* [PATCH 0/1] elfcreator: Fix NULL dereference in remove_dyn()
From: Håvard F. Aasen @ 2026-01-07 21:29 UTC (permalink / raw)
To: dwarves, acme, alan.maguire; +Cc: Håvard F. Aasen
scncopy segfaults if it doesn't find any sections. The crash occurs
inside remove_dyn() when 'ctor->dynshdr' is null.
The attached patch adds a null check in the function where the
segmentation fault occurs. The calling function could also benefit
from stronger validity checks to prevent this crash in the first place.
What happens is that in generic_dyn_fixup_fn(), and the two similar
functions rela_dyn_fixup_fn() and rel_dyn_fixup_fn(), both 'dyn' and
'shdr' may be null (see lines 191-192 in elfcreator.c). The if statement
implicitly assumes that 'dyn' is non-null in the else branch.
It's fairly straightforward to reproduce the issue. Any valid
executable should work: simply run scncopy with a section name that you
know does not exist.
The segmentation fault is as follows:
#0 0x0000555555555e9f in remove_dyn (ctor=0x55555555c3a0, idx=0) at /srv/git/pahole/elfcreator.c:162
#1 0x0000555555555fa2 in generic_dyn_fixup_fn (ctor=0x55555555c3a0, d_tag=4, scn=0x0) at /srv/git/pahole/elfcreator.c:194
#2 0x000055555555634c in fixup_dynamic (ctor=0x55555555c3a0) at /srv/git/pahole/elfcreator.c:264
#3 0x0000555555556476 in elfcreator_end (ctor=0x55555555c3a0) at /srv/git/pahole/elfcreator.c:289
#4 0x00005555555558cd in main (argc=6, argv=0x7fffffffde88) at /srv/git/pahole/scncopy.c:123
Håvard F. Aasen (1):
elfcreator: Fix NULL dereference in remove_dyn()
elfcreator.c | 3 +++
1 file changed, 3 insertions(+)
--
2.51.0
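To make the guard mismatch described in the cover letter concrete, here is an added example (not code from dwarves or from this thread) that models a callee-side check on the fields remove_dyn() actually dereferences, plus the caller-side "section not found" check the cover letter suggests. The DynShdr and Creator types, dyn_entry_count() and fixup_dynamic_entries() are constructed stand-ins, not the real ElfCreator layout or API.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for the fields of ElfCreator that the thread names.
 * Hypothetical layout for illustration only, not the dwarves struct. */
typedef struct { uint64_t sh_size; uint64_t sh_entsize; } DynShdr;
typedef struct {
    DynShdr *dynshdr;   /* header of .dynamic; NULL when the section was not found */
    void    *dyndata;   /* data of .dynamic; NULL when the section was not found */
} Creator;

enum dyn_status { DYN_OK, DYN_ABSENT, DYN_BAD_ENTSIZE };

/* Callee-side guard. The posted patch tests ctor->dyndata, but the loop
 * bound in remove_dyn() reads ctor->dynshdr, so every field that is
 * dereferenced is checked here. sh_entsize is checked too because the
 * bound divides by it; the thread does not say whether it can be zero. */
static enum dyn_status dyn_entry_count(const Creator *ctor, size_t *count)
{
    if (!ctor || !ctor->dynshdr || !ctor->dyndata)
        return DYN_ABSENT;
    if (ctor->dynshdr->sh_entsize == 0)
        return DYN_BAD_ENTSIZE;
    *count = (size_t)(ctor->dynshdr->sh_size / ctor->dynshdr->sh_entsize);
    return DYN_OK;
}

/* Caller-side guard, modelling the cover letter's suggestion: a fixup
 * step that handles "section not found" (scn == NULL) explicitly instead
 * of falling into an else branch that assumes the section's data exists.
 * Returns the number of .dynamic entries that would be walked, 0 if skipped. */
static size_t fixup_dynamic_entries(const Creator *ctor, const void *scn)
{
    size_t n = 0;
    if (scn == NULL)                 /* nothing to fix up, never touch dyn */
        return 0;
    if (dyn_entry_count(ctor, &n) != DYN_OK)
        return 0;
    return n;
}
```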
* [PATCH 1/1] elfcreator: Fix NULL dereference in remove_dyn()
From: Håvard F. Aasen @ 2026-01-07 21:29 UTC (permalink / raw)
To: dwarves, acme, alan.maguire; +Cc: Håvard F. Aasen
scncopy segfaults when the requested section does not exist. In this
case, generic_dyn_fixup_fn() (and the related rela_dyn_fixup_fn() and
rel_dyn_fixup_fn()) may receive both a NULL 'dyn' and a NULL 'shdr'.
The code only checks 'shdr' and implicitly assumes 'dyn' is valid in
the else branch.
This leads to a NULL dereference in remove_dyn() when ctor->dynshdr is
NULL.
Add a NULL check to prevent the crash.
Signed-off-by: Håvard F. Aasen <havard.f.aasen@pfft.no>
---
elfcreator.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/elfcreator.c b/elfcreator.c
index 8e775c5..ea8326f 100644
--- a/elfcreator.c
+++ b/elfcreator.c
@@ -159,6 +159,9 @@ static void remove_dyn(ElfCreator *ctor, size_t idx)
{
size_t cnt;
+ if (!ctor->dyndata)
+ return;
+
for (cnt = idx; cnt < ctor->dynshdr->sh_size/ctor->dynshdr->sh_entsize;
cnt++) {
GElf_Dyn *dyn, dyn_mem;
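Review bot: the guard added at the top of remove_dyn() tests ctor->dyndata, but the loop bound two lines below dereferences ctor->dynshdr, and the commit message says the crash happens when ctor->dynshdr is NULL; unless both fields are always set together, check the pointer that is actually dereferenced, e.g. `if (!ctor->dyndata || !ctor->dynshdr) return;`. A one-line comment that an absent .dynamic section is an expected, non-error condition here would also help the next reader.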
--
2.51.0
* [PATCH 1/1] Fix segmentation fault in remove_dyn()
From: Håvard F. Aasen @ 2026-01-07 21:29 UTC (permalink / raw)
To: dwarves, acme, alan.maguire; +Cc: Håvard F. Aasen
---
elfcreator.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/elfcreator.c b/elfcreator.c
index 8e775c5..ea8326f 100644
--- a/elfcreator.c
+++ b/elfcreator.c
@@ -159,6 +159,9 @@ static void remove_dyn(ElfCreator *ctor, size_t idx)
{
size_t cnt;
+ if (!ctor->dyndata)
+ return;
+
for (cnt = idx; cnt < ctor->dynshdr->sh_size/ctor->dynshdr->sh_entsize;
cnt++) {
GElf_Dyn *dyn, dyn_mem;
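Review bot: this resubmission carries the same hunk as the sibling [PATCH 1/1] but has no commit message body and no Signed-off-by line, so it cannot be applied as-is; the same remark applies that the early return tests ctor->dyndata while the loop bound reads ctor->dynshdr, so the guard should cover both pointers.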
--
2.51.0
* Re: [PATCH 1/1] elfcreator: Fix NULL dereference in remove_dyn()
From: Alan Maguire @ 2026-01-12 11:07 UTC (permalink / raw)
To: Håvard F. Aasen, dwarves, acme
On 07/01/2026 21:29, Håvard F. Aasen wrote:
> scncopy segfaults when the requested section does not exist. In this
> case, generic_dyn_fixup_fn() (and the related rela_dyn_fixup_fn() and
> rel_dyn_fixup_fn()) may receive both a NULL 'dyn' and a NULL 'shdr'.
> The code only checks 'shdr' and implicitly assumes 'dyn' is valid in
> the else branch.
>
> This leads to a NULL dereference in remove_dyn() when ctor->dynshdr is
> NULL.
>
> Add a NULL check to prevent the crash.
>
> Signed-off-by: Håvard F. Aasen <havard.f.aasen@pfft.no>
Looks good, I verified the fix resolves the segmentation fault. Applied.
Thank you!
Alan