bug-binutils
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Bug ld/24338] New: Heap-buffer-overflow in elf_x86_64_relocate_section


From: wcventure at 126 dot com
Subject: [Bug ld/24338] New: Heap-buffer-overflow in elf_x86_64_relocate_section in elf64-x86-64.c in bfd
Date: Thu, 14 Mar 2019 12:46:54 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=24338

            Bug ID: 24338
           Summary: Heap-buffer-overflow in elf_x86_64_relocate_section in
                    elf64-x86-64.c in bfd
           Product: binutils
           Version: 2.32
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: ld
          Assignee: unassigned at sourceware dot org
          Reporter: wcventure at 126 dot com
  Target Milestone: ---

Created attachment 11677
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11677&action=edit
POC

Hi, 

A Heap-buffer-overflow problem was discovered in elf_x86_64_relocate_section in
elf64-x86-64.c in bfd, as distributed in binutils v2.32. A crafted ELF input
can cause segment faults and I have confirmed them with address sanitizer too.

Here are the POC files. Please use "./ld -E $POC" to reproduce the error.


ASAN dumps the backtrace as follow:

> ==21164==ERROR: AddressSanitizer: heap-buffer-overflow on address 
> 0x6290000141fc at pc 0x0000004a342d bp 0x7ffda9dc6a30 sp 0x7ffda9dc61e0
> WRITE of size 16 at 0x6290000141fc thread T0
>     #0 0x4a342c in __asan_memcpy (/binutils_2.32/build/bin/ld+0x4a342c)
>     #1 0x7267d0 in elf_x86_64_relocate_section 
> /binutils_2.32/bfd/elf64-x86-64.c:3348:7
>     #2 0x874c6c in elf_link_input_bfd /binutils_2.32/bfd/elflink.c:10856:10
>     #3 0x874c6c in bfd_elf_final_link /binutils_2.32/bfd/elflink.c:12183
>     #4 0x59a4dc in ldwrite /binutils_2.32/ld/ldwrite.c:581:8
>     #5 0x58fe8c in main /binutils_2.32/ld/./ldmain.c:456:3
>     #6 0x7f479a46f82f in __libc_start_main 
> /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
>     #7 0x4195f8 in _start (/binutils_2.32/build/bin/ld+0x4195f8)
> 
> 0x6290000141fc is located 4 bytes to the left of 17086-byte region 
> [0x629000014200,0x6290000184be)
> allocated by thread T0 here:
>     #0 0x4b9728 in malloc (/binutils_2.32/build/bin/ld+0x4b9728)
>     #1 0x69b928 in bfd_malloc /binutils_2.32/bfd/libbfd.c:275:9
>     #2 0x59a4dc in ldwrite /binutils_2.32/ld/ldwrite.c:581:8
>     #3 0x58fe8c in main /binutils_2.32/ld/./ldmain.c:456:3
>     #4 0x7f479a46f82f in __libc_start_main 
> /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
> 
> SUMMARY: AddressSanitizer: heap-buffer-overflow 
> (/binutils_2.32/build/bin/ld+0x4a342c) in __asan_memcpy
> Shadow bytes around the buggy address:
>   0x0c527fffa7e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c527fffa7f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c527fffa800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c527fffa810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c527fffa820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> =>0x0c527fffa830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
>   0x0c527fffa840: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c527fffa850: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c527fffa860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c527fffa870: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c527fffa880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07
>   Heap left redzone:       fa
>   Heap right redzone:      fb
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack partial redzone:   f4
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Container overflow:      fc
>   Array cookie:            ac
>   Intra object redzone:    bb
>   ASan internal:           fe
>   Left alloca redzone:     ca
>   Right alloca redzone:    cb
> ==21164==ABORTING
> Aborted

-- 
You are receiving this mail because:
You are on the CC list for the bug.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]