Created attachment 10944 [details]
gprof ASAN executable, ASAN reports and crashing inputs
After reporting the following bugs to the Ubuntu security team (https://bugs.launchpad.net/ubuntu/+source/binutils/+bug/1763098), we were asked to report them directly to the binutils developers:
The following binutils gprof memory corruptions were found by a modified version of the kAFL fuzzer (https://github.com/RUB-SysSec/kAFL). I have attached the crashing inputs and each ASAN report.
Steps to reproduce:
Build the current version of binutils:
CC=clang CXX=clang++ CFLAGS="-fsanitize=address -fsanitize-recover=address -ggdb" CXXFLAGS="-fsanitize=address -fsanitize-recover=address -ggdb" LDFLAGS="-fsanitize=address" ./configure
CC=clang CXX=clang++ CFLAGS="-fsanitize=address -fsanitize-recover=address -ggdb" CXXFLAGS="-fsanitize=address -fsanitize-recover=address -ggdb" LDFLAGS="-fsanitize=address" make
Run inputs under ASAN:
ASAN_OPTIONS=halt_on_error=false:allow_addr2line=true ./gprof $file
We can verify those issues for gprof binutils-2.30-15ubuntu1 (Ubuntu 16.04.4 LTS / sources from "pull-lp-source binutils").
Credits: Sergej Schumilo, Cornelius Aschermann (both of Ruhr-Universität Bochum)
Thanks for reporting these bugs. Unfortunately I cannot reproduce them.
Are you sure that the command line is correct? When I run "gprof $file"
I just get an error message: "not in executable format". I suspect that
this is because I am running the tests on a 64-bit x86_64 host... Are you
able to reproduce the failures in a 64-bit environment?
Also gprof normally needs a gmon.out file to go along with the executable,
and this file is missing from the zip file you uploaded.
I suspect that the "global-buffer-overflow" failure has already been
addressed by the fix for PR 23055. However the "heap-buffer-overflow"
bug is in the gprof sources, and presumably still exists.
Yes, we can reproduce both ASAN reports on a 64-bit Linux environment (Ubuntu 16.04.2 LTS) using the attached 64-bit ASAN executable with only one command line argument (global-buffer-overflow or heap-overflow-0x0000004fae16). To reproduce our findings, you don't need an additional file or to pass an additional command line argument to gprof. The ASAN executable of gprof is based on the source files of binutils-2.30-15ubuntu1.
Created attachment 10967 [details]
Well unfortunately I am still unable to reproduce the failures. So we will
have to resort to the slow method...
Please could you try out the uploaded patch which *might* fix the heap
overflow bug. Thanks.
It seems that your patch has fixed the heap overflow bug (or at least the PoC file no longer reproduces the ASAN report).
I can also confirm that the patch for PR 23055 fixed the global buffer overflow.
The master branch has been updated by Nick Clifton <email@example.com>:
Author: Nick Clifton <firstname.lastname@example.org>
Date: Mon Apr 23 12:52:42 2018 +0100
Prevent an illegal memory access in gprof by ensuring that string tables for aout format files are always zero-terminated.
* aoutx.h (aout_get_external_symbols): Allocate an extra byte at
the end of the string table, and zero it.
The master branch has been updated by Stephen Casner <email@example.com>:
Author: Stephen Casner <firstname.lastname@example.org>
Date: Wed Jun 3 17:43:45 2020 -0700
Copy several years of fixes from bfd/aoutx.h to bfd/pdp11.c.
* pdp11.c (some_aout_object_p): 4c1534c7a2a - Don't set EXEC_P for
files with relocs.
(aout_get_external_symbols): 6b8f0fd579d - Return if count is zero.
0301ce1486b PR 22306 - Handle stringsize of zero, and error for any
other size that doesn't cover the header word.
bf82069dce1 PR 23056 - Allocate an extra byte at the end of the
string table, and zero it.
(translate_symbol_table): 0d329c0a83a PR 22887 - Print an error
message and set bfd_error on finding an invalid name string offset.
(add_to_stringtab): INLINE -> inline
(pdp11_aout_swap_reloc_in): 116acb2c268 PR 22887 - Correct r_index
(squirt_out_relocs): e2996cc315d PR 20921 - Check for and report
any relocs that could not be recognised.
92744f05809 PR 20929 - Check for relocs without an associated symbol.
(find_nearest_line): 808346fcfcf PR 23055 - Check that the symbol
name exists and is long enough, before attempting to see if it is
for a .o file.
c3864421222 - Correct case for N_SO being the last symbol.
50455f1ab29 PR 20891 - Handle the case where the main file name
and the directory name are both empty.
e82ab856bb4 PR 20892 - Handle the case where function name is empty.
(aout_link_add_symbols): e517df3dbf7 PR 19629 - Check for out of
range string table offsets.
531336e3a0b PR 20909 - Fix off-by-one error in check for an
illegal string offset.
(aout_link_includes_newfunc): Add comment.
(pdp11_aout_link_input_section): ad756e3f9e6 - Return with an error
on unexpected relocation type rather than ASSERT.