23054 – Multiple memory corruption in as-new (binuitils-2.30-15ubuntu1)

Bug 23054 - Multiple memory corruption in as-new (binuitils-2.30-15ubuntu1)

Summary: Multiple memory corruption in as-new (binuitils-2.30-15ubuntu1)

Status:	RESOLVED FIXED

Alias:	None

Product:	binutils
Classification:	Unclassified
Component:	gas (show other bugs)
Version:	2.30

Importance:	P2 normal
Target Milestone:	---
Assignee:	Not yet assigned to anyone

URL:
Keywords:

Depends on:
Blocks:

Reported:	2018-04-13 13:15 UTC by Sergej Schumilo
Modified:	2018-04-16 15:44 UTC (History)
CC List:	1 user (show)

See Also:
Host:
Target:
Build:
Last reconfirmed:

Attachments
as-new executable, ASAN reports and crashing inputs (4.21 MB, application/zip) 2018-04-13 13:15 UTC, Sergej Schumilo	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sergej Schumilo 2018-04-13 13:15:27 UTC

Created attachment 10942 [details]
as-new executable, ASAN reports and crashing inputs

Dear all,
after reporting the following bugs to the Ubuntu security team (https://bugs.launchpad.net/ubuntu/+source/binutils/+bug/1763096), we were ask to report them directly to the binutils developers: 

----------------------------------------------------

Dear all,
The following binutils as-new memory corruptions were found by a modified version of the kAFL fuzzer (https://github.com/RUB-SysSec/kAFL). I have attached the crashing inputs and each ASAN report.

Steps to reproduce:

Build current verison of binutils:
```
pull-lp-source binutils
cd binutils-2.30
CC=clang CXX=clang++ CFLAGS="-fsanitize=address -fsanitize-recover=address -ggdb" CXXFLAGS="-fsanitize=address -fsanitize-recover=address -ggdb" LDFLAGS="-fsanitize=address" ./configure
CC=clang CXX=clang++ CFLAGS="-fsanitize=address -fsanitize-recover=address -ggdb" CXXFLAGS="-fsanitize=address
-fsanitize-recover=address -ggdb" LDFLAGS="-fsanitize=address" make
```

run inputs under ASAN:

```
ASAN_OPTIONS=halt_on_error=false:allow_addr2line=true ./as-new $file
```

We can verify those issues for as-new binuitils-2.30-15ubuntu1 (Ubuntu 16.04.4 LTS / sources from "pull-lp-source bintuils").

Credits: Sergej Schumilo, Cornelius Aschermann (both of Ruhr-Universität Bochum)

Best regards,
Sergej Schumilo

Comment 1 Sourceware Commits 2018-04-16 15:40:32 UTC

The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=c77852c8916415b089e56271b6ab9f793fdb413c

commit c77852c8916415b089e56271b6ab9f793fdb413c
Author: Nick Clifton <nickc@redhat.com>
Date:   Mon Apr 16 16:39:15 2018 +0100

    Fix illegal memory accesses in the assembler when attempting to parse corrup tinput files.
    
    	PR 23054
    	* cond.c (s_ifsef): Replace use of obstack_copy with obstack_alloc
    	followed by memcpy.
    	(s_if, s_ifb, s_ifc, s_ifeqs): Likewise.
    	* obj-elf.c (elf_adjust_symtab): Check for local symbols before
    	attempting to dereference the sy_next field of a symbol.
    	* stabs.c (get_stab_string_offset): Fail if there is no string
    	following the stab directive.

Comment 2 Nick Clifton 2018-04-16 15:44:54 UTC

Hi Sergej,

  Thanks for reporting these problems.  I have checked in a patch which
  I believe will address all of the bugs you found, but please let me
  know if you find that the fix does not work for you.

Cheers
  Nick