https://sourceware.org/bugzilla/show_bug.cgi?id=24042
Bug ID: 24042
Summary: Global-buffer-overflow problem in function
output_rel_find in eelf_x86_64.c, as demonstrated by
"ld -E"
Product: binutils
Version: 2.31
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: ld
Assignee: unassigned at sourceware dot org
Reporter: wcventure at 126 dot com
Target Milestone: ---
Created attachment 11497
--> https://sourceware.org/bugzilla/attachment.cgi?id=11497&action=edit
POC1
Hi, there.
A Global-buffer-overflow problem was discovered in function output_rel_find in
eelf_x86_64.c of binutils 2.31. This problem can be reproduced in the latest
code base, too. A crafted ELF input can cause segment faults and I have
confirmed them with address sanitizer too.
Please use the "./ld -E $POC" to reproduce the bug.
The ASAN dumps the stack trace as follows:
> =================================================================
> ==24959==ERROR: AddressSanitizer: global-buffer-overflow on address
> 0x000000b0f044 at pc 0x0000004a3889 bp 0x7ffd29777410 sp 0x7ffd29777400
> READ of size 1 at 0x000000b0f044 thread T0
> #0 0x4a3888 in output_rel_find /binutils-2.31_ASAN/ld/eelf_x86_64.c:1802
> #1 0x4a5cb8 in gldelf_x86_64_place_orphan
> /binutils-2.31_ASAN/ld/eelf_x86_64.c:2138
> #2 0x47fd79 in ldemul_place_orphan /binutils-2.31_ASAN/ld/ldemul.c:130
> #3 0x45580d in ldlang_place_orphan /binutils-2.31_ASAN/ld/ldlang.c:6497
> #4 0x455f08 in lang_place_orphans /binutils-2.31_ASAN/ld/ldlang.c:6554
> #5 0x45a679 in lang_process /binutils-2.31_ASAN/ld/ldlang.c:7349
> #6 0x469dbd in main ldmain.c:438
> #7 0x7fa2ca96182f in __libc_start_main
> (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
> #8 0x4036d8 in _start (/binutils-2.31_ASAN/build/bin/ld+0x4036d8)
>
> 0x000000b0f044 is located 3 bytes to the right of global variable '*.LC0'
> defined in 'elf.c' (0xb0f040) of size 1
> '*.LC0' is ascii string ''
> 0x000000b0f044 is located 60 bytes to the left of global variable '*.LC10'
> defined in 'elf.c' (0xb0f080) of size 67
> '*.LC10' is ascii string '%pB: attempt to load strings from a non-string
> section (number %d)'
> SUMMARY: AddressSanitizer: global-buffer-overflow
> /binutils-2.31_ASAN/ld/eelf_x86_64.c:1802 output_rel_find
> Shadow bytes around the buggy address:
> 0x000080159db0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x000080159dc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x000080159dd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x000080159de0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x000080159df0: 06 f9 f9 f9 f9 f9 f9 f9 00 00 01 f9 f9 f9 f9 f9
> =>0x000080159e00: 06 f9 f9 f9 f9 f9 f9 f9[01]f9 f9 f9 f9 f9 f9 f9
> 0x000080159e10: 00 00 00 00 00 00 00 00 03 f9 f9 f9 f9 f9 f9 f9
> 0x000080159e20: 04 f9 f9 f9 f9 f9 f9 f9 00 02 f9 f9 f9 f9 f9 f9
> 0x000080159e30: 00 00 00 00 00 00 06 f9 f9 f9 f9 f9 00 00 00 00
> 0x000080159e40: 00 00 00 00 06 f9 f9 f9 f9 f9 f9 f9 07 f9 f9 f9
> 0x000080159e50: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
> Shadow byte legend (one shadow byte represents 8 application bytes):
> Addressable: 00
> Partially addressable: 01 02 03 04 05 06 07
> Heap left redzone: fa
> Heap right redzone: fb
> Freed heap region: fd
> Stack left redzone: f1
> Stack mid redzone: f2
> Stack right redzone: f3
> Stack partial redzone: f4
> Stack after return: f5
> Stack use after scope: f8
> Global redzone: f9
> Global init order: f6
> Poisoned by user: f7
> Container overflow: fc
> Array cookie: ac
> Intra object redzone: bb
> ASan internal: fe
> ==24959==ABORTING
--
You are receiving this mail because:
You are on the CC list for the bug.
_______________________________________________
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils
