bug-binutils


[Bug ld/20925] New: LD: Buffer Overflow when loading symbols (2)


From: boehme.marcel at gmail dot com
Subject: [Bug ld/20925] New: LD: Buffer Overflow when loading symbols (2)
Date: Sat, 03 Dec 2016 04:51:01 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=20925

            Bug ID: 20925
           Summary: LD: Buffer Overflow when loading symbols (2)
           Product: binutils
           Version: 2.28 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: ld
          Assignee: unassigned at sourceware dot org
          Reporter: boehme.marcel at gmail dot com
  Target Milestone: ---

Dear all,

The following bug was found with AFLFast, a fork of AFL, in a 24 hour fuzzing
session on Binutils. Thanks also to Van-Thuan Pham.

There is a heap-based buffer overflow in the linker that does *not* actually
crash the linker for Binutils in trunk. The execution crashes for the
preinstalled versions v2.26.1 and v2.24 of Binutils on Ubuntu 16.04 and 14.04,
though, as well as printing an assertion failure.

This bug might also be related to PR20909 and PR20924 but the overflow is
located in a different function (bfd_getl32).

$ printf "\x08\x01\x00\x00\x08\x00\x00\x00\x04\x00\x00\x00\x00\xef\x01\x72\x60\x00\x00\x00\x00\x10\x02\xf1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x23\x00\xee\xff\x00\x00\x00\x7f\x00\x02\x00\x00\x00\x64\x00\x00\x00\x44\xf3\x0a\x00\x06\x00\x00\x00\x01\x00\x00\x00\x7f\xf7\x27\x60\x00\x00\x00\x00\x14\x02\x5a\x00\x44\xe5\x0a\x00\x06\x00\x00\x00\x0b0\xff\xff0000\x05\x00\x00\x00\x00\xf1\x00\x18\x00\xf7\x23\x60\x00\x00\x00\x00\x18\x80\xff\x00\x44\xf1\x0a\x00\x02\x00\x00\x00\x18\x00\x5a\x00\x44\xe5\x0a\x00\x06\x00\x00\x00\x0b\x0a\xff\xff\xff\xff\x00\x00\x08\x00\x00\x00\x00\xf1\x00\x18\xe1\x5a" > test
$ ./ld test
..

ASAN says:
READ of size 1 at 0x60800000bf80 thread T0
    #0 0x517519 in bfd_getl32 ../../bfd/libbfd.c:548
    #1 0x76844d in aout_link_add_symbols ../../bfd/aoutx.h:3095
    #2 0x7698e8 in aout_link_add_object_symbols ../../bfd/aoutx.h:3227
    #3 0x76ac36 in aout_32_link_add_symbols ../../bfd/aoutx.h:3488
    #4 0x438d89 in load_symbols ../../ld/ldlang.c:2897
    #5 0x43c299 in open_input_bfds ../../ld/ldlang.c:3346
    #6 0x4568f7 in lang_process ../../ld/ldlang.c:6871
    #7 0x465d20 in main ../../ld/ldmain.c:428
    #8 0x7f2dcac40f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #9 0x403968 (/home/ubuntu/subjects/binutils-gdb_fixed/obj-asan/ld/ld-new+0x403968)

0x60800000bf80 is located 0 bytes to the right of 96-byte region [0x60800000bf20,0x60800000bf80)
allocated by thread T0 here:
    #0 0x7f2dcbfc13a8 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc23a8)
    #1 0x516762 in bfd_malloc ../../bfd/libbfd.c:184
    #2 0x75945f in aout_get_external_symbols ../../bfd/aoutx.h:1323
    #3 0x7698c7 in aout_link_add_object_symbols ../../bfd/aoutx.h:3225
    #4 0x76ac36 in aout_32_link_add_symbols ../../bfd/aoutx.h:3488
    #5 0x438d89 in load_symbols ../../ld/ldlang.c:2897
    #6 0x43c299 in open_input_bfds ../../ld/ldlang.c:3346
    #7 0x4568f7 in lang_process ../../ld/ldlang.c:6871
    #8 0x465d20 in main ../../ld/ldmain.c:428
    #9 0x7f2dcac40f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)

SUMMARY: AddressSanitizer: heap-buffer-overflow ../../bfd/libbfd.c:548 in bfd_getl32

Best regards,
- Marcel

-- 
You are receiving this mail because:
You are on the CC list for the bug.
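The report shows where the out-of-bounds read lands (bfd_getl32 fetching four bytes at the very end of a 96-byte buffer allocated by aout_get_external_symbols, i.e. a table of eight 12-byte a.out external symbol entries) but not which symbol read stepped past the table. The following C code is an added example, not code from binutils or from the reporter: it walks an a.out external symbol table with the checks such a loader needs before dereferencing anything, covering the one place in the a.out format where a symbol spans two entries (N_INDR and N_WARNING name their target in the entry that follows) and the string-table offset of every name. The function names and the two constructed sample tables are assumptions made for illustration; whether the two-entry case is what triggered this particular crash is not established by the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* On-disk size of one a.out external symbol (struct external_nlist). */
#define EXT_NLIST_SIZE 12

/* a.out n_type values (from a.out.h). N_INDR and N_WARNING are two-entry
   symbols: the entry following them carries the name of the target. */
#define N_EXT     0x01
#define N_INDR    0x0a
#define N_WARNING 0x1e

typedef struct {
    uint32_t n_strx;   /* offset of the symbol name in the string table */
    uint8_t  n_type;
    uint8_t  n_other;
    uint16_t n_desc;
    uint32_t n_value;
} ext_sym;

/* Little-endian 32-bit load; the caller guarantees 4 readable bytes. */
static uint32_t getl32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static ext_sym decode_sym(const uint8_t *p)
{
    ext_sym s;
    s.n_strx  = getl32(p);
    s.n_type  = p[4];
    s.n_other = p[5];
    s.n_desc  = (uint16_t)(p[6] | (p[7] << 8));
    s.n_value = getl32(p + 8);
    return s;
}

/* Name for n_strx, or NULL if it is not a NUL-terminated string that lies
   entirely inside the string table. */
static const char *sym_name(const uint8_t *strtab, size_t strsize, uint32_t strx)
{
    if (strx >= strsize)
        return NULL;
    if (memchr(strtab + strx, '\0', strsize - strx) == NULL)
        return NULL;
    return (const char *)strtab + strx;
}

/* Walk an a.out external symbol table. Returns the number of symbols, or -1
   if the table is truncated or a name offset points outside the string table. */
int walk_aout_symbols(const uint8_t *syms, size_t symsize,
                      const uint8_t *strtab, size_t strsize)
{
    if (symsize % EXT_NLIST_SIZE != 0)
        return -1;                          /* partial trailing entry */

    const uint8_t *p = syms, *pend = syms + symsize;
    int count = 0;

    while (p < pend) {
        ext_sym s = decode_sym(p);
        if (sym_name(strtab, strsize, s.n_strx) == NULL)
            return -1;

        switch (s.n_type & ~N_EXT) {
        case N_INDR:
        case N_WARNING: {
            /* The target name lives in the NEXT entry. A reader that steps
               to p + 1 without this check reads past a buffer sized for
               exactly the entries the header counts. */
            if ((size_t)(pend - p) < 2 * EXT_NLIST_SIZE)
                return -1;
            ext_sym target = decode_sym(p + EXT_NLIST_SIZE);
            if (sym_name(strtab, strsize, target.n_strx) == NULL)
                return -1;
            p += EXT_NLIST_SIZE;            /* consume the target entry */
            break;
        }
        default:
            break;
        }
        p += EXT_NLIST_SIZE;
        count++;
    }
    return count;
}

/* Constructed sample string table (assumption). a.out string tables start
   with a 4-byte size field, so names begin at offset 4. */
static const uint8_t sample_strtab[16] = {
    16, 0, 0, 0,
    'f', 'o', 'o', 0,                      /* offset 4  */
    'b', 'a', 'r', 0,                      /* offset 8  */
    'b', 'a', 'z', 0                       /* offset 12 */
};

/* Constructed sample table (assumption): "foo" as N_TEXT|N_EXT, then "bar"
   as N_INDR|N_EXT whose target name is the following entry "baz". */
static const uint8_t sample_good[36] = {
     4, 0, 0, 0,  0x05, 0,  0, 0,  0x00, 0x10, 0, 0,   /* foo, value 0x1000 */
     8, 0, 0, 0,  0x0b, 0,  0, 0,  0, 0, 0, 0,         /* bar = N_INDR|N_EXT */
    12, 0, 0, 0,  0x00, 0,  0, 0,  0, 0, 0, 0          /* baz (target name) */
};

int check_good(void)
{
    return walk_aout_symbols(sample_good, sizeof sample_good,
                             sample_strtab, sizeof sample_strtab);
}

/* Same bytes, cut after the N_INDR entry: the target entry does not exist. */
int check_truncated_indr(void)
{
    return walk_aout_symbols(sample_good, 2 * EXT_NLIST_SIZE,
                             sample_strtab, sizeof sample_strtab);
}

/* One entry whose n_strx (100) lies beyond the 16-byte string table. */
int check_bad_strx(void)
{
    uint8_t t[EXT_NLIST_SIZE];
    memcpy(t, sample_good, sizeof t);
    t[0] = 100;
    return walk_aout_symbols(t, sizeof t, sample_strtab, sizeof sample_strtab);
}

int main(void)
{
    printf("good table: %d symbols\n", check_good());
    printf("table ending in N_INDR: %d\n", check_truncated_indr());
    printf("bad n_strx: %d\n", check_bad_strx());
    return 0;
}
```

The two rejections are the ones worth keeping in mind when reading the ASan trace above: the symbol buffer is allocated from the header's symbol count, so every access must be bounded by that count rather than by what the entry's own type promises, and every n_strx must be validated against the string table before it is turned into a pointer.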

