[Bug ld/24336] New: Heap-buffer-overflow in bfd_elf64_swap_reloca

bug-binutils

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Bug ld/24336] New: Heap-buffer-overflow in bfd_elf64_swap_reloca_in fun

From:	wcventure at 126 dot com
Subject:	[Bug ld/24336] New: Heap-buffer-overflow in bfd_elf64_swap_reloca_in function in elfcode.h in bfd
Date:	Thu, 14 Mar 2019 12:37:15 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=24336

            Bug ID: 24336
           Summary: Heap-buffer-overflow in bfd_elf64_swap_reloca_in
                    function in elfcode.h in bfd
           Product: binutils
           Version: 2.32
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: ld
          Assignee: unassigned at sourceware dot org
          Reporter: wcventure at 126 dot com
  Target Milestone: ---

Created attachment 11675
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11675&action=edit
POC

Hi, 

A Heap-buffer-overflow problem was discovered in bfd_elf64_swap_reloca_in
function in elfcode.h in bfd, as distributed in binutils v2.32. A crafted ELF
input can cause segment faults and I have confirmed them with address sanitizer
too.

Here are the POC files. Please use "./ld -E $POC" to reproduce the error.


ASAN dumps the backtrace as follow:
> =================================================================
> ==1521==ERROR: AddressSanitizer: heap-buffer-overflow on address 
> 0x62100002cd00 at pc 0x00000076b98b bp 0x7ffd69de5650 sp 0x7ffd69de5648
> WRITE of size 8 at 0x62100002cd00 thread T0
>     #0 0x76b98a in bfd_elf64_swap_reloca_in 
> /home/hjwang/Fuzzing_Objects/binutils_2.32_ASAN/bfd/./elfcode.h:422:17
>     #1 0x81c49e in elf_link_read_relocs_from_section 
> /home/hjwang/Fuzzing_Objects/binutils_2.32_ASAN/bfd/elflink.c:2531:7
>     #2 0x81bb4c in _bfd_elf_link_read_relocs 
> /home/hjwang/Fuzzing_Objects/binutils_2.32_ASAN/bfd/elflink.c:2639:12
>     #3 0x820ba4 in _bfd_elf_link_check_relocs 
> /home/hjwang/Fuzzing_Objects/binutils_2.32_ASAN/bfd/elflink.c:3844:22
>     #4 0x555a6c in lang_check_relocs 
> /home/hjwang/Fuzzing_Objects/binutils_2.32_ASAN/ld/ldlang.c:7327:7
>     #5 0x555a6c in lang_process 
> /home/hjwang/Fuzzing_Objects/binutils_2.32_ASAN/ld/ldlang.c:7538
>     #6 0x58fb7f in main 
> /home/hjwang/Fuzzing_Objects/binutils_2.32_ASAN/ld/./ldmain.c:440:3
>     #7 0x7f946339682f in __libc_start_main 
> /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
>     #8 0x4195f8 in _start 
> (/home/hjwang/Fuzzing_Objects/binutils_2.32_ASAN/build/bin/ld+0x4195f8)
> 
> 0x62100002cd00 is located 0 bytes to the right of 4096-byte region 
> [0x62100002bd00,0x62100002cd00)
> allocated by thread T0 here:
>     #0 0x4b9728 in malloc 
> (/home/hjwang/Fuzzing_Objects/binutils_2.32_ASAN/build/bin/ld+0x4b9728)
>     #1 0xc35593 in _objalloc_alloc 
> /home/hjwang/Fuzzing_Objects/binutils_2.32_ASAN/libiberty/./objalloc.c:143:22
> 
> SUMMARY: AddressSanitizer: heap-buffer-overflow 
> /home/hjwang/Fuzzing_Objects/binutils_2.32_ASAN/bfd/./elfcode.h:422:17 in 
> bfd_elf64_swap_reloca_in
> Shadow bytes around the buggy address:
>   0x0c427fffd950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c427fffd960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c427fffd970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c427fffd980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c427fffd990: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> =>0x0c427fffd9a0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c427fffd9b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c427fffd9c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c427fffd9d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c427fffd9e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c427fffd9f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07
>   Heap left redzone:       fa
>   Heap right redzone:      fb
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack partial redzone:   f4
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Container overflow:      fc
>   Array cookie:            ac
>   Intra object redzone:    bb
>   ASan internal:           fe
>   Left alloca redzone:     ca
>   Right alloca redzone:    cb
> ==1521==ABORTING
> Aborted

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Prev in Thread]

Current Thread

[Next in Thread]

[Bug ld/24336] New: Heap-buffer-overflow in bfd_elf64_swap_reloca_in function in elfcode.h in bfd, wcventure at 126 dot com <=
- [Bug ld/24336] Heap-buffer-overflow in bfd_elf64_swap_reloca_in function in elfcode.h in bfd, amodra at gmail dot com, 2019/03/15
- [Bug ld/24336] Heap-buffer-overflow in bfd_elf64_swap_reloca_in function in elfcode.h in bfd, cvs-commit at gcc dot gnu.org, 2019/03/15
- [Bug ld/24336] Heap-buffer-overflow in bfd_elf64_swap_reloca_in function in elfcode.h in bfd, amodra at gmail dot com, 2019/03/15

Prev by Date: [Bug ld/24334] New: Heap-buffer-overflow in section_vma_same function in dwarf2.c in bfd
Next by Date: [Bug ld/24337] New: An Invalid Memory Address Dereference problem was discovered in function _bfd_elf_rela_local_sym in elf.c in bfd
Previous by thread: [Bug ld/24334] New: Heap-buffer-overflow in section_vma_same function in dwarf2.c in bfd
Next by thread: [Bug ld/24336] Heap-buffer-overflow in bfd_elf64_swap_reloca_in function in elfcode.h in bfd
Index(es):
- Date
- Thread