Bug 20921

Summary: STRIP crashes when writing stripped file
Product: binutils Reporter: Marcel Böhme <boehme.marcel>
Component: binutilsAssignee: Not yet assigned to anyone <unassigned>
Severity: normal CC: nickc, thuanpv
Priority: P2    
Version: 2.28   
Target Milestone: ---   
Host: Target:
Build: Last reconfirmed:

Description Marcel Böhme 2016-12-03 08:37:38 UTC
Dear all,

The following bug was found with AFLFast, a fork of AFL, in a 24 hour fuzzing session on Binutils. Thanks also to Van-Thuan Pham. We also thank Nick Clifton for addressing our reported bugs so promptly.

Objcopy/Strip crashes with an invalid read of size 4 for the following execution on Ubuntu 16.04 x86_64 in Binutils trunk and for preinstalled version v2.26.1 and on Ubuntu 14.04 x86_64 for Binutils in trunk and preinstalled version v2.24.

$ printf "\x08\x01\x000\x04\x00\x00\x00\x08\x00\x00\x000000\x00\x00\x00\x000000\x00\x00\x00\x00\x15\x00\x00\x00000000000000000000000000000000000" > test
$ ./strip -S test
Segmentation fault

UBSAN says:
../../bfd/aoutx.h:1958:22: runtime error: member access within null pointer of type 'const struct reloc_howto_type'

VALGRIND tells us:
==47599== Invalid read of size 4
==47599==    at 0x6E6A2B: aout_32_swap_std_reloc_out (aoutx.h:1961)
==47599==    by 0x6E6A2B: aout_32_squirt_out_relocs (aoutx.h:2404)
==47599==    by 0x6D27A2: i386linux_write_object_contents (i386linux.c:77)
==47599==    by 0x4F8809: bfd_close (opncls.c:733)
==47599==    by 0x42F4C7: copy_file (objcopy.c:2886)
==47599==    by 0x41670E: strip_main (objcopy.c:3788)
==47599==    by 0x41670E: main (objcopy.c:4888)
==47599==  Address 0x0 is not stack'd, malloc'd or (recently) free'd

Best regards,
- Marcel
Comment 1 cvs-commit@gcc.gnu.org 2016-12-05 14:34:21 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:


commit e2996cc315d6ea242e1a954dc20246485ccc8512
Author: Nick Clifton <nickc@redhat.com>
Date:   Mon Dec 5 14:32:30 2016 +0000

    Fix seg-fault running strip on a corrupt binary.
    	PR binutils/20921
    	* aoutx.h (squirt_out_relocs): Check for and report any relocs
    	that could not be recognised.
Comment 2 Nick Clifton 2016-12-05 14:40:37 UTC
Hi Marcel,

  Thanks for reporting this bug.

  I have checked in a patch to report and ignore any unrecognised relocations
  when copying a binary file.

Comment 3 Thuan Pham 2017-04-13 06:19:48 UTC
This is CVE-2017-7302