https://sourceware.org/bugzilla/show_bug.cgi?id=24338
Bug ID: 24338
Summary: Heap-buffer-overflow in elf_x86_64_relocate_section in elf64-x86-64.c in bfd
Product: binutils
Version: 2.32
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: ld
Assignee: unassigned at sourceware dot org
Reporter: wcventure at 126 dot com
Target Milestone: ---

Created attachment 11677
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11677&action=edit
POC

Hi,

A heap-buffer-overflow problem was discovered in elf_x86_64_relocate_section in elf64-x86-64.c in bfd, as distributed in binutils v2.32. A crafted ELF input can cause segment faults and I have confirmed them with address sanitizer too.

Here are the POC files. Please use "./ld -E $POC" to reproduce the error.

ASAN dumps the backtrace as follows:

> ==21164==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6290000141fc at pc 0x0000004a342d bp 0x7ffda9dc6a30 sp 0x7ffda9dc61e0
> WRITE of size 16 at 0x6290000141fc thread T0
>     #0 0x4a342c in __asan_memcpy (/binutils_2.32/build/bin/ld+0x4a342c)
>     #1 0x7267d0 in elf_x86_64_relocate_section /binutils_2.32/bfd/elf64-x86-64.c:3348:7
>     #2 0x874c6c in elf_link_input_bfd /binutils_2.32/bfd/elflink.c:10856:10
>     #3 0x874c6c in bfd_elf_final_link /binutils_2.32/bfd/elflink.c:12183
>     #4 0x59a4dc in ldwrite /binutils_2.32/ld/ldwrite.c:581:8
>     #5 0x58fe8c in main /binutils_2.32/ld/./ldmain.c:456:3
>     #6 0x7f479a46f82f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
>     #7 0x4195f8 in _start (/binutils_2.32/build/bin/ld+0x4195f8)
>
> 0x6290000141fc is located 4 bytes to the left of 17086-byte region [0x629000014200,0x6290000184be)
> allocated by thread T0 here:
>     #0 0x4b9728 in malloc (/binutils_2.32/build/bin/ld+0x4b9728)
>     #1 0x69b928 in bfd_malloc /binutils_2.32/bfd/libbfd.c:275:9
>     #2 0x59a4dc in ldwrite /binutils_2.32/ld/ldwrite.c:581:8
>     #3 0x58fe8c in main /binutils_2.32/ld/./ldmain.c:456:3
>     #4 0x7f479a46f82f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
>
> SUMMARY: AddressSanitizer: heap-buffer-overflow (/binutils_2.32/build/bin/ld+0x4a342c) in __asan_memcpy
> ==21164==ABORTING
> Aborted