https://sourceware.org/bugzilla/show_bug.cgi?id=24336
Bug ID: 24336
Summary: Heap-buffer-overflow in bfd_elf64_swap_reloca_in function in elfcode.h in bfd
Product: binutils
Version: 2.32
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: ld
Assignee: unassigned at sourceware dot org
Reporter: wcventure at 126 dot com
Target Milestone: ---

Created attachment 11675
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11675&action=edit
POC

Hi,

A heap-buffer-overflow problem was discovered in the bfd_elf64_swap_reloca_in function in elfcode.h in bfd, as distributed in binutils v2.32. A crafted ELF input can cause segmentation faults, and I have confirmed them with AddressSanitizer too. Here are the POC files. Please use "./ld -E $POC" to reproduce the error. ASAN dumps the backtrace as follows:

> =================================================================
> ==1521==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62100002cd00 at pc 0x00000076b98b bp 0x7ffd69de5650 sp 0x7ffd69de5648
> WRITE of size 8 at 0x62100002cd00 thread T0
>     #0 0x76b98a in bfd_elf64_swap_reloca_in /home/hjwang/Fuzzing_Objects/binutils_2.32_ASAN/bfd/./elfcode.h:422:17
>     #1 0x81c49e in elf_link_read_relocs_from_section /home/hjwang/Fuzzing_Objects/binutils_2.32_ASAN/bfd/elflink.c:2531:7
>     #2 0x81bb4c in _bfd_elf_link_read_relocs /home/hjwang/Fuzzing_Objects/binutils_2.32_ASAN/bfd/elflink.c:2639:12
>     #3 0x820ba4 in _bfd_elf_link_check_relocs /home/hjwang/Fuzzing_Objects/binutils_2.32_ASAN/bfd/elflink.c:3844:22
>     #4 0x555a6c in lang_check_relocs /home/hjwang/Fuzzing_Objects/binutils_2.32_ASAN/ld/ldlang.c:7327:7
>     #5 0x555a6c in lang_process /home/hjwang/Fuzzing_Objects/binutils_2.32_ASAN/ld/ldlang.c:7538
>     #6 0x58fb7f in main /home/hjwang/Fuzzing_Objects/binutils_2.32_ASAN/ld/./ldmain.c:440:3
>     #7 0x7f946339682f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
>     #8 0x4195f8 in _start (/home/hjwang/Fuzzing_Objects/binutils_2.32_ASAN/build/bin/ld+0x4195f8)
>
> 0x62100002cd00 is located 0 bytes to the right of 4096-byte region [0x62100002bd00,0x62100002cd00)
> allocated by thread T0 here:
>     #0 0x4b9728 in malloc (/home/hjwang/Fuzzing_Objects/binutils_2.32_ASAN/build/bin/ld+0x4b9728)
>     #1 0xc35593 in _objalloc_alloc /home/hjwang/Fuzzing_Objects/binutils_2.32_ASAN/libiberty/./objalloc.c:143:22
>
> SUMMARY: AddressSanitizer: heap-buffer-overflow /home/hjwang/Fuzzing_Objects/binutils_2.32_ASAN/bfd/./elfcode.h:422:17 in bfd_elf64_swap_reloca_in
> Shadow bytes around the buggy address:
>   0x0c427fffd950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c427fffd960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c427fffd970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c427fffd980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c427fffd990: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> =>0x0c427fffd9a0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c427fffd9b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c427fffd9c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c427fffd9d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c427fffd9e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c427fffd9f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07
>   Heap left redzone:       fa
>   Heap right redzone:      fb
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack partial redzone:   f4
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Container overflow:      fc
>   Array cookie:            ac
>   Intra object redzone:    bb
>   ASan internal:           fe
>   Left alloca redzone:     ca
>   Right alloca redzone:    cb
> ==1521==ABORTING
> Aborted

--
You are receiving this mail because:
You are on the CC list for the bug.
_______________________________________________
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils
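The report shows relocation entries being swapped in past the end of a 4096-byte heap buffer while a crafted ELF's reloc section is read. As an added example (not binutils code and not the fix for this report), the block below is a bounds-checked reader for ELF64 RELA entries: the assumption it encodes is that sh_entsize, sh_size and sh_offset from the section header must be validated against the file length and the destination capacity before a single entry is decoded, and the sample "file" it decodes is constructed inline.

```c
#include <stddef.h>
#include <stdint.h>
/* Added example, not binutils code: a bounds-checked reader for ELF64 RELA
   entries.  sh_offset/sh_size/sh_entsize come from a possibly crafted ELF, so
   they are validated against the file and the destination before decoding. */
#define RELA64_ENTSIZE 24u   /* sizeof(Elf64_Rela): r_offset, r_info, r_addend */
typedef struct { uint64_t r_offset; uint64_t r_info; int64_t r_addend; } rela64;
static uint64_t rd64le(const uint8_t *p) {          /* little-endian read */
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}
static void wr64le(uint8_t *p, uint64_t v) {         /* little-endian write */
    for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i));
}
/* Decode one section's RELA entries into out[0..out_cap).  Returns the entry
   count, or -1 when the header is inconsistent with the file or the
   destination; refusing to write past out_cap is the check that stops the
   heap-buffer-overflow pattern shown in the report above. */
static long read_rela64(const uint8_t *file, size_t file_len,
                        uint64_t sh_offset, uint64_t sh_size,
                        uint64_t sh_entsize, rela64 *out, size_t out_cap)
{
    if (sh_entsize != RELA64_ENTSIZE) return -1;            /* crafted entsize */
    if (sh_size % RELA64_ENTSIZE != 0) return -1;           /* partial entry */
    if (sh_offset > file_len || sh_size > file_len - sh_offset)
        return -1;                                          /* past EOF, no wraparound */
    uint64_t count = sh_size / RELA64_ENTSIZE;
    if (count > out_cap) return -1;                         /* would overrun out[] */
    const uint8_t *p = file + sh_offset;
    for (uint64_t i = 0; i < count; i++, p += RELA64_ENTSIZE) {
        out[i].r_offset = rd64le(p);
        out[i].r_info   = rd64le(p + 8);
        out[i].r_addend = (int64_t)rd64le(p + 16);
    }
    return (long)count;
}
/* Constructed sample input: a 48-byte "file" holding exactly two RELA entries. */
static uint8_t sample_file[48];
static rela64 decoded[2], one_slot[1];
static size_t build_sample(void) {
    wr64le(sample_file + 0,  0x1000);                /* r_offset */
    wr64le(sample_file + 8,  (3ull << 32) | 1);      /* r_info: sym 3, type 1 */
    wr64le(sample_file + 16, (uint64_t)-8);          /* r_addend = -8 */
    wr64le(sample_file + 24, 0x2000);
    wr64le(sample_file + 32, (5ull << 32) | 7);
    wr64le(sample_file + 40, 16);
    return sizeof sample_file;
}
```

Feeding the same bytes with a too-small destination, a bogus sh_entsize, an oversized sh_size or an offset past the end of the file makes read_rela64 return -1 instead of writing out of bounds.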