[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Bug binutils/23804] New: Heap-buffer-overflow problem in function Sec_m
|
From: |
wcventure at 126 dot com |
|
Subject: |
[Bug binutils/23804] New: Heap-buffer-overflow problem in function Sec_merge_hash_lookup in merge.c, as demonstrated by "ld -E" |
|
Date: |
Sun, 21 Oct 2018 10:22:23 +0000 |
https://sourceware.org/bugzilla/show_bug.cgi?id=23804
Bug ID: 23804
Summary: Heap-buffer-overflow problem in function
Sec_merge_hash_lookup in merge.c, as demonstrated by
"ld -E"
Product: binutils
Version: 2.31
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: wcventure at 126 dot com
Target Milestone: ---
Created attachment 11355
--> https://sourceware.org/bugzilla/attachment.cgi?id=11355&action=edit
POC1
Heap-buffer-overflow problem in function Sec_merge_hash_lookup in merge.c, as
demonstrated by "ld -E"
Hi, there.
A Heap-buffer-overflow problem was discovered in function Sec_merge_hash_lookup
in merge.c of binutils 2.31. This problem can be reproduced in the latest code
base, too. A crafted ELF input can cause segment faults and I have confirmed
them with address sanitizer too.
Please use the "./ld -E $POC" to reproduce the bug.
The ASAN dumps the stack trace as follows:
> ==6219==ERROR: AddressSanitizer: heap-buffer-overflow on address
> 0x7fafe4eca898 at pc 0x0000010a46ef bp 0x7fffeb302450 sp 0x7fffeb302448
> READ of size 1 at 0x7fafe4eca898 thread T0
> #0 0x10a46ee in sec_merge_hash_lookup bintuils_gdb/bfd/merge.c:166:7
> #1 0x10a685d in sec_merge_add bintuils_gdb/bfd/merge.c:268:11
> #2 0x10996e5 in record_section bintuils_gdb/bfd/merge.c:488:12
> #3 0x10974ed in _bfd_merge_sections bintuils_gdb/bfd/merge.c:751:13
> #4 0xba24d3 in _bfd_elf_merge_sections bintuils_gdb/bfd/elflink.c:7398:5
> #5 0x589ea4 in lang_process bintuils_gdb/ld/ldlang.c:7543:7
> #6 0x5fd19c in main bintuils_gdb/ld/./ldmain.c:438:3
> #7 0x7fafe409382f in __libc_start_main
> /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
> #8 0x419638 in _start
> (/media/hjwang/01D3344861A8D2E0/wcventure/Project/binutils_latest_ASAN_O0/build/bin/ld+0x419638)
>
> 0x7fafe4eca898 is located 0 bytes to the right of 131224-byte region
> [0x7fafe4eaa800,0x7fafe4eca898)
> allocated by thread T0 here:
> #0 0x4b9748 in malloc
> (/media/hjwang/01D3344861A8D2E0/wcventure/Project/binutils_latest_ASAN_O0/build/bin/ld+0x4b9748)
> #1 0x12a243c in _objalloc_alloc bintuils_gdb/libiberty/./objalloc.c:143:22
> #2 0x83a238 in bfd_alloc bintuils_gdb/bfd/opncls.c:949:9
> #3 0x1094f3a in _bfd_add_merge_section bintuils_gdb/bfd/merge.c:432:15
> #4 0xba1cd4 in _bfd_elf_merge_sections bintuils_gdb/bfd/elflink.c:7389:12
> #5 0x589ea4 in lang_process bintuils_gdb/ld/ldlang.c:7543:7
> #6 0x5fd19c in main bintuils_gdb/ld/./ldmain.c:438:3
> #7 0x7fafe409382f in __libc_start_main
> /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
>
> SUMMARY: AddressSanitizer: heap-buffer-overflow
> bintuils_gdb/bfd/merge.c:166:7 in sec_merge_hash_lookup
> Shadow bytes around the buggy address:
> 0x0ff67c9d14c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0ff67c9d14d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0ff67c9d14e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0ff67c9d14f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0ff67c9d1500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> =>0x0ff67c9d1510: 00 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0ff67c9d1520: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0ff67c9d1530: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0ff67c9d1540: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0ff67c9d1550: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0ff67c9d1560: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
> Addressable: 00
> Partially addressable: 01 02 03 04 05 06 07
> Heap left redzone: fa
> Heap right redzone: fb
> Freed heap region: fd
> Stack left redzone: f1
> Stack mid redzone: f2
> Stack right redzone: f3
> Stack partial redzone: f4
> Stack after return: f5
> Stack use after scope: f8
> Global redzone: f9
> Global init order: f6
> Poisoned by user: f7
> Container overflow: fc
> Array cookie: ac
> Intra object redzone: bb
> ASan internal: fe
> Left alloca redzone: ca
> Right alloca redzone: cb
> ==6219==ABORTING
> Aborted
--
You are receiving this mail because:
You are on the CC list for the bug.
- [Bug binutils/23804] New: Heap-buffer-overflow problem in function Sec_merge_hash_lookup in merge.c, as demonstrated by "ld -E",
wcventure at 126 dot com <=
- [Bug binutils/23804] Heap-buffer-overflow problem in function Sec_merge_hash_lookup in merge.c, as demonstrated by "ld -E", wcventure at 126 dot com, 2018/10/21
- [Bug binutils/23804] Heap-buffer-overflow problem in function Sec_merge_hash_lookup in merge.c, as demonstrated by "ld -E", amodra at gmail dot com, 2018/10/23
- [Bug binutils/23804] Heap-buffer-overflow problem in function Sec_merge_hash_lookup in merge.c, as demonstrated by "ld -E", cvs-commit at gcc dot gnu.org, 2018/10/23
- [Bug binutils/23804] Heap-buffer-overflow problem in function Sec_merge_hash_lookup in merge.c, as demonstrated by "ld -E", amodra at gmail dot com, 2018/10/23
- [Bug binutils/23804] Heap-buffer-overflow problem in function Sec_merge_hash_lookup in merge.c, as demonstrated by "ld -E", amodra at gmail dot com, 2018/10/23