(this issue is discovered when UBSAN is enabled)
On version 188.8.131.5280206 and master branch of binutils:
there is an unchecked strnlen operation, which could be triggered by the POC below.
As shown in line 1201, the first parameter ("name") of strnlen could be manipulated by the input file. When "name" is NULL and the second parameter is larger than NULL, the program would fail with segmentation fault.
1174 static char *
1175 bfd_get_debug_link_info_1 (bfd *abfd, void *crc32_out)
1199 name = (char *) contents;
1200 /* PR 17597: avoid reading off the end of the buffer. */
1201 crc_offset = strnlen (name, bfd_get_section_size (sect)) + 1;
1202 crc_offset = (crc_offset + 3) & ~3;
./src/bfd/opncls.c:1201:16: runtime error: null pointer passed as argument 1, which is declared to never be null
To reproduce the issue, run: ./bin/nm -A -a -l -S -s --special-syms --synthetic --with-symbol-versions -D $POC
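The failure above comes from handing strnlen the contents of an empty .gnu_debuglink section, where "contents" is NULL. As an added example (not bfd's code), here is a bounds-checked reader for that section layout (NUL-terminated name, padding to a 4-byte boundary, 32-bit CRC) that applies the size check the fix introduces, plus the two other checks a parser of this format needs; the sample buffers are constructed and the CRC is assumed little-endian.

```c
#define _POSIX_C_SOURCE 200809L
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Returns 0 and fills name_out/crc_out on success, -1 on any malformed
   section.  Names and sample data below are hypothetical. */
int parse_debuglink (const unsigned char *contents, size_t size,
                     const char **name_out, uint32_t *crc_out)
{
  size_t name_len, crc_offset;

  /* The check the fix adds: an absent or zero-length section carries no
     name, and strnlen () must never see a NULL pointer (the UBSAN report). */
  if (contents == NULL || size == 0)
    return -1;

  /* strnlen () never reads past 'size'; if no NUL is found in the section
     the name is unterminated and must not be used as a C string. */
  name_len = strnlen ((const char *) contents, size);
  if (name_len == size)
    return -1;

  /* Skip the NUL and round up to the 4-byte aligned CRC field, then make
     sure the section is actually large enough to hold those 4 bytes. */
  crc_offset = (name_len + 1 + 3) & ~(size_t) 3;
  if (size < 4 || crc_offset > size - 4)
    return -1;

  *name_out = (const char *) contents;
  *crc_out = (uint32_t) contents[crc_offset]
           | (uint32_t) contents[crc_offset + 1] << 8
           | (uint32_t) contents[crc_offset + 2] << 16
           | (uint32_t) contents[crc_offset + 3] << 24;
  return 0;
}

/* Constructed sample section contents (not taken from any real binary). */
static const unsigned char good_dbglink[16] = {
  'f', 'o', 'o', '.', 'd', 'e', 'b', 'u', 'g', 0, 0, 0, /* name + pad */
  0x78, 0x56, 0x34, 0x12 };                             /* CRC 0x12345678 */
static const unsigned char unterminated_dbglink[3] = { 'a', 'b', 'c' };
static const unsigned char truncated_dbglink[4] = { 'a', 'b', 0, 0 };
```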
The master branch has been updated by Nick Clifton <firstname.lastname@example.org>:
Author: Nick Clifton <email@example.com>
Date: Tue Feb 6 15:48:29 2018 +0000
Prevent attempts to call strncpy with a zero-length field by checking the size of debuglink sections.
* opncls.c (bfd_get_debug_link_info_1): Check the size of the
section before attempting to read it in.
Thanks for reporting this bug.
I have applied a small patch to check the size of the debuglink sections before attempting to load their contents.