the debug_rnglists header is wrong - the section is too small
readelf: Warning: The length field (0xff100073) in the debug_rnglists header is wrong - the section is too small
readelf: Warning: The length field (0xff100073) in the debug_rnglists header is wrong - the section is too small
readelf: Warning: The length field (0xff100073) in the debug_rnglists header is wrong - the section is too small
readelf: ^C
Program received signal SIGINT, Interrupt.
0x00007c6c7237f104 in __GI___libc_write (fd=2, buf=0x7ffdaeffe220, nbytes=95) at ../sysdeps/unix/sysv/linux/write.c:27
27      ../sysdeps/unix/sysv/linux/write.c: No such file or directory.
(gdb) bt
#0  0x00007c6c7237f104 in __GI___libc_write (fd=2, buf=0x7ffdaeffe220, nbytes=95) at ../sysdeps/unix/sysv/linux/write.c:27
#1  0x00007c6c722fa15d in _IO_new_file_write (f=0x7c6c7265b680 <_IO_2_1_stderr_>, data=0x7ffdaeffe220, n=95) at fileops.c:1203
#2  0x00007c6c722faacf in new_do_write (to_do=<optimized out>,
    data=0x7ffdaeffe220 "The length field (0xff100073) in the debug_rnglists header is wrong - the section is too small\n", fp=0x7c6c7265b680 <_IO_2_1_stderr_>) at fileops.c:457
#3  _IO_new_file_xsputn (f=0x7c6c7265b680 <_IO_2_1_stderr_>, data=<optimized out>, n=95) at fileops.c:1277
#4  0x00007c6c722cd6c7 in buffered_vfprintf (s=s@entry=0x7c6c7265b680 <_IO_2_1_stderr_>,
    format=format@entry=0x637f1b "The length field (%#lx) in the debug_rnglists header is wrong - the section is too small\n", args=args@entry=0x7ffdaf000890) at vfprintf.c:2350
#5  0x00007c6c722ca6f6 in _IO_vfprintf_internal (s=0x7c6c7265b680 <_IO_2_1_stderr_>,
    format=format@entry=0x637f1b "The length field (%#lx) in the debug_rnglists header is wrong - the section is too small\n", ap=ap@entry=0x7ffdaf000890) at vfprintf.c:1301
#6  0x000000000050b62a in warn (message=0x637f1b "The length field (%#lx) in the debug_rnglists header is wrong - the section is too small\n")
    at ../../binutils-2.44/binutils/elfcomm.c:62
#7  0x0000000000508f1c in display_debug_rnglists_unit_header (section=section@entry=0x885fd0 <debug_displays+2128>, unit_offset=unit_offset@entry=0x7ffdaf000998,
    poffset_size=poffset_size@entry=0x7ffdaf0009c7 "\004\320c\230\024") at ../../binutils-2.44/binutils/dwarf.c:8281
#8  0x00000000004d9fbe in display_debug_ranges (section=section@entry=0x885fd0 <debug_displays+2128>, file=file@entry=0x149863d0) at ../../binutils-2.44/binutils/dwarf.c:8501
#9  0x0000000000499df0 in display_debug_section (shndx=11, section=section@entry=0x14988890, filedata=filedata@entry=0x149863d0) at ../../binutils-2.44/binutils/readelf.c:17538
#10 0x00000000004614a9 in process_section_contents (filedata=filedata@entry=0x149863d0) at ../../binutils-2.44/binutils/readelf.c:17693
#11 0x0000000000449edc in process_object (filedata=filedata@entry=0x149863d0) at ../../binutils-2.44/binutils/readelf.c:23818
#12 0x000000000043a95f in process_file (file_name=0x7ffdaf00253f "Infinite_Loop_2") at ../../binutils-2.44/binutils/readelf.c:24241
#13 0x00000000004383fa in main (argc=<optimized out>, argv=0x5e) at ../../binutils-2.44/binutils/readelf.c:24307
(gdb)


Expected Results:
readelf should stop processing and report an error rather than entering a non-terminating warning loop.

Build & Platform:
binutils version: 2.44
component: readelf
OS: Ubuntu 18.04.6 LTS
arch: x86_64

Additional Information:
The PoC attachment contains the input file (Infinite_Loop_2) that triggers this behavior.
The issue is fully reproducible using the command above.
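The report above describes a header parser that keeps re-reading a unit whose length field (0xff100073) is larger than the section, so the same warning is printed without the offset ever advancing. The following is an added example, not binutils code and not the reporter's: a small bounds-checked walk over DWARF 5 .debug_rnglists unit headers that rejects an oversized length field once and stops, and that can only advance forward by a positive, bounded amount. The section bytes (GOOD_SECTION, BAD_SECTION) are constructed here; BAD_SECTION reuses the length value quoted in the report.

```c
/* Added example (not binutils code): bounds-checked walk over the unit
 * headers of a DWARF 5 .debug_rnglists section. A header whose length
 * field does not fit in the section is reported once and the walk stops,
 * instead of looping on the same header forever. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum walk_status { WALK_OK = 0, WALK_TRUNCATED = 1, WALK_BAD_LENGTH = 2 };

struct rnglists_hdr {
    size_t   initial_length_size;  /* 4 for 32-bit DWARF, 12 for 64-bit DWARF */
    uint64_t unit_length;          /* bytes in the unit after the length field */
    uint16_t version;
    uint8_t  address_size;
    uint8_t  segment_selector_size;
    uint32_t offset_entry_count;
};

/* Little-endian readers; callers have already checked the bounds. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint64_t rd64(const uint8_t *p) { return rd32(p) | (uint64_t)rd32(p + 4) << 32; }

/* Parse the unit header at `off`. The fixed fields after the length field
 * (version, address_size, segment_selector_size, offset_entry_count) take
 * 8 bytes, so a valid unit_length is at least 8 and at most what is left
 * of the section after the length field. */
static enum walk_status
parse_rnglists_header(const uint8_t *sec, size_t sec_len, size_t off, struct rnglists_hdr *h)
{
    if (off >= sec_len || sec_len - off < 4)
        return WALK_TRUNCATED;
    size_t pos = off;
    uint64_t length = rd32(sec + pos);
    pos += 4;
    if (length == 0xffffffffu) {              /* 64-bit DWARF escape value */
        if (sec_len - pos < 8)
            return WALK_TRUNCATED;
        length = rd64(sec + pos);
        pos += 8;
    }
    if (length < 8 || length > sec_len - pos) {
        /* Report once; the caller must stop, not retry the same offset. */
        fprintf(stderr, "length field (%#llx) at offset %#zx does not fit the section\n",
                (unsigned long long)length, off);
        return WALK_BAD_LENGTH;
    }
    h->initial_length_size  = pos - off;
    h->unit_length          = length;
    h->version              = rd16(sec + pos);  pos += 2;
    h->address_size         = sec[pos++];
    h->segment_selector_size = sec[pos++];
    h->offset_entry_count   = rd32(sec + pos);
    return WALK_OK;
}

/* Walk every unit. Each accepted header advances `off` by at least 12
 * bytes and never past sec_len, so the loop terminates on any input. */
static enum walk_status walk_rnglists(const uint8_t *sec, size_t sec_len, int *units_out)
{
    size_t off = 0;
    int units = 0;
    enum walk_status st = WALK_OK;
    while (off < sec_len) {
        struct rnglists_hdr h;
        st = parse_rnglists_header(sec, sec_len, off, &h);
        if (st != WALK_OK)
            break;
        units++;
        off += h.initial_length_size + (size_t)h.unit_length;
    }
    if (units_out)
        *units_out = units;
    return st;
}

/* Number of units accepted before the walk stopped (0 if the first is bad). */
static int count_rnglists_units(const uint8_t *sec, size_t sec_len)
{
    int n = 0;
    walk_rnglists(sec, sec_len, &n);
    return n;
}

/* Constructed sample: two well-formed 32-bit DWARF 5 units (28 bytes). */
static const uint8_t GOOD_SECTION[] = {
    /* unit 1: length 12 = 8 header bytes + one 4-byte offset entry */
    0x0c, 0x00, 0x00, 0x00,  0x05, 0x00,  0x08,  0x00,  0x01, 0x00, 0x00, 0x00,
    0x10, 0x00, 0x00, 0x00,
    /* unit 2: length 8, no offset entries */
    0x08, 0x00, 0x00, 0x00,  0x05, 0x00,  0x08,  0x00,  0x00, 0x00, 0x00, 0x00,
};
/* Constructed sample: the length field 0xff100073 from the report,
 * followed by only 8 bytes, so it cannot fit the section. */
static const uint8_t BAD_SECTION[] = {
    0x73, 0x00, 0x10, 0xff,  0x05, 0x00,  0x08,  0x00,  0x00, 0x00, 0x00, 0x00,
};

int main(void)
{
    int n;
    enum walk_status st = walk_rnglists(GOOD_SECTION, sizeof GOOD_SECTION, &n);
    printf("good section: status %d, %d units\n", (int)st, n);
    st = walk_rnglists(BAD_SECTION, sizeof BAD_SECTION, &n);
    printf("bad section: status %d, %d units\n", (int)st, n);
    return 0;
}
```

The property that matters for the reported behaviour is in walk_rnglists: the offset only moves when a header has been accepted, and acceptance already implies the next offset is within the section, so a bad length field yields exactly one diagnostic and a non-zero status rather than repeated warnings. The same fixed header layout is used by .debug_loclists, so the check transfers there unchanged.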
Comment 1 Zheng Bao 2025-11-21 02:53:43 UTC
On the new 2.45, this dead loop is gone.
So do we need to keep working on this?

$ ./binutils/readelf --debug-dump --extra-sym-info ../Infinite_Loop

File: ../Infinite_Loop(libdep_plugin.o)
readelf: Warning: Bogus end-of-siblings marker detected at offset 133 in .debug_info section
readelf: Warning: Bogus end-of-siblings marker detected at offset 134 in .debug_info section
readelf: Warning: Bogus end-of-siblings marker detected at offset 13b in .debug_info section
readelf: Warning: Further warnings about bogus end-of-sibling markers suppressed
readelf: Warning: Offset of 0x3000000 is too big for section .debug_loclists
Contents of the .debug_loclists section:

Table at Offset 0
  Length:          0x288
  DWARF version:   5
  Address size:    8
  Segment size:    0
  Offset entries:  21

   Offset Entries starting at 0xc:
    [     0] 0x54
    [     1] 0x76
    [     2] 0x7f
    [     3] 0xcd
    [     4] 0xe6
    [     5] 0xf7
    [     6] 0x131
    [     7] 0x140
    [     8] 0x151
    [     9] 0x160
    [    10] 0x171
    [    11] 0x179
    [    12] 0x1ad
    [    13] 0x1df
    [    14] 0x1f5
    [    15] 0x22b
    [    16] 0x233
    [    17] 0x250
    [    18] 0x258
    [    19] 0x267
    [    20] 0x271

Table at Offset 0x28c
  Length:          0
  DWARF version:   0
  Address size:    0
  Segment size:    0
  Offset entries:  0

Table at Offset 0x290
readelf: ../../binutils/dwarf.c:7260: display_loclists_unit_header: Assertion `(start) <= (end)' failed.
Aborted (core dumped)

$ ./binutils/readelf  --version
GNU readelf (GNU Binutils) 2.45.50.20251120
Copyright (C) 2025 Free Software Foundation, Inc.
This program is free software; you may redistribute it under the terms of
the GNU General Public License version 3 or (at your option) any later version.
This program has absolutely no warranty.
Comment 2 Alan Modra 2025-11-22 04:31:34 UTC
Dup

*** This bug has been marked as a duplicate of bug 33638 ***
Comment 3 970429025 2026-03-06 01:38:26 UTC
This issue has been assigned CVE-2025-69648