21139 – readelf crashes - corrupted double-linked list because of use after free

Bug 21139 - readelf crashes - corrupted double-linked list because of use after free

Summary: readelf crashes - corrupted double-linked list because of use after free

Status:	RESOLVED FIXED

Alias:	None

Product:	binutils
Classification:	Unclassified
Component:	binutils (show other bugs)
Version:	2.29

Importance:	P2 normal
Target Milestone:	---
Assignee:	Not yet assigned to anyone

URL:
Keywords:

Duplicates (5):	21136 21142 21143 21144 21145 (view as bug list)
Depends on:
Blocks:

Reported:	2017-02-13 09:27 UTC by Thuan Pham
Modified:	2017-04-13 06:06 UTC (History)
CC List:	1 user (show)

See Also:
Host:
Target:
Build:
Last reconfirmed:

Attachments
Crashing input (1.33 KB, application/x-object) 2017-02-13 09:27 UTC, Thuan Pham	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Thuan Pham 2017-02-13 09:27:41 UTC

Created attachment 9806 [details]
Crashing input

Dear all,

This bug was found with AFLGo, a directed version of AFL/AFLFast. Thanks also to Marcel Böhme. 

This bug was found on Ubuntu 14.04 64-bit & binutils was checkout from main repository at git://sourceware.org/git/binutils-gdb.git. Its commit is 53f7e8ea7fad1fcff1b58f4cbd74e192e0bcbc1d (Fri Feb 10 00:00:16 2017) 

binutils was built with ASAN using gcc-6.2 and clang-3.4. The configure command was:

CC=clang CFLAGS="-DFORTIFY_SOURCE=2 -fstack-protector-all -fsanitize=undefined,address -fno-omit-frame-pointer -g -Wno-error" ../configure --disable-shared --disable-gdb --disable-libdecnumber --disable-readline --disable-sim

To reproduce:
Download the attached file - bug_5
readelf -w bug_5
ASAN says:
==20954==ERROR: AddressSanitizer: heap-use-after-free on address 0x61700000fe00 at pc 0x54aa2e bp 0x7ffe965bcb50 sp 0x7ffe965bcb48
READ of size 8 at 0x61700000fe00 thread T0
    #0 0x54aa2d in target_specific_reloc_handling /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:11637
    #1 0x52e6dc in apply_relocations /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:12343
    #2 0x4846b5 in load_specific_debug_section /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:12905
    #3 0x564b4c in display_debug_section /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:13009
    #4 0x4e194f in process_section_contents /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:13091
    #5 0x48d610 in process_object /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:16780
    #6 0x488365 in process_file /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:17154
    #7 0x4855c3 in main /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:17225
    #8 0x7f019152bf44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #9 0x47ddfc in _start (/home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/readelf+0x47ddfc)

Comment 1 Sourceware Commits 2017-02-13 14:04:57 UTC

The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f84ce13b6708801ca1d6289b7c4003e2f5a6d7f9

commit f84ce13b6708801ca1d6289b7c4003e2f5a6d7f9
Author: Nick Clifton <nickc@redhat.com>
Date:   Mon Feb 13 14:03:22 2017 +0000

    Fix read-after-free error in readelf when processing multiple, relocated sections in an MSP430 binary.
    
    	PR binutils/21139
    	* readelf.c (target_specific_reloc_handling): Add num_syms
    	parameter.  Check for symbol table overflow before accessing
    	symbol value.  If reloc pointer is NULL, discard all saved state.
    	(apply_relocations): Pass num_syms to target_specific_reloc_handling.
    	Call target_specific_reloc_handling with a NULL reloc pointer
    	after processing all of the relocs.

Comment 2 Nick Clifton 2017-02-13 14:07:17 UTC

Hi Thuan,

  Thanks for reporting this bug.  I have checked in a patch to fix it.

  There were two problems here.  The first was that the target specific
  relocation processing code in readelf was not checking for an invalid
  symbol index in the relocation.  The second was that the code was 
  maintaining state across multiple invocations, resulting in the use of
  a stale pointer.

Cheers
  Nick

Comment 3 Nick Clifton 2017-02-13 14:08:25 UTC

*** Bug 21142 has been marked as a duplicate of this bug. ***

Comment 4 Nick Clifton 2017-02-13 14:09:10 UTC

*** Bug 21143 has been marked as a duplicate of this bug. ***

Comment 5 Nick Clifton 2017-02-13 14:10:12 UTC

*** Bug 21144 has been marked as a duplicate of this bug. ***

Comment 6 Nick Clifton 2017-02-13 14:11:07 UTC

*** Bug 21145 has been marked as a duplicate of this bug. ***

Comment 7 Nick Clifton 2017-02-13 16:54:16 UTC

*** Bug 21136 has been marked as a duplicate of this bug. ***

Comment 8 Thuan Pham 2017-04-13 06:06:31 UTC

This is CVE-2017-6966