Created attachment 14528 [details] POC

#Summary
There is a huge memory allocation vulnerability in nm-new, which can be triggered by a crafted elf file.

#Verification
git clone git://sourceware.org/git/binutils-gdb.git
CC="clang -fsanitize=address" CXX="clang++ -fsanitize=address" ./configure --disable-shared && make -j$(nproc)
./binutils/nm-new -A -a -l -S -s --special-syms --synthetic --with-symbol-versions -D poc

#ASAN
./binutils/nm-new: poc: invalid string offset 2147483648 >= 472 for section `.ung.ab'
./binutils/nm-new: poc: invalid string offset 32768 >= 472 for section `.ung.ab'
./binutils/nm-new: poc: invalid string offset 65280 >= 472 for section `.ung.ab'
./binutils/nm-new: poc: invalid string offset 4076863487 >= 472 for section `.ung.ab'
./binutils/nm-new: poc: invalid string offset 65408 >= 472 for section `.ung.ab'
poc:0000000000050000 a
poc: U
poc: U
poc: U
poc: U
poc: U
poc: U
poc: U
poc: U
poc: U
poc:0000000000130003 a
poc: U
poc: U
poc: U
poc: U
poc: U
poc: U
poc: U
poc: U
poc: U
poc: U
poc: U
poc: U
poc: U
poc: U
poc: U
poc: U
poc:0000000000000008 0000000000000008 C __afl_global_area_ptr
poc:0000000000000650 00000000e8ff00c9 T CatPath
./binutils/nm-new: BFD (GNU Binutils) 2.39.50.20221220 assertion fail ./dwarf2.c:5038
./binutils/nm-new: BFD (GNU Binutils) 2.39.50.20221220 assertion fail ./dwarf2.c:5038
=================================================================
==7488==ERROR: AddressSanitizer: allocator is out of memory trying to allocate 0x5100001e69 bytes
    #0 0x493fed in malloc (/binutils-gdb/binutils/nm-new+0x493fed)
    #1 0x4e3683 in bfd_malloc /binutils-gdb/bfd/libbfd.c:289:9
    #2 0x5f4d44 in _bfd_dwarf2_find_nearest_line_with_alt /binutils-gdb/bfd/./dwarf2.c:5777:9
    #3 0x5f4b7b in _bfd_dwarf2_find_nearest_line /binutils-gdb/bfd/./dwarf2.c:5717:10
    #4 0x4c8224 in print_symbols /binutils-gdb/binutils/nm.c:1403:7
    #5 0x4c8224 in display_rel_file /binutils-gdb/binutils/nm.c:1530:5
    #6 0x4c4b42 in display_file /binutils-gdb/binutils/nm.c:1680:7
    #7 0x4c3f0d in main /binutils-gdb/binutils/nm.c:2197:12
    #8 0x7f36e8907c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310

==7488==HINT: if you don't care about these errors you may set allocator_may_return_null=1
SUMMARY: AddressSanitizer: out-of-memory (/binutils-gdb/binutils/nm-new+0x493fed) in malloc
==7488==ABORTING

#Environment
Ubuntu 18.04
clang 10.0.0
Created attachment 14529 [details] proposed fix
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=8f2c64de86bc3d7556121fe296dd679000283931

commit 8f2c64de86bc3d7556121fe296dd679000283931
Author: Alan Modra <amodra@gmail.com>
Date:   Tue Dec 20 23:47:03 2022 +1030

    PR29922, SHT_NOBITS section avoids section size sanity check

        PR 29922
        * dwarf2.c (find_debug_info): Ignore sections without SEC_HAS_CONTENTS.
Fixed.
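Added illustration of the pattern behind the fix; this is not binutils code and not the poc from attachment 14528. It builds a constructed ELF64 image in memory in which .debug_info is an ordinary PROGBITS section with 16 bytes of content and .debug_abbrev is SHT_NOBITS with a very large sh_size, then sums the .debug_* section sizes the way a reader that allocates one buffer for all debug sections would. The section names, the 0x5100000000 size and the shape of the per-section bound check (sh_offset + sh_size against the file length) are assumptions made for this example. What it shows is the point in the commit title: a section with no file contents can carry any sh_size, the bound check never applies to it because nothing is ever read from the file for it, and the only safe treatment is to leave it out of the total, which is what the SEC_HAS_CONTENTS test in the fix does.

```python
"""Why a SHT_NOBITS section must not feed a size-based buffer allocation.

Constructed ELF image for illustration; not the bug's poc file and not
binutils code.
"""
import struct

SHT_PROGBITS = 1
SHT_STRTAB = 3
SHT_NOBITS = 8

EHDR_FMT = "<16sHHIQQQIHHHHHH"   # ELF64 file header, little-endian, 64 bytes
SHDR_FMT = "<IIQQQQIIQQ"         # ELF64 section header, 64 bytes

# Section name string table and the offsets of each name inside it.
SHSTRTAB = b"\0.shstrtab\0.debug_info\0.debug_abbrev\0"
NAME_SHSTRTAB, NAME_DEBUG_INFO, NAME_DEBUG_ABBREV = 1, 11, 23


def build_elf(abbrev_type=SHT_NOBITS, abbrev_size=0x5100000000, info_size=16):
    """Build a minimal ELF64 relocatable with .shstrtab, .debug_info, .debug_abbrev.

    .debug_info really has 16 bytes in the file (info_size is only what its
    header claims). .debug_abbrev is, by default, NOBITS with a huge sh_size:
    no bytes on disk, yet a size field a naive allocator might trust.
    The 0x5100000000 value is constructed for this example.
    """
    info_bytes = b"\0" * 16
    shstr_off = struct.calcsize(EHDR_FMT)
    info_off = shstr_off + len(SHSTRTAB)
    shoff = info_off + len(info_bytes)
    shdrs = [
        (0, 0, 0, 0, 0, 0, 0, 0, 0, 0),                                       # SHN_UNDEF
        (NAME_SHSTRTAB, SHT_STRTAB, 0, 0, shstr_off, len(SHSTRTAB), 0, 0, 1, 0),
        (NAME_DEBUG_INFO, SHT_PROGBITS, 0, 0, info_off, info_size, 0, 0, 1, 0),
        (NAME_DEBUG_ABBREV, abbrev_type, 0, 0, shoff, abbrev_size, 0, 0, 1, 0),
    ]
    ehdr = struct.pack(EHDR_FMT, b"\x7fELF\x02\x01\x01" + b"\0" * 9,
                       1, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, len(shdrs), 1)
    return ehdr + SHSTRTAB + info_bytes + b"".join(struct.pack(SHDR_FMT, *s) for s in shdrs)


def parse_sections(elf):
    """Return (name, sh_type, sh_offset, sh_size) for every section header."""
    shoff = struct.unpack_from("<Q", elf, 40)[0]
    shentsize, shnum, shstrndx = struct.unpack_from("<HHH", elf, 58)
    raw = [struct.unpack_from(SHDR_FMT, elf, shoff + i * shentsize) for i in range(shnum)]
    str_off, str_size = raw[shstrndx][4], raw[shstrndx][5]
    strtab = elf[str_off:str_off + str_size]
    out = []
    for sh_name, sh_type, _flags, _addr, sh_offset, sh_size, *_ in raw:
        name = strtab[sh_name:].split(b"\0", 1)[0].decode("ascii")
        out.append((name, sh_type, sh_offset, sh_size))
    return out


def debug_buffer_size(elf, skip_nobits=True):
    """Bytes a reader would allocate to hold every .debug_* section.

    The per-section bound check only makes sense for sections that have
    contents in the file. A NOBITS section is never read, so the check
    cannot catch it; with skip_nobits=False its sh_size flows straight
    into the total. With skip_nobits=True (the fix's SEC_HAS_CONTENTS
    idea) it is simply ignored.
    """
    total = 0
    for name, sh_type, sh_offset, sh_size in parse_sections(elf):
        if not name.startswith(".debug_"):
            continue
        has_contents = sh_type != SHT_NOBITS
        if has_contents:
            if sh_offset + sh_size > len(elf):
                raise ValueError(f"{name}: size {sh_size:#x} exceeds file")
        elif skip_nobits:
            continue  # no contents, nothing to read, nothing to allocate
        total += sh_size
    return total


if __name__ == "__main__":
    elf = build_elf()
    print(f"file is {len(elf)} bytes")
    print(f"naive total: {debug_buffer_size(elf, skip_nobits=False):#x}")
    print(f"fixed total: {debug_buffer_size(elf):#x}")
```

Running it prints a 373-byte file whose naive debug total is 0x5100000010 bytes and whose fixed total is 16. Switching the same oversized .debug_abbrev to SHT_PROGBITS makes the bound check reject it, which is the contrast the bug is about: the size check worked, but only for sections that were going to be read.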