[Bug ld/24334] New: Heap-buffer-overflow in section_vma_same function in dwarf2.c in bfd
From: wcventure at 126 dot com
Subject: [Bug ld/24334] New: Heap-buffer-overflow in section_vma_same function in dwarf2.c in bfd
Date: Thu, 14 Mar 2019 12:33:18 +0000
https://sourceware.org/bugzilla/show_bug.cgi?id=24334
Bug ID: 24334
Summary: Heap-buffer-overflow in section_vma_same function in dwarf2.c in bfd
Product: binutils
Version: 2.32
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: ld
Assignee: unassigned at sourceware dot org
Reporter: wcventure at 126 dot com
Target Milestone: ---
Created attachment 11674
--> https://sourceware.org/bugzilla/attachment.cgi?id=11674&action=edit
POC
Hi,
A heap-buffer-overflow problem was discovered in the section_vma_same function in
dwarf2.c in bfd, as distributed in binutils v2.32. A crafted ELF input can
cause segmentation faults, and I have confirmed them with AddressSanitizer too.
Here are the POC files. Please use "./ld -E $POC" to reproduce the error.
For function bfd_getl16, ASan dumps the backtrace as follows:
> ==19552==ERROR: AddressSanitizer: heap-buffer-overflow on address
> 0x60d00000d000 at pc 0x000000901f1c bp 0x7fff47250bb0 sp 0x7fff47250ba8
> READ of size 8 at 0x60d00000d000 thread T0
> #0 0x901f1b in section_vma_same /binutils_2.32/bfd/./dwarf2.c:4303:18
> #1 0x901f1b in _bfd_dwarf2_slurp_debug_info
> /binutils_2.32/bfd/./dwarf2.c:4329
> #2 0x9123fc in _bfd_dwarf2_find_nearest_line
> /binutils_2.32/bfd/./dwarf2.c:4562:9
> #3 0x7f892e in _bfd_elf_find_nearest_line /binutils_2.32/bfd/elf.c:8869:7
> #4 0x5ba463 in vfinfo /binutils_2.32/ld/ldmisc.c:350:10
> #5 0x5be6f9 in einfo /binutils_2.32/ld/ldmisc.c:624:3
> #6 0x59489c in multiple_definition /binutils_2.32/ld/./ldmain.c:1001:3
> #7 0x8b2afd in _bfd_elf_merge_symbol /binutils_2.32/bfd/elflink.c:1595:7
> #8 0x829acb in elf_link_add_object_symbols
> /binutils_2.32/bfd/elflink.c:4675:9
> #9 0x82165a in bfd_elf_link_add_symbols
> /binutils_2.32/bfd/elflink.c:5740:14
> #10 0x534ff0 in load_symbols /binutils_2.32/ld/ldlang.c:3080:7
> #11 0x563440 in open_input_bfds /binutils_2.32/ld/ldlang.c:3529:13
> #12 0x55124f in lang_process /binutils_2.32/ld/ldlang.c:7383:3
> #13 0x58fb7f in main /binutils_2.32/ld/./ldmain.c:440:3
> #14 0x7fd90ef1d82f in __libc_start_main
> /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
> #15 0x4195f8 in _start (/binutils_2.32/build/bin/ld+0x4195f8)
>
> 0x60d00000d000 is located 0 bytes to the right of 144-byte region
> [0x60d00000cf70,0x60d00000d000)
> allocated by thread T0 here:
> #0 0x4b9728 in malloc (/binutils_2.32/build/bin/ld+0x4b9728)
> #1 0x69b928 in bfd_malloc /binutils_2.32/bfd/libbfd.c:275:9
> #2 0x9123fc in _bfd_dwarf2_find_nearest_line
> /binutils_2.32/bfd/./dwarf2.c:4562:9
> #3 0x7f892e in _bfd_elf_find_nearest_line /binutils_2.32/bfd/elf.c:8869:7
> #4 0x5ba463 in vfinfo /binutils_2.32/ld/ldmisc.c:350:10
> #5 0x5be6f9 in einfo /binutils_2.32/ld/ldmisc.c:624:3
> #6 0x59489c in multiple_definition /binutils_2.32/ld/./ldmain.c:1001:3
>
> SUMMARY: AddressSanitizer: heap-buffer-overflow
> /binutils_2.32/bfd/./dwarf2.c:4303:18 in section_vma_same
> Shadow bytes around the buggy address:
> 0x0c1a7fff99b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c1a7fff99c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c1a7fff99d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c1a7fff99e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 00 00
> 0x0c1a7fff99f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> =>0x0c1a7fff9a00:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c1a7fff9a10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c1a7fff9a20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c1a7fff9a30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c1a7fff9a40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c1a7fff9a50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
> Addressable: 00
> Partially addressable: 01 02 03 04 05 06 07
> Heap left redzone: fa
> Heap right redzone: fb
> Freed heap region: fd
> Stack left redzone: f1
> Stack mid redzone: f2
> Stack right redzone: f3
> Stack partial redzone: f4
> Stack after return: f5
> Stack use after scope: f8
> Global redzone: f9
> Global init order: f6
> Poisoned by user: f7
> Container overflow: fc
> Array cookie: ac
> Intra object redzone: bb
> ASan internal: fe
> Left alloca redzone: ca
> Right alloca redzone: cb
> ==19552==ABORTING
> Aborted
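The numbers in the ASan report above already say a lot about the bug before anyone opens dwarf2.c: the faulting READ is 8 bytes wide, it starts exactly 0 bytes past the end of a 144-byte heap region, and 144 is 18 times 8. So the access is element 18 of an 18-element array of 8-byte values (on a 64-bit host bfd_vma is 8 bytes, which is consistent with a per-section VMA table), i.e. a walk that goes one element further than the buffer allocated in _bfd_dwarf2_find_nearest_line holds. The script below is an added triage helper written for this page; it is not code from the bug report or from binutils. It parses a sanitizer report (stripping mail quoting so the text can be pasted from a thread), derives the offset, the bytes past the end and the implied element index, and picks the first non-allocator frame of the allocation stack as the allocation site. The embedded sample is the key lines of this report with the wrapped frames re-joined; the list of allocator wrapper names to skip (ALLOC_WRAPPERS) is an assumption chosen for this example.

```python
import re

# Constructed sample: the relevant lines of the ASan report from this bug,
# with the mail-wrapped stack frames re-joined onto single lines.
SAMPLE_REPORT = """\
> ==19552==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60d00000d000 at pc 0x000000901f1c bp 0x7fff47250bb0 sp 0x7fff47250ba8
> READ of size 8 at 0x60d00000d000 thread T0
>     #0 0x901f1b in section_vma_same /binutils_2.32/bfd/./dwarf2.c:4303:18
>     #1 0x901f1b in _bfd_dwarf2_slurp_debug_info /binutils_2.32/bfd/./dwarf2.c:4329
>     #2 0x9123fc in _bfd_dwarf2_find_nearest_line /binutils_2.32/bfd/./dwarf2.c:4562:9
>
> 0x60d00000d000 is located 0 bytes to the right of 144-byte region [0x60d00000cf70,0x60d00000d000)
> allocated by thread T0 here:
>     #0 0x4b9728 in malloc (/binutils_2.32/build/bin/ld+0x4b9728)
>     #1 0x69b928 in bfd_malloc /binutils_2.32/bfd/libbfd.c:275:9
>     #2 0x9123fc in _bfd_dwarf2_find_nearest_line /binutils_2.32/bfd/./dwarf2.c:4562:9
>
> SUMMARY: AddressSanitizer: heap-buffer-overflow /binutils_2.32/bfd/./dwarf2.c:4303:18 in section_vma_same
"""

ERROR_RE = re.compile(r"==(\d+)==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-fA-F]+)")
REGION_RE = re.compile(
    r"(0x[0-9a-fA-F]+) is located (\d+) bytes (to the right of|to the left of|inside of) "
    r"(\d+)-byte region \[(0x[0-9a-fA-F]+),(0x[0-9a-fA-F]+)\)"
)
FRAME_RE = re.compile(r"#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(\S+)(?:\s+(\S+))?")
# Assumption for this example: frames with these names are allocator wrappers,
# not the allocation site a triager wants to look at.
ALLOC_WRAPPERS = {"malloc", "calloc", "realloc", "bfd_malloc", "bfd_zmalloc", "bfd_realloc"}


def _clean(text):
    """Drop mail quoting ('> ' prefixes) so a report pasted from a thread parses."""
    return [re.sub(r"^\s*(>\s?)+", "", ln) for ln in text.splitlines()]


def parse_asan_report(text):
    """Extract the access, the region it hit and both stacks from an ASan report."""
    info = {"access_frames": [], "alloc_frames": [], "free_frames": []}
    stack = "access_frames"  # frames before "allocated by"/"freed by" belong to the access
    for ln in _clean(text):
        m = ERROR_RE.search(ln)
        if m:
            info["pid"], info["kind"], info["address"] = int(m.group(1)), m.group(2), int(m.group(3), 16)
            continue
        m = ACCESS_RE.match(ln.strip())
        if m:
            info["access"], info["access_size"] = m.group(1), int(m.group(2))
            continue
        m = REGION_RE.search(ln)
        if m:
            info["region_side"], info["region_size"] = m.group(3), int(m.group(4))
            info["region_start"], info["region_end"] = int(m.group(5), 16), int(m.group(6), 16)
            continue
        if "allocated by" in ln:
            stack = "alloc_frames"
            continue
        if "freed by" in ln:
            stack = "free_frames"
            continue
        m = FRAME_RE.search(ln)
        if m:
            info[stack].append((m.group(2), m.group(3) or ""))

    # Derived facts: where in the region the access landed and what it implies
    # if the region is an array of access-sized elements.
    if "address" in info and "region_start" in info:
        off = info["address"] - info["region_start"]
        info["offset_from_region_start"] = off
        info["bytes_past_end"] = max(0, info["address"] + info.get("access_size", 0) - info["region_end"])
        sz = info.get("access_size")
        if sz and info["region_size"] % sz == 0 and off % sz == 0:
            info["element_index"] = off // sz
            info["element_capacity"] = info["region_size"] // sz
    if info["access_frames"]:
        info["fault_function"], info["fault_location"] = info["access_frames"][0]
    site = next((f for f in info["alloc_frames"] if f[0] not in ALLOC_WRAPPERS), None)
    if site:
        info["alloc_function"], info["alloc_location"] = site
    return info


def classify(info):
    """One-line characterisation of a heap-buffer-overflow in array terms."""
    if info.get("kind") != "heap-buffer-overflow" or "element_index" not in info:
        return "unclassified"
    idx, cap = info["element_index"], info["element_capacity"]
    if idx == cap:
        shape = "off-by-one"
    elif idx > cap:
        shape = f"{idx - cap + 1} elements past the end"
    else:
        shape = "underflow"
    return (f"{shape} {info['access'].lower()} past a {info['region_size']}-byte heap buffer "
            f"(slot {idx} of {cap} x {info['access_size']}-byte slots)")


if __name__ == "__main__":
    r = parse_asan_report(SAMPLE_REPORT)
    print(classify(r))
    print("faulting frame:", r["fault_function"], r["fault_location"])
    print("allocated in:  ", r["alloc_function"], r["alloc_location"])
```

The "slot 18 of 18" result is the detail worth carrying into the fix: the loop in section_vma_same is iterating over more entries than the table it was handed was sized for, so the fix belongs at the point where that table's length and the loop bound can disagree, not at the read itself.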