Created attachment 10016 [details]
Crashing input

Dear All,

This bug was found with AFLGo, a directed version of AFL/AFLFast. Thanks also to Marcel Böhme and Van-Thuan Pham.

This bug was found on Ubuntu 14.04 64-bit & binutils was checked out from main repository at git://sourceware.org/git/binutils-gdb.git. Its commit is a49abe0bb18e04d3a4b692995fcfae70cd470775 (Tue Apr 25 00:00:36 2017).

binutils was built with ASAN using gcc-6.2 and clang-3.4. The configure command was:

CC=clang CFLAGS="-DFORTIFY_SOURCE=2 -fstack-protector-all -fsanitize=undefined,address -fno-omit-frame-pointer -g -Wno-error" ../configure --disable-shared --disable-gdb --disable-libdecnumber --disable-readline --disable-sim

To reproduce:

Download the attached file - bug_2

objcopy --compress-debug-section bug_2

ASAN says:

==51590==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f7ff19be7db bp 0x000000000bba sp 0x7ffec363a3d8 T0)
    #0 0x7f7ff19be7da /build/eglibc-MjiXCM/eglibc-2.19/string/../sysdeps/x86_64/multiarch/../memcpy.S:270
    #1 0x7f7ff19a6322 in __GI__IO_file_xsgetn /build/eglibc-MjiXCM/eglibc-2.19/libio/fileops.c:1387
    #2 0x7f7ff199b86e in fread /build/eglibc-MjiXCM/eglibc-2.19/libio/iofread.c:42
    #3 0x100e98d in cache_bread_1 /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/cache.c:337:11
    #4 0x100d2ed in cache_bread /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/cache.c:371:21
    #5 0x6b92df in bfd_bread /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/bfdio.c:196:13
    #6 0x6e0c2b in _bfd_generic_get_section_contents /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/libbfd.c:813:10
    #7 0x6f998a in bfd_get_section_contents /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/section.c:1619:10
    #8 0x6c7a3c in bfd_init_section_compress_status /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/compress.c:561:8
    #9 0x868dba in _bfd_elf_make_section_from_shdr /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/elf.c:1164:9
    #10 0x88f6cb in bfd_section_from_shdr /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/elf.c:2013:13
    #11 0x827b18 in bfd_elf64_object_p /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/elfcode.h:805:7
    #12 0x6ca22f in bfd_check_format_matches /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/format.c:253:20
    #13 0x6c9148 in bfd_check_format /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/format.c:94:10
    #14 0x6799c4 in bfd_generic_archive_p /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/archive.c:887:8
    #15 0x6caccc in bfd_check_format_matches /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/format.c:311:14
    #16 0x6c9148 in bfd_check_format /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/format.c:94:10
    #17 0x4fdba1 in copy_file /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/../../binutils/objcopy.c:3286:7
    #18 0x4fb9e9 in copy_main /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/../../binutils/objcopy.c:5266:3
    #19 0x4f4064 in main /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/../../binutils/objcopy.c:5367:5
    #20 0x7f7ff194ef44 in __libc_start_main /build/eglibc-MjiXCM/eglibc-2.19/csu/libc-start.c:287
    #21 0x41b635 in _start (/home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/objcopy+0x41b635)

SUMMARY: AddressSanitizer: SEGV /build/eglibc-MjiXCM/eglibc-2.19/string/../sysdeps/x86_64/multiarch/../memcpy.S:270

VALGRIND says:

==151260== Invalid write of size 8
==151260==    at 0x4C2FD73: __GI_memcpy (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==151260==    by 0x50B4322: _IO_file_xsgetn (fileops.c:1387)
==151260==    by 0x50A986E: fread (iofread.c:42)
==151260==    by 0x4AF987: fread (stdio2.h:295)
==151260==    by 0x4AF987: cache_bread_1 (cache.c:337)
==151260==    by 0x4AF987: cache_bread (cache.c:371)
==151260==    by 0x42C001: bfd_bread (bfdio.c:196)
==151260==    by 0x42EC8B: _bfd_generic_get_section_contents (libbfd.c:813)
==151260==    by 0x42CF1B: bfd_init_section_compress_status (compress.c:561)
==151260==    by 0x448E2D: _bfd_elf_make_section_from_shdr (elf.c:1164)
==151260==    by 0x4475B7: bfd_section_from_shdr (elf.c:2509)
==151260==    by 0x443443: bfd_elf64_object_p (elfcode.h:805)
==151260==    by 0x42D77C: bfd_check_format_matches (format.c:253)
==151260==    by 0x4274FA: bfd_generic_archive_p (archive.c:887)
==151260==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==151260==
==151260==
==151260== Process terminating with default action of signal 11 (SIGSEGV)
==151260==  Access not within mapped region at address 0x0
==151260==    at 0x4C2FD73: __GI_memcpy (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==151260==    by 0x50B4322: _IO_file_xsgetn (fileops.c:1387)
==151260==    by 0x50A986E: fread (iofread.c:42)
==151260==    by 0x4AF987: fread (stdio2.h:295)
==151260==    by 0x4AF987: cache_bread_1 (cache.c:337)
==151260==    by 0x4AF987: cache_bread (cache.c:371)
==151260==    by 0x42C001: bfd_bread (bfdio.c:196)
==151260==    by 0x42EC8B: _bfd_generic_get_section_contents (libbfd.c:813)
==151260==    by 0x42CF1B: bfd_init_section_compress_status (compress.c:561)
==151260==    by 0x448E2D: _bfd_elf_make_section_from_shdr (elf.c:1164)
==151260==    by 0x4475B7: bfd_section_from_shdr (elf.c:2509)
==151260==    by 0x443443: bfd_elf64_object_p (elfcode.h:805)
==151260==    by 0x42D77C: bfd_check_format_matches (format.c:253)
==151260==    by 0x4274FA: bfd_generic_archive_p (archive.c:887)
Created attachment 10017 [details]
Another crashing input
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e63d123268f23a4cbc45ee55fb6dbc7d84729da3

commit e63d123268f23a4cbc45ee55fb6dbc7d84729da3
Author: Nick Clifton <nickc@redhat.com>
Date:   Wed Apr 26 13:07:49 2017 +0100

    Fix seg-fault attempting to compress a debug section in a corrupt binary.

    PR binutils/21431
    * compress.c (bfd_init_section_compress_status): Check the return
    value from bfd_malloc.
Hi Manh-Dung,

Thanks for reporting this problem. I have checked in a small patch to fix the bug. It was a simple matter of not checking the return from a call to malloc() to see if memory had actually been allocated.

Cheers
Nick
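Added example, not code from binutils or from this report: a minimal C stand-in for the section-contents read path in the traces, showing the unchecked allocation pattern beside the form the fix describes. FAKE_FILE, fake_bread and both get_contents_* functions are constructed here; fake_bread plays the role of bfd_bread, so a NULL buffer reaches memcpy just as in frame #0 of the ASAN and Valgrind output.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the object file being read; not the attached input. */
static const unsigned char FAKE_FILE[16] = {
    0x7f, 'E', 'L', 'F', 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12
};

/* Stand-in for bfd_bread: copy up to `size` bytes at `off` into `buf`.
 * Like fread it trusts `buf`; a NULL buffer ends in memcpy, which is
 * frame #0 in both traces above. */
static size_t fake_bread(size_t off, void *buf, size_t size)
{
    if (off >= sizeof FAKE_FILE)
        return 0;
    size_t avail = sizeof FAKE_FILE - off;
    if (size > avail)
        size = avail;
    memcpy(buf, FAKE_FILE + off, size);
    return size;
}

/* Shape of the original code: a corrupt header with an absurd section size
 * makes malloc return NULL, and the read then writes through it. */
unsigned char *get_contents_unchecked(size_t off, size_t size)
{
    unsigned char *buf = malloc(size);
    fake_bread(off, buf, size);   /* no NULL check: the bug */
    return buf;
}

/* Hardened version: fails cleanly when the allocation or the read fails.
 * On success returns true and hands back an owned buffer of `size` bytes. */
bool get_contents_checked(size_t off, size_t size,
                          unsigned char **out, size_t *got)
{
    *out = NULL; *got = 0;
    unsigned char *buf = size ? malloc(size) : NULL;
    if (buf == NULL)              /* the check the fix adds */
        return false;
    size_t n = fake_bread(off, buf, size);
    if (n != size) {              /* short read: header lied about size */
        free(buf);
        return false;
    }
    *out = buf; *got = n;
    return true;
}
```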
Thanks Nick. This is CVE-2017-8395.