Bug 23056

Summary: Multiple memory corruption in gprof (binutils-2.30-15ubuntu1)
Product: binutils
Reporter: Sergej Schumilo <sergej>
Component: gprof
Assignee: Not yet assigned to anyone <unassigned>
Severity: normal
CC: nickc
Priority: P2
Version: 2.30
Target Milestone: ---
Host:
Target:
Build:
Last reconfirmed: 2018-04-18 00:00:00
Attachments:
  gprof ASAN executable, ASAN reports and crashing inputs
  Proposed patch

Description Sergej Schumilo 2018-04-13 13:23:17 UTC
Created attachment 10944 [details]
gprof ASAN executable, ASAN reports and crashing inputs

Dear all,
after reporting the following bugs to the Ubuntu security team (https://bugs.launchpad.net/ubuntu/+source/binutils/+bug/1763098), we were asked to report them directly to the binutils developers:


Dear all,
The following binutils gprof memory corruptions were found by a modified version of the kAFL fuzzer (https://github.com/RUB-SysSec/kAFL). I have attached the crashing inputs and each ASAN report.

Steps to reproduce:

Build current version of binutils:
pull-lp-source binutils
cd binutils-2.30
CC=clang CXX=clang++ CFLAGS="-fsanitize=address -fsanitize-recover=address -ggdb" CXXFLAGS="-fsanitize=address -fsanitize-recover=address -ggdb" LDFLAGS="-fsanitize=address" ./configure
CC=clang CXX=clang++ CFLAGS="-fsanitize=address -fsanitize-recover=address -ggdb" CXXFLAGS="-fsanitize=address -fsanitize-recover=address -ggdb" LDFLAGS="-fsanitize=address" make

Run inputs under ASAN:

ASAN_OPTIONS=halt_on_error=false:allow_addr2line=true ./gprof $file

We can verify those issues for gprof binutils-2.30-15ubuntu1 (Ubuntu 16.04.4 LTS / sources from "pull-lp-source binutils").

Credits: Sergej Schumilo, Cornelius Aschermann (both of Ruhr-Universität Bochum)

Best regards,
Sergej Schumilo
Comment 1 Nick Clifton 2018-04-18 11:34:40 UTC
Hi Sergej,

  Thanks for reporting these bugs.  Unfortunately I cannot reproduce them.
  Are you sure that the command line is correct ?  When I run "gprof $file"
  I just get an error message: "not in executable format".   I suspect that
  this is because I am running the tests on a 64-bit x86_64 host...  Are you
  able to reproduce the failures in a 64-bit environment ?

  Also gprof normally needs a gmon.out file to go along with the executable,
  and this file is missing from the zip file you uploaded.

  I suspect that the "global-buffer-overflow" failure has already been
  addressed by the fix for PR 23055.  However the "heap-buffer-overflow"
  bug is in the gprof sources, and presumably still exists.

Comment 2 Sergej Schumilo 2018-04-18 15:02:23 UTC
Hi Nick,
yes, we can reproduce both ASAN reports on a 64-bit Linux environment (Ubuntu 16.04.2 LTS) using the attached 64-bit ASAN executable with only one command line argument (global-buffer-overflow or heap-overflow-0x0000004fae16). To reproduce our findings, you don't need an additional file or to pass an additional command line argument to gprof. The ASAN executable of gprof is based on the source files of binutils-2.30-15ubuntu1.

Comment 3 Nick Clifton 2018-04-20 10:06:56 UTC
Created attachment 10967 [details]
Proposed patch

Hi Sergej,

  Well unfortunately I am still unable to reproduce the failures.  So we will
  have to resort to the slow method...

  Please could you try out the uploaded patch which *might* fix the heap 
  overflow bug.  Thanks.

Comment 4 Sergej Schumilo 2018-04-23 11:36:09 UTC
Hi Nick, 

it seems that your patch has fixed the heap overflow bug (or at least the POC file does not reproduce the ASAN report anymore).
I can also confirm that the patch for PR 23055 fixed the global buffer overflow.

Comment 5 cvs-commit@gcc.gnu.org 2018-04-23 11:54:10 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:


commit bf82069dce1b1a88560e5d7320342c78372b627e
Author: Nick Clifton <nickc@redhat.com>
Date:   Mon Apr 23 12:52:42 2018 +0100

    Prevent an illegal memory access in gprof by ensuring that string tables for aout format files are always zero-terminated.
    	PR 23056
    	* aoutx.h (aout_get_external_symbols): Allocate an extra byte at
    	the end of the string table, and zero it.
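As an added illustration (not code from binutils or from this thread) of the defect the PR 23056 commit fixes: a small model of an a.out string-table loader that allocates the extra byte and zeroes it, plus the offset bounds check, so that a name running to the very end of the table can no longer be read past the allocation. The struct, the function names and the little-endian size word are assumptions of this example, not bfd's API.

```c
/* Added example, not binutils code: a model of loading an a.out string table
 * as the PR 23056 fix does (allocate size + 1, zero the last byte). Names and
 * the little-endian size word are assumptions of this example, not bfd's API. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct strtab {
    char  *data;  /* stringsize bytes of table plus one zeroed sentinel byte */
    size_t size;  /* stringsize as recorded in the table's first word */
};

/* The first 4-byte word of an a.out string table is the size of the whole
 * table, that word included. Returns 0 on success, -1 if the size word is
 * smaller than itself or larger than the data actually present. */
int strtab_load(struct strtab *t, const uint8_t *raw, size_t raw_len)
{
    if (raw_len < 4) return -1;
    uint32_t stringsize = (uint32_t)raw[0] | ((uint32_t)raw[1] << 8)
                        | ((uint32_t)raw[2] << 16) | ((uint32_t)raw[3] << 24);
    if (stringsize < 4 || stringsize > raw_len) return -1;
    t->data = malloc((size_t)stringsize + 1);  /* +1: the extra byte from the fix */
    if (t->data == NULL) return -1;
    memcpy(t->data, raw, stringsize);
    t->data[stringsize] = '\0';  /* a name reaching the end of the table stops here */
    t->size = stringsize;
    return 0;
}

/* Resolve a symbol's string offset (n_strx); out-of-table offsets are
 * rejected instead of dereferenced. */
const char *strtab_get(const struct strtab *t, uint32_t strx)
{
    return strx < t->size ? t->data + strx : NULL;
}

/* Constructed sample: a 12-byte table = size word, "main\0", then "foo" with
 * no terminator. Without the sentinel, strlen() on that last name would read
 * past the allocation, the heap-buffer-overflow pattern reported above. */
size_t demo_unterminated_last_name(void)
{
    const uint8_t raw[] = { 12, 0, 0, 0, 'm', 'a', 'i', 'n', 0, 'f', 'o', 'o' };
    struct strtab t;
    if (strtab_load(&t, raw, sizeof raw) != 0) return (size_t)-1;
    const char *name = strtab_get(&t, 9);
    size_t len = name ? strlen(name) : (size_t)-1;  /* 3, bounded by the sentinel */
    free(t.data);
    return len;
}
```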
Comment 6 Nick Clifton 2018-04-23 11:55:00 UTC
Patch applied.
Comment 7 cvs-commit@gcc.gnu.org 2020-06-04 00:44:14 UTC
The master branch has been updated by Stephen Casner <slcasner@sourceware.org>:


commit 31af1e68af26f5cae209de3530d0455b8a944b2d
Author: Stephen Casner <casner@acm.org>
Date:   Wed Jun 3 17:43:45 2020 -0700

    Copy several years of fixes from bfd/aoutx.h to bfd/pdp11.c.
    * pdp11.c (some_aout_object_p): 4c1534c7a2a - Don't set EXEC_P for
    files with relocs.
    (aout_get_external_symbols): 6b8f0fd579d - Return if count is zero.
    0301ce1486b PR 22306 - Handle stringsize of zero, and error for any
    other size that doesn't cover the header word.
    bf82069dce1 PR 23056 - Allocate an extra byte at the end of the
    string table, and zero it.
    (translate_symbol_table): 0d329c0a83a PR 22887 - Print an error
    message and set bfd_error on finding an invalid name string offset.
    (add_to_stringtab): INLINE -> inline
    (pdp11_aout_swap_reloc_in): 116acb2c268 PR 22887 - Correct r_index
    bound check.
    (squirt_out_relocs): e2996cc315d PR 20921 - Check for and report
    any relocs that could not be recognised.
    92744f05809 PR 20929 - Check for relocs without an associated symbol.
    (find_nearest_line):  808346fcfcf PR 23055 - Check that the symbol
    name exists and is long enough, before attempting to see if it is
    for a .o file.
    c3864421222 - Correct case for N_SO being the last symbol.
    50455f1ab29 PR 20891 - Handle the case where the main file name
    and the directory name are both empty.
    e82ab856bb4 PR 20892 - Handle the case where function name is empty.
    (aout_link_add_symbols): e517df3dbf7 PR 19629 - Check for out of
    range string table offsets.
    531336e3a0b PR 20909 - Fix off-by-one error in check for an
    illegal string offset.
    (aout_link_includes_newfunc): Add comment.
    (pdp11_aout_link_input_section): ad756e3f9e6 - Return with an error
    on unexpected relocation type rather than ASSERT.