Hi Samuel,

On Tue, Feb 17, 2026 at 07:27:03PM +0000, Dainard, Samuel wrote:
> Attachment protected by Amazon:
>
> [fix-elfutils-0.194-process-symtab-null-check.patch]
> https://us-west-2.secure-attach.amazon.com/82999f9a-76e9-4fa0-be7e-1b71d2c7f6b0/55fe9d27-70d3-42de-bc9c-0f83512de09f
>
> Amazon has replaced the attachment in this email with a download link.
> Downloads will be available until March 19, 2026, 19:26 (UTC+00:00).
> [Tell us what you think]
> https://amazonexteu.qualtrics.com/jfe/form/SV_ehuz6zGo8YnsRKK
> [For more information click here] https://docs.secure-attach.amazon.com/guide
That made it a little awkward to get/apply the patch. But the patch does look good.

> I found a NULL pointer dereference bug in elfutils 0.194 that causes eu-readelf
> to crash when processing malformed ELF files with the -D (--use-dynamic) flag.
>
> **Problem:**
> When eu-readelf is invoked with -D on a malformed ELF file, process_symtab()
> receives a NULL symstr_data pointer (from failed elf_getdata_rawchunk or invalid
> dynamic segment). The function dereferences symstr_data->d_buf without checking,
> causing SIGSEGV.
>
> **Location:**
> src/readelf.c, line 2877 in process_symtab()
>
> **Reproduction:**
> 1. Download test file: https://sourceware.org/bugzilla/attachment.cgi?id=15925
>    (This is the CVE-2025-1365 PoC from bugzilla #32654)
> 2. Run: eu-readelf -a -D poc
> 3. Result: Segmentation fault (exit 139)
>
> **How We Found It:**
> This bug was discovered during CVE-2025-1365 regression testing. While testing
> the fix for CVE-2025-1365 (commit 5e5c0394), we found that the test PoC file
> triggered a different crash in the newly refactored code.
>
> **Impact:**
> - Crash on malformed ELF files that should be handled gracefully
> - Regression introduced in 0.194 by refactoring in commit 5e5c0394
> - This commit extracted dynamic segment symbol table processing into a new
>   process_symtab() function (as part of fixing CVE-2025-1365)
> - The new function added validate_str() calls but failed to add a NULL check
>   for symstr_data before accessing its d_buf member
> - Previous versions (0.188 and earlier) handled dynamic processing inline in
>   print_symtab() and didn't have this code path
> - Affects any tool using eu-readelf -D on untrusted input
>
> **Fix:**
> Add NULL check before dereferencing symstr_data. This matches the defensive
> coding pattern used elsewhere in elfutils and allows graceful error handling.
>
> The attached patch adds a simple NULL check that resolves the crash.
> After the
> fix, eu-readelf processes what it can from malformed files and exits cleanly
> with appropriate error messages instead of crashing.
>
> Tested on x86_64 with the reproduction case above - crash eliminated, graceful
> handling restored.

Thanks for that explanation. That all makes sense.

> Signed-off-by: [Samuel Dainard] <[[email protected]]>

I added your Signed-off-by to the actual patch/commit message and pushed with a
small whitespace change (so the line wasn't too long).

Thanks,

Mark
>From 1d9c952ce7be8e71216b245f9069e478c0b59719 Mon Sep 17 00:00:00 2001 From: Samuel Dainard <[email protected]> Date: Tue, 17 Feb 2026 23:07:06 +0100 Subject: [PATCH] readelf: Fix NULL pointer dereference in process_symtab with -D flag When using eu-readelf with the -D (use_dynamic_segment) flag on malformed ELF files, process_symtab can receive a NULL symstr_data pointer if elf_getdata_rawchunk fails or the dynamic segment is malformed. The function then dereferences symstr_data->d_buf without checking, causing a segmentation fault. Add NULL check before accessing symstr_data fields. Fixes regression introduced in 0.194 where process_symtab was refactored to handle dynamic segment symbol tables. Signed-off-by: Samuel Dainard <[email protected]> --- src/readelf.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/readelf.c b/src/readelf.c index 2685c64af983..719c5602ee69 100644 --- a/src/readelf.c +++ b/src/readelf.c @@ -2874,8 +2874,9 @@ process_symtab (Ebl *ebl, unsigned int nsyms, Elf64_Word idx, xndx = sym->st_shndx; if (use_dynamic_segment == true) { - if (validate_str (symstr_data->d_buf, sym->st_name, - symstr_data->d_size)) + if (symstr_data != NULL + && validate_str (symstr_data->d_buf, sym->st_name, + symstr_data->d_size)) sym_name = (char *)symstr_data->d_buf + sym->st_name; else sym_name = NULL; -- 2.52.0
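Review bot: the new `symstr_data != NULL` test in the readelf.c hunk is evaluated for every `sym` handled by process_symtab even though it does not depend on `sym`, and when it fails the code silently drops into the pre-existing `sym_name = NULL;` branch, so this hunk by itself produces no diagnostic that the dynamic string table was unavailable; the reader of the output cannot tell a missing table apart from a single out-of-range `st_name`. Consider checking `symstr_data` once before the symbol loop (or in the caller that obtains it from elf_getdata_rawchunk) and reporting the missing table there, keeping the per-symbol `validate_str` call only for the offset check. The guard as written does remove the dereference described in the commit message.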
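As an added C example (it is not elfutils code and not part of either message above), here is the defensive string-table lookup the fix moves toward, in stand-alone form so the three failure modes can be exercised without libelf: a stand-in struct carrying only the d_buf/d_size members the lookup needs, a hypothetical bounds check named str_in_bounds written in the spirit of the validate_str() call visible in the patch (its exact semantics are my assumption, not copied from the project), and a lookup that returns NULL for a missing table, an st_name at or past d_size, and a string that is not NUL-terminated inside the table. The sample .dynstr bytes are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for libelf's Elf_Data with only the two members the lookup uses.
   Constructed for this example; it is not libelf's definition. */
typedef struct
{
  void *d_buf;
  size_t d_size;
} strtab_data;

/* Hypothetical bounds check (assumption, modelled on the validate_str() call
   in the patch): non-zero when OFFSET lies inside the SIZE-byte table and the
   string starting there has a NUL before the end of the table, so that a later
   strlen()/printf("%s") cannot run off the end of the buffer. */
static int
str_in_bounds (const void *buf, size_t offset, size_t size)
{
  if (buf == NULL || offset >= size)
    return 0;
  const char *start = (const char *) buf + offset;
  return memchr (start, '\0', size - offset) != NULL;
}

/* Defensive name lookup for a dynamic-segment symbol.  Tolerates a missing
   string table (NULL data, as after a failed elf_getdata_rawchunk), an
   out-of-range st_name and an unterminated string, returning NULL for all
   three instead of dereferencing anything it has not checked. */
const char *
dyn_sym_name (const strtab_data *symstr, uint32_t st_name)
{
  if (symstr == NULL)
    return NULL;
  if (!str_in_bounds (symstr->d_buf, st_name, symstr->d_size))
    return NULL;
  return (const char *) symstr->d_buf + st_name;
}

/* Constructed .dynstr contents: "" at 0, "main" at 1, and "bad" at 6 with
   no terminating NUL inside the table.  Not taken from any real binary. */
static char sample_dynstr[] = { '\0', 'm', 'a', 'i', 'n', '\0', 'b', 'a', 'd' };
static const strtab_data sample_table = { sample_dynstr, sizeof sample_dynstr };

/* Look st_name up in the constructed sample table. */
const char *
lookup_sample (uint32_t st_name)
{
  return dyn_sym_name (&sample_table, st_name);
}

/* Print what each case resolves to; "(none)" marks a rejected lookup. */
int
main (void)
{
  const uint32_t offsets[] = { 0, 1, 6, 9, 0xffffffffu };
  for (size_t i = 0; i < sizeof offsets / sizeof offsets[0]; i++)
    {
      const char *name = lookup_sample (offsets[i]);
      printf ("st_name %u -> %s\n", offsets[i], name ? name : "(none)");
    }
  printf ("missing table -> %s\n",
          dyn_sym_name (NULL, 1) ? "deref" : "(none)");
  return 0;
}
```

The order of the tests matters: the NULL check on the table comes first, the offset check reads only the size, and the memchr scan is limited to the bytes that remain after the offset, so no step reads memory that an earlier step has not shown to exist.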
