Bug 22788 - AddressSanitizer: SEGV /home/ubuntu/binutils/binutils_git/binutils-gdb/bfd/libbfd.c:558 bfd_getl32
Summary: AddressSanitizer: SEGV /home/ubuntu/binutils/binutils_git/binutils-gdb/bfd/li...
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils
Version: 2.30
: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
Depends on:
Reported: 2018-02-05 11:26 UTC by JayZhang
Modified: 2018-03-31 12:37 UTC (History)
2 users

See Also:
Last reconfirmed:

the crafted file generated by afl (2.32 KB, application/x-executable)
2018-02-05 11:26 UTC, JayZhang
Proposed patch (253 bytes, patch)
2018-02-06 17:14 UTC, Nick Clifton

Description JayZhang 2018-02-05 11:26:20 UTC
Created attachment 10784 [details]
the crafted file generated by afl

A crafted ELF file can lead to a SEGV in function /binutils/binutils_git/binutils-gdb/bfd/libbfd.c:558 bfd_getl32;
The crafted ELF file was found by the fuzzing tool afl;
Tests in version 2.30 and commit 0eb876f52f348ff08be24bca6cbca00e302839b2 both worked;

root@ubuntu:/home/ubuntu/binutils/binutils_git/binutils-gdb# binutils/objdump -x crashes/id:000025,sig:06,src:000072,op:int32,pos:6216,val:be:+16
==869==ERROR: AddressSanitizer: SEGV on unknown address 0x14500b88 (pc 0x08275e3b bp 0x14500b8b sp 0xffe1f7a0 T0)
    #0 0x8275e3a in bfd_getl32 /home/ubuntu/binutils/binutils_git/binutils-gdb/bfd/libbfd.c:558
    #1 0x83499b5 in elf_parse_notes /home/ubuntu/binutils/binutils_git/binutils-gdb/bfd/elf.c:11024
    #2 0x836d9a1 in _bfd_elf_make_section_from_shdr /home/ubuntu/binutils/binutils_git/binutils-gdb/bfd/elf.c:1098
    #3 0x8361481 in _bfd_elf_make_section_from_shdr /home/ubuntu/binutils/binutils_git/binutils-gdb/bfd/elf.c:988
    #4 0x8361481 in bfd_section_from_shdr /home/ubuntu/binutils/binutils_git/binutils-gdb/bfd/elf.c:2443
    #5 0x85575dd in bfd_elf32_object_p /home/ubuntu/binutils/binutils_git/binutils-gdb/bfd/elfcode.h:805
    #6 0x826abfb in bfd_check_format_matches /home/ubuntu/binutils/binutils_git/binutils-gdb/bfd/format.c:311
    #7 0x806af3e in display_object_bfd objdump.c:3663
    #8 0x806af3e in display_any_bfd objdump.c:3754
    #9 0x8056dab in display_file objdump.c:3775
    #10 0x8056dab in main objdump.c:4077
    #11 0xf70a7636 in __libc_start_main (/lib32/libc.so.6+0x18636)
    #12 0x8059cfb  (/home/ubuntu/binutils/binutils_git/binutils-gdb/binutils/objdump+0x8059cfb)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/ubuntu/binutils/binutils_git/binutils-gdb/bfd/libbfd.c:558 bfd_getl32
root@ubuntu:/home/ubuntu/binutils/binutils_git/binutils-gdb# git show
commit 0eb876f52f348ff08be24bca6cbca00e302839b2

For the crafted file, please check the attachment;
Please forgive me for my bad English. ^_^
Comment 1 Nick Clifton 2018-02-06 17:14:56 UTC
Created attachment 10792 [details]
Proposed patch

Hi JayZhang,

  Thanks for reporting this bug.  I am unable to reproduce the actual failure,
  but I think that this is because I cannot build a 32-bit toolchain with
  address sanitization enabled.  (This is a failure with my build environment,
  not the binutils).

  In the meantime though, please could you try out the uploaded patch and let
  me know if it fixes the problem.  Thanks.

Comment 2 JayZhang 2018-02-08 03:51:18 UTC
Hi Nick,
   The patch you provided fixed the problem. Good job!
   I tried to read the code of elf_parse_notes() and analyze the crafted file's structure, and found that the value of sh_addralign is 2^28. So, is it the invalid sh_addralign value that leads to an out-of-bounds read?
   Best Regards
Comment 3 cvs-commit@gcc.gnu.org 2018-02-08 10:30:03 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:


commit ef135d4314fd4c2d7da66b9d7b59af4a85b0f7e6
Author: Nick Clifton <nickc@redhat.com>
Date:   Thu Feb 8 10:28:25 2018 +0000

    Fix a seg-fault in the ELF note parser when a note with an excessively large alignment is encountered.
    	PR 22788
    	* elf.c (elf_parse_notes): Reject notes with excessively large
Comment 4 Nick Clifton 2018-02-08 10:31:40 UTC
Hi JayZhang,

  Exactly right.  The ELF note parsing code was not expecting such a large
  alignment, and that caused it to attempt to read beyond the end of the
  buffer containing the note.

  I have checked in the patch, so the problem should now be fixed.
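  A defensive version of the note walk described above, added here as an example (it is not binutils code, and the names parse_notes, skip_field, rd32 and sample_notes are my own): every read is bounds-checked first, and alignments other than the 4 or 8 the ELF spec allows are refused up front, so an sh_addralign of 2^28 is rejected instead of pushing the read offset past the end of the buffer. The sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Little-endian 32-bit read, like bfd_getl32 but only ever called after a
   bounds check (added example, not binutils code). */
static uint32_t rd32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Advance *off past a field of sz bytes padded to 'align'. Fails if the
   field, or its padding, would run past the end of the buffer. */
static int skip_field(size_t *off, size_t len, size_t sz, size_t align)
{
    size_t remaining = len - *off;
    if (sz > remaining)
        return -1;
    size_t padded = (sz + align - 1) & ~(align - 1); /* no overflow: sz <= len */
    if (padded > remaining)
        return -1;
    *off += padded;
    return 0;
}

/* Walk a buffer of ELF notes (namesz, descsz, type, name, desc) and return
   how many were found, or -1 if the buffer is malformed. */
int parse_notes(const unsigned char *buf, size_t len, size_t align)
{
    /* The ELF spec only allows 4- or 8-byte note alignment. Rejecting
       anything else stops a huge sh_addralign (the 2^28 in the crafted
       file) from ever being used to compute a padding offset. */
    if (align != 4 && align != 8)
        return -1;
    size_t off = 0;
    int count = 0;
    while (off < len) {
        if (len - off < 12)           /* header must fit before it is read */
            return -1;
        uint32_t namesz = rd32(buf + off);
        uint32_t descsz = rd32(buf + off + 4);
        off += 12;                    /* skip namesz, descsz, type */
        if (skip_field(&off, len, namesz, align) < 0 ||
            skip_field(&off, len, descsz, align) < 0)
            return -1;
        count++;
    }
    return count;
}

/* Constructed sample: two well-formed little-endian notes, 4-byte aligned. */
const unsigned char sample_notes[] = {
    4,0,0,0, 16,0,0,0, 1,0,0,0, 'G','N','U',0,               /* name "GNU", 16-byte desc */
    0,0,0,0, 3,0,0,0, 2,0,0,0, 0,0,0,0,
    5,0,0,0, 4,0,0,0, 0x10,0,0,0, 'C','O','R','E',0, 0,0,0,  /* "CORE" padded to 8 */
    0xde,0xad,0xbe,0xef,
};
const size_t sample_notes_len = sizeof sample_notes;
```

Passing a truncated length (for example 20 bytes) fails on the second field instead of reading past the buffer, which is the check the crafted file's alignment had bypassed.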

Comment 5 JayZhang 2018-02-09 03:41:52 UTC
Hi Nick,
   I have checked commit ef135d4314fd4c2d7da66b9d7b59af4a85b0f7e6, and found the patch worked.
   Can we close the issue now and make it public?
      Best Regards
Comment 6 cvs-commit@gcc.gnu.org 2018-02-09 09:30:13 UTC
The binutils-2_30-branch branch has been updated by Nick Clifton <nickc@sourceware.org>:


commit d895ef77ffc94e02e748856c2ab54f5bb8cc867e
Author: Nick Clifton <nickc@redhat.com>
Date:   Fri Feb 9 09:28:45 2018 +0000

    Import patch from mainline to fix possible seg-fault whilst parsing corrupt ELF notes with extravagant alignments.
    	PR 22788
    	* elf.c (elf_parse_notes): Reject notes with excessively large
Comment 7 Nick Clifton 2018-02-09 09:33:20 UTC
    Hi JayZhang,

    >    Can we close the issue now and make it public?

    Already done. :-)

    The fix is available in the binutils development sources and on the 2.30 branch.
    It will be in the next official release (either 2.30.1 or 2.31) whenever that happens.