Bug 22794

Summary: Unchecked strnlen operation in bfd_get_debug_link_info_1 (./src/bfd/opncls.c)
Product: binutils
Reporter: probefuzzer <probefuzzer>
Component: binutils
Assignee: Not yet assigned to anyone <unassigned>
Severity: normal
CC: jeremip11, nickc
Priority: P2
Version: 2.30
Target Milestone: ---

Description probefuzzer 2018-02-06 08:43:44 UTC
(this issue is discovered when UBSAN is enabled)

On version and master branch of binutils:
there is an unchecked strnlen operation, which could be triggered by the POC below. 

As shown in line 1201, the first parameter ("name") of strnlen could be manipulated by the input file. When "name" is NULL and the second parameter is larger than NULL, the program would fail with a segmentation fault.

   1174 static char *
   1175 bfd_get_debug_link_info_1 (bfd *abfd, void *crc32_out)
   1176 {
   ...
   1199   name = (char *) contents;
   1200   /* PR 17597: avoid reading off the end of the buffer.  */
   1201   crc_offset = strnlen (name, bfd_get_section_size (sect)) + 1;
   1202   crc_offset = (crc_offset + 3) & ~3;
   ...
   1208 }

./src/bfd/opncls.c:1201:16: runtime error: null pointer passed as argument 1, which is declared to never be null

To reproduce the issue, run: ./bin/nm -A -a -l -S -s --special-syms --synthetic --with-symbol-versions -D $POC

POC: https://github.com/ProbeFuzzer/poc/blob/master/binutils/binutils_2-30-51_nm_unchecked_strlen_bfd_get_debug_link_info_1
Comment 1 cvs-commit@gcc.gnu.org 2018-02-06 15:49:49 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:


commit 64e234d417d5685a4aec0edc618114d9991c031b
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Feb 6 15:48:29 2018 +0000

    Prevent attempts to call strncpy with a zero-length field by checking the size of debuglink sections.
    	PR 22794
    	* opncls.c (bfd_get_debug_link_info_1): Check the size of the
    	section before attempting to read it in.
    	(bfd_get_alt_debug_link_info): Likewise.
Comment 2 Nick Clifton 2018-02-06 15:51:37 UTC
Thanks for reporting this bug.

I have applied a small patch to check the size of the debuglink sections before attempting to load their contents.
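The following is an added illustration of the check described in the report and in the fix above; it is not code from binutils. It parses a constructed .gnu_debuglink section the way the report describes (NUL-terminated name, padding to a 4-byte boundary, 4-byte CRC32) and rejects an empty section before calling strnlen, as well as an unterminated name or a CRC that would lie past the end of the section. The byte order of the CRC and all sample bytes are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L   /* for strnlen */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Parsed view of a .gnu_debuglink section (hypothetical type, not BFD's).  */
struct debuglink {
  const char *name;   /* points into the section contents */
  uint32_t crc32;
};

/* Returns 1 on success, 0 on malformed input.  The size check is the
   point of the fix: a zero-size section has no contents, so "name"
   would be NULL and strnlen must not be reached.  */
static int parse_debuglink(const unsigned char *contents, size_t size,
                           struct debuglink *out)
{
  size_t name_len, crc_offset;

  if (contents == NULL || size == 0)   /* empty section: nothing to read */
    return 0;

  /* Bounded scan as in the PR 17597 code, now safe because contents != NULL.  */
  name_len = strnlen((const char *)contents, size);
  if (name_len == size)                /* no NUL terminator inside the section */
    return 0;

  /* Name + NUL, padded to a 4-byte boundary, then the 4-byte CRC.  */
  crc_offset = (name_len + 1 + 3) & ~(size_t)3;
  if (crc_offset > size || size - crc_offset < 4)   /* CRC would run off the end */
    return 0;

  out->name = (const char *)contents;
  /* Assumption for this example: CRC stored little-endian.  */
  out->crc32 = (uint32_t)contents[crc_offset]
             | (uint32_t)contents[crc_offset + 1] << 8
             | (uint32_t)contents[crc_offset + 2] << 16
             | (uint32_t)contents[crc_offset + 3] << 24;
  return 1;
}

/* Constructed sample section: "foo.debug", NUL, 2 padding bytes, CRC 0x12345678.  */
static const unsigned char sample_ok[16] = {
  'f','o','o','.','d','e','b','u','g', 0, 0, 0, 0x78, 0x56, 0x34, 0x12 };

static uint32_t demo_crc_of_sample(void)
{ struct debuglink d; return parse_debuglink(sample_ok, sizeof sample_ok, &d) ? d.crc32 : 0; }
static int demo_rejects_empty(void)
{ struct debuglink d; return parse_debuglink(NULL, 0, &d) == 0 && parse_debuglink(sample_ok, 0, &d) == 0; }
static int demo_rejects_unterminated(void)
{ struct debuglink d; return parse_debuglink(sample_ok, 9, &d) == 0; }   /* cut before the NUL */
static int demo_rejects_short_crc(void)
{ struct debuglink d; return parse_debuglink(sample_ok, 14, &d) == 0; }  /* only 2 CRC bytes */
```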