Bug 21139

Summary: readelf crashes - corrupted double-linked list because of use after free
Product: binutils
Reporter: Thuan Pham <thuanpv>
Component: binutils
Assignee: Not yet assigned to anyone <unassigned>
Severity: normal
CC: nickc
Priority: P2
Version: 2.29
Target Milestone: ---
Host:
Target:
Build:
Last reconfirmed:
Attachments: Crashing input

Description Thuan Pham 2017-02-13 09:27:41 UTC
Created attachment 9806: Crashing input

Dear all,

This bug was found with AFLGo, a directed version of AFL/AFLFast. Thanks also to Marcel Böhme. 

This bug was found on Ubuntu 14.04 64-bit, and binutils was checked out from the main repository at git://sourceware.org/git/binutils-gdb.git. Its commit is 53f7e8ea7fad1fcff1b58f4cbd74e192e0bcbc1d (Fri Feb 10 00:00:16 2017).

binutils was built with ASAN using gcc-6.2 and clang-3.4. The configure command was:

CC=clang CFLAGS="-DFORTIFY_SOURCE=2 -fstack-protector-all -fsanitize=undefined,address -fno-omit-frame-pointer -g -Wno-error" ../configure --disable-shared --disable-gdb --disable-libdecnumber --disable-readline --disable-sim

To reproduce:
Download the attached file - bug_5
readelf -w bug_5
ASAN says:
==20954==ERROR: AddressSanitizer: heap-use-after-free on address 0x61700000fe00 at pc 0x54aa2e bp 0x7ffe965bcb50 sp 0x7ffe965bcb48
READ of size 8 at 0x61700000fe00 thread T0
    #0 0x54aa2d in target_specific_reloc_handling /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:11637
    #1 0x52e6dc in apply_relocations /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:12343
    #2 0x4846b5 in load_specific_debug_section /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:12905
    #3 0x564b4c in display_debug_section /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:13009
    #4 0x4e194f in process_section_contents /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:13091
    #5 0x48d610 in process_object /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:16780
    #6 0x488365 in process_file /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:17154
    #7 0x4855c3 in main /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:17225
    #8 0x7f019152bf44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #9 0x47ddfc in _start (/home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/readelf+0x47ddfc)
Comment 1 cvs-commit@gcc.gnu.org 2017-02-13 14:04:57 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:


commit f84ce13b6708801ca1d6289b7c4003e2f5a6d7f9
Author: Nick Clifton <nickc@redhat.com>
Date:   Mon Feb 13 14:03:22 2017 +0000

    Fix read-after-free error in readelf when processing multiple, relocated sections in an MSP430 binary.
    	PR binutils/21139
    	* readelf.c (target_specific_reloc_handling): Add num_syms
    	parameter.  Check for symbol table overflow before accessing
    	symbol value.  If reloc pointer is NULL, discard all saved state.
    	(apply_relocations): Pass num_syms to target_specific_reloc_handling.
    	Call target_specific_reloc_handling with a NULL reloc pointer
    	after processing all of the relocs.
Comment 2 Nick Clifton 2017-02-13 14:07:17 UTC
Hi Thuan,

  Thanks for reporting this bug.  I have checked in a patch to fix it.

  There were two problems here.  The first was that the target specific
  relocation processing code in readelf was not checking for an invalid
  symbol index in the relocation.  The second was that the code was 
  maintaining state across multiple invocations, resulting in the use of
  a stale pointer.

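The two defects Nick describes (an unchecked symbol index, and per-call state that outlives the symbol table it refers to) are a general pattern worth seeing in isolation. The following C program is an added illustration written for this page, not the readelf code or the patch in commit f84ce13b; the types `Sym` and `Reloc`, the function names `handle_reloc` and `apply_section`, and the "first half / second half" paired-relocation model are simplified, hypothetical stand-ins. It shows the hardened shape of the fix: validate `sym_index` against `num_syms` before indexing, keep a copy of the saved value rather than a pointer into the caller's table, and treat a NULL reloc as the signal to discard all saved state at the end of each section.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified, hypothetical types for the illustration (not readelf's own). */
typedef struct { uint64_t value; } Sym;                          /* symbol table entry */
typedef struct { uint64_t sym_index; int is_first_half; } Reloc; /* one relocation     */

enum { RELOC_OK = 0, RELOC_BAD_SYMINDEX = 1, RELOC_NO_SAVED_STATE = 2 };

/* State that persists across calls: a paired relocation remembers the symbol
   seen by its first half.  A copy of the value is kept rather than a pointer
   into the caller's table, so nothing here can dangle once that table is
   freed. */
static int saved_valid = 0;
static uint64_t saved_value = 0;

/* Process one relocation against a symbol table of num_syms entries.
   Passing r == NULL means "done with this section": all saved state is
   discarded, so a later section can never consume it.
   On success for a second-half reloc, *out receives the computed difference. */
int handle_reloc(const Reloc *r, const Sym *syms, size_t num_syms, uint64_t *out)
{
    if (r == NULL) {                 /* end-of-section reset */
        saved_valid = 0;
        saved_value = 0;
        return RELOC_OK;
    }
    if (r->sym_index >= num_syms)    /* symbol table overflow check comes first */
        return RELOC_BAD_SYMINDEX;

    if (r->is_first_half) {          /* remember the symbol for the pair's second half */
        saved_value = syms[r->sym_index].value;
        saved_valid = 1;
        return RELOC_OK;
    }
    if (!saved_valid)                /* second half with no matching first half */
        return RELOC_NO_SAVED_STATE;

    *out = syms[r->sym_index].value - saved_value;
    saved_valid = 0;                 /* the pair has been consumed */
    return RELOC_OK;
}

/* Apply every relocation of one section, then reset state the way the fix
   describes.  Returns the number of relocations accepted. */
size_t apply_section(const Reloc *relocs, size_t n, const Sym *syms, size_t num_syms)
{
    size_t applied = 0;
    uint64_t diff = 0;
    for (size_t i = 0; i < n; i++) {
        if (handle_reloc(&relocs[i], syms, num_syms, &diff) == RELOC_OK)
            applied++;
    }
    handle_reloc(NULL, syms, num_syms, NULL); /* discard saved state */
    return applied;
}

/* Constructed sample data for the self-checks below. */
static const Sym SAMPLE_SYMS[2] = { { 100 }, { 140 } };

/* A well-formed pair yields the symbol difference 140 - 100 = 40. */
uint64_t demo_paired_diff(void)
{
    Reloc pair[2] = { { 0, 1 }, { 1, 0 } };
    uint64_t diff = 0;
    handle_reloc(NULL, SAMPLE_SYMS, 2, NULL);
    handle_reloc(&pair[0], SAMPLE_SYMS, 2, &diff);
    handle_reloc(&pair[1], SAMPLE_SYMS, 2, &diff);
    return diff;
}

/* An out-of-range symbol index is rejected before the table is read. */
int demo_bad_index(void)
{
    Reloc bad = { 5, 1 };
    uint64_t diff = 0;
    handle_reloc(NULL, SAMPLE_SYMS, 2, NULL);
    return handle_reloc(&bad, SAMPLE_SYMS, 2, &diff);
}

/* A first half left over from one section must not feed a second half in the
   next section: apply_section's trailing reset makes the orphan fail cleanly. */
int demo_stale_state_rejected(void)
{
    Reloc first_only[1] = { { 0, 1 } };
    Reloc second_only = { 1, 0 };
    uint64_t diff = 0;
    apply_section(first_only, 1, SAMPLE_SYMS, 2);       /* ends with the reset */
    return handle_reloc(&second_only, SAMPLE_SYMS, 2, &diff);
}

int main(void)
{
    printf("paired diff: %llu\n", (unsigned long long)demo_paired_diff());
    printf("bad index -> %d, stale state -> %d\n", demo_bad_index(), demo_stale_state_rejected());
    return 0;
}
```

The order of checks matters: the bounds test runs before any read of `syms`, and the reset runs unconditionally after the section's loop, so a malformed section that ends mid-pair cannot leave a value behind for the next one. Storing a value instead of a pointer is the part that removes the use-after-free class entirely, since there is no longer anything to dangle when the previous section's symbol table is released.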
Comment 3 Nick Clifton 2017-02-13 14:08:25 UTC
*** Bug 21142 has been marked as a duplicate of this bug. ***
Comment 4 Nick Clifton 2017-02-13 14:09:10 UTC
*** Bug 21143 has been marked as a duplicate of this bug. ***
Comment 5 Nick Clifton 2017-02-13 14:10:12 UTC
*** Bug 21144 has been marked as a duplicate of this bug. ***
Comment 6 Nick Clifton 2017-02-13 14:11:07 UTC
*** Bug 21145 has been marked as a duplicate of this bug. ***
Comment 7 Nick Clifton 2017-02-13 16:54:16 UTC
*** Bug 21136 has been marked as a duplicate of this bug. ***
Comment 8 Thuan Pham 2017-04-13 06:06:31 UTC
This is CVE-2017-6966