Bug 20924 - LD: Buffer Overflow when loading symbols
Summary: LD: Buffer Overflow when loading symbols
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: ld (show other bugs)
Version: 2.28
: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-12-03 10:01 UTC by Marcel Böhme
Modified: 2017-04-13 06:18 UTC (History)
2 users (show)

See Also:
Host:
Target:
Build:
Last reconfirmed:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Marcel Böhme 2016-12-03 10:01:02 UTC
Dear all,

The following bug was found with AFLFast, a fork of AFL, in a 24 hour fuzzing session on Binutils. Thanks also to Van-Thuan Pham.

The is a heap-based buffer overflow in the linker that does *not* actually crash the linker. for the following execution in Binutils trunk on Ubuntu 16.04 x86_64 and 14.04 x86_64. However, it does *not* crash for preinstalled version v2.26.1 on Ubuntu 16.04 or preinstalled version v2.24 on Ubuntu 14.04 x86_64.

This bug seems to be related to PR20909 because it gives a similar stack trace. However, neither Valgrind nor ASAN complains about the fix for PR20909 test case.

$ printf "\x08\x01\x00\x00\x08\x00\x00\x00\x04\x00\x00\x00\x00\xef\x01\x72\x60\x00\x00\x00\x00\x10\x02\xf1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x23\x00\xee\xff\x00\x00\x00\x7f\x00\x02\x00\x00\x000\x00\x00\x00\x44\xf3\x0a\x00\x06\x00\x00\x00\x01\x07\x00\x00\x7f\xf7\x27\x60\x00\x00\x00\x00\x14\x02\x5a\x00\x44\xe5\x0a\x00\x06\x00\x00\x00\x0b\x0a\xff\xff\xff\xff\x00\x00\x08\x00\x00\x00\x00\xf1\x00\x18\x00\xf7\x23\x60\x00\x00\x00\x00\x18\x80\xff\x00\x44\xf1\x0a\x00\x02\x00\x00\x00\x18\x00\x5a\x00\x44\xdb\x0a\x00\x06\x00\x00\x00\xfc\x09\xff\xff\xff\xff\x00\x00\x08\x00\x00\x00\x00\xf1\x00\x18\x00\x5a" > test
$ ld test

ASAN shows us a read of size 1:
READ of size 1 at 0x60200000c819 thread T0
    #0 0x5130d3 in bfd_hash_hash ../../bfd/hash.c:441
    #1 0x513251 in bfd_hash_lookup ../../bfd/hash.c:467
    #2 0x51a257 in bfd_link_hash_lookup ../../bfd/linker.c:507
    #3 0x51ab58 in bfd_wrapped_link_hash_lookup ../../bfd/linker.c:602
    #4 0x51f488 in _bfd_generic_link_add_one_symbol ../../bfd/linker.c:1457
    #5 0x743870 in linux_add_one_symbol ../../bfd/i386linux.c:357
    #6 0x768fc3 in aout_link_add_symbols ../../bfd/aoutx.h:3162
    #7 0x7698e8 in aout_link_add_object_symbols ../../bfd/aoutx.h:3227
    #8 0x76ac36 in aout_32_link_add_symbols ../../bfd/aoutx.h:3488
    #9 0x438d89 in load_symbols ../../ld/ldlang.c:2897
    #10 0x43c299 in open_input_bfds ../../ld/ldlang.c:3346
    #11 0x4568f7 in lang_process ../../ld/ldlang.c:6871
    #12 0x465d20 in main ../../ld/ldmain.c:428
    #13 0x7f72b3154f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #14 0x403968  (/home/ubuntu/subjects/binutils-gdb_fixed/obj-asan/ld/ld-new+0x403968)

0x60200000c819 is located 0 bytes to the right of 9-byte region [0x60200000c810,0x60200000c819)
allocated by thread T0 here:
    #0 0x7f72b44d53a8 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc23a8)
    #1 0x516762 in bfd_malloc ../../bfd/libbfd.c:184
    #2 0x7599c6 in aout_get_external_symbols ../../bfd/aoutx.h:1359
    #3 0x7698c7 in aout_link_add_object_symbols ../../bfd/aoutx.h:3225
    #4 0x76ac36 in aout_32_link_add_symbols ../../bfd/aoutx.h:3488
    #5 0x438d89 in load_symbols ../../ld/ldlang.c:2897
    #6 0x43c299 in open_input_bfds ../../ld/ldlang.c:3346
    #7 0x4568f7 in lang_process ../../ld/ldlang.c:6871
    #8 0x465d20 in main ../../ld/ldmain.c:428
    #9 0x7f72b3154f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)

SUMMARY: AddressSanitizer: heap-buffer-overflow ../../bfd/hash.c:441 in bfd_hash_hash


VALGRIND only reports two conditional jumps depending on unitialized values:
==100826== Conditional jump or move depends on uninitialised value(s)
==100826==    at 0x5681CC: bfd_hash_hash (hash.c:441)
==100826==    by 0x5681CC: bfd_hash_lookup (hash.c:467)
==100826==    by 0x573B4D: bfd_link_hash_lookup (linker.c:507)
==100826==    by 0x573B4D: bfd_wrapped_link_hash_lookup (linker.c:602)
==100826==    by 0x57F4E1: _bfd_generic_link_add_one_symbol (linker.c:1457)
==100826==    by 0x78EA3A: linux_add_one_symbol (i386linux.c:357)
==100826==    by 0x79147B: aout_link_add_symbols (aoutx.h:3149)
==100826==    by 0x7A965E: aout_link_add_object_symbols (aoutx.h:3214)
==100826==    by 0x7A965E: aout_32_link_add_symbols (aoutx.h:3475)
==100826==    by 0x45271A: load_symbols.part.43 (ldlang.c:2897)
==100826==    by 0x45D0AA: load_symbols (ldlang.c:3327)
==100826==    by 0x45D0AA: open_input_bfds (ldlang.c:3346)
==100826==    by 0x46A227: lang_process (ldlang.c:6871)
==100826==    by 0x4081AC: main (ldmain.c:428)
==100826== 
==100826== Conditional jump or move depends on uninitialised value(s)
==100826==    at 0x4C2F1BC: strcmp (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==100826==    by 0x5683EB: bfd_hash_lookup (hash.c:474)
==100826==    by 0x573B4D: bfd_link_hash_lookup (linker.c:507)
==100826==    by 0x573B4D: bfd_wrapped_link_hash_lookup (linker.c:602)
==100826==    by 0x57F4E1: _bfd_generic_link_add_one_symbol (linker.c:1457)
==100826==    by 0x78EA3A: linux_add_one_symbol (i386linux.c:357)
==100826==    by 0x79147B: aout_link_add_symbols (aoutx.h:3149)
==100826==    by 0x7A965E: aout_link_add_object_symbols (aoutx.h:3214)
==100826==    by 0x7A965E: aout_32_link_add_symbols (aoutx.h:3475)
==100826==    by 0x45271A: load_symbols.part.43 (ldlang.c:2897)
==100826==    by 0x45D0AA: load_symbols (ldlang.c:3327)
==100826==    by 0x45D0AA: open_input_bfds (ldlang.c:3346)
==100826==    by 0x46A227: lang_process (ldlang.c:6871)
==100826==    by 0x4081AC: main (ldmain.c:428)

Best regards,
- Marcel
Comment 1 cvs-commit@gcc.gnu.org 2016-12-05 12:26:39 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=daae68f4f372e0618d6b9c64ec0f1f74eae6ab3d

commit daae68f4f372e0618d6b9c64ec0f1f74eae6ab3d
Author: Nick Clifton <nickc@redhat.com>
Date:   Mon Dec 5 12:25:34 2016 +0000

    Fix seg-fault in linker parsing a corrupt input file.
    
    	PR ld/20924
    	(aout_link_add_symbols): Fix off by one error checking for
    	overflow of string offset.
Comment 2 Nick Clifton 2016-12-05 12:28:50 UTC
Hi Marcel,

  Thanks for reporting this bug.  It was indeed very similar to PR 20909.  In
  this case it was another off-by-one error when checking for a string buffer
  overflow.  I have checked in a patch to resolve the problem.

Cheers
  Nick
Comment 3 Thuan Pham 2017-04-13 06:18:47 UTC
This is CVE-2017-7301