Created attachment 16503
The PoC attachment contains the input file that triggers the crash

Overview:
Running readelf with the provided malformed input causes the program to crash with a segmentation fault due to a null-pointer dereference.

Steps to Reproduce:
./readelf -a Null_Pointer

Actual Results:
readelf prints several warnings about invalid ELF header fields and then crashes with SIGSEGV inside display_relocations(). The program does not handle the malformed input gracefully and exits immediately.

Relevant GDB excerpt:
warning: Error disabling address space randomization: Operation not permitted
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
ELF Header:
  Magic:   7f 45 4c 46 69 6e 75 74 69 6c 73 00 2e 2e 2f 2e
  Class:                             <unknown: 69>
  Data:                              <unknown: 6e>
  Version:                           117 <unknown>
  OS/ABI:                            <unknown: 74>
  ABI Version:                       105
  Type:                              <unknown>: 2f2e
  Machine:                           <unknown>: 0x6962
  Version:                           0x6974756e
  Entry point address:               0x322d736c
  Start of program headers:          791950382 (bytes into file)
  Start of section headers:          1970170210 (bytes into file)
  Flags:                             0x736c6974
  Size of this header:               26880 (bytes)
  Size of program headers:           11635 (bytes)
  Number of program headers:         24946
  Size of section headers:           27758 (bytes)
  Number of section headers:         25193
  Section header string table index: 25390 <corrupt: out of range>
readelf: Warning: The e_shentsize field in the ELF header is larger than the size of an ELF section header
readelf: Error: Reading 699307294 bytes extends past end of file for section headers
readelf: Error: Section headers are not available!
readelf: Error: Too many program headers - 0x6172 - the file is not that big

There is no dynamic section in this file.

Program received signal SIGSEGV, Segmentation fault.
0x000000000048109b in display_relocations ()
(gdb) bt
#0  0x000000000048109b in display_relocations ()
#1  0x0000000000457a11 in process_relocs ()
#2  0x0000000000448976 in process_object ()
#3  0x00000000004391be in process_file ()
#4  0x0000000000437119 in main ()

Expected Results:
readelf should detect the invalid ELF structure and stop processing with an error message, instead of dereferencing a null pointer and crashing.

Build & Platform:
Binutils 2.46 (HEAD)
Component: readelf
OS: Ubuntu 18.04.6 LTS
Platform: x86_64

Additional Information:
The PoC attachment contains the input file that triggers the crash (Null_Pointer).
Crash type: null pointer dereference (SIGSEGV).
Fully reproducible.
https://sourceware.org/git/?p=binutils-gdb.git;a=blob;f=binutils/readelf.c;h=759c0367c7211175a57810fe010a7e81a01929bc;hb=HEAD#l10053

The section here could be a NULL pointer. I am wondering if it is necessary to check all the pointers.
The pointer could be NULL or other illegal value, like 0x50, 0x80, etc.
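The header fields in the report's dump (class 0x69, e_shoff and e_phoff far beyond the end of the file, e_shentsize larger than a section header, e_shstrndx past e_shnum) are exactly what a consumer has to reject before it walks the section table, which is the "no sections" condition the relocation code has to respect. As an added illustration, not binutils code, here is a little-endian ELF32 header validator (the ELF32 and little-endian restriction is my assumption) run over a constructed well-formed header and over a header rebuilt from the report's field values:

```python
import struct
# Little-endian ELF32 header (52 bytes); ELF32/ELFDATA2LSB only (assumption).
EHDR_FMT = "<16sHHIIIIIHHHHHH"
EHDR_SIZE = struct.calcsize(EHDR_FMT)   # 52
SHDR_SIZE = 40                          # sizeof(Elf32_Shdr)
PHDR_SIZE = 32                          # sizeof(Elf32_Phdr)

def check_elf32_header(data: bytes) -> tuple[list[str], bool]:
    """Return (problems, sections_available); walk sections only if the latter is True."""
    problems, size = [], len(data)
    if size < EHDR_SIZE:
        return ["file shorter than an ELF32 header"], False
    (ident, _, _, _, _, e_phoff, e_shoff, _, _, e_phentsize, e_phnum,
     e_shentsize, e_shnum, e_shstrndx) = struct.unpack(EHDR_FMT, data[:EHDR_SIZE])
    if ident[:4] != b"\x7fELF":
        problems.append("bad ELF magic")
    if ident[4] != 1 or ident[5] != 1:  # EI_CLASS / EI_DATA must be 32-bit LSB here
        problems.append(f"unknown class {ident[4]:#x} or data encoding {ident[5]:#x}")
    # Both header tables must lie entirely inside the file before anything reads them.
    if e_phnum:
        if e_phentsize != PHDR_SIZE:
            problems.append("e_phentsize does not match an ELF32 program header")
        if e_phoff >= size or e_phnum * e_phentsize > size - e_phoff:
            problems.append("program headers extend past end of file")
    sections_ok = False
    if e_shnum:
        if e_shentsize > SHDR_SIZE:
            problems.append("e_shentsize larger than an ELF32 section header")
        if e_shoff >= size or e_shnum * e_shentsize > size - e_shoff:
            problems.append("section headers extend past end of file")
        else:
            sections_ok = e_shentsize == SHDR_SIZE
        if e_shstrndx >= e_shnum:
            problems.append("e_shstrndx out of range")
    return problems, sections_ok

def good_header() -> bytes:
    """Constructed: minimal ELF32 REL header plus a null and one empty section."""
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + bytes(8)
    hdr = struct.pack(EHDR_FMT, ident, 1, 3, 1, 0, 0, EHDR_SIZE, 0,
                      EHDR_SIZE, 0, 0, SHDR_SIZE, 2, 1)
    return hdr + bytes(2 * SHDR_SIZE)

def corrupt_header() -> bytes:
    """Constructed from the field values in the report's ELF Header dump."""
    ident = bytes.fromhex("7f454c46696e7574696c73002e2e2f2e")
    hdr = struct.pack(EHDR_FMT, ident, 0x2f2e, 0x6962, 0x6974756e, 0x322d736c, 791950382,
                      1970170210, 0x736c6974, 26880, 11635, 24946, 27758, 25193, 25390)
    return hdr.ljust(64, b"\0")
```

With the corrupt header every table check fails and sections_available is False, so a caller that honours the flag never reaches the section pointer that display_relocations() dereferenced.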
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=66a3492ce68e1ae45b2489bd9a815c39ea5d7f66

commit 66a3492ce68e1ae45b2489bd9a815c39ea5d7f66
Author: Alan Modra <amodra@gmail.com>
Date:   Mon Dec 8 15:58:33 2025 +1030

    PR 33697, fuzzer segfault

        PR 33697
        * readelf.c (process_relocs): Don't segfault on no sections.
Fixed
This issue has been assigned CVE-2025-69649