Dear all, The following bug was found with AFLFast, a fork of AFL, in a 24 hour fuzzing session on Binutils. Thanks also to Van-Thuan Pham. The linker crashes with an invalid read of size 1 for the following execution on Ubuntu 16.04 x86_64 in Binutils trunk and for preinstalled version v2.26.1 and on Ubuntu 14.04 x86_64 for Binutils in trunk and preinstalled version v2.24. $ printf "\x08\x01\x000\x08\x00\x00\x00\x04\x00\x00\x0000000\x00\x00\x000000\x00\x00\x00\x00\x00\x00\x00\x000000000000000000000000000000000000000\x00\x00\x00\x1400000000000000000000\x00\x00\x0000000000000000000000000000000000000000000000" > test $ ./ld test obj-norm/ld/ld-new: i386 architecture of input file `test' is incompatible with i386:x86-64 output Segmentation fault ASAN says: ==10024==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600000d791 at pc 0x000000512db1 bp 0x7fff34f46310 sp 0x7fff34f46308 READ of size 1 at 0x60600000d791 thread T0 #0 0x512db0 in bfd_hash_hash ../../bfd/hash.c:441 #1 0x512f2e in bfd_hash_lookup ../../bfd/hash.c:467 #2 0x519f34 in bfd_link_hash_lookup ../../bfd/linker.c:507 #3 0x51f4a7 in _bfd_generic_link_add_one_symbol ../../bfd/linker.c:1494 #4 0x74339d in linux_add_one_symbol ../../bfd/i386linux.c:357 #5 0x768a0f in aout_link_add_symbols ../../bfd/aoutx.h:3149 #6 0x769334 in aout_link_add_object_symbols ../../bfd/aoutx.h:3214 #7 0x76a682 in aout_32_link_add_symbols ../../bfd/aoutx.h:3475 #8 0x438d89 in load_symbols ../../ld/ldlang.c:2897 #9 0x43c299 in open_input_bfds ../../ld/ldlang.c:3346 #10 0x4568f7 in lang_process ../../ld/ldlang.c:6871 #11 0x465a39 in main ../../ld/ldmain.c:428 #12 0x7fc6d8cddf44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44) #13 0x403968 (/home/ubuntu/subjects/binutils-gdb/obj-asan/ld/ld-new+0x403968) 0x60600000d791 is located 0 bytes to the right of 49-byte region [0x60600000d760,0x60600000d791) allocated by thread T0 here: #0 0x7fc6da05e3a8 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc23a8) #1 0x51643f in bfd_malloc ../../bfd/libbfd.c:184 #2 0x7594f3 in aout_get_external_symbols ../../bfd/aoutx.h:1359 #3 0x769313 in aout_link_add_object_symbols ../../bfd/aoutx.h:3212 #4 0x76a682 in aout_32_link_add_symbols ../../bfd/aoutx.h:3475 #5 0x438d89 in load_symbols ../../ld/ldlang.c:2897 #6 0x43c299 in open_input_bfds ../../ld/ldlang.c:3346 #7 0x4568f7 in lang_process ../../ld/ldlang.c:6871 #8 0x465a39 in main ../../ld/ldmain.c:428 #9 0x7fc6d8cddf44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44) SUMMARY: AddressSanitizer: heap-buffer-overflow ../../bfd/hash.c:441 in bfd_hash_hash Valgrind also complains about an invalid read of size 8 and a conditional jump depending on an unitialized value: ==10045== Conditional jump or move depends on uninitialised value(s) ==10045== at 0x5681CC: bfd_hash_hash (hash.c:441) ==10045== by 0x5681CC: bfd_hash_lookup (hash.c:467) ==10045== by 0x580D20: bfd_link_hash_lookup (linker.c:507) ==10045== by 0x580D20: _bfd_generic_link_add_one_symbol (linker.c:1494) ==10045== by 0x78EA3A: linux_add_one_symbol (i386linux.c:357) ==10045== by 0x79147B: aout_link_add_symbols (aoutx.h:3149) ==10045== by 0x7A965E: aout_link_add_object_symbols (aoutx.h:3214) ==10045== by 0x7A965E: aout_32_link_add_symbols (aoutx.h:3475) ==10045== by 0x45271A: load_symbols.part.43 (ldlang.c:2897) ==10045== by 0x45D0AA: load_symbols (ldlang.c:3327) ==10045== by 0x45D0AA: open_input_bfds (ldlang.c:3346) ==10045== by 0x46A227: lang_process (ldlang.c:6871) ==10045== by 0x4081AC: main (ldmain.c:428) ==10045== /home/ubuntu/subjects/binutils-gdb/ld/ld-new: i386 architecture of input file `test' is incompatible with i386:x86-64 output ==10045== Invalid read of size 8 ==10045== at 0x47AB18: ldctor_build_sets (ldctor.c:293) ==10045== by 0x46BB3C: lang_process (ldlang.c:6973) ==10045== by 0x4081AC: main (ldmain.c:428) ==10045== Address 0x8 is not stack'd, malloc'd or (recently) free'd ==10045== ==10045== ==10045== Process terminating with default action of signal 11 (SIGSEGV) ==10045== Access not within mapped region at address 0x8 ==10045== at 0x47AB18: ldctor_build_sets (ldctor.c:293) ==10045== by 0x46BB3C: lang_process (ldlang.c:6973) ==10045== by 0x4081AC: main (ldmain.c:428) Best regards, - Marcel
The master branch has been updated by Nick Clifton <nickc@sourceware.org>: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=531336e3a0b79ed60cfc36ad2d6579b6a71175da commit 531336e3a0b79ed60cfc36ad2d6579b6a71175da Author: Nick Clifton <nickc@redhat.com> Date: Fri Dec 2 16:41:14 2016 +0000 Fix seg-fault in the linker when examining a corrupt binary. PR ld/20909 * aoutx.h (aout_link_add_symbols): Fix off-by-one error in check for an illegal string offset.
Hi Marcel, Thanks for reporting this bug. The problem was an off-by-one error in code that was meant to catch exactly this kind of corrupt binary - how ironic. Oh well, I have checked in a patch to fix the problem. Cheers Nick
This is CVE-2017-7300
The master branch has been updated by Stephen Casner <slcasner@sourceware.org>: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=31af1e68af26f5cae209de3530d0455b8a944b2d commit 31af1e68af26f5cae209de3530d0455b8a944b2d Author: Stephen Casner <casner@acm.org> Date: Wed Jun 3 17:43:45 2020 -0700 Copy several years of fixes from bfd/aoutx.h to bfd/pdp11.c. * pdp11.c (some_aout_object_p): 4c1534c7a2a - Don't set EXEC_P for files with relocs. (aout_get_external_symbols): 6b8f0fd579d - Return if count is zero. 0301ce1486b PR 22306 - Handle stringsize of zero, and error for any other size that doesn't qcover the header word. bf82069dce1 PR 23056 - Allocate an extra byte at the end of the string table, and zero it. (translate_symbol_table): 0d329c0a83a PR 22887 - Print an error message and set bfd_error on finding an invalid name string offset. (add_to_stringtab): INLINE -> inline (pdp11_aout_swap_reloc_in): 116acb2c268 PR 22887 - Correct r_index bound check. (squirt_out_relocs): e2996cc315d PR 20921 - Check for and report any relocs that could not be recognised. 92744f05809 PR 20929 - Check for relocs without an associated symbol. (find_nearest_line): 808346fcfcf PR 23055 - Check that the symbol name exists and is long enough, before attempting to see if it is for a .o file. c3864421222 - Correct case for N_SO being the last symbol. 50455f1ab29 PR 20891 - Handle the case where the main file name and the directory name are both empty. e82ab856bb4 PR 20892 - Handle the case where function name is empty. (aout_link_add_symbols): e517df3dbf7 PR 19629 - Check for out of range string table offsets. 531336e3a0b PR 20909 - Fix off-by-one error in check for an illegal string offset. (aout_link_includes_newfunc): Add comment. (pdp11_aout_link_input_section): ad756e3f9e6 - Return with an error on unexpected relocation type rather than ASSERT.