pyelftools

Bug: Unlimited recursion when parsing linked sections

Open pd-fkie opened this issue 2 years ago • 1 comments

When the class ELFFile parses sections that are linked via sh_link, it doesn't check for any loops in the linked list. According to Oracle's Linker and Libraries Guide, a linked list of sections can be terminated by a section that points to itself if sh_flags contains the flag SHF_ORDERED. In the current state of pyelftools, however, such an endless loop would result in a RecursionError exception.

The following ELF file can trigger the exception when parsed with the current version of pyelftools: crash-d08fc9a817c40b3c241a163d9101ab425fe31db5. As the name indicates, this bug was found through fuzzing, and thus the crash file does not adhere to the ELF standard; however, it would be possible to create a valid ELF file that triggers the same exception.

pd-fkie, Aug 30 '21 22:08

Thanks for the report. PRs to fix this are welcome.

eliben, Aug 31 '21 13:08

To elaborate, the problem in the linked file is that section 0 has type SHT_HASH and has 0 as sh_link (e.g. points at itself). ELFFile.get_section() for section 0 tries to build an ELFHashSection, follows the link, which calls get_section() with 0, and so on.

sevaa, Apr 16 '24 19:04

@pd-fkie Addressed in #522 by validating which section types can link to which.

sevaa, Apr 17 '24 13:04
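
The loop described in this thread can be detected before handing a file to a recursive parser. The following is an added example, not pyelftools code and not the fix from #522: it reads sh_type and sh_link straight from the ELF64 section header table and walks each chain iteratively with a visited set, which also catches loops longer than the self-link in the report. The LINKING_TYPES set is an assumption taken from the ELF specification's sh_link table, and build_sample_elf, read_sections and find_link_cycles are hypothetical names.

```python
import struct

# Assumption: types whose sh_link is a section index (SYMTAB, RELA, HASH, DYNAMIC, REL, DYNSYM)
LINKING_TYPES = {2, 4, 5, 6, 9, 11}

def build_sample_elf(sections):
    """Constructed ELF64-LE image: ELF header, then one shdr per (sh_type, sh_link)."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 1, 62, 1, 0, 0, 64, 0,
                               64, 0, 0, 64, len(sections), 0)
    shdrs = b"".join(struct.pack("<IIQQQQIIQQ", 0, t, 0, 0, 0, 0, link, 0, 0, 0)
                     for t, link in sections)
    return ehdr + shdrs

def read_sections(data):
    """Return [(sh_type, sh_link), ...] from an ELF64 little-endian image."""
    if data[:4] != b"\x7fELF" or data[4:6] != b"\x02\x01":
        raise ValueError("not an ELF64 little-endian file")
    (shoff,) = struct.unpack_from("<Q", data, 0x28)            # e_shoff
    shentsize, shnum = struct.unpack_from("<HH", data, 0x3A)   # e_shentsize, e_shnum
    if shentsize < 64 or shoff + shentsize * shnum > len(data):
        raise ValueError("section header table out of bounds")
    out = []
    for i in range(shnum):
        base = shoff + i * shentsize
        (sh_type,) = struct.unpack_from("<I", data, base + 4)
        (sh_link,) = struct.unpack_from("<I", data, base + 0x28)
        out.append((sh_type, sh_link))
    return out

def find_link_cycles(sections):
    """Map start index -> sh_link chain that revisits a section (no recursion used)."""
    cycles = {}
    for start in range(len(sections)):
        seen, chain, idx = set(), [], start
        while idx < len(sections) and idx not in seen:
            seen.add(idx)
            chain.append(idx)
            sh_type, sh_link = sections[idx]
            if sh_type not in LINKING_TYPES:
                break  # this type's sh_link is not followed
            idx = sh_link
        else:
            if idx < len(sections):  # stopped on a revisit, not on a dangling link
                cycles[start] = chain + [idx]
    return cycles

# Constructed input mirroring the report: section 0 is SHT_HASH with sh_link 0.
SAMPLE = build_sample_elf([(5, 0)])
```

A non-empty result from find_link_cycles(read_sections(data)) means at least one section's link chain never terminates, so the file can be rejected or logged before deeper parsing.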