Bug 33700 - readelf aborts with SIGABRT on crafted input due to invalid pointer free (binutils 2.46(HEAD))
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils (show other bugs)
Version: 2.46
Importance: P2 normal
Target Milestone: 2.46
Assignee: Alan Modra
URL:
Keywords:
Depends on:
Blocks:
Reported: 2025-12-07 18:01 UTC by 970429025
Modified: 2026-03-06 01:33 UTC (History)

See Also:
Host:
Target:
Build:
Last reconfirmed: 2025-12-08 00:00:00


Attachments
The PoC attachment contains the input file that triggers the crash (7.34 KB, application/x-zip-compressed)
2025-12-07 18:01 UTC, 970429025

Description 970429025 2025-12-07 18:01:26 UTC
Created attachment 16506 [details]
The PoC attachment contains the input file that triggers the crash

Overview:
Running readelf on a crafted ELF file causes the program to terminate with SIGABRT after printing multiple warnings about malformed local symbols.

Steps to Reproduce:
./readelf -a Dangling_Pointer

Actual Results:
readelf prints several warnings and then aborts with SIGABRT due to an invalid pointer free.

GDB output excerpt:
readelf: Warning: local symbol 43 found at index >= .symtab's sh_info value of 0
    44: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND <corrupt>
readelf: Warning: local symbol 44 found at index >= .symtab's sh_info value of 0

No version information found in this file.

There is no GOT section in this file.
free(): invalid pointer

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
51      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007ffff6bbb7f1 in __GI_abort () at abort.c:79
#2  0x00007ffff6c04837 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff6d31a7b "%s\n") at ../sysdeps/posix/libc_fatal.c:181
#3  0x00007ffff6c0b8ba in malloc_printerr (str=str@entry=0x7ffff6d2fc76 "free(): invalid pointer") at malloc.c:5342
#4  0x00007ffff6c12dec in _int_free (have_lock=0, p=0x5d0128 <get_DW_OP_name+2984>, av=0x7ffff6f66c40 <main_arena>) at malloc.c:4167
#5  __GI___libc_free (mem=0x5d0138 <get_DW_OP_name+3000>) at malloc.c:3134
#6  0x000000000045e1d2 in process_got_section_contents ()
#7  0x0000000000448bb3 in process_object ()
#8  0x00000000004484fe in process_archive ()
#9  0x000000000043904a in process_file ()
#10 0x0000000000437119 in main ()
(gdb)


Expected Results:
readelf should handle malformed input safely and exit cleanly instead of aborting.

Build & Platform:
binutils version: 2.46(HEAD)
component: readelf
OS: Ubuntu 18.04.6 LTS
arch: x86_64

Additional Information:
The PoC attachment contains the input file that triggers the crash (Dangling_pointer).
Crash type: SIGABRT.
Fully reproducible.
Comment 1 Sourceware Commits 2025-12-08 09:25:11 UTC
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ea4bc025abdba85a90e26e13f551c16a44bfa921

commit ea4bc025abdba85a90e26e13f551c16a44bfa921
Author: Alan Modra <amodra@gmail.com>
Date:   Mon Dec 8 16:00:16 2025 +1030

    PR 33698 and PR 33700
    
    It is possible for dump_relocations to return on an error from
    slurp_rela_relocs or slurp_rel_relocs without writing to
    "all_relocations".  In that case an uninitialised r_symbol is passed
    to free at the end of process_got_section_contents.
    
            PR 33698
            PR 33700
            * readelf.c (update_all_relocations): Zero array.  Remove
            unnecessary casts.
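The defect and the fix described in the commit message, as an added C example that is not readelf's own code: a slurp routine that returns early on malformed input without writing its output record, a caller that then frees an uninitialised pointer, and the same caller with the record zeroed first so the error path frees NULL. All names (reloc_section, slurp_relocs, process_got_buggy, process_got_fixed, RELOC_ENTSIZE) and the length check are constructed for this example and only stand in for the readelf.c functions the commit names.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical record for one relocation section; r_symbol is named after
   the commit message, everything else is constructed for this example. */
struct reloc_section {
    size_t nrelocs;
    uint64_t *r_symbol;   /* heap array of symbol indices, or NULL */
};
#define RELOC_ENTSIZE 8   /* constructed entry size: one uint64_t per reloc */

/* Stand-in for slurp_rel*_relocs: returns 0 and fills *out on success,
   returns -1 on a malformed section WITHOUT writing to *out.  The size
   check is an assumption, not readelf's actual validation. */
static int slurp_relocs(const uint8_t *sec, size_t len, struct reloc_section *out)
{
    if (len == 0 || len % RELOC_ENTSIZE != 0)
        return -1;                             /* early return: *out untouched */
    size_t n = len / RELOC_ENTSIZE;
    uint64_t *syms = malloc(n * sizeof *syms);
    if (syms == NULL)
        return -1;
    for (size_t i = 0; i < n; i++)
        memcpy(&syms[i], sec + i * RELOC_ENTSIZE, sizeof syms[i]);
    out->nrelocs = n;
    out->r_symbol = syms;
    return 0;
}

/* Buggy shape: 'rel' is never initialised, so on the error path free()
   gets stack garbage.  Kept for contrast only; never call it on bad input. */
int process_got_buggy(const uint8_t *sec, size_t len)
{
    struct reloc_section rel;
    int rc = slurp_relocs(sec, len, &rel);
    free(rel.r_symbol);          /* uninitialised when rc == -1 */
    return rc == 0 ? (int)rel.nrelocs : -1;
}

/* Fixed shape, matching "Zero array" in the commit: zero the record before
   any call that may return early, so free(NULL) is a harmless no-op. */
int process_got_fixed(const uint8_t *sec, size_t len)
{
    struct reloc_section rel;
    memset(&rel, 0, sizeof rel);
    int rc = slurp_relocs(sec, len, &rel);
    int result = rc == 0 ? (int)rel.nrelocs : -1;
    free(rel.r_symbol);          /* NULL on the error path: safe */
    return result;
}
```

The same discipline applies to any caller that frees members of a record an earlier call may have skipped: initialise before the first early return, not after.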
Comment 2 Alan Modra 2025-12-08 09:27:12 UTC
Fixed (really a dup).
Comment 3 970429025 2026-03-06 01:33:33 UTC
This issue has been assigned CVE-2025-69651