Bug 20909 - LD crashes when loading symbols
Summary: LD crashes when loading symbols
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: ld (show other bugs)
Version: 2.28
: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-12-02 08:37 UTC by Marcel Böhme
Modified: 2017-04-13 06:17 UTC (History)
2 users (show)

See Also:
Host:
Target:
Build:
Last reconfirmed:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Marcel Böhme 2016-12-02 08:37:17 UTC
Dear all,

The following bug was found with AFLFast, a fork of AFL, in a 24 hour fuzzing session on Binutils. Thanks also to Van-Thuan Pham.

The linker crashes with an invalid read of size 1 for the following execution on Ubuntu 16.04 x86_64 in Binutils trunk and for preinstalled version v2.26.1 and on Ubuntu 14.04 x86_64 for Binutils in trunk and preinstalled version v2.24.

$ printf "\x08\x01\x000\x08\x00\x00\x00\x04\x00\x00\x0000000\x00\x00\x000000\x00\x00\x00\x00\x00\x00\x00\x000000000000000000000000000000000000000\x00\x00\x00\x1400000000000000000000\x00\x00\x0000000000000000000000000000000000000000000000" > test
$ ./ld test
obj-norm/ld/ld-new: i386 architecture of input file `test' is incompatible with i386:x86-64 output
Segmentation fault

ASAN says:
==10024==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600000d791 at pc 0x000000512db1 bp 0x7fff34f46310 sp 0x7fff34f46308
READ of size 1 at 0x60600000d791 thread T0
    #0 0x512db0 in bfd_hash_hash ../../bfd/hash.c:441
    #1 0x512f2e in bfd_hash_lookup ../../bfd/hash.c:467
    #2 0x519f34 in bfd_link_hash_lookup ../../bfd/linker.c:507
    #3 0x51f4a7 in _bfd_generic_link_add_one_symbol ../../bfd/linker.c:1494
    #4 0x74339d in linux_add_one_symbol ../../bfd/i386linux.c:357
    #5 0x768a0f in aout_link_add_symbols ../../bfd/aoutx.h:3149
    #6 0x769334 in aout_link_add_object_symbols ../../bfd/aoutx.h:3214
    #7 0x76a682 in aout_32_link_add_symbols ../../bfd/aoutx.h:3475
    #8 0x438d89 in load_symbols ../../ld/ldlang.c:2897
    #9 0x43c299 in open_input_bfds ../../ld/ldlang.c:3346
    #10 0x4568f7 in lang_process ../../ld/ldlang.c:6871
    #11 0x465a39 in main ../../ld/ldmain.c:428
    #12 0x7fc6d8cddf44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #13 0x403968  (/home/ubuntu/subjects/binutils-gdb/obj-asan/ld/ld-new+0x403968)

0x60600000d791 is located 0 bytes to the right of 49-byte region [0x60600000d760,0x60600000d791)
allocated by thread T0 here:
    #0 0x7fc6da05e3a8 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc23a8)
    #1 0x51643f in bfd_malloc ../../bfd/libbfd.c:184
    #2 0x7594f3 in aout_get_external_symbols ../../bfd/aoutx.h:1359
    #3 0x769313 in aout_link_add_object_symbols ../../bfd/aoutx.h:3212
    #4 0x76a682 in aout_32_link_add_symbols ../../bfd/aoutx.h:3475
    #5 0x438d89 in load_symbols ../../ld/ldlang.c:2897
    #6 0x43c299 in open_input_bfds ../../ld/ldlang.c:3346
    #7 0x4568f7 in lang_process ../../ld/ldlang.c:6871
    #8 0x465a39 in main ../../ld/ldmain.c:428
    #9 0x7fc6d8cddf44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)

SUMMARY: AddressSanitizer: heap-buffer-overflow ../../bfd/hash.c:441 in bfd_hash_hash

Valgrind also complains about an invalid read of size 8 and a conditional jump depending on an unitialized value:
==10045== Conditional jump or move depends on uninitialised value(s)
==10045==    at 0x5681CC: bfd_hash_hash (hash.c:441)
==10045==    by 0x5681CC: bfd_hash_lookup (hash.c:467)
==10045==    by 0x580D20: bfd_link_hash_lookup (linker.c:507)
==10045==    by 0x580D20: _bfd_generic_link_add_one_symbol (linker.c:1494)
==10045==    by 0x78EA3A: linux_add_one_symbol (i386linux.c:357)
==10045==    by 0x79147B: aout_link_add_symbols (aoutx.h:3149)
==10045==    by 0x7A965E: aout_link_add_object_symbols (aoutx.h:3214)
==10045==    by 0x7A965E: aout_32_link_add_symbols (aoutx.h:3475)
==10045==    by 0x45271A: load_symbols.part.43 (ldlang.c:2897)
==10045==    by 0x45D0AA: load_symbols (ldlang.c:3327)
==10045==    by 0x45D0AA: open_input_bfds (ldlang.c:3346)
==10045==    by 0x46A227: lang_process (ldlang.c:6871)
==10045==    by 0x4081AC: main (ldmain.c:428)
==10045== 
/home/ubuntu/subjects/binutils-gdb/ld/ld-new: i386 architecture of input file `test' is incompatible with i386:x86-64 output
==10045== Invalid read of size 8
==10045==    at 0x47AB18: ldctor_build_sets (ldctor.c:293)
==10045==    by 0x46BB3C: lang_process (ldlang.c:6973)
==10045==    by 0x4081AC: main (ldmain.c:428)
==10045==  Address 0x8 is not stack'd, malloc'd or (recently) free'd
==10045== 
==10045== 
==10045== Process terminating with default action of signal 11 (SIGSEGV)
==10045==  Access not within mapped region at address 0x8
==10045==    at 0x47AB18: ldctor_build_sets (ldctor.c:293)
==10045==    by 0x46BB3C: lang_process (ldlang.c:6973)
==10045==    by 0x4081AC: main (ldmain.c:428)

Best regards,
- Marcel
Comment 1 cvs-commit@gcc.gnu.org 2016-12-02 16:42:16 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=531336e3a0b79ed60cfc36ad2d6579b6a71175da

commit 531336e3a0b79ed60cfc36ad2d6579b6a71175da
Author: Nick Clifton <nickc@redhat.com>
Date:   Fri Dec 2 16:41:14 2016 +0000

    Fix seg-fault in the linker when examining a corrupt binary.
    
    	PR ld/20909
    	* aoutx.h (aout_link_add_symbols): Fix off-by-one error in check
    	for an illegal string offset.
Comment 2 Nick Clifton 2016-12-02 16:46:50 UTC
Hi Marcel,

  Thanks for reporting this bug.  The problem was an off-by-one error in code that was meant to catch exactly this kind of corrupt binary - how ironic.

  Oh well, I have checked in a patch to fix the problem.

Cheers
  Nick
Comment 3 Thuan Pham 2017-04-13 06:17:10 UTC
This is CVE-2017-7300