Bug 23805

Summary: NULL Pointer Dereference exists in the function elf_link_input_bfd
Product: binutils
Reporter: wcventure <wcventure>
Component: ld
Assignee: Alan Modra <amodra>
Severity: normal
Priority: P2
Version: 2.31
Target Milestone: 2.32
Host:
Target:
Build:
Last reconfirmed: 2018-10-23 00:00:00
Attachments: POC

Description wcventure 2018-10-21 10:52:20 UTC
Created attachment 11357

Hi, there.

An invalid memory address dereference problem was discovered in the function elf_link_input_bfd in merge.c in bfd of binutils 2.31, the latest code base. A crafted ELF input can cause segmentation faults, and I have confirmed them with AddressSanitizer too.

Please use "./ld -E $POC" to reproduce the bug.

ASAN dumps the stack trace as follows:

> =================================================================
> ==23971==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000028 (pc 0x000000bdbbe8 bp 0x7fffab7d10f0 sp 0x7fffab7cede0 T0)
>     #0 0xbdbbe7 in elf_link_input_bfd /media/hjwang/01D3344861A8D2E0/wcventure/Project/binutils_ASAN_O0/bfd/elflink.c:10492:65
>     #1 0xbbec24 in bfd_elf_final_link /media/hjwang/01D3344861A8D2E0/wcventure/Project/binutils_ASAN_O0/bfd/elflink.c:12158:11
>     #2 0x60b09d in ldwrite /media/hjwang/01D3344861A8D2E0/wcventure/Project/binutils_ASAN_O0/ld/ldwrite.c:581:8
>     #3 0x5fdaf9 in main /media/hjwang/01D3344861A8D2E0/wcventure/Project/binutils_ASAN_O0/ld/./ldmain.c:454:3
>     #4 0x7f0026f3982f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
>     #5 0x419638 in _start (/media/hjwang/01D3344861A8D2E0/wcventure/Project/binutils_latest_ASAN_O0/build/bin/ld+0x419638)
> AddressSanitizer can not provide additional info.
> SUMMARY: AddressSanitizer: SEGV /media/hjwang/01D3344861A8D2E0/wcventure/Project/binutils_ASAN_O0/bfd/elflink.c:10492:65 in elf_link_input_bfd
> ==23971==ABORTING
> Aborted
Comment 1 Sourceware Commits 2018-10-23 10:40:25 UTC
The master branch has been updated by Alan Modra <amodra@sourceware.org>:


commit 102def4da826b3d9e169741421e5e67e8731909a
Author: Alan Modra <amodra@gmail.com>
Date:   Tue Oct 23 18:30:22 2018 +1030

    PR23805, NULL pointer dereference in elf_link_input_bfd
    	PR 23805
    	* elflink.c (elf_link_input_bfd): Don't segfault on finding
    	STT_TLS symbols without any TLS sections.  Instead, change the
    	symbol type to STT_NOTYPE.
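
The input shape the fix describes (STT_TLS symbols in an object that has no TLS section at all) can be checked on an object file before it is handed to ld. The following is an added example, not part of this bug report or of binutils: it assumes a little-endian ELF64 image, approximates "without any TLS sections" as "no section header with SHF_TLS set", and constructs its own minimal sample objects inline.

```python
import struct

# ELF64 constants from the ELF specification.
SHT_PROGBITS, SHT_SYMTAB, SHT_STRTAB = 1, 2, 3
SHF_TLS, STT_NOTYPE, STT_TLS = 0x400, 0, 6
SYM_SIZE = 24  # sizeof(Elf64_Sym)

def section_headers(data):
    """Return (sh_type, sh_flags, sh_offset, sh_size, sh_link) for every section of an LE ELF64 image."""
    e_shoff, = struct.unpack_from('<Q', data, 0x28)
    e_shentsize, e_shnum = struct.unpack_from('<HH', data, 0x3A)
    out = []
    for i in range(e_shnum):
        _, typ, flags, _, off, size, link = struct.unpack_from('<IIQQQQI', data, e_shoff + i * e_shentsize)
        out.append((typ, flags, off, size, link))
    return out

def tls_symbols_without_tls_section(data):
    """Names of STT_TLS symbols in an image with no SHF_TLS section: the input shape PR 23805 is about."""
    shdrs = section_headers(data)
    if any(flags & SHF_TLS for _, flags, *_ in shdrs):
        return []  # a TLS section exists, so TLS symbols have somewhere to live
    names = []
    for typ, _, off, size, link in shdrs:
        if typ != SHT_SYMTAB:
            continue
        str_off = shdrs[link][2]  # sh_link of .symtab points at its string table
        for i in range(size // SYM_SIZE):
            st_name, st_info = struct.unpack_from('<IB', data, off + i * SYM_SIZE)
            if st_info & 0xF == STT_TLS:  # ELF64_ST_TYPE(st_info)
                names.append(data[str_off + st_name:].split(b'\0', 1)[0].decode())
    return names

def build_sample(sym_type, data_is_tls):
    """Constructed sample: minimal ELF64 relocatable with one symbol in .data; SHF_TLS on .data is optional."""
    symtab = bytes(SYM_SIZE) + struct.pack('<IBBHQQ', 1, sym_type, 0, 1, 0, 8)  # null sym + one symbol
    strtab = b'\0tls_var\0'
    shoff = 64 + len(symtab) + len(strtab)
    ehdr = b'\x7fELF\x02\x01\x01' + bytes(9) + struct.pack(
        '<HHIQQQIHHHHHH', 1, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 4, 0)  # ET_REL, x86-64, 4 sections
    def shdr(typ, flags, off, size, link):
        return struct.pack('<IIQQQQIIQQ', 0, typ, flags, 0, off, size, link, 0, 1, 0)
    shdrs = (bytes(64)  # index 0: mandatory null section header
             + shdr(SHT_PROGBITS, 3 | (SHF_TLS if data_is_tls else 0), 0, 0, 0)  # 1: .data
             + shdr(SHT_SYMTAB, 0, 64, len(symtab), 3)  # 2: .symtab, sh_link -> .strtab
             + shdr(SHT_STRTAB, 0, 64 + len(symtab), len(strtab), 0))  # 3: .strtab
    return ehdr + symtab + strtab + shdrs
```

Running the check on `build_sample(STT_TLS, False)` reports `tls_var`, while the same symbol with a TLS-flagged .data, or an STT_NOTYPE symbol (the type the fix downgrades to), reports nothing.
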
Comment 2 Alan Modra 2018-10-23 11:17:12 UTC