Bug 24333

Summary: An Invalid Memory Address Dereference problem was discovered in function _bfd_elf_add_default_symbol in elflink.c in bfd
Product: binutils
Reporter: wcventure <wcventure>
Component: ld
Assignee: Not yet assigned to anyone <unassigned>
Status: RESOLVED FIXED
Severity: normal
CC: nickc
Priority: P2
Version: 2.32
Target Milestone: ---
Host:
Target:
Build:
Last reconfirmed:
Attachments: POC

Description wcventure 2019-03-14 12:27:25 UTC
Created attachment 11673 [details]
POC

Hi, there.

An Invalid Memory Address Dereference problem was discovered in function _bfd_elf_add_default_symbol in elflink.c in bfd of binutils 2.32, the latest code base. A crafted ELF input can cause segmentation faults, and I have confirmed them with AddressSanitizer too.

Please use "./ld -E $POC" to reproduce the bug.

ASAN dumps the stack trace as follows:

> ASAN:DEADLYSIGNAL
> =================================================================
> ==5224==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000046 (pc 0x00000082f74c bp 0x7ffd57a0b290 sp 0x7ffd57a0abe0 T0)
>     #0 0x82f74b in _bfd_elf_add_default_symbol /home/hjwang/Fuzzing_Objects/binutils_2.32_ASAN/bfd/elflink.c:1944:58
>     #1 0x82f74b in elf_link_add_object_symbols /home/hjwang/Fuzzing_Objects/binutils_2.32_ASAN/bfd/elflink.c:4842
>     #2 0x82165a in bfd_elf_link_add_symbols /home/hjwang/Fuzzing_Objects/binutils_2.32_ASAN/bfd/elflink.c:5740:14
>     #3 0x534ff0 in load_symbols /home/hjwang/Fuzzing_Objects/binutils_2.32_ASAN/ld/ldlang.c:3080:7
>     #4 0x563440 in open_input_bfds /home/hjwang/Fuzzing_Objects/binutils_2.32_ASAN/ld/ldlang.c:3529:13
>     #5 0x55124f in lang_process /home/hjwang/Fuzzing_Objects/binutils_2.32_ASAN/ld/ldlang.c:7383:3
>     #6 0x58fb7f in main /home/hjwang/Fuzzing_Objects/binutils_2.32_ASAN/ld/./ldmain.c:440:3
>     #7 0x7f3feb64582f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
>     #8 0x4195f8 in _start (/home/hjwang/Fuzzing_Objects/binutils_2.32_ASAN/build/bin/ld+0x4195f8)
> 
> AddressSanitizer can not provide additional info.
> SUMMARY: AddressSanitizer: SEGV /home/hjwang/Fuzzing_Objects/binutils_2.32_ASAN/bfd/elflink.c:1944:58 in _bfd_elf_add_default_symbol
> ==5224==ABORTING
> Aborted

Comment 1 Sourceware Commits 2019-03-14 16:04:13 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=6cc71b820cc70b63711e9d7f584550b56e172b0a

commit 6cc71b820cc70b63711e9d7f584550b56e172b0a
Author: Nick Clifton <nickc@redhat.com>
Date:   Thu Mar 14 16:03:07 2019 +0000

    Fix an illegal memory access when parsing a corrupt ELF file.
    
    	PR 24333
    	* elflink.c (_bfd_elf_add_default_symbol): Add a check for a NULL
    	section owner pointer when adding the default symbol.

Comment 2 Nick Clifton 2019-03-14 16:04:52 UTC
Hi wcventure,

  Thanks for reporting this bug.  I have checked in a small patch which
  fixes the problem.

Cheers
  Nick