Bug 23765

Summary: Malformed ELF header causes Out of Bounds read
Product: binutils Reporter: Dusan Repel <dusan.repel.2013>
Component: goldAssignee: Cary Coutant <ccoutant>
Status: RESOLVED FIXED    
Severity: normal CC: ccoutant, ian, iant, lokeshjanghel91, nickc, pgowda.cve, rwmacleod
Priority: P2    
Version: 2.31   
Target Milestone: ---   
Host: Target:
Build: Last reconfirmed: 2019-08-06 00:00:00
Attachments: 64-byte ELF header

Description Dusan Repel 2018-10-12 14:06:14 UTC 
Created attachment 11320 [details]
64-byte ELF header

An improper validation of the e_shoff ELF header field causes an out-of-bounds read when calculating a view offset into a mapped input file.

Occurs in gold v1.11-v1.16 (Binutils v2.21-v2.31).

Tested on 64-bit Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.

Reproduce with "./gold testcase.o".
Comment 1 Nick Clifton 2019-08-06 13:17:57 UTC 
I have proposed a patch here:

https://www.sourceware.org/ml/binutils/2019-08/msg00022.html
Comment 2 Lokesh Janghel 2020-02-21 08:22:18 UTC 
Hi Nick,
The proposed patch from your side seems to be ok.
I have verified for the error generated without segmentation fault on the latest trunk sources.

Please let me know is it ok to go with this.
Comment 3 Lokesh Janghel 2020-02-21 08:23:50 UTC 
Hi Nick,
The proposed patch from your side seems to be ok.
I have verified for the error generated without segmentation fault on the latest trunk sources.

Please let me know is it ok to go with this.
Comment 4 Nick Clifton 2020-02-21 11:02:55 UTC 
(In reply to Lokesh Janghel from comment #3)

> Please let me know is it ok to go with this.

Sorry - I am not a maintainer for gold.  You will need to ping Ian  <iant@google.com> and/or Cary  <ccoutant@gmail.com>.

Cheers
  Nick
Comment 5 Randy Macleod 2021-02-22 22:58:56 UTC 
The simple patch that calls gold_fatal() on:
   if (((ssize_t) start) < 0)
has been on the list since Feb 2020. Not a big deal but distro maintainers like moi would like to close CVEs without carrying local commits where possible...
Comment 6 pgowda 2022-04-18 11:02:07 UTC 
Hi @Ian @Cary,

Can you please let us know whether this patch will be committed?

Thanks,
Pgowda
Comment 7 Ian Lance Taylor 2022-04-18 19:45:27 UTC 
The patch in comment #1 is fine.  Nick, go ahead and commit.  Thanks.
Comment 8 pgowda 2022-06-27 09:47:07 UTC 
Hi @Nick

Can you please commit the patch as its approved.
It would help us pick the committed sources.

Thanks,
Pgowda
Comment 9 Sourceware Commits 2022-06-27 12:08:11 UTC 
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=2a4fc266dbf77ed7ab83da16468e9ba627b8bc2d

commit 2a4fc266dbf77ed7ab83da16468e9ba627b8bc2d
Author: Nick Clifton <nickc@redhat.com>
Date:   Mon Jun 27 13:07:40 2022 +0100

    Have gold's File_read::do_read() function check the start parameter
    
            PR 23765
            * fileread.cc (File_read::do_read): Check start parameter before
            computing number of bytes to read.
Comment 10 Nick Clifton 2022-06-27 12:08:41 UTC 
Patch applied.
Comment 11 Nick Clifton 2022-06-27 12:09:56 UTC 
Hi Pgowda,

> https://sourceware.org/bugzilla/show_bug.cgi?id=23765

> Can you please commit the patch as its approved.
> It would help us pick the committed sources.

Done.

Sorry about that - I missed Ian's approval of the patch and just,
well, forgot about it!  Doh.

Cheers
   Nick
Comment 12 pgowda 2022-06-27 13:59:41 UTC 
@Nick

Thanks very much for committing the patch.

Pgowda