Dear all,

The following bug was found with AFLFast, a fork of AFL, in a 24-hour fuzzing session on Binutils. Thanks also to Van-Thuan Pham.

There is a heap-based buffer overflow in the linker that does *not* actually crash the linker for the following execution in Binutils trunk on Ubuntu 16.04 x86_64 and 14.04 x86_64. However, it does *not* crash for preinstalled version v2.26.1 on Ubuntu 16.04 or preinstalled version v2.24 on Ubuntu 14.04 x86_64.

This bug seems to be related to PR20909 because it gives a similar stack trace. However, neither Valgrind nor ASAN complains about the fix for the PR20909 test case.

$ printf "\x08\x01\x00\x00\x08\x00\x00\x00\x04\x00\x00\x00\x00\xef\x01\x72\x60\x00\x00\x00\x00\x10\x02\xf1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x23\x00\xee\xff\x00\x00\x00\x7f\x00\x02\x00\x00\x000\x00\x00\x00\x44\xf3\x0a\x00\x06\x00\x00\x00\x01\x07\x00\x00\x7f\xf7\x27\x60\x00\x00\x00\x00\x14\x02\x5a\x00\x44\xe5\x0a\x00\x06\x00\x00\x00\x0b\x0a\xff\xff\xff\xff\x00\x00\x08\x00\x00\x00\x00\xf1\x00\x18\x00\xf7\x23\x60\x00\x00\x00\x00\x18\x80\xff\x00\x44\xf1\x0a\x00\x02\x00\x00\x00\x18\x00\x5a\x00\x44\xdb\x0a\x00\x06\x00\x00\x00\xfc\x09\xff\xff\xff\xff\x00\x00\x08\x00\x00\x00\x00\xf1\x00\x18\x00\x5a" > test
$ ld test

ASAN shows us a read of size 1:

READ of size 1 at 0x60200000c819 thread T0
    #0 0x5130d3 in bfd_hash_hash ../../bfd/hash.c:441
    #1 0x513251 in bfd_hash_lookup ../../bfd/hash.c:467
    #2 0x51a257 in bfd_link_hash_lookup ../../bfd/linker.c:507
    #3 0x51ab58 in bfd_wrapped_link_hash_lookup ../../bfd/linker.c:602
    #4 0x51f488 in _bfd_generic_link_add_one_symbol ../../bfd/linker.c:1457
    #5 0x743870 in linux_add_one_symbol ../../bfd/i386linux.c:357
    #6 0x768fc3 in aout_link_add_symbols ../../bfd/aoutx.h:3162
    #7 0x7698e8 in aout_link_add_object_symbols ../../bfd/aoutx.h:3227
    #8 0x76ac36 in aout_32_link_add_symbols ../../bfd/aoutx.h:3488
    #9 0x438d89 in load_symbols ../../ld/ldlang.c:2897
    #10 0x43c299 in open_input_bfds ../../ld/ldlang.c:3346
    #11 0x4568f7 in lang_process ../../ld/ldlang.c:6871
    #12 0x465d20 in main ../../ld/ldmain.c:428
    #13 0x7f72b3154f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #14 0x403968 (/home/ubuntu/subjects/binutils-gdb_fixed/obj-asan/ld/ld-new+0x403968)

0x60200000c819 is located 0 bytes to the right of 9-byte region [0x60200000c810,0x60200000c819)
allocated by thread T0 here:
    #0 0x7f72b44d53a8 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc23a8)
    #1 0x516762 in bfd_malloc ../../bfd/libbfd.c:184
    #2 0x7599c6 in aout_get_external_symbols ../../bfd/aoutx.h:1359
    #3 0x7698c7 in aout_link_add_object_symbols ../../bfd/aoutx.h:3225
    #4 0x76ac36 in aout_32_link_add_symbols ../../bfd/aoutx.h:3488
    #5 0x438d89 in load_symbols ../../ld/ldlang.c:2897
    #6 0x43c299 in open_input_bfds ../../ld/ldlang.c:3346
    #7 0x4568f7 in lang_process ../../ld/ldlang.c:6871
    #8 0x465d20 in main ../../ld/ldmain.c:428
    #9 0x7f72b3154f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)

SUMMARY: AddressSanitizer: heap-buffer-overflow ../../bfd/hash.c:441 in bfd_hash_hash

VALGRIND only reports two conditional jumps depending on uninitialized values:

==100826== Conditional jump or move depends on uninitialised value(s)
==100826==    at 0x5681CC: bfd_hash_hash (hash.c:441)
==100826==    by 0x5681CC: bfd_hash_lookup (hash.c:467)
==100826==    by 0x573B4D: bfd_link_hash_lookup (linker.c:507)
==100826==    by 0x573B4D: bfd_wrapped_link_hash_lookup (linker.c:602)
==100826==    by 0x57F4E1: _bfd_generic_link_add_one_symbol (linker.c:1457)
==100826==    by 0x78EA3A: linux_add_one_symbol (i386linux.c:357)
==100826==    by 0x79147B: aout_link_add_symbols (aoutx.h:3149)
==100826==    by 0x7A965E: aout_link_add_object_symbols (aoutx.h:3214)
==100826==    by 0x7A965E: aout_32_link_add_symbols (aoutx.h:3475)
==100826==    by 0x45271A: load_symbols.part.43 (ldlang.c:2897)
==100826==    by 0x45D0AA: load_symbols (ldlang.c:3327)
==100826==    by 0x45D0AA: open_input_bfds (ldlang.c:3346)
==100826==    by 0x46A227: lang_process (ldlang.c:6871)
==100826==    by 0x4081AC: main (ldmain.c:428)
==100826==
==100826== Conditional jump or move depends on uninitialised value(s)
==100826==    at 0x4C2F1BC: strcmp (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==100826==    by 0x5683EB: bfd_hash_lookup (hash.c:474)
==100826==    by 0x573B4D: bfd_link_hash_lookup (linker.c:507)
==100826==    by 0x573B4D: bfd_wrapped_link_hash_lookup (linker.c:602)
==100826==    by 0x57F4E1: _bfd_generic_link_add_one_symbol (linker.c:1457)
==100826==    by 0x78EA3A: linux_add_one_symbol (i386linux.c:357)
==100826==    by 0x79147B: aout_link_add_symbols (aoutx.h:3149)
==100826==    by 0x7A965E: aout_link_add_object_symbols (aoutx.h:3214)
==100826==    by 0x7A965E: aout_32_link_add_symbols (aoutx.h:3475)
==100826==    by 0x45271A: load_symbols.part.43 (ldlang.c:2897)
==100826==    by 0x45D0AA: load_symbols (ldlang.c:3327)
==100826==    by 0x45D0AA: open_input_bfds (ldlang.c:3346)
==100826==    by 0x46A227: lang_process (ldlang.c:6871)
==100826==    by 0x4081AC: main (ldmain.c:428)

Best regards,
- Marcel
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=daae68f4f372e0618d6b9c64ec0f1f74eae6ab3d

commit daae68f4f372e0618d6b9c64ec0f1f74eae6ab3d
Author: Nick Clifton <nickc@redhat.com>
Date:   Mon Dec 5 12:25:34 2016 +0000

    Fix seg-fault in linker parsing a corrupt input file.

    PR ld/20924
    (aout_link_add_symbols): Fix off by one error checking for overflow of string offset.
Hi Marcel,

Thanks for reporting this bug. It was indeed very similar to PR 20909. In this case it was another off-by-one error when checking for a string buffer overflow. I have checked in a patch to resolve the problem.

Cheers,
Nick
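The class of defect Nick describes, as an added illustration that is not binutils code and not the actual patch: a string-table offset check that accepts an offset equal to the allocation size, so the very next byte read lands one past the heap block. That is exactly what the ASAN report above shows (a 1-byte read located 0 bytes to the right of a 9-byte region, i.e. index 9 of a 9-byte buffer). The table layout, the 9-byte size, the names and all function names here are constructed for the example; the buggy comparison is a hypothetical reconstruction of an off-by-one, not a quote of aoutx.h. The lookup helper also shows the second check a parser of untrusted symbol tables needs: an in-bounds start offset is useless if the name is not NUL-terminated inside the table.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed a.out-style string table (NOT binutils' real layout or code).
 * The first 4 bytes hold the table size, the rest are NUL-terminated names.
 * It is 9 bytes long on purpose: the ASAN report reads "0 bytes to the
 * right of" a 9-byte region, i.e. index 9 of a 9-byte buffer.
 */
static const unsigned char STRTAB_OK[9]    = { 9, 0, 0, 0, 'm', 'a', 'i', 'n', '\0' };
/* Same table from a lying input file: the name is not terminated. */
static const unsigned char STRTAB_TRUNC[8] = { 8, 0, 0, 0, 'm', 'a', 'i', 'n' };

/* Hypothetical reconstruction of the off-by-one: an offset equal to the
 * allocation size passes, so the caller dereferences strtab[strsize], one
 * byte past the heap block.  strsize is the number of bytes allocated. */
int strx_in_bounds_buggy(size_t strx, size_t strsize)
{
    return strx <= strsize;      /* wrong: strsize itself is past the end */
}

/* Corrected bound: only offsets strictly below the allocation size are valid. */
int strx_in_bounds_fixed(size_t strx, size_t strsize)
{
    return strx < strsize;
}

/* Number of bytes beyond the allocation that reading strtab[strx] touches
 * once the buggy check has let strx through (0 if in bounds or rejected). */
size_t bytes_past_end_buggy(size_t strx, size_t strsize)
{
    if (!strx_in_bounds_buggy(strx, strsize) || strx < strsize)
        return 0;
    return strx - strsize + 1;
}

/* Defensive lookup: the start offset must be in bounds AND the name must be
 * NUL-terminated inside the table, otherwise a strlen()/hash walk runs off
 * the end just as a bad offset would.  Returns NULL for anything suspicious. */
const char *strtab_lookup(const unsigned char *strtab, size_t strsize, size_t strx)
{
    if (!strx_in_bounds_fixed(strx, strsize))
        return NULL;
    if (memchr(strtab + strx, '\0', strsize - strx) == NULL)
        return NULL;             /* unterminated: would read past the table */
    return (const char *)(strtab + strx);
}

int main(void)
{
    const size_t size = sizeof STRTAB_OK;   /* 9 */
    const char *name;

    printf("offset 9 of a 9-byte table: buggy check says %s, fixed check says %s\n",
           strx_in_bounds_buggy(9, size) ? "in bounds" : "rejected",
           strx_in_bounds_fixed(9, size) ? "in bounds" : "rejected");
    printf("bytes read past the allocation with the buggy check: %zu\n",
           bytes_past_end_buggy(9, size));

    name = strtab_lookup(STRTAB_OK, size, 4);
    printf("offset 4 -> %s\n", name ? name : "(rejected)");
    name = strtab_lookup(STRTAB_TRUNC, sizeof STRTAB_TRUNC, 4);
    printf("offset 4 in unterminated table -> %s\n", name ? name : "(rejected)");
    return 0;
}
```

The point for anyone auditing similar parsers: the size stored in the file and the size actually allocated must be treated as untrusted and allocated, respectively, and every offset derived from the file has to be checked with a strict `<` against the allocated size, with a separate terminator check before the bytes are handed to anything that walks to a NUL.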
This is CVE-2017-7301