https://sourceware.org/bugzilla/show_bug.cgi?id=24332
Bug ID: 24332
Summary: Heap-buffer-overflow in bfd_getl16 and bfd_getl64 in bfd, respectively
Product: binutils
Version: 2.32
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: ld
Assignee: unassigned at sourceware dot org
Reporter: wcventure at 126 dot com
Target Milestone: ---

Hi,

A heap-buffer-overflow problem was discovered in the functions bfd_getl16 and bfd_getl64 in libbfd.c in bfd, respectively, as distributed in binutils v2.32. A crafted ELF input can cause segmentation faults, and I have confirmed them with AddressSanitizer too.

Here are the POC files. Please use "./ld -E $POC" to reproduce the error.

For function bfd_getl16, ASAN dumps the backtrace as follows:

> =================================================================
> ==3605==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000e169 at pc 0x00000069cadc bp 0x7ffc3c01e950 sp 0x7ffc3c01e948
> READ of size 1 at 0x60300000e169 thread T0
>     #0 0x69cadb in bfd_getl16 /binutils_2.32/bfd/libbfd.c:601:11
>     #1 0x7871c4 in _bfd_elf_swap_versym_in /binutils_2.32/bfd/elf.c:182:18
>     #2 0x8287c4 in elf_link_add_object_symbols /binutils_2.32/bfd/elflink.c:4566:6
>     #3 0x82165a in bfd_elf_link_add_symbols /binutils_2.32/bfd/elflink.c:5740:14
>     #4 0x534ff0 in load_symbols /binutils_2.32/ld/ldlang.c:3080:7
>     #5 0x563440 in open_input_bfds /binutils_2.32/ld/ldlang.c:3529:13
>     #6 0x55124f in lang_process /binutils_2.32/ld/ldlang.c:7383:3
>     #7 0x58fb7f in main /binutils_2.32/ld/./ldmain.c:440:3
>     #8 0x7f566865382f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
>     #9 0x4195f8 in _start (/binutils_2.32/build/bin/ld+0x4195f8)
>
> 0x60300000e169 is located 17 bytes to the right of 24-byte region [0x60300000e140,0x60300000e158)
> allocated by thread T0 here:
>     #0 0x4b9728 in malloc (/binutils_2.32/build/bin/ld+0x4b9728)
>     #1 0xc350e5 in objalloc_create /binutils_2.32/libiberty/./objalloc.c:91:29
>
> SUMMARY: AddressSanitizer: heap-buffer-overflow /binutils_2.32/bfd/libbfd.c:601:11 in bfd_getl16
> Shadow bytes around the buggy address:
>   0x0c067fff9bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c067fff9be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c067fff9bf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c067fff9c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c067fff9c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> =>0x0c067fff9c20: fa fa 00 00 06 fa fa fa 00 00 00 fa fa[fa]fd fd
>   0x0c067fff9c30: fd fd fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa
>   0x0c067fff9c40: 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00 00 fa
>   0x0c067fff9c50: fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00
>   0x0c067fff9c60: 01 fa fa fa 00 00 01 fa fa fa 00 00 01 fa fa fa
>   0x0c067fff9c70: 00 00 01 fa fa fa 00 00 01 fa fa fa 00 00 01 fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07
>   Heap left redzone:       fa
>   Heap right redzone:      fb
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack partial redzone:   f4
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Container overflow:      fc
>   Array cookie:            ac
>   Intra object redzone:    bb
>   ASan internal:           fe
>   Left alloca redzone:     ca
>   Right alloca redzone:    cb
> ==3605==ABORTING
> Aborted

For function bfd_getl64, ASAN dumps the backtrace as follows:

> =================================================================
> ==9353==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61200000bb5f at pc 0x00000069ec00 bp 0x7ffff6ca23f0 sp 0x7ffff6ca23e8
> READ of size 1 at 0x61200000bb5f thread T0
>     #0 0x69ebff in bfd_getl64 /binutils_2.32/bfd/libbfd.c:758:8
>     #1 0x76c095 in bfd_elf64_swap_dyn_in /binutils_2.32/bfd/./elfcode.h:457:21
>     #2 0x824e32 in elf_link_add_object_symbols /binutils_2.32/bfd/elflink.c:4080:8
>     #3 0x82165a in bfd_elf_link_add_symbols /binutils_2.32/bfd/elflink.c:5740:14
>     #4 0x534ff0 in load_symbols /binutils_2.32/ld/ldlang.c:3080:7
>     #5 0x563440 in open_input_bfds /binutils_2.32/ld/ldlang.c:3529:13
>     #6 0x55124f in lang_process /binutils_2.32/ld/ldlang.c:7383:3
>     #7 0x58fb7f in main /binutils_2.32/ld/./ldmain.c:440:3
>     #8 0x7f4d047e882f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
>     #9 0x4195f8 in _start (/binutils_2.32/build/bin/ld+0x4195f8)
>
> 0x61200000bb5f is located 7 bytes to the right of 280-byte region [0x61200000ba40,0x61200000bb58)
> allocated by thread T0 here:
>     #0 0x4b9728 in malloc (/binutils_2.32/build/bin/ld+0x4b9728)
>     #1 0x69b928 in bfd_malloc /binutils_2.32/bfd/libbfd.c:275:9
>     #2 0x824b1d in elf_link_add_object_symbols /binutils_2.32/bfd/elflink.c:4062:9
>     #3 0x82165a in bfd_elf_link_add_symbols /binutils_2.32/bfd/elflink.c:5740:14
>     #4 0x534ff0 in load_symbols /binutils_2.32/ld/ldlang.c:3080:7
>     #5 0x563440 in open_input_bfds /binutils_2.32/ld/ldlang.c:3529:13
>     #6 0x55124f in lang_process /binutils_2.32/ld/ldlang.c:7383:3
>     #7 0x58fb7f in main /binutils_2.32/ld/./ldmain.c:440:3
>     #8 0x7f4d047e882f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
>
> SUMMARY: AddressSanitizer: heap-buffer-overflow /binutils_2.32/bfd/libbfd.c:758:8 in bfd_getl64
> Shadow bytes around the buggy address:
>   0x0c247fff9710: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c247fff9720: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c247fff9730: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c247fff9740: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
>   0x0c247fff9750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> =>0x0c247fff9760: 00 00 00 00 00 00 00 00 00 00 00[fa]fa fa fa fa
>   0x0c247fff9770: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
>   0x0c247fff9780: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>   0x0c247fff9790: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>   0x0c247fff97a0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
>   0x0c247fff97b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07
>   Heap left redzone:       fa
>   Heap right redzone:      fb
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack partial redzone:   f4
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Container overflow:      fc
>   Array cookie:            ac
>   Intra object redzone:    bb
>   ASan internal:           fe
>   Left alloca redzone:     ca
>   Right alloca redzone:    cb
> ==9353==ABORTING
> Aborted

--
You are receiving this mail because: You are on the CC list for the bug.
_______________________________________________
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils
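Both traces show the same shape of defect from a reader's point of view: a little-endian accessor that takes only a pointer is handed an offset just past the end of a heap region (17 bytes past a 24-byte region, 7 bytes past a 280-byte region) by a caller that walked a table whose length came from somewhere other than the bytes actually loaded. The 280-byte figure is consistent with a 16-byte entry stride (Elf64_Dyn is 16 bytes) running into a partial trailing entry, since 280 = 17 × 16 + 8 and bfd_getl64 touches byte 7 of the word first; that reading is an inference from the numbers above, not something the report states. The example below is added here and is not code from the bug report or from binutils: it shows the defensive pattern a maintainer or a fuzzing-harness author would want, a buffer view that carries its length, accessors that fail closed, a dynamic-section walk that stops at the data instead of the header-claimed count, and a versym parse that clamps a caller's claim to the section size. All names (bounded_buf, get_le16, get_le64, count_dyn64, parse_versym, the scenario_* functions and the sample buffers) are this example's own, and the sample inputs are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* A buffer view that carries its length, so a reader can refuse an access
   instead of running past the allocation as the traces above show. */
typedef struct {
    const uint8_t *base;
    size_t len;
} bounded_buf;

/* Little-endian 16-bit read.  Returns false, leaving *out untouched, when
   [off, off + 2) is not inside the buffer.  Written as a subtraction so a
   huge `off` cannot wrap `off + 2` back into range. */
static bool get_le16(const bounded_buf *b, size_t off, uint16_t *out)
{
    if (off > b->len || b->len - off < 2)
        return false;
    *out = (uint16_t)(b->base[off] | (b->base[off + 1] << 8));
    return true;
}

/* Little-endian 64-bit read with the same contract. */
static bool get_le64(const bounded_buf *b, size_t off, uint64_t *out)
{
    if (off > b->len || b->len - off < 8)
        return false;
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | b->base[off + (size_t)i];
    *out = v;
    return true;
}

/* Walk 16-byte Elf64_Dyn-shaped entries (d_tag, d_val) until a DT_NULL tag.
   Returns the entry count before DT_NULL, or -1 if the buffer ends, or holds
   only a partial entry, before DT_NULL is seen. */
static long count_dyn64(const bounded_buf *dyn)
{
    long count = 0;
    for (size_t off = 0;; off += 16) {
        uint64_t tag, val;
        if (!get_le64(dyn, off, &tag) || !get_le64(dyn, off + 8, &val))
            return -1;                 /* malformed: report, do not read on */
        if (tag == 0)
            return count;
        count++;
    }
}

/* Parse 16-bit version-symbol entries (the layout of an ELF SHT_GNU_versym
   section).  `claimed` is the count the caller derived elsewhere, e.g. from
   a symbol count; the parse is clamped to what the section holds and
   *overclaim receives the number of entries the claim exceeded the data by.
   Returns entries parsed, or -1 if `out` is too small. */
static long parse_versym(const bounded_buf *sec, size_t claimed,
                         uint16_t *out, size_t out_cap, size_t *overclaim)
{
    size_t avail = sec->len / 2;
    size_t n = claimed < avail ? claimed : avail;
    *overclaim = claimed > avail ? claimed - avail : 0;
    if (n > out_cap)
        return -1;
    for (size_t i = 0; i < n; i++)
        if (!get_le16(sec, i * 2, &out[i]))
            return -1;                 /* unreachable after the clamp */
    return (long)n;
}

/* Constructed sample: 280 bytes, the region size in the bfd_getl64 trace,
   i.e. 17 complete entries plus 8 stray bytes, every d_tag nonzero so the
   walk continues.  An unchecked reader would fetch the d_val of a partial
   18th entry from bytes 280..287, 0..7 bytes past the end; the checked walk
   returns -1 instead. */
static long scenario_truncated_dyn(void)
{
    uint8_t buf[280];
    memset(buf, 0, sizeof buf);
    for (size_t off = 0; off < sizeof buf; off += 16)
        buf[off] = 1;                  /* nonzero tag, including at offset 272 */
    bounded_buf b = { buf, sizeof buf };
    return count_dyn64(&b);
}

/* Constructed sample: two entries then DT_NULL; count_dyn64 returns 2. */
static const uint8_t WELLFORMED_DYN[48] = { [0] = 1, [16] = 1 };
static const bounded_buf WELLFORMED_DYN_BUF = { WELLFORMED_DYN, sizeof WELLFORMED_DYN };

/* Constructed sample: a 6-byte versym section (three entries) while the
   caller claims five.  Returns the over-claim, 2, that a length-agnostic
   reader would have turned into two out-of-bounds 16-bit reads. */
static size_t scenario_versym_overclaim(void)
{
    static const uint8_t vs[6] = { 1, 0, 2, 0, 3, 0 };
    bounded_buf s = { vs, sizeof vs };
    uint16_t out[8];
    size_t over = 0;
    long n = parse_versym(&s, 5, out, 8, &over);
    return (n == 3 && out[2] == 3) ? over : (size_t)-1;
}
```

The point of the shape is that the length travels with the pointer, so the decision to stop is made where the bytes are, not where a header claim was parsed; a malformed input then yields an error return that the caller can report (as ld would with a proper "malformed input" diagnostic) instead of a read that only AddressSanitizer catches.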