Created attachment 9806 [details]
This bug was found with AFLGo, a directed version of AFL/AFLFast. Thanks also to Marcel Böhme.
This bug was found on Ubuntu 14.04 64-bit & binutils was checkout from main repository at git://sourceware.org/git/binutils-gdb.git. Its commit is 53f7e8ea7fad1fcff1b58f4cbd74e192e0bcbc1d (Fri Feb 10 00:00:16 2017)
binutils was built with ASAN using gcc-6.2 and clang-3.4. The configure command was:
CC=clang CFLAGS="-DFORTIFY_SOURCE=2 -fstack-protector-all -fsanitize=undefined,address -fno-omit-frame-pointer -g -Wno-error" ../configure --disable-shared --disable-gdb --disable-libdecnumber --disable-readline --disable-sim
Download the attached file - bug_5
readelf -w bug_5
==20954==ERROR: AddressSanitizer: heap-use-after-free on address 0x61700000fe00 at pc 0x54aa2e bp 0x7ffe965bcb50 sp 0x7ffe965bcb48
READ of size 8 at 0x61700000fe00 thread T0
#0 0x54aa2d in target_specific_reloc_handling /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:11637
#1 0x52e6dc in apply_relocations /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:12343
#2 0x4846b5 in load_specific_debug_section /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:12905
#3 0x564b4c in display_debug_section /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:13009
#4 0x4e194f in process_section_contents /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:13091
#5 0x48d610 in process_object /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:16780
#6 0x488365 in process_file /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:17154
#7 0x4855c3 in main /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/readelf.c:17225
#8 0x7f019152bf44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
#9 0x47ddfc in _start (/home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/readelf+0x47ddfc)
The master branch has been updated by Nick Clifton <email@example.com>:
Author: Nick Clifton <firstname.lastname@example.org>
Date: Mon Feb 13 14:03:22 2017 +0000
Fix read-after-free error in readelf when processing multiple, relocated sections in an MSP430 binary.
* readelf.c (target_specific_reloc_handling): Add num_syms
parameter. Check for symbol table overflow before accessing
symbol value. If reloc pointer is NULL, discard all saved state.
(apply_relocations): Pass num_syms to target_specific_reloc_handling.
Call target_specific_reloc_handling with a NULL reloc pointer
after processing all of the relocs.
Thanks for reporting this bug. I have checked in a patch to fix it.
There were two problems here. The first was that the target specific
relocation processing code in readelf was not checking for an invalid
symbol index in the relocation. The second was that the code was
maintaining state across multiple invocations, resulting in the use of
a stale pointer.
*** Bug 21142 has been marked as a duplicate of this bug. ***
*** Bug 21143 has been marked as a duplicate of this bug. ***
*** Bug 21144 has been marked as a duplicate of this bug. ***
*** Bug 21145 has been marked as a duplicate of this bug. ***
*** Bug 21136 has been marked as a duplicate of this bug. ***
This is CVE-2017-6966