https://sourceware.org/bugzilla/show_bug.cgi?id=33698

            Bug ID: 33698
           Summary: readelf aborts with SIGABRT due to double free when
                    processing malformed input (binutils 2.46(HEAD))
           Product: binutils
           Version: 2.46 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: 970429025 at qq dot com
  Target Milestone: ---

Created attachment 16504
  --> https://sourceware.org/bugzilla/attachment.cgi?id=16504&action=edit
The PoC attachment contains the input file that triggers the crash

Overview:
Running readelf with a crafted input file causes the program to terminate with
SIGABRT after printing several corruption warnings.

Steps to Reproduce:
./readelf -a Double_Free

Actual Results:
readelf prints multiple warnings about malformed symbols and then aborts with:
double free or corruption (out)
Program terminates with SIGABRT.

GDB output excerpt:
    44: 01c9120d8d013078 0xc96c0d008f010000 FILE    LOCAL  DEFAULT BAD[0xc00]
<corrupt>
readelf: Warning: local symbol 44 found at index >= .symtab's sh_info value of
33

No version information found in this file.

There is no GOT section in this file.
double free or corruption (out)

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
51      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007ffff6bbb7f1 in __GI_abort () at abort.c:79
#2  0x00007ffff6c04837 in __libc_message (action=action@entry=do_abort,
fmt=fmt@entry=0x7ffff6d31a7b "%s\n") at ../sysdeps/posix/libc_fatal.c:181
#3  0x00007ffff6c0b8ba in malloc_printerr (str=str@entry=0x7ffff6d33788 "double
free or corruption (out)") at malloc.c:5342
#4  0x00007ffff6c12e4a in _int_free (have_lock=0, p=0xa23cc30,
av=0x7ffff6f66c40 <main_arena>) at malloc.c:4308
#5  __GI___libc_free (mem=0xa23cc40) at malloc.c:3134
#6  0x000000000045e1d2 in process_got_section_contents ()
#7  0x0000000000448bb3 in process_object ()
#8  0x00000000004484fe in process_archive ()
#9  0x000000000043904a in process_file ()
#10 0x0000000000437119 in main ()
(gdb)


Expected Results:
readelf should reject malformed input and exit cleanly instead of aborting due
to memory corruption.

Build & Platform:
binutils version: 2.46 (HEAD)
component: readelf
OS: Ubuntu 18.04.6 LTS
arch: x86_64

Additional Information:
The PoC attachment contains the input file that triggers the crash
(Double_Free).
Crash type: SIGABRT.
Fully reproducible.
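Added triage helper for crash reports of this kind; it is example code written for this page, not part of binutils or of the report above, and the function names classify_run and triage_files are my own. It assumes a POSIX shell and a glibc target. The one non-obvious point is LIBC_FATAL_STDERR_: on older glibc (including the 2.27 shipped with Ubuntu 18.04), malloc_printerr writes "double free or corruption" to /dev/tty when one is available, so a plain 2> redirect misses the very string this report keys on. Rebuilding binutils with CFLAGS="-g -O1 -fsanitize=address" turns the glibc abort into an ASan double-free report with the allocation and both free stacks, which the same helper buckets as ASAN:attempting double-free.

```shell
#!/bin/sh
# Added example: crash triage helper for readelf PoC files.
# Not part of binutils or of the bug report; function names are hypothetical.
#
# classify_run CMD... runs CMD with stdout discarded and stderr captured,
# then prints exactly one bucket:
#   OK | ERROR:<rc> | SIGABRT | SIGSEGV | SIGNAL:<n> | DOUBLE_FREE | ASAN:<kind>
# LIBC_FATAL_STDERR_=1 forces glibc's fatal malloc messages onto stderr;
# older glibc otherwise sends them to /dev/tty when a terminal is present.
classify_run() {
    err=$(mktemp) || return 1
    rc=0
    LIBC_FATAL_STDERR_=1 "$@" >/dev/null 2>"$err" || rc=$?
    # ASan reports look like "==PID==ERROR: AddressSanitizer: <kind> on ..."
    kind=$(sed -n 's/.*ERROR: AddressSanitizer: \(.*\) on .*/\1/p' "$err" | head -n 1)
    if [ -n "$kind" ]; then
        result="ASAN:$kind"
    elif grep -q "double free or corruption" "$err"; then
        result=DOUBLE_FREE          # glibc malloc consistency abort, as in this report
    elif [ "$rc" -eq 0 ]; then
        result=OK
    elif [ "$rc" -gt 128 ]; then    # shells report death-by-signal as 128+signo
        case $((rc - 128)) in
            6)  result=SIGABRT ;;
            11) result=SIGSEGV ;;
            *)  result="SIGNAL:$((rc - 128))" ;;
        esac
    else
        result="ERROR:$rc"
    fi
    rm -f "$err"
    printf '%s\n' "$result"
}

# triage_files DIR CMD... runs CMD on every regular file in DIR (the file is
# appended as the last argument, as readelf expects) and prints
# "<file><TAB><bucket>" per file, in glob order.
triage_files() {
    dir=$1; shift
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        printf '%s\t%s\n' "${f##*/}" "$(classify_run "$@" "$f")"
    done
}

# Usage against the attached PoC and against a queue of candidate inputs:
#   classify_run ./readelf -a Double_Free
#   triage_files ./poc-queue ./readelf -a
```

The bucket names are deliberately coarse: glibc's abort only proves heap metadata was inconsistent at free time, so DOUBLE_FREE here means "glibc said so", while a real root cause (which free of which buffer) needs the ASan rebuild or a watchpoint on the chunk at 0xa23cc40 in the backtrace.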
