Bug 21431

Summary: objcopy segfault - null pointer dereferencing
Product: binutils
Reporter: Manh-Dung Nguyen <dungnguy>
Component: binutils
Assignee: Not yet assigned to anyone <unassigned>
Status: RESOLVED FIXED
Severity: normal
CC: boehme.marcel, nickc
Priority: P2
Version: 2.28
Target Milestone: ---
Host:
Target:
Build:
Last reconfirmed:
Attachments:
  - Crashing input
  - Another crashing input

Description Manh-Dung Nguyen 2017-04-26 10:45:58 UTC
Created attachment 10016 [details]
Crashing input

Dear All,

This bug was found with AFLGo, a directed version of AFL/AFLFast. Thanks also to Marcel Böhme and Van-Thuan Pham.

This bug was found on Ubuntu 14.04 64-bit & binutils was checked out from main repository at git://sourceware.org/git/binutils-gdb.git. Its commit is a49abe0bb18e04d3a4b692995fcfae70cd470775 (Tue Apr 25 00:00:36 2017).

binutils was built with ASAN using gcc-6.2 and clang-3.4. The configure command was:

CC=clang CFLAGS="-DFORTIFY_SOURCE=2 -fstack-protector-all -fsanitize=undefined,address -fno-omit-frame-pointer -g -Wno-error" ../configure --disable-shared --disable-gdb --disable-libdecnumber --disable-readline --disable-sim

To reproduce:
Download the attached file - bug_2
objcopy --compress-debug-section bug_2

ASAN says:
==51590==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f7ff19be7db bp 0x000000000bba sp 0x7ffec363a3d8 T0)
    #0 0x7f7ff19be7da  /build/eglibc-MjiXCM/eglibc-2.19/string/../sysdeps/x86_64/multiarch/../memcpy.S:270
    #1 0x7f7ff19a6322 in __GI__IO_file_xsgetn /build/eglibc-MjiXCM/eglibc-2.19/libio/fileops.c:1387
    #2 0x7f7ff199b86e in fread /build/eglibc-MjiXCM/eglibc-2.19/libio/iofread.c:42
    #3 0x100e98d in cache_bread_1 /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/cache.c:337:11
    #4 0x100d2ed in cache_bread /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/cache.c:371:21
    #5 0x6b92df in bfd_bread /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/bfdio.c:196:13
    #6 0x6e0c2b in _bfd_generic_get_section_contents /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/libbfd.c:813:10
    #7 0x6f998a in bfd_get_section_contents /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/section.c:1619:10
    #8 0x6c7a3c in bfd_init_section_compress_status /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/compress.c:561:8
    #9 0x868dba in _bfd_elf_make_section_from_shdr /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/elf.c:1164:9
    #10 0x88f6cb in bfd_section_from_shdr /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/elf.c:2013:13
    #11 0x827b18 in bfd_elf64_object_p /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/elfcode.h:805:7
    #12 0x6ca22f in bfd_check_format_matches /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/format.c:253:20
    #13 0x6c9148 in bfd_check_format /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/format.c:94:10
    #14 0x6799c4 in bfd_generic_archive_p /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/archive.c:887:8
    #15 0x6caccc in bfd_check_format_matches /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/format.c:311:14
    #16 0x6c9148 in bfd_check_format /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/format.c:94:10
    #17 0x4fdba1 in copy_file /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/../../binutils/objcopy.c:3286:7
    #18 0x4fb9e9 in copy_main /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/../../binutils/objcopy.c:5266:3
    #19 0x4f4064 in main /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/../../binutils/objcopy.c:5367:5
    #20 0x7f7ff194ef44 in __libc_start_main /build/eglibc-MjiXCM/eglibc-2.19/csu/libc-start.c:287
    #21 0x41b635 in _start (/home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/objcopy+0x41b635)

SUMMARY: AddressSanitizer: SEGV /build/eglibc-MjiXCM/eglibc-2.19/string/../sysdeps/x86_64/multiarch/../memcpy.S:270

VALGRIND says:
==151260== Invalid write of size 8
==151260==    at 0x4C2FD73: __GI_memcpy (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==151260==    by 0x50B4322: _IO_file_xsgetn (fileops.c:1387)
==151260==    by 0x50A986E: fread (iofread.c:42)
==151260==    by 0x4AF987: fread (stdio2.h:295)
==151260==    by 0x4AF987: cache_bread_1 (cache.c:337)
==151260==    by 0x4AF987: cache_bread (cache.c:371)
==151260==    by 0x42C001: bfd_bread (bfdio.c:196)
==151260==    by 0x42EC8B: _bfd_generic_get_section_contents (libbfd.c:813)
==151260==    by 0x42CF1B: bfd_init_section_compress_status (compress.c:561)
==151260==    by 0x448E2D: _bfd_elf_make_section_from_shdr (elf.c:1164)
==151260==    by 0x4475B7: bfd_section_from_shdr (elf.c:2509)
==151260==    by 0x443443: bfd_elf64_object_p (elfcode.h:805)
==151260==    by 0x42D77C: bfd_check_format_matches (format.c:253)
==151260==    by 0x4274FA: bfd_generic_archive_p (archive.c:887)
==151260==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==151260== 
==151260== 
==151260== Process terminating with default action of signal 11 (SIGSEGV)
==151260==  Access not within mapped region at address 0x0
==151260==    at 0x4C2FD73: __GI_memcpy (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==151260==    by 0x50B4322: _IO_file_xsgetn (fileops.c:1387)
==151260==    by 0x50A986E: fread (iofread.c:42)
==151260==    by 0x4AF987: fread (stdio2.h:295)
==151260==    by 0x4AF987: cache_bread_1 (cache.c:337)
==151260==    by 0x4AF987: cache_bread (cache.c:371)
==151260==    by 0x42C001: bfd_bread (bfdio.c:196)
==151260==    by 0x42EC8B: _bfd_generic_get_section_contents (libbfd.c:813)
==151260==    by 0x42CF1B: bfd_init_section_compress_status (compress.c:561)
==151260==    by 0x448E2D: _bfd_elf_make_section_from_shdr (elf.c:1164)
==151260==    by 0x4475B7: bfd_section_from_shdr (elf.c:2509)
==151260==    by 0x443443: bfd_elf64_object_p (elfcode.h:805)
==151260==    by 0x42D77C: bfd_check_format_matches (format.c:253)
==151260==    by 0x4274FA: bfd_generic_archive_p (archive.c:887)
Comment 1 Manh-Dung Nguyen 2017-04-26 10:47:01 UTC
Created attachment 10017 [details]
Another crashing input
Comment 2 Sourceware Commits 2017-04-26 12:09:00 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e63d123268f23a4cbc45ee55fb6dbc7d84729da3

commit e63d123268f23a4cbc45ee55fb6dbc7d84729da3
Author: Nick Clifton <nickc@redhat.com>
Date:   Wed Apr 26 13:07:49 2017 +0100

    Fix seg-fault attempting to compress a debug section in a corrupt binary.
    
    	PR binutils/21431
    	* compress.c (bfd_init_section_compress_status): Check the return
    	value from bfd_malloc.
Comment 3 Nick Clifton 2017-04-26 13:18:35 UTC
Hi Manh-Dung,

  Thanks for reporting this problem.  I have checked in a small patch to fix the bug.  It was a simple matter of not checking the return from a call to malloc() to see if memory had actually been allocated.

Cheers
  Nick
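The failure mode Nick describes above, as an added example (not BFD's or binutils' code, and not the actual patch): a section size taken from an untrusted header is passed to an allocator, and the read into the resulting buffer proceeds whether or not the allocation succeeded. When the allocator returns NULL, `fread()` copies into address 0, which is the `memcpy` SEGV in the traces above. The `force_alloc_failure` hook, `section_alloc`, `read_section_unchecked`, `read_section_checked` and `make_sample_file` are all constructed for this example; the hook exists only so a test can trigger the allocation-failure path deterministically.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Constructed hook: lets a test force an allocation failure without
   depending on how much memory the machine has. Not a BFD API. */
int force_alloc_failure = 0;

static void *section_alloc(size_t n)
{
    if (force_alloc_failure)
        return NULL;
    return malloc(n);
}

/* Shape of the bug (hypothetical code, shown for contrast and never called
   by the test): the allocation result is not checked, so when the untrusted
   size makes the allocator give up, fread() writes through a NULL pointer.
   Returns 1 on success, 0 on a short read. */
int read_section_unchecked(FILE *f, uint64_t size, unsigned char **out)
{
    unsigned char *buf = section_alloc((size_t) size);
    if (fread(buf, 1, (size_t) size, f) != size) {   /* SEGV when buf == NULL */
        free(buf);
        return 0;
    }
    *out = buf;
    return 1;
}

/* Hardened form: refuse a size larger than the bytes remaining in the file
   before allocating anything, then check the allocation before using it.
   Returns 1 on success (caller frees *out), 0 on any failure. */
int read_section_checked(FILE *f, uint64_t size, unsigned char **out)
{
    long pos = ftell(f);
    if (pos < 0 || fseek(f, 0, SEEK_END) != 0)
        return 0;
    long end = ftell(f);
    if (end < 0 || fseek(f, pos, SEEK_SET) != 0)
        return 0;
    /* A corrupt header cannot describe more bytes than the file holds. */
    if (size > (uint64_t) (end - pos))
        return 0;
    unsigned char *buf = section_alloc((size_t) size);
    if (buf == NULL)
        return 0;                      /* the check the original code lacked */
    if (fread(buf, 1, (size_t) size, f) != size) {
        free(buf);
        return 0;
    }
    *out = buf;
    return 1;
}

/* Constructed stand-in for an object file: eight bytes in a temporary file,
   positioned at offset 0. */
FILE *make_sample_file(void)
{
    static const unsigned char payload[] = { 'Z', 'L', 'I', 'B', 0x00, 0x01, 0x02, 0x03 };
    FILE *f = tmpfile();
    if (f == NULL)
        return NULL;
    fwrite(payload, 1, sizeof payload, f);
    rewind(f);
    return f;
}
```

The size-versus-file-length check is a second, independent guard: it stops the oversized request before the allocator is asked at all, so the NULL check only has to cover genuine memory exhaustion. Both are cheap, and together they turn a crash in a library parsing attacker-supplied input into a clean error return.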
Comment 4 Manh-Dung Nguyen 2017-05-02 01:38:51 UTC
Thanks Nick. This is CVE-2017-8395.