Bug 22794 - Unchecked strnlen operation in bfd_get_debug_link_info_1 (./src/bfd/opncls.c)
Status: RESOLVED FIXED
Product: binutils
Component: binutils
Version: 2.30
Importance: P2 normal
Assignee: Not yet assigned to anyone
Reported: 2018-02-06 08:43 UTC by probefuzzer
Modified: 2018-03-31 12:39 UTC

Description probefuzzer 2018-02-06 08:43:44 UTC
(this issue is discovered when UBSAN is enabled)

On version 2.30.51.20180206 and master branch of binutils:
there is an unchecked strnlen operation, which could be triggered by the POC below. 

As shown in line 1201, the first parameter ("name") of strnlen could be manipulated by the input file. When "name" is NULL and the second parameter is larger than NULL, the program would fail with a segmentation fault.

   1174 static char *
   1175 bfd_get_debug_link_info_1 (bfd *abfd, void *crc32_out)
   1176 {
   1199   name = (char *) contents;
   1200   /* PR 17597: avoid reading off the end of the buffer.  */
   1201   crc_offset = strnlen (name, bfd_get_section_size (sect)) + 1;
   1202   crc_offset = (crc_offset + 3) & ~3;
   1208 }

./src/bfd/opncls.c:1201:16: runtime error: null pointer passed as argument 1, which is declared to never be null

To reproduce the issue, run: ./bin/nm -A -a -l -S -s --special-syms --synthetic --with-symbol-versions -D $POC

POC: https://github.com/ProbeFuzzer/poc/blob/master/binutils/binutils_2-30-51_nm_unchecked_strlen_bfd_get_debug_link_info_1
Comment 1 Sourceware Commits 2018-02-06 15:49:49 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=64e234d417d5685a4aec0edc618114d9991c031b

commit 64e234d417d5685a4aec0edc618114d9991c031b
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Feb 6 15:48:29 2018 +0000

    Prevent attempts to call strncpy with a zero-length field by checking the size of debuglink sections.
    
    	PR 22794
    	* opncls.c (bfd_get_debug_link_info_1): Check the size of the
    	section before attempting to read it in.
    	(bfd_get_alt_debug_link_info): Likewise.
Comment 2 Nick Clifton 2018-02-06 15:51:37 UTC
Thanks for reporting this bug.

I have applied a small patch to check the size of the debuglink sections before attempting to load their contents.

Cheers
  Nick
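
An added illustration (not the binutils patch and not code from this report) of the kind of check Comment 2 describes: validate a .gnu_debuglink section's pointer and size before scanning for the file name and reading the CRC. The function name debuglink_parse, the little-endian CRC read and the sample bytes are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not a binutils function.  Layout assumed for the
   section: NUL-terminated file name, zero padding to a 4-byte boundary,
   4-byte CRC32 (read little-endian here; BFD uses the file's byte order).
   Returns 0 on success, -1 if the section must be rejected.  */
static int
debuglink_parse (const unsigned char *contents, size_t size,
                 const char **name_out, uint32_t *crc_out)
{
  const unsigned char *nul;
  size_t crc_offset;

  /* Size first: a section with no data may leave CONTENTS NULL (the crash
     reported here).  8 = one-char name + NUL + 2 pad bytes + 4-byte CRC.  */
  if (contents == NULL || size < 8)
    return -1;

  /* memchr is the ISO C form of the bounded strnlen scan.  */
  nul = memchr (contents, '\0', size);
  if (nul == NULL || nul == contents)   /* unterminated or empty name */
    return -1;

  crc_offset = ((size_t) (nul - contents) + 1 + 3) & ~(size_t) 3;
  if (crc_offset > size - 4)            /* CRC would lie past the end */
    return -1;

  *name_out = (const char *) contents;
  *crc_out = (uint32_t) contents[crc_offset]
             | (uint32_t) contents[crc_offset + 1] << 8
             | (uint32_t) contents[crc_offset + 2] << 16
             | (uint32_t) contents[crc_offset + 3] << 24;
  return 0;
}

/* Constructed sample: "a.debug" + NUL (8 bytes, aligned) + CRC bytes.  */
static const unsigned char sample[] =
  { 'a', '.', 'd', 'e', 'b', 'u', 'g', 0, 0x78, 0x56, 0x34, 0x12 };

int main (void)
{
  const char *name = NULL; uint32_t crc = 0;
  if (debuglink_parse (sample, sizeof sample, &name, &crc) == 0)
    printf ("%s crc=%08x\n", name, (unsigned) crc);
  printf ("empty section -> %d\n", debuglink_parse (NULL, 0, &name, &crc));
  return 0;
}
```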