https://sourceware.org/bugzilla/show_bug.cgi?id=24042
Bug ID: 24042 Summary: Global-buffer-overflow problem in function output_rel_find in eelf_x86_64.c, as demonstrated by "ld -E" Product: binutils Version: 2.31 Status: UNCONFIRMED Severity: normal Priority: P2 Component: ld Assignee: unassigned at sourceware dot org Reporter: wcventure at 126 dot com Target Milestone: --- Created attachment 11497 --> https://sourceware.org/bugzilla/attachment.cgi?id=11497&action=edit POC1 Hi, there. A Global-buffer-overflow problem was discovered in function output_rel_find in eelf_x86_64.c of binutils 2.31. This problem can be reproduced in the latest code base, too. A crafted ELF input can cause segment faults and I have confirmed them with address sanitizer too. Please use the "./ld -E $POC" to reproduce the bug. The ASAN dumps the stack trace as follows: > ================================================================= > ==24959==ERROR: AddressSanitizer: global-buffer-overflow on address > 0x000000b0f044 at pc 0x0000004a3889 bp 0x7ffd29777410 sp 0x7ffd29777400 > READ of size 1 at 0x000000b0f044 thread T0 > #0 0x4a3888 in output_rel_find /binutils-2.31_ASAN/ld/eelf_x86_64.c:1802 > #1 0x4a5cb8 in gldelf_x86_64_place_orphan > /binutils-2.31_ASAN/ld/eelf_x86_64.c:2138 > #2 0x47fd79 in ldemul_place_orphan /binutils-2.31_ASAN/ld/ldemul.c:130 > #3 0x45580d in ldlang_place_orphan /binutils-2.31_ASAN/ld/ldlang.c:6497 > #4 0x455f08 in lang_place_orphans /binutils-2.31_ASAN/ld/ldlang.c:6554 > #5 0x45a679 in lang_process /binutils-2.31_ASAN/ld/ldlang.c:7349 > #6 0x469dbd in main ldmain.c:438 > #7 0x7fa2ca96182f in __libc_start_main > (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) > #8 0x4036d8 in _start (/binutils-2.31_ASAN/build/bin/ld+0x4036d8) > > 0x000000b0f044 is located 3 bytes to the right of global variable '*.LC0' > defined in 'elf.c' (0xb0f040) of size 1 > '*.LC0' is ascii string '' > 0x000000b0f044 is located 60 bytes to the left of global variable '*.LC10' > defined in 'elf.c' (0xb0f080) of size 67 > '*.LC10' is ascii string '%pB: attempt to load strings from a non-string > section (number %d)' > SUMMARY: AddressSanitizer: global-buffer-overflow > /binutils-2.31_ASAN/ld/eelf_x86_64.c:1802 output_rel_find > Shadow bytes around the buggy address: > 0x000080159db0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > 0x000080159dc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > 0x000080159dd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > 0x000080159de0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > 0x000080159df0: 06 f9 f9 f9 f9 f9 f9 f9 00 00 01 f9 f9 f9 f9 f9 > =>0x000080159e00: 06 f9 f9 f9 f9 f9 f9 f9[01]f9 f9 f9 f9 f9 f9 f9 > 0x000080159e10: 00 00 00 00 00 00 00 00 03 f9 f9 f9 f9 f9 f9 f9 > 0x000080159e20: 04 f9 f9 f9 f9 f9 f9 f9 00 02 f9 f9 f9 f9 f9 f9 > 0x000080159e30: 00 00 00 00 00 00 06 f9 f9 f9 f9 f9 00 00 00 00 > 0x000080159e40: 00 00 00 00 06 f9 f9 f9 f9 f9 f9 f9 07 f9 f9 f9 > 0x000080159e50: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00 > Shadow byte legend (one shadow byte represents 8 application bytes): > Addressable: 00 > Partially addressable: 01 02 03 04 05 06 07 > Heap left redzone: fa > Heap right redzone: fb > Freed heap region: fd > Stack left redzone: f1 > Stack mid redzone: f2 > Stack right redzone: f3 > Stack partial redzone: f4 > Stack after return: f5 > Stack use after scope: f8 > Global redzone: f9 > Global init order: f6 > Poisoned by user: f7 > Container overflow: fc > Array cookie: ac > Intra object redzone: bb > ASan internal: fe > ==24959==ABORTING -- You are receiving this mail because: You are on the CC list for the bug. _______________________________________________ bug-binutils mailing list bug-binutils@gnu.org https://lists.gnu.org/mailman/listinfo/bug-binutils