bug-binutils

[Bug binutils/24909] New: Uninitialized use on stack in readelf


From: wang8330 at umn dot edu
Subject: [Bug binutils/24909] New: Uninitialized use on stack in readelf
Date: Thu, 15 Aug 2019 17:46:44 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=24909

            Bug ID: 24909
           Summary: Uninitialized use on stack in readelf
           Product: binutils
           Version: 2.33 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: wang8330 at umn dot edu
  Target Milestone: ---

Created attachment 11949
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11949&action=edit
PoC to trigger the vulnerability.

There is an uninitialized use on the stack in readelf.c that may cause an information leak.

The commit id for the git repo I tested is
fc9e754460ccf1c893fc9e67c02c49f58f1bd38e

Compile command:

CC=clang \
CFLAGS="-DFORTIFY_SOURCE=2 -fno-omit-frame-pointer -g -Wno-error -ggdb" \
./configure \
--disable-shared --disable-gdb --disable-libdecnumber --disable-readline \
--disable-sim
make

How to trigger the bug:
./readelf -a input

I tested this program using clang, not sure if it also exists for gcc.

When compiling with -O2, on line 12018 in function process_symbol_table() in
readelf.c, sym_info is first declared on the stack.

It is supposed to be updated on line 12044 in function
get_symbol_version_string().

The problem is that there are only two statements in
get_symbol_version_string() to initialize sym_info and the input triggers
neither of them, so sym_info is actually uninitialized when used in line 12051.

The input is attached.

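The defect class described in the report, a callee that writes its out-parameter on only some paths while the caller never initializes the variable, is shown below in a constructed C example. This is added illustration, not readelf's code: the `struct sym_record` type, the `has_verneed`/`has_verdef` flags and the `version_string_*` functions are all hypothetical stand-ins for the two initialization paths the reporter describes, and the buggy form is checked with a sentinel value rather than by reading real stack garbage (which would be undefined behaviour). The hardened form writes the out-parameter on every path and the caller initializes at the point of declaration, so either fix alone would close the leak.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed example, not readelf's real types or logic: the shape of the
 * defect is a callee that writes its out-parameter on only some paths while
 * the caller never initializes the variable itself. */
enum versioned_symbol_info {
    symbol_unversioned = 0,
    symbol_hidden,
    symbol_public
};

/* Hypothetical symbol record: a version index plus flags that say which
 * version tables (if any) describe this symbol. */
struct sym_record {
    uint16_t vers_index;
    unsigned has_verneed;  /* version comes from a "needed" (imported) table */
    unsigned has_verdef;   /* version comes from a "defined" (exported) table */
};

/* Buggy pattern: only two branches assign *info. When neither table applies,
 * the function returns NULL and *info keeps whatever the caller had. */
static const char *version_string_buggy(const struct sym_record *s,
                                        enum versioned_symbol_info *info)
{
    if (s->has_verneed) {
        *info = (s->vers_index & 0x8000) ? symbol_hidden : symbol_public;
        return "needed";
    }
    if (s->has_verdef) {
        *info = symbol_public;
        return "defined";
    }
    return NULL;  /* *info is not written on this path */
}

/* Hardened pattern: the callee writes *info on every path, so no caller can
 * observe a stale value regardless of how it declared the variable. */
static const char *version_string_fixed(const struct sym_record *s,
                                        enum versioned_symbol_info *info)
{
    *info = symbol_unversioned;  /* default first, then refine */
    if (s->has_verneed) {
        *info = (s->vers_index & 0x8000) ? symbol_hidden : symbol_public;
        return "needed";
    }
    if (s->has_verdef) {
        *info = symbol_public;
        return "defined";
    }
    return NULL;
}

/* Deterministic check of the defect: seed the caller's variable with a
 * sentinel instead of reading real stack garbage. Returns 1 if the buggy
 * callee left the sentinel in place, i.e. the caller's value leaked through. */
int buggy_callee_leaves_caller_value(void)
{
    struct sym_record s = { 0, 0, 0 };  /* neither verneed nor verdef */
    enum versioned_symbol_info info = (enum versioned_symbol_info)0x7f;
    version_string_buggy(&s, &info);
    return info == (enum versioned_symbol_info)0x7f;
}

/* Caller written the defensive way: initialize at the point of declaration
 * and use the callee that always writes its out-parameter, so the result is
 * well defined for every input, including symbols in no version table. */
enum versioned_symbol_info classify_symbol(const struct sym_record *s)
{
    enum versioned_symbol_info sym_info = symbol_unversioned;
    (void)version_string_fixed(s, &sym_info);
    return sym_info;
}

/* Convenience wrapper building the record from its fields. */
enum versioned_symbol_info classify(uint16_t vers_index,
                                    unsigned has_verneed, unsigned has_verdef)
{
    struct sym_record s = { vers_index, has_verneed, has_verdef };
    return classify_symbol(&s);
}

int main(void)
{
    printf("buggy callee leaves caller value: %d\n",
           buggy_callee_leaves_caller_value());
    printf("unversioned -> %d, hidden imported -> %d, defined -> %d\n",
           classify(0, 0, 0), classify(0x8001, 1, 0), classify(5, 0, 1));
    return 0;
}
```

Compiler warnings (`-Wall -Wuninitialized`) often miss this shape because the write happens through a pointer in another function; a dynamic checker such as MemorySanitizer, or simply initializing at the declaration as `classify_symbol` does, is the reliable defence.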

