A heap buffer overflow bug in binutils-2.39

There is a heap buffer overflow bug in binutils-2.39 (commit 49c843e6).

The bug is triggered in find_section_in_set() at binutils/readelf.c:970 when parsing the debug sections of a malformed ELF file.

The bug is caused by improper checks of the array boundary when iterating through the array "section_subset" of ELF debug section.

To reproduce this bug, use:

1. compile binutils-2.39 with clang-6.0 and address sanitizer:

```sh

./configure --disable-shared --disable-gdb --disable-werror

make

```

2. use readelf to process the PoC file (see attachment):

```sh

readelf -w ./PoC

```

The address sanitizer reports are as follows.

readelf: Error: Internal error: out of space in the shndx pool.

Contents of the .debug_names section:

readelf: Warning: Debug info is corrupted, .debug_names header at 0 has length 0x4c457f

Contents of the .debug_names section:

=================================================================

==29074==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61a000000bd8 at pc 0x0000005143de bp 0x7fffffffd6c0 sp 0x7fffffffd6b8

READ of size 4 at 0x61a000000bd8 thread T0

#0 0x5143dd in find_section_in_set /binutils-gdb/obj-asan/binutils/../../binutils/readelf.c:970:19

#1 0x5130b6 in load_debug_section /binutils-gdb/obj-asan/binutils/../../binutils/readelf.c:16160:9

#2 0x612472 in load_debug_section_with_follow /binutils-gdb/obj-asan/binutils/../../binutils/dwarf.c:3453:7

#3 0x606ce0 in display_debug_names /binutils-gdb/obj-asan/binutils/../../binutils/dwarf.c:10002:3

#4 0x558c9b in display_debug_section /binutils-gdb/obj-asan/binutils/../../binutils/readelf.c:16258:18

#5 0x558c9b in process_section_contents /binutils-gdb/obj-asan/binutils/../../binutils/readelf.c:16354

#6 0x52ae91 in process_object /binutils-gdb/obj-asan/binutils/../../binutils/readelf.c:22372:9

#7 0x517f9e in process_file /binutils-gdb/obj-asan/binutils/../../binutils/readelf.c:22795:13

#8 0x517f9e in main /binutils-gdb/obj-asan/binutils/../../binutils/readelf.c:22866

#9 0x7ffff6e22c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310

#10 0x41a909 in _start (/binutils-gdb/obj-asan/binutils/readelf+0x41a909)

0x61a000000bd8 is located 0 bytes to the right of 1368-byte region [0x61a000000680,0x61a000000bd8)

allocated by thread T0 here:

#0 0x4dac40 in realloc (/binutils-gdb/obj-asan/binutils/readelf+0x4dac40)

#1 0x74eeed in xrealloc /binutils-gdb/obj-asan/libiberty/../../libiberty/xmalloc.c:181:14

SUMMARY: AddressSanitizer: heap-buffer-overflow /binutils-gdb/obj-asan/binutils/../../binutils/readelf.c:970:19 in find_section_in_set

Shadow bytes around the buggy address:

0x0c347fff8120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

0x0c347fff8130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

0x0c347fff8140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

0x0c347fff8150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

0x0c347fff8160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

=>0x0c347fff8170: 00 00 00 00 00 00 00 00 00 00 00[fa]fa fa fa fa

0x0c347fff8180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

0x0c347fff8190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

0x0c347fff81a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

0x0c347fff81b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

0x0c347fff81c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

Shadow byte legend (one shadow byte represents 8 application bytes):

Addressable: 00

Partially addressable: 01 02 03 04 05 06 07

Heap left redzone: fa

Freed heap region: fd

Stack left redzone: f1

Stack mid redzone: f2

Stack right redzone: f3

Stack after return: f5

Stack use after scope: f8

Global redzone: f9

Global init order: f6

Poisoned by user: f7

Container overflow: fc

Array cookie: ac

Intra object redzone: bb

ASan internal: fe

Left alloca redzone: ca

Right alloca redzone: cb

Found by bjchan9an with SyntaxAFL.

From:	bjchan9an
Subject:	A heap buffer overflow bug in binutils-2.39
Date:	Sat, 29 Oct 2022 16:39:46 +0800