https://sourceware.org/bugzilla/show_bug.cgi?id=33697

            Bug ID: 33697
           Summary: readelf crashes with SIGSEGV on crafted input due to a
                    null-pointer dereference
           Product: binutils
           Version: 2.46 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: 970429025 at qq dot com
  Target Milestone: ---

Created attachment 16503
  --> https://sourceware.org/bugzilla/attachment.cgi?id=16503&action=edit
The PoC attachment contains the input file that triggers the crash

Overview:
Running readelf with the provided malformed input causes the program to crash
with a segmentation fault due to a null-pointer dereference.

Steps to Reproduce:
./readelf -a Null_Pointer

Actual Results:
readelf prints several warnings about invalid ELF header fields and then
crashes with SIGSEGV inside display_relocations().
The program does not handle the malformed input gracefully and exits
immediately.

Relevant GDB excerpt:
warning: Error disabling address space randomization: Operation not permitted
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
ELF Header:
  Magic:   7f 45 4c 46 69 6e 75 74 69 6c 73 00 2e 2e 2f 2e
  Class:                             <unknown: 69>
  Data:                              <unknown: 6e>
  Version:                           117 <unknown>
  OS/ABI:                            <unknown: 74>
  ABI Version:                       105
  Type:                              <unknown>: 2f2e
  Machine:                           <unknown>: 0x6962
  Version:                           0x6974756e
  Entry point address:               0x322d736c
  Start of program headers:          791950382 (bytes into file)
  Start of section headers:          1970170210 (bytes into file)
  Flags:                             0x736c6974
  Size of this header:               26880 (bytes)
  Size of program headers:           11635 (bytes)
  Number of program headers:         24946
  Size of section headers:           27758 (bytes)
  Number of section headers:         25193
  Section header string table index: 25390 <corrupt: out of range>
readelf: Warning: The e_shentsize field in the ELF header is larger than the
size of an ELF section header
readelf: Error: Reading 699307294 bytes extends past end of file for section
headers
readelf: Error: Section headers are not available!
readelf: Error: Too many program headers - 0x6172 - the file is not that big

There is no dynamic section in this file.

Program received signal SIGSEGV, Segmentation fault.
0x000000000048109b in display_relocations ()
(gdb) bt
#0  0x000000000048109b in display_relocations ()
#1  0x0000000000457a11 in process_relocs ()
#2  0x0000000000448976 in process_object ()
#3  0x00000000004391be in process_file ()
#4  0x0000000000437119 in main ()


Expected Results:
readelf should detect the invalid ELF structure and stop processing with an
error message, instead of dereferencing a null pointer and crashing.

Build & Platform:
Binutils 2.46 (HEAD)
Component: readelf
OS: Ubuntu 18.04.6 LTS
Platform: x86_64

Additional Information:
The PoC attachment contains the input file that triggers the crash
(Null_Pointer).
Crash type: null pointer dereference (SIGSEGV).
Fully reproducible.
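The behaviour asked for under Expected Results, as an added example in C that is not binutils code: every table the header advertises (offset, entry size, count) is checked against the file length before anything is read through it, so a header like the one printed above is rejected instead of being dereferenced. The sample headers are constructed inline and the function names are my own.

```c
#include <stdint.h>
#include <string.h>
/* Outcomes of the pre-parse sanity check. */
enum elf_check { ELF_OK, ELF_BAD_MAGIC, ELF_BAD_CLASS, ELF_BAD_DATA,
                 ELF_BAD_EHSIZE, ELF_BAD_PHDRS, ELF_BAD_SHDRS, ELF_BAD_SHSTRNDX };

/* Little-endian field access; the buffer is never cast to a struct. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint64_t rd64(const uint8_t *p) { uint64_t v = 0; for (int i = 7; i >= 0; i--) v = (v << 8) | p[i]; return v; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void wr64(uint8_t *p, uint64_t v) { for (int i = 0; i < 8; i++) p[i] = (v >> (8 * i)) & 0xff; }
/* A table of `num` entries of `entsize` bytes at `off` must lie inside the file.
 * Written as off <= len && bytes <= len - off so a huge e_shoff cannot wrap the sum. */
static int table_fits(uint64_t off, uint16_t entsize, uint16_t num, size_t len) {
    uint64_t bytes = (uint64_t)entsize * num;
    return off <= len && bytes <= len - off;
}

/* Validate a little-endian ELF64 header before any table is dereferenced.
 * Extended section numbering (e_shnum == 0 with e_shoff != 0) is not handled here. */
enum elf_check check_elf64_header(const uint8_t *buf, size_t len) {
    if (len < 64 || memcmp(buf, "\x7f" "ELF", 4) != 0) return ELF_BAD_MAGIC;
    if (buf[4] != 2) return ELF_BAD_CLASS;   /* ELFCLASS64; the reported file has 0x69 here */
    if (buf[5] != 1) return ELF_BAD_DATA;    /* ELFDATA2LSB */
    if (rd16(buf + 52) != 64) return ELF_BAD_EHSIZE;
    uint16_t phnum = rd16(buf + 56), shnum = rd16(buf + 60);
    if (phnum && (rd16(buf + 54) != 56 || !table_fits(rd64(buf + 32), 56, phnum, len)))
        return ELF_BAD_PHDRS;
    if (shnum && (rd16(buf + 58) != 64 || !table_fits(rd64(buf + 40), 64, shnum, len)))
        return ELF_BAD_SHDRS;
    if (shnum && rd16(buf + 62) >= shnum) return ELF_BAD_SHSTRNDX;  /* SHN_UNDEF (0) is fine */
    return ELF_OK;
}

/* Constructed sample: minimal ELF64 header with no program or section tables. */
static void minimal_header(uint8_t out[64]) {
    memset(out, 0, 64);
    memcpy(out, "\x7f" "ELF\x02\x01\x01", 7); /* magic, ELFCLASS64, ELFDATA2LSB, EV_CURRENT */
    wr16(out + 16, 2); wr16(out + 18, 0x3e);  /* ET_EXEC, EM_X86_64 */
    wr16(out + 52, 64);                       /* e_ehsize */
}
int demo_minimal(void) { uint8_t h[64]; minimal_header(h); return check_elf64_header(h, 64); }
/* Same header carrying the section-table fields the report prints: 25193 headers of
 * 27758 bytes starting 1970170210 bytes into a file that is only 64 bytes long. */
int demo_report_shdrs(void) {
    uint8_t h[64]; minimal_header(h);
    wr64(h + 40, 1970170210); wr16(h + 58, 27758); wr16(h + 60, 25193); wr16(h + 62, 25390);
    return check_elf64_header(h, 64);
}
```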
