[Bug ld/24336] New: Heap-buffer-overflow in bfd_elf64_swap_reloca_in function in elfcode.h in bfd
From: wcventure at 126 dot com
Subject: [Bug ld/24336] New: Heap-buffer-overflow in bfd_elf64_swap_reloca_in function in elfcode.h in bfd
Date: Thu, 14 Mar 2019 12:37:15 +0000
https://sourceware.org/bugzilla/show_bug.cgi?id=24336
Bug ID: 24336
Summary: Heap-buffer-overflow in bfd_elf64_swap_reloca_in function in elfcode.h in bfd
Product: binutils
Version: 2.32
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: ld
Assignee: unassigned at sourceware dot org
Reporter: wcventure at 126 dot com
Target Milestone: ---
Created attachment 11675 (POC): https://sourceware.org/bugzilla/attachment.cgi?id=11675&action=edit
Hi,
A heap-buffer-overflow problem was discovered in the bfd_elf64_swap_reloca_in function in elfcode.h in bfd, as distributed in binutils v2.32. A crafted ELF input can cause segmentation faults, and I have confirmed them with AddressSanitizer too.
Here are the POC files. Please use "./ld -E $POC" to reproduce the error.
ASAN dumps the backtrace as follows:
> =================================================================
> ==1521==ERROR: AddressSanitizer: heap-buffer-overflow on address
> 0x62100002cd00 at pc 0x00000076b98b bp 0x7ffd69de5650 sp 0x7ffd69de5648
> WRITE of size 8 at 0x62100002cd00 thread T0
> #0 0x76b98a in bfd_elf64_swap_reloca_in
> /home/hjwang/Fuzzing_Objects/binutils_2.32_ASAN/bfd/./elfcode.h:422:17
> #1 0x81c49e in elf_link_read_relocs_from_section
> /home/hjwang/Fuzzing_Objects/binutils_2.32_ASAN/bfd/elflink.c:2531:7
> #2 0x81bb4c in _bfd_elf_link_read_relocs
> /home/hjwang/Fuzzing_Objects/binutils_2.32_ASAN/bfd/elflink.c:2639:12
> #3 0x820ba4 in _bfd_elf_link_check_relocs
> /home/hjwang/Fuzzing_Objects/binutils_2.32_ASAN/bfd/elflink.c:3844:22
> #4 0x555a6c in lang_check_relocs
> /home/hjwang/Fuzzing_Objects/binutils_2.32_ASAN/ld/ldlang.c:7327:7
> #5 0x555a6c in lang_process
> /home/hjwang/Fuzzing_Objects/binutils_2.32_ASAN/ld/ldlang.c:7538
> #6 0x58fb7f in main
> /home/hjwang/Fuzzing_Objects/binutils_2.32_ASAN/ld/./ldmain.c:440:3
> #7 0x7f946339682f in __libc_start_main
> /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
> #8 0x4195f8 in _start
> (/home/hjwang/Fuzzing_Objects/binutils_2.32_ASAN/build/bin/ld+0x4195f8)
>
> 0x62100002cd00 is located 0 bytes to the right of 4096-byte region
> [0x62100002bd00,0x62100002cd00)
> allocated by thread T0 here:
> #0 0x4b9728 in malloc
> (/home/hjwang/Fuzzing_Objects/binutils_2.32_ASAN/build/bin/ld+0x4b9728)
> #1 0xc35593 in _objalloc_alloc
> /home/hjwang/Fuzzing_Objects/binutils_2.32_ASAN/libiberty/./objalloc.c:143:22
>
> SUMMARY: AddressSanitizer: heap-buffer-overflow
> /home/hjwang/Fuzzing_Objects/binutils_2.32_ASAN/bfd/./elfcode.h:422:17 in
> bfd_elf64_swap_reloca_in
> ==1521==ABORTING
> Aborted
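The report above shows an 8-byte write landing exactly at the end of the 4096-byte objalloc region that holds the swapped-in relocations, i.e. one entry more was written than was allocated for. As an added illustration (not binutils code), here is a minimal ELF64 Rela reader that ties the number of entries it will write to the capacity of the destination array; the on-disk layout is the standard 24-byte little-endian Elf64_Rela (r_offset, r_info, r_addend), and the section bytes, sizes and function names are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Internal form of one ELF64 Rela entry (same fields as Elf64_Rela). */
typedef struct { uint64_t r_offset, r_info; int64_t r_addend; } rela_t;
#define RELA_ENTSIZE 24u   /* on-disk size of an ELF64 Rela record */

static uint64_t get_le64(const uint8_t *p) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}

/* Swap one external (little-endian) Rela into internal form. */
static void swap_reloca_in(const uint8_t *src, rela_t *dst) {
    dst->r_offset = get_le64(src);
    dst->r_info   = get_le64(src + 8);
    dst->r_addend = (int64_t)get_le64(src + 16);
}

/* Read all Rela entries of a section into out[]. Returns the count, or -1
 * if the section is malformed or would not fit: sh_size must be a whole
 * number of entries and that number must not exceed out_cap. Dropping the
 * out_cap check lets a section that claims more entries than were
 * allocated write past the end of out[], the failure mode ASan reported. */
static long read_relocs(const uint8_t *sec, size_t sh_size, size_t sh_entsize,
                        rela_t *out, size_t out_cap) {
    if (sh_entsize != RELA_ENTSIZE || sh_size % sh_entsize != 0) return -1;
    size_t n = sh_size / sh_entsize;
    if (n > out_cap) return -1;
    for (size_t i = 0; i < n; i++) swap_reloca_in(sec + i * sh_entsize, &out[i]);
    return (long)n;
}
/* Constructed section contents: two little-endian Rela entries (48 bytes). */
static const uint8_t sample_sec[48] = {
    0x00,0x10,0,0,0,0,0,0, 0x01,0,0,0,0x02,0,0,0, 0xF8,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
    0x08,0x10,0,0,0,0,0,0, 0x03,0,0,0,0x02,0,0,0, 0x10,0,0,0,0,0,0,0,
};
static rela_t parsed[2];
/* Entry points: a well-formed read, a capacity mismatch, a truncated size. */
long demo_ok(void)        { return read_relocs(sample_sec, 48, RELA_ENTSIZE, parsed, 2); }
long demo_too_many(void)  { return read_relocs(sample_sec, 48, RELA_ENTSIZE, parsed, 1); }
long demo_truncated(void) { return read_relocs(sample_sec, 40, RELA_ENTSIZE, parsed, 2); }
int main(void) {
    printf("ok=%ld too_many=%ld truncated=%ld\n", demo_ok(), demo_too_many(), demo_truncated());
    return 0;
}
```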