Attachment: fix-elfutils-0.194-process-symtab-null-check.patch

Hello,

I found a NULL pointer dereference bug in elfutils 0.194 that causes eu-readelf to crash when processing malformed ELF files with the -D (--use-dynamic) flag.

**Problem:**

When eu-readelf is invoked with -D on a malformed ELF file, process_symtab() receives a NULL symstr_data pointer (from a failed elf_getdata_rawchunk or an invalid dynamic segment). The function dereferences symstr_data->d_buf without checking, causing SIGSEGV.

**Location:** src/readelf.c, line 2877 in process_symtab()

**Reproduction:**

1. Download the test file: https://sourceware.org/bugzilla/attachment.cgi?id=15925 (this is the CVE-2025-1365 PoC from bugzilla #32654)
2. Run: eu-readelf -a -D poc
3. Result: Segmentation fault (exit 139)

**How We Found It:**

This bug was discovered during CVE-2025-1365 regression testing. While testing the fix for CVE-2025-1365 (commit 5e5c0394), we found that the test PoC file triggered a different crash in the newly refactored code.

**Impact:**

- Crash on malformed ELF files that should be handled gracefully
- Regression introduced in 0.194 by refactoring in commit 5e5c0394
- This commit extracted dynamic segment symbol table processing into a new process_symtab() function (as part of fixing CVE-2025-1365)
- The new function added validate_str() calls but failed to add a NULL check for symstr_data before accessing its d_buf member
- Previous versions (0.188 and earlier) handled dynamic processing inline in print_symtab() and didn't have this code path
- Affects any tool using eu-readelf -D on untrusted input

**Fix:**

Add a NULL check before dereferencing symstr_data. This matches the defensive coding pattern used elsewhere in elfutils and allows graceful error handling.

The attached patch adds a simple NULL check that resolves the crash. After the fix, eu-readelf processes what it can from malformed files and exits cleanly with appropriate error messages instead of crashing.

Tested on x86_64 with the reproduction case above: crash eliminated, graceful handling restored.

Signed-off-by: Samuel Dainard <[email protected]>
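The defensive pattern the report describes, shown as an added stand-alone example that is not the attached patch and not elfutils code: a symbol-name lookup that first checks the string-table data pointer for NULL and then bounds-checks the offset, placed beside the unchecked form that would crash. The `struct str_data` type, the `str_offset_valid`/`symbol_name_*` function names and the sample string table are all constructed here for illustration; the struct only mirrors the `d_buf`/`d_size` fields of libelf's `Elf_Data` and is not the real header.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for libelf's Elf_Data, reduced to the two fields the check
   needs. Assumption for this example only; not the libelf definition. */
struct str_data {
    const void *d_buf;
    size_t d_size;
};

/* Return 1 if OFF indexes a NUL-terminated string lying wholly inside the
   string table, 0 otherwise. The table pointer itself may be NULL when the
   section data could not be read, which is the failure mode in the report,
   so that case is rejected before any field is touched. */
static int str_offset_valid(const struct str_data *strtab, size_t off)
{
    if (strtab == NULL || strtab->d_buf == NULL)
        return 0;
    if (off >= strtab->d_size)
        return 0;
    const char *buf = strtab->d_buf;
    /* memchr is bounded by d_size, so an unterminated table is never over-read. */
    return memchr(buf + off, '\0', strtab->d_size - off) != NULL;
}

/* Unchecked form: dereferences the table unconditionally. With a NULL
   strtab this is exactly the SIGSEGV described above. */
static const char *symbol_name_unchecked(const struct str_data *strtab, size_t off)
{
    return (const char *)strtab->d_buf + off;
}

/* Hardened form: never dereferences a NULL table and never returns a
   pointer to a string that is not NUL-terminated inside the table. */
static const char *symbol_name_checked(const struct str_data *strtab, size_t off)
{
    if (!str_offset_valid(strtab, off))
        return "<invalid>";
    return (const char *)strtab->d_buf + off;
}

/* Walk a list of st_name offsets and count the ones that can be printed;
   a missing string table simply yields zero instead of a crash. */
static int count_valid_names(const struct str_data *strtab, const size_t *offs, size_t n)
{
    int ok = 0;
    for (size_t i = 0; i < n; i++)
        if (str_offset_valid(strtab, offs[i]))
            ok++;
    return ok;
}

/* Constructed sample table: "\0main\0foo" with no trailing NUL, so the
   last entry is deliberately unterminated. */
static const char sample_tab[] = { '\0', 'm', 'a', 'i', 'n', '\0', 'f', 'o', 'o' };
static const struct str_data sample = { sample_tab, sizeof sample_tab };

int main(void)
{
    size_t offs[] = { 1, 6, 9, 100 };
    printf("valid names: %d of 4\n", count_valid_names(&sample, offs, 4));
    printf("unchecked @1: %s\n", symbol_name_unchecked(&sample, 1));
    printf("checked   @1: %s  @6: %s\n",
           symbol_name_checked(&sample, 1), symbol_name_checked(&sample, 6));
    printf("checked, NULL table: %s\n", symbol_name_checked(NULL, 1));
    return 0;
}
```

The NULL test comes first because every later check reads a field of the table; putting the bounds check before it would reintroduce the same crash. Offsets that are in range but not terminated within `d_size` are also rejected, which is the same class of problem a validate_str()-style check guards against.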
