https://sourceware.org/bugzilla/show_bug.cgi?id=33701

            Bug ID: 33701
           Summary: readelf aborts with SIGABRT on crafted input when run
                    with “-w abbrev” (binutils 2.46(HEAD)).
           Product: binutils
           Version: 2.46 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: 970429025 at qq dot com
  Target Milestone: ---

Created attachment 16507
  --> https://sourceware.org/bugzilla/attachment.cgi?id=16507&action=edit
The PoC attachment contains the input file that triggers the crash

Overview:
Running readelf with “-w abbrev” on a crafted ELF file causes the program to
print DWARF-related warnings and then terminate with SIGABRT.

Steps to Reproduce:
./readelf -w abbrev SIGABRT

Actual Results:
readelf reports a warning about a missing .debug_addr section, prints
“Unhandled data length: 0”, and then aborts with SIGABRT.

GDB output excerpt:

    <6e6>   DW_AT_comp_dir    : (indexed string: 0): <no .debug_str section>
    <6e7>   DW_AT_low_pc      :readelf: Warning: Cannot fetch indexed address:
the .debug_addr section is missing
 (index: 0x2): 0
    <6e8>   DW_AT_high_pc     : 0x15b00
    <6ec>   DW_AT_addr_base   : 0x1000
    <6f0>   DW_AT_rnglists_base: 0
    <6f4>   DW_AT_loclists_base: 0xbefd7000 (location list)
 <-17><6f8>: Abbrev Number: 50 (DW_TAG_lexical_block)
    <6f9>   DW_AT_ranges      :readelf: Error: Unhandled data length: 0

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
51      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) vt
Undefined command: "vt".  Try "help".
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007ffff6bbb7f1 in __GI_abort () at abort.c:79
#2  0x000000000054aa54 in byte_get_little_endian ()
#3  0x000000000051ca93 in fetch_indexed_offset ()
#4  0x0000000000517997 in read_and_display_attr_value ()
#5  0x0000000000510507 in read_and_display_attr ()
#6  0x00000000004e5d5c in process_debug_info ()
#7  0x00000000004f2a08 in display_debug_info ()
#8  0x00000000004bd8dd in display_debug_section ()
#9  0x000000000045d4d4 in process_section_contents ()
#10 0x0000000000448b6e in process_object ()
#11 0x00000000004484fe in process_archive ()
#12 0x000000000043904a in process_file ()
#13 0x0000000000437119 in main ()
(gdb) 

Expected Results:
readelf should handle malformed DWARF abbrev/debug info safely and exit cleanly
after reporting errors, instead of aborting.

Build & Platform:
binutils version: 2.46(HEAD)
component: readelf
OS: Ubuntu 18.04.6 LTS
arch: x86_64

Additional Information:
The PoC attachment contains the input file that triggers the crash (SIGABRT).
Crash type: SIGABRT.
Fully reproducible.

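The backtrace shows the abort happening inside the fixed-width byte reader: fetch_indexed_offset() passes a data length of 0 down to byte_get_little_endian(), which has no case for that width and calls abort() after printing "Unhandled data length: 0". The example below is added here as an illustration and is not code from binutils or from the reporter; the types and function names (section_t, byte_get_le_checked, fetch_indexed_offset_checked, demo_table) are hypothetical. It shows the shape of an indexed-offset lookup (entry = base + index * offset_size, as used for DW_FORM_rnglistx/loclistx tables) and the two checks a caller wants before a fixed-width fetch on attacker-controlled input: reject a width that is not 1/2/4/8, and reject a read that would run past the end of the section. It goes slightly beyond the report in that the bounds check also covers oversized indexes and base offsets, not only the zero width that triggered this crash. The aborting variant is kept beside the checked one so the difference is visible.

```c
/* Illustrative indexed-offset reader, not binutils code. Names are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct {
    const unsigned char *start;   /* section contents */
    size_t size;                  /* section length in bytes */
} section_t;

/* Little-endian fixed-width read that aborts on an unsupported width.
   This is the failure mode in the report: a width of 0 reaches the default
   case, the error is printed, and the whole tool dies with SIGABRT. */
static uint64_t byte_get_le_abort(const unsigned char *p, unsigned size)
{
    uint64_t v = 0;
    switch (size) {
    case 1: case 2: case 4: case 8:
        for (unsigned i = 0; i < size; i++)
            v |= (uint64_t)p[i] << (8 * i);
        return v;
    default:
        fprintf(stderr, "Error: Unhandled data length: %u\n", size);
        abort();
    }
}

/* Checked variant: returns 0 and stores the value, or -1 (leaving *out
   untouched) when the width is unsupported or the read would leave the
   section. No abort(); the caller reports and keeps going. */
static int byte_get_le_checked(const section_t *sec, size_t off,
                               unsigned size, uint64_t *out)
{
    if (size != 1 && size != 2 && size != 4 && size != 8)
        return -1;
    if (off > sec->size || size > sec->size - off)
        return -1;
    uint64_t v = 0;
    for (unsigned i = 0; i < size; i++)
        v |= (uint64_t)sec->start[off + i] << (8 * i);
    *out = v;
    return 0;
}

/* Entry `idx` of an offset table that starts at `base` inside `sec`.
   offset_size is the DWARF offset size (4 for 32-bit DWARF, 8 for 64-bit);
   anything else is malformed input and is refused before any read. */
static int fetch_indexed_offset_checked(const section_t *sec, uint64_t base,
                                        uint64_t idx, unsigned offset_size,
                                        uint64_t *out)
{
    if (offset_size != 4 && offset_size != 8) {
        fprintf(stderr, "Warning: invalid offset size %u for indexed offset\n",
                offset_size);
        return -1;
    }
    /* Overflow-safe computation of base + idx * offset_size. */
    if (idx > UINT64_MAX / offset_size)
        return -1;
    uint64_t rel = idx * offset_size;
    if (rel > UINT64_MAX - base)
        return -1;
    uint64_t off = base + rel;
    if (off > sec->size)   /* also keeps the size_t cast below in range */
        return -1;
    return byte_get_le_checked(sec, (size_t)off, offset_size, out);
}

/* Constructed sample: a two-entry 32-bit offset table (0x10, 0x20). */
static const unsigned char demo_table[] = { 0x10, 0, 0, 0, 0x20, 0, 0, 0 };
static const section_t demo_sec = { demo_table, sizeof demo_table };

int main(void)
{
    uint64_t v = 0;
    /* Valid lookup: entry 1 with a 4-byte offset size. */
    if (fetch_indexed_offset_checked(&demo_sec, 0, 1, 4, &v) == 0)
        printf("entry 1 = 0x%llx\n", (unsigned long long)v);
    /* Width 0, as in the crafted input: diagnostic, not abort(). */
    if (fetch_indexed_offset_checked(&demo_sec, 0, 0, 0, &v) != 0)
        printf("width 0 rejected, tool keeps running\n");
    /* Index past the end of the table: also rejected. */
    if (fetch_indexed_offset_checked(&demo_sec, 0, 2, 4, &v) != 0)
        printf("out-of-range index rejected\n");
    /* The aborting reader is fine for a supported width. */
    printf("raw read = 0x%llx\n",
           (unsigned long long)byte_get_le_abort(demo_table, 4));
    return 0;
}
```

The point for a readelf-style tool is that the width check belongs in the caller (here fetch_indexed_offset_checked) and the low-level reader should signal failure rather than abort(), so that one malformed attribute produces a warning and the rest of the DIE tree is still displayed, which is the behaviour the Expected Results above asks for.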