Dear all, The following bug was found with AFLFast, a fork of AFL, in a 24 hour fuzzing session on Binutils. Thanks also to Van-Thuan Pham. We also thank Nick Clifton for addressing our reported bugs so promptly. Objcopy/Strip crashes with an invalid read of size 4 for the following execution on Ubuntu 16.04 x86_64 in Binutils trunk and for preinstalled version v2.26.1 and on Ubuntu 14.04 x86_64 for Binutils in trunk and preinstalled version v2.24. $ printf "\x08\x01\x000\x04\x00\x00\x00\x08\x00\x00\x000000\x00\x00\x00\x000000\x00\x00\x00\x00\x15\x00\x00\x00000000000000000000000000000000000" > test $ ./strip -S test Segmentation fault UBSAN says: ../../bfd/aoutx.h:1958:22: runtime error: member access within null pointer of type 'const struct reloc_howto_type' VALGRIND tells us: ==47599== Invalid read of size 4 ==47599== at 0x6E6A2B: aout_32_swap_std_reloc_out (aoutx.h:1961) ==47599== by 0x6E6A2B: aout_32_squirt_out_relocs (aoutx.h:2404) ==47599== by 0x6D27A2: i386linux_write_object_contents (i386linux.c:77) ==47599== by 0x4F8809: bfd_close (opncls.c:733) ==47599== by 0x42F4C7: copy_file (objcopy.c:2886) ==47599== by 0x41670E: strip_main (objcopy.c:3788) ==47599== by 0x41670E: main (objcopy.c:4888) ==47599== Address 0x0 is not stack'd, malloc'd or (recently) free'd Best regards, - Marcel
The master branch has been updated by Nick Clifton <nickc@sourceware.org>: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e2996cc315d6ea242e1a954dc20246485ccc8512 commit e2996cc315d6ea242e1a954dc20246485ccc8512 Author: Nick Clifton <nickc@redhat.com> Date: Mon Dec 5 14:32:30 2016 +0000 Fix seg-fault running strip on a corrupt binary. PR binutils/20921 * aoutx.h (squirt_out_relocs): Check for and report any relocs that could not be recognised.
Hi Marcel, Thanks for reporting this bug. I have checked in a patch to report and ignore any unrecognised relocations when copying a binary file. Cheers Nick
This is CVE-2017-7302
The master branch has been updated by Stephen Casner <slcasner@sourceware.org>: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=31af1e68af26f5cae209de3530d0455b8a944b2d commit 31af1e68af26f5cae209de3530d0455b8a944b2d Author: Stephen Casner <casner@acm.org> Date: Wed Jun 3 17:43:45 2020 -0700 Copy several years of fixes from bfd/aoutx.h to bfd/pdp11.c. * pdp11.c (some_aout_object_p): 4c1534c7a2a - Don't set EXEC_P for files with relocs. (aout_get_external_symbols): 6b8f0fd579d - Return if count is zero. 0301ce1486b PR 22306 - Handle stringsize of zero, and error for any other size that doesn't qcover the header word. bf82069dce1 PR 23056 - Allocate an extra byte at the end of the string table, and zero it. (translate_symbol_table): 0d329c0a83a PR 22887 - Print an error message and set bfd_error on finding an invalid name string offset. (add_to_stringtab): INLINE -> inline (pdp11_aout_swap_reloc_in): 116acb2c268 PR 22887 - Correct r_index bound check. (squirt_out_relocs): e2996cc315d PR 20921 - Check for and report any relocs that could not be recognised. 92744f05809 PR 20929 - Check for relocs without an associated symbol. (find_nearest_line): 808346fcfcf PR 23055 - Check that the symbol name exists and is long enough, before attempting to see if it is for a .o file. c3864421222 - Correct case for N_SO being the last symbol. 50455f1ab29 PR 20891 - Handle the case where the main file name and the directory name are both empty. e82ab856bb4 PR 20892 - Handle the case where function name is empty. (aout_link_add_symbols): e517df3dbf7 PR 19629 - Check for out of range string table offsets. 531336e3a0b PR 20909 - Fix off-by-one error in check for an illegal string offset. (aout_link_includes_newfunc): Add comment. (pdp11_aout_link_input_section): ad756e3f9e6 - Return with an error on unexpected relocation type rather than ASSERT.