[Bug ld/24332] New: Heap-buffer-overflow in bfd_getl16 and bfd_getl64 in bfd, respectively
From: wcventure at 126 dot com
Subject: [Bug ld/24332] New: Heap-buffer-overflow in bfd_getl16 and bfd_getl64 in bfd, respectively
Date: Thu, 14 Mar 2019 12:21:20 +0000
https://sourceware.org/bugzilla/show_bug.cgi?id=24332
Bug ID: 24332
Summary: Heap-buffer-overflow in bfd_getl16 and bfd_getl64 in bfd, respectively
Product: binutils
Version: 2.32
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: ld
Assignee: unassigned at sourceware dot org
Reporter: wcventure at 126 dot com
Target Milestone: ---
Hi,
A heap-buffer-overflow problem was discovered in the functions bfd_getl16 and
bfd_getl64 in libbfd.c in bfd, respectively, as distributed in binutils v2.32.
A crafted ELF input can cause segmentation faults, and I have confirmed them with
AddressSanitizer too.
Here are the POC files. Please use "./ld -E $POC" to reproduce the error.
For function bfd_getl16, ASAN dumps the backtrace as follows:
> =================================================================
> ==3605==ERROR: AddressSanitizer: heap-buffer-overflow on address
> 0x60300000e169 at pc 0x00000069cadc bp 0x7ffc3c01e950 sp 0x7ffc3c01e948
> READ of size 1 at 0x60300000e169 thread T0
> #0 0x69cadb in bfd_getl16 /binutils_2.32/bfd/libbfd.c:601:11
> #1 0x7871c4 in _bfd_elf_swap_versym_in /binutils_2.32/bfd/elf.c:182:18
> #2 0x8287c4 in elf_link_add_object_symbols
> /binutils_2.32/bfd/elflink.c:4566:6
> #3 0x82165a in bfd_elf_link_add_symbols
> /binutils_2.32/bfd/elflink.c:5740:14
> #4 0x534ff0 in load_symbols /binutils_2.32/ld/ldlang.c:3080:7
> #5 0x563440 in open_input_bfds /binutils_2.32/ld/ldlang.c:3529:13
> #6 0x55124f in lang_process /binutils_2.32/ld/ldlang.c:7383:3
> #7 0x58fb7f in main /binutils_2.32/ld/./ldmain.c:440:3
> #8 0x7f566865382f in __libc_start_main
> /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
> #9 0x4195f8 in _start (/binutils_2.32/build/bin/ld+0x4195f8)
>
> 0x60300000e169 is located 17 bytes to the right of 24-byte region
> [0x60300000e140,0x60300000e158)
> allocated by thread T0 here:
> #0 0x4b9728 in malloc (/binutils_2.32/build/bin/ld+0x4b9728)
> #1 0xc350e5 in objalloc_create /binutils_2.32/libiberty/./objalloc.c:91:29
>
> SUMMARY: AddressSanitizer: heap-buffer-overflow
> /binutils_2.32/bfd/libbfd.c:601:11 in bfd_getl16
> Shadow bytes around the buggy address:
> 0x0c067fff9bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c067fff9be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c067fff9bf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c067fff9c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c067fff9c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> =>0x0c067fff9c20: fa fa 00 00 06 fa fa fa 00 00 00 fa fa[fa]fd fd
> 0x0c067fff9c30: fd fd fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa
> 0x0c067fff9c40: 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00 00 fa
> 0x0c067fff9c50: fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00
> 0x0c067fff9c60: 01 fa fa fa 00 00 01 fa fa fa 00 00 01 fa fa fa
> 0x0c067fff9c70: 00 00 01 fa fa fa 00 00 01 fa fa fa 00 00 01 fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
> Addressable: 00
> Partially addressable: 01 02 03 04 05 06 07
> Heap left redzone: fa
> Heap right redzone: fb
> Freed heap region: fd
> Stack left redzone: f1
> Stack mid redzone: f2
> Stack right redzone: f3
> Stack partial redzone: f4
> Stack after return: f5
> Stack use after scope: f8
> Global redzone: f9
> Global init order: f6
> Poisoned by user: f7
> Container overflow: fc
> Array cookie: ac
> Intra object redzone: bb
> ASan internal: fe
> Left alloca redzone: ca
> Right alloca redzone: cb
> ==3605==ABORTING
> Aborted
For function bfd_getl64, ASAN dumps the backtrace as follows:
> =================================================================
> ==9353==ERROR: AddressSanitizer: heap-buffer-overflow on address
> 0x61200000bb5f at pc 0x00000069ec00 bp 0x7ffff6ca23f0 sp 0x7ffff6ca23e8
> READ of size 1 at 0x61200000bb5f thread T0
> #0 0x69ebff in bfd_getl64 /binutils_2.32/bfd/libbfd.c:758:8
> #1 0x76c095 in bfd_elf64_swap_dyn_in /binutils_2.32/bfd/./elfcode.h:457:21
> #2 0x824e32 in elf_link_add_object_symbols
> /binutils_2.32/bfd/elflink.c:4080:8
> #3 0x82165a in bfd_elf_link_add_symbols
> /binutils_2.32/bfd/elflink.c:5740:14
> #4 0x534ff0 in load_symbols /binutils_2.32/ld/ldlang.c:3080:7
> #5 0x563440 in open_input_bfds /binutils_2.32/ld/ldlang.c:3529:13
> #6 0x55124f in lang_process /binutils_2.32/ld/ldlang.c:7383:3
> #7 0x58fb7f in main /binutils_2.32/ld/./ldmain.c:440:3
> #8 0x7f4d047e882f in __libc_start_main
> /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
> #9 0x4195f8 in _start (/binutils_2.32/build/bin/ld+0x4195f8)
>
> 0x61200000bb5f is located 7 bytes to the right of 280-byte region
> [0x61200000ba40,0x61200000bb58)
> allocated by thread T0 here:
> #0 0x4b9728 in malloc (/binutils_2.32/build/bin/ld+0x4b9728)
> #1 0x69b928 in bfd_malloc /binutils_2.32/bfd/libbfd.c:275:9
> #2 0x824b1d in elf_link_add_object_symbols
> /binutils_2.32/bfd/elflink.c:4062:9
> #3 0x82165a in bfd_elf_link_add_symbols
> /binutils_2.32/bfd/elflink.c:5740:14
> #4 0x534ff0 in load_symbols /binutils_2.32/ld/ldlang.c:3080:7
> #5 0x563440 in open_input_bfds /binutils_2.32/ld/ldlang.c:3529:13
> #6 0x55124f in lang_process /binutils_2.32/ld/ldlang.c:7383:3
> #7 0x58fb7f in main /binutils_2.32/ld/./ldmain.c:440:3
> #8 0x7f4d047e882f in __libc_start_main
> /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
>
> SUMMARY: AddressSanitizer: heap-buffer-overflow
> /binutils_2.32/bfd/libbfd.c:758:8 in bfd_getl64
> Shadow bytes around the buggy address:
> 0x0c247fff9710: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c247fff9720: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c247fff9730: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c247fff9740: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
> 0x0c247fff9750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> =>0x0c247fff9760: 00 00 00 00 00 00 00 00 00 00 00[fa]fa fa fa fa
> 0x0c247fff9770: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
> 0x0c247fff9780: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> 0x0c247fff9790: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> 0x0c247fff97a0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
> 0x0c247fff97b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> Shadow byte legend (one shadow byte represents 8 application bytes):
> Addressable: 00
> Partially addressable: 01 02 03 04 05 06 07
> Heap left redzone: fa
> Heap right redzone: fb
> Freed heap region: fd
> Stack left redzone: f1
> Stack mid redzone: f2
> Stack right redzone: f3
> Stack partial redzone: f4
> Stack after return: f5
> Stack use after scope: f8
> Global redzone: f9
> Global init order: f6
> Poisoned by user: f7
> Container overflow: fc
> Array cookie: ac
> Intra object redzone: bb
> ASan internal: fe
> Left alloca redzone: ca
> Right alloca redzone: cb
> ==9353==ABORTING
> Aborted
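As an added illustration (not bfd's code and not the fix applied to this bug), a bounds-checked reader for the two structures the traces show being parsed past their buffers: ELF64 .dynamic entries (the bfd_elf64_swap_dyn_in frame) and 16-bit versym entries (the _bfd_elf_swap_versym_in frame). The cursor, read_l16/read_l64, count_dyn_entries and count_versym names and the sample bytes are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Little-endian readers in the style of bfd_getl16/bfd_getl64 (rewritten here, not bfd's code).
   Like the originals they trust the caller to supply enough bytes behind p. */
static uint16_t getl16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint64_t getl64(const unsigned char *p) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}
/* Hypothetical bounds-checked cursor over a section buffer: a read that would run past
   the end of the allocation is refused instead of performed. */
struct cursor { const unsigned char *base; size_t len, off; };
static bool read_l16(struct cursor *c, uint16_t *out) {
    if (c->len - c->off < 2) return false;
    *out = getl16(c->base + c->off); c->off += 2; return true;
}
static bool read_l64(struct cursor *c, uint64_t *out) {
    if (c->len - c->off < 8) return false;
    *out = getl64(c->base + c->off); c->off += 8; return true;
}
/* Walk an ELF64 .dynamic table (16-byte entries: d_tag, d_val) up to DT_NULL.
   claimed_size is the section header's sh_size; sec_len is how many bytes were actually
   read from the file. Returns the entry count, or -1 if the header does not fit the data. */
int count_dyn_entries(const unsigned char *sec, size_t sec_len, size_t claimed_size) {
    if (claimed_size > sec_len || claimed_size % 16 != 0) return -1;
    struct cursor c = { sec, claimed_size, 0 };
    uint64_t tag, val;
    int n = 0;
    while (c.off < c.len) {
        if (!read_l64(&c, &tag) || !read_l64(&c, &val)) return -1;
        n++;
        if (tag == 0) break;                     /* DT_NULL terminates the table */
    }
    return n;
}
/* Read one 16-bit versym entry per symbol; -1 if the section is shorter than nsyms entries. */
int count_versym(const unsigned char *sec, size_t sec_len, size_t nsyms) {
    struct cursor c = { sec, sec_len, 0 };
    uint16_t v;
    for (size_t i = 0; i < nsyms; i++)
        if (!read_l16(&c, &v)) return -1;        /* symbol table claims more entries than bytes */
    return (int)nsyms;
}
/* Constructed sample data: DT_NEEDED (tag 1) with d_val 0x2a, then DT_NULL; two versym entries. */
const unsigned char SAMPLE_DYN[32] = { 1, [8] = 0x2a };
const unsigned char SAMPLE_VERSYM[4] = { 1, 0, 2, 0 };
```

A header that claims a larger sh_size than was read, or more symbols than the versym section holds, is rejected before any read, which is the class of inconsistency that leads the unchecked readers above into the redzone ASan reports.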