[Bug ld/24338] New: Heap-buffer-overflow in elf_x86_64_relocate_section in elf64-x86-64.c in bfd
From: wcventure at 126 dot com
Subject: [Bug ld/24338] New: Heap-buffer-overflow in elf_x86_64_relocate_section in elf64-x86-64.c in bfd
Date: Thu, 14 Mar 2019 12:46:54 +0000
https://sourceware.org/bugzilla/show_bug.cgi?id=24338
Bug ID: 24338
Summary: Heap-buffer-overflow in elf_x86_64_relocate_section in
elf64-x86-64.c in bfd
Product: binutils
Version: 2.32
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: ld
Assignee: unassigned at sourceware dot org
Reporter: wcventure at 126 dot com
Target Milestone: ---
Created attachment 11677
--> https://sourceware.org/bugzilla/attachment.cgi?id=11677&action=edit
POC
Hi,
A heap-buffer-overflow problem was discovered in elf_x86_64_relocate_section in
elf64-x86-64.c in bfd, as distributed in binutils v2.32. A crafted ELF input
can cause segmentation faults, and I have confirmed them with AddressSanitizer too.
Here are the POC files. Please use "./ld -E $POC" to reproduce the error.
ASan dumps the backtrace as follows:
> ==21164==ERROR: AddressSanitizer: heap-buffer-overflow on address
> 0x6290000141fc at pc 0x0000004a342d bp 0x7ffda9dc6a30 sp 0x7ffda9dc61e0
> WRITE of size 16 at 0x6290000141fc thread T0
> #0 0x4a342c in __asan_memcpy (/binutils_2.32/build/bin/ld+0x4a342c)
> #1 0x7267d0 in elf_x86_64_relocate_section
> /binutils_2.32/bfd/elf64-x86-64.c:3348:7
> #2 0x874c6c in elf_link_input_bfd /binutils_2.32/bfd/elflink.c:10856:10
> #3 0x874c6c in bfd_elf_final_link /binutils_2.32/bfd/elflink.c:12183
> #4 0x59a4dc in ldwrite /binutils_2.32/ld/ldwrite.c:581:8
> #5 0x58fe8c in main /binutils_2.32/ld/./ldmain.c:456:3
> #6 0x7f479a46f82f in __libc_start_main
> /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
> #7 0x4195f8 in _start (/binutils_2.32/build/bin/ld+0x4195f8)
>
> 0x6290000141fc is located 4 bytes to the left of 17086-byte region
> [0x629000014200,0x6290000184be)
> allocated by thread T0 here:
> #0 0x4b9728 in malloc (/binutils_2.32/build/bin/ld+0x4b9728)
> #1 0x69b928 in bfd_malloc /binutils_2.32/bfd/libbfd.c:275:9
> #2 0x59a4dc in ldwrite /binutils_2.32/ld/ldwrite.c:581:8
> #3 0x58fe8c in main /binutils_2.32/ld/./ldmain.c:456:3
> #4 0x7f479a46f82f in __libc_start_main
> /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
>
> SUMMARY: AddressSanitizer: heap-buffer-overflow
> (/binutils_2.32/build/bin/ld+0x4a342c) in __asan_memcpy
> Shadow bytes around the buggy address:
> 0x0c527fffa7e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c527fffa7f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c527fffa800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c527fffa810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c527fffa820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> =>0x0c527fffa830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
> 0x0c527fffa840: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0c527fffa850: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0c527fffa860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0c527fffa870: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0c527fffa880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> Shadow byte legend (one shadow byte represents 8 application bytes):
> Addressable: 00
> Partially addressable: 01 02 03 04 05 06 07
> Heap left redzone: fa
> Heap right redzone: fb
> Freed heap region: fd
> Stack left redzone: f1
> Stack mid redzone: f2
> Stack right redzone: f3
> Stack partial redzone: f4
> Stack after return: f5
> Stack use after scope: f8
> Global redzone: f9
> Global init order: f6
> Poisoned by user: f7
> Container overflow: fc
> Array cookie: ac
> Intra object redzone: bb
> ASan internal: fe
> Left alloca redzone: ca
> Right alloca redzone: cb
> ==21164==ABORTING
> Aborted
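As an added triage example (not code from the bug report or from binutils): a Python parser for the AddressSanitizer report format quoted above. It pulls out the access, the allocation it misses and the signed offset between them, picks the first program frame on each stack, and cross-checks the distance ASan states in prose ("4 bytes to the left of") against the raw addresses it prints, so a mangled or hand-edited report is rejected rather than mis-triaged. The sample report is the head of the one in this bug, constructed here with the two mail-wrapped lines re-joined; the frame-skip list and the ValueError messages are this example's own choices.

```python
"""Triage helper for AddressSanitizer reports such as the one in this bug
report. Added example; not binutils code and not the reporter's."""
import re
from dataclasses import dataclass

# Constructed sample: the head of the ASan report quoted above, with the two
# lines that the mail client wrapped re-joined into single lines.
SAMPLE_REPORT = """\
==21164==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6290000141fc at pc 0x0000004a342d bp 0x7ffda9dc6a30 sp 0x7ffda9dc61e0
WRITE of size 16 at 0x6290000141fc thread T0
    #0 0x4a342c in __asan_memcpy (/binutils_2.32/build/bin/ld+0x4a342c)
    #1 0x7267d0 in elf_x86_64_relocate_section /binutils_2.32/bfd/elf64-x86-64.c:3348:7
    #2 0x874c6c in elf_link_input_bfd /binutils_2.32/bfd/elflink.c:10856:10

0x6290000141fc is located 4 bytes to the left of 17086-byte region [0x629000014200,0x6290000184be)
allocated by thread T0 here:
    #0 0x4b9728 in malloc (/binutils_2.32/build/bin/ld+0x4b9728)
    #1 0x69b928 in bfd_malloc /binutils_2.32/bfd/libbfd.c:275:9
    #2 0x59a4dc in ldwrite /binutils_2.32/ld/ldwrite.c:581:8
"""

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)", re.M)
REGION_RE = re.compile(
    r"is located (\d+) bytes (to the left of|to the right of|inside of) "
    r"(\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+) (\S+)", re.M)

# Frames that belong to the sanitizer runtime or the allocator rather than
# to the program under test (skip list chosen for this example).
RUNTIME_FRAMES = ("__asan_", "__interceptor_", "malloc", "calloc", "realloc")


@dataclass
class AsanFinding:
    kind: str         # e.g. "heap-buffer-overflow"
    access: str       # "READ" or "WRITE"
    size: int         # bytes accessed
    addr: int         # faulting address
    region_lo: int    # allocation start (inclusive)
    region_hi: int    # allocation end (exclusive)
    access_site: str  # first program frame on the access stack
    alloc_site: str   # first program frame on the allocation stack

    @property
    def offset(self) -> int:
        """Signed offset of the access from the allocation start; negative
        means the access begins before the buffer."""
        return self.addr - self.region_lo

    @property
    def bytes_outside(self) -> int:
        """How many of the accessed bytes fall outside the allocation."""
        lo, hi = self.addr, self.addr + self.size
        inside = max(0, min(hi, self.region_hi) - max(lo, self.region_lo))
        return self.size - inside

    def summary(self) -> str:
        return (f"{self.kind}: {self.access} of {self.size} bytes at "
                f"allocation{self.offset:+d} ({self.bytes_outside} outside the "
                f"{self.region_hi - self.region_lo}-byte region) in "
                f"{self.access_site}; region allocated in {self.alloc_site}")


def first_program_frame(stack: str) -> str:
    """Return 'function location' for the first frame outside the runtime."""
    for func, loc in FRAME_RE.findall(stack):
        if not func.startswith(RUNTIME_FRAMES):
            return f"{func} {loc}"
    raise ValueError("no program frame found in stack")


def parse_asan_report(text: str) -> AsanFinding:
    m = ERROR_RE.search(text)
    if m is None:
        raise ValueError("not an AddressSanitizer error report")
    kind, addr = m.group(1), int(m.group(2), 16)

    a = ACCESS_RE.search(text)
    if a is None or int(a.group(3), 16) != addr:
        raise ValueError("access line missing or disagrees with header")
    access, size = a.group(1), int(a.group(2))

    r = REGION_RE.search(text)
    if r is None:
        raise ValueError("no allocation description found")
    dist, side, rsize = int(r.group(1)), r.group(2), int(r.group(3))
    region_lo, region_hi = int(r.group(4), 16), int(r.group(5), 16)

    # Cross-check ASan's prose against the raw addresses it printed.
    if region_hi - region_lo != rsize:
        raise ValueError("region bounds do not match stated size")
    expected = {"to the left of": region_lo - dist,
                "to the right of": region_hi + dist,
                "inside of": region_lo + dist}[side]
    if expected != addr:
        raise ValueError("distance text does not match addresses")

    # The access stack precedes "allocated by"; the allocation stack follows it.
    access_stack, _, alloc_stack = text.partition("allocated by")
    return AsanFinding(kind, access, size, addr, region_lo, region_hi,
                       first_program_frame(access_stack),
                       first_program_frame(alloc_stack))


def is_consistent(text: str) -> bool:
    """True when the report parses and its numbers agree with each other."""
    try:
        parse_asan_report(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(parse_asan_report(SAMPLE_REPORT).summary())
```

Run on the sample, it reports the 16-byte memcpy as starting at allocation-4: 4 bytes land in the left redzone and 12 inside the 17086-byte buffer that bfd_malloc returned to ldwrite. That negative offset is the detail worth carrying into the fix: the write begins before the section contents rather than running past their end, which points at the destination offset the caller computed, not at the copy length.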