Created attachment 10944 [details]
gprof ASAN executable, ASAN reports and crashing inputs

Dear all,

after reporting the following bugs to the Ubuntu security team (https://bugs.launchpad.net/ubuntu/+source/binutils/+bug/1763098), we were asked to report them directly to the binutils developers:

----------------------------------------------------

Dear all,

The following binutils gprof memory corruptions were found by a modified version of the kAFL fuzzer (https://github.com/RUB-SysSec/kAFL). I have attached the crashing inputs and each ASAN report.

Steps to reproduce:

Build the current version of binutils:

```
pull-lp-source binutils
cd binutils-2.30
CC=clang CXX=clang++ CFLAGS="-fsanitize=address -fsanitize-recover=address -ggdb" CXXFLAGS="-fsanitize=address -fsanitize-recover=address -ggdb" LDFLAGS="-fsanitize=address" ./configure
CC=clang CXX=clang++ CFLAGS="-fsanitize=address -fsanitize-recover=address -ggdb" CXXFLAGS="-fsanitize=address -fsanitize-recover=address -ggdb" LDFLAGS="-fsanitize=address" make
```

Run the inputs under ASAN:

```
ASAN_OPTIONS=halt_on_error=false:allow_addr2line=true ./gprof $file
```

We can verify those issues for gprof binutils-2.30-15ubuntu1 (Ubuntu 16.04.4 LTS / sources from "pull-lp-source binutils").

Credits: Sergej Schumilo, Cornelius Aschermann (both of Ruhr-Universität Bochum)

Best regards,
Sergej Schumilo
Hi Sergej,

Thanks for reporting these bugs. Unfortunately I cannot reproduce them. Are you sure that the command line is correct? When I run "gprof $file" I just get an error message: "not in executable format". I suspect that this is because I am running the tests on a 64-bit x86_64 host... Are you able to reproduce the failures in a 64-bit environment?

Also gprof normally needs a gmon.out file to go along with the executable, and this file is missing from the zip file you uploaded.

I suspect that the "global-buffer-overflow" failure has already been addressed by the fix for PR 23055. However the "heap-buffer-overflow" bug is in the gprof sources, and presumably still exists.

Cheers
Nick
Hi Nick,

yes, we can reproduce both ASAN reports on a 64-bit Linux environment (Ubuntu 16.04.2 LTS) using the attached 64-bit ASAN executable with only one command line argument (global-buffer-overflow or heap-overflow-0x0000004fae16). To reproduce our findings, you don't need an additional file or to pass an additional command line argument to gprof. The ASAN executable of gprof is based on the source files of binutils-2.30-15ubuntu1.

Cheers,
Sergej
Created attachment 10967 [details]
Proposed patch

Hi Sergej,

Well, unfortunately I am still unable to reproduce the failures. So we will have to resort to the slow method...

Please could you try out the uploaded patch which *might* fix the heap overflow bug.

Thanks.

Cheers
Nick
Hi Nick,

it seems that your patch has fixed the heap overflow bug (or at least the POC file does not reproduce the ASAN report anymore). I can also confirm that the patch for PR 23055 fixed the global buffer overflow.

Cheers,
Sergej
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=bf82069dce1b1a88560e5d7320342c78372b627e

commit bf82069dce1b1a88560e5d7320342c78372b627e
Author: Nick Clifton <nickc@redhat.com>
Date:   Mon Apr 23 12:52:42 2018 +0100

    Prevent an illegal memory access in gprof by ensuring that string tables for aout format files are always zero-terminated.

	PR 23056
	* aoutx.h (aout_get_external_symbols): Allocate an extra byte at
	the end of the string table, and zero it.
Patch applied.
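The fix recorded in the commit above is a small pattern that is easier to see in isolation: an a.out string table is loaded from the file as an opaque block of bytes, and a name is read from it by pointing at an offset and relying on a NUL byte that a crafted or truncated file need not contain. The following is an added C example, not binutils code: a minimal loader for an a.out-style string table (four-byte size word counting itself, followed by NUL-terminated names) that allocates one extra byte and zeroes it, together with an offset check of the kind the later aoutx.h/pdp11.c fixes describe. The sample table, its little-endian size word, the rejection of any size that does not cover the header word, and the function names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed sample: an a.out-style string table as it would be read from
 * the file. The first four bytes hold the table size (including the size
 * word itself); entries are NUL-terminated names. The final entry "foo" is
 * deliberately left WITHOUT its terminator, which is what a truncated or
 * crafted file can deliver. Little-endian layout is an assumption here.
 */
static const unsigned char sample_strtab[] = {
    0x0c, 0x00, 0x00, 0x00,        /* stringsize = 12 */
    'm', 'a', 'i', 'n', '\0',      /* offset 4: "main" */
    'f', 'o', 'o'                  /* offset 9: "foo", no terminator */
};

/*
 * Load a string table defensively. Mirrors the idea of the fix: allocate
 * stringsize + 1 bytes and zero the extra one, so a name that runs to the
 * very end of the table still ends inside the allocation. Returns NULL for
 * a size that does not cover the header word or exceeds the available data.
 */
static unsigned char *load_strtab(const unsigned char *data, size_t len,
                                  size_t *stringsize_out)
{
    uint32_t stringsize;
    unsigned char *strtab;

    if (len < 4)
        return NULL;
    stringsize = (uint32_t)data[0] | ((uint32_t)data[1] << 8) |
                 ((uint32_t)data[2] << 16) | ((uint32_t)data[3] << 24);
    if (stringsize < 4 || stringsize > len)
        return NULL;

    strtab = malloc((size_t)stringsize + 1);
    if (strtab == NULL)
        return NULL;
    memcpy(strtab, data, stringsize);
    strtab[stringsize] = '\0';          /* the extra, always-zero byte */
    *stringsize_out = stringsize;
    return strtab;
}

/*
 * Resolve a symbol's n_strx offset to a name. Offsets inside the size word
 * or at/after the end of the table are invalid and are rejected rather than
 * dereferenced. Because of the terminator added above, strlen() on a valid
 * return value can never run past the allocation.
 */
static const char *symbol_name(const unsigned char *strtab, size_t stringsize,
                               uint32_t n_strx)
{
    if (n_strx < 4 || n_strx >= stringsize)
        return NULL;
    return (const char *)strtab + n_strx;
}

int main(void)
{
    size_t size;
    unsigned char *strtab = load_strtab(sample_strtab, sizeof sample_strtab, &size);
    uint32_t offsets[] = { 4, 9, 2, 12 };
    size_t i;

    if (strtab == NULL) {
        puts("rejected string table");
        return 1;
    }
    for (i = 0; i < sizeof offsets / sizeof offsets[0]; i++) {
        const char *name = symbol_name(strtab, size, offsets[i]);
        if (name)
            printf("n_strx=%u -> \"%s\" (%zu bytes)\n", offsets[i], name, strlen(name));
        else
            printf("n_strx=%u -> invalid offset\n", offsets[i]);
    }
    free(strtab);
    return 0;
}
```

Without the extra byte, `symbol_name(strtab, size, 9)` returns a pointer to "foo" whose `strlen` walks off the end of the heap block, which is exactly the shape of the heap-buffer-overflow ASAN report in this thread; with it, the walk stops at `strtab[stringsize]`. The offset check is a separate guard: a zero byte at the end does nothing for an `n_strx` that already points past the table.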
The master branch has been updated by Stephen Casner <slcasner@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=31af1e68af26f5cae209de3530d0455b8a944b2d

commit 31af1e68af26f5cae209de3530d0455b8a944b2d
Author: Stephen Casner <casner@acm.org>
Date:   Wed Jun 3 17:43:45 2020 -0700

    Copy several years of fixes from bfd/aoutx.h to bfd/pdp11.c.

	* pdp11.c (some_aout_object_p): 4c1534c7a2a - Don't set EXEC_P for
	files with relocs.
	(aout_get_external_symbols): 6b8f0fd579d - Return if count is zero.
	0301ce1486b PR 22306 - Handle stringsize of zero, and error for any
	other size that doesn't cover the header word.
	bf82069dce1 PR 23056 - Allocate an extra byte at the end of the
	string table, and zero it.
	(translate_symbol_table): 0d329c0a83a PR 22887 - Print an error
	message and set bfd_error on finding an invalid name string offset.
	(add_to_stringtab): INLINE -> inline
	(pdp11_aout_swap_reloc_in): 116acb2c268 PR 22887 - Correct r_index
	bound check.
	(squirt_out_relocs): e2996cc315d PR 20921 - Check for and report
	any relocs that could not be recognised.
	92744f05809 PR 20929 - Check for relocs without an associated symbol.
	(find_nearest_line): 808346fcfcf PR 23055 - Check that the symbol
	name exists and is long enough, before attempting to see if it is
	for a .o file.
	c3864421222 - Correct case for N_SO being the last symbol.
	50455f1ab29 PR 20891 - Handle the case where the main file name
	and the directory name are both empty.
	e82ab856bb4 PR 20892 - Handle the case where function name is empty.
	(aout_link_add_symbols): e517df3dbf7 PR 19629 - Check for out of
	range string table offsets.
	531336e3a0b PR 20909 - Fix off-by-one error in check for an
	illegal string offset.
	(aout_link_includes_newfunc): Add comment.
	(pdp11_aout_link_input_section): ad756e3f9e6 - Return with an error
	on unexpected relocation type rather than ASSERT.