Bug 23686 - two segment fault in nm in binutils-2.31.1
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils (show other bugs)
Version: 2.31
Importance: P2 normal
Target Milestone: 2.32
Assignee: Alan Modra
Reported: 2018-09-19 14:20 UTC by rookie
Modified: 2023-05-20 11:46 UTC
Last reconfirmed: 2018-09-20 00:00:00


Attachments
poc file to reproduce the crash (54.00 KB, application/x-rar)
2018-09-19 14:20 UTC, rookie

Description rookie 2018-09-19 14:20:24 UTC
Created attachment 11262
poc file to reproduce the crash

Two segmentation faults in nm, attackers could leverage this vulnerability to cause a denial of service (application crash) via a crafted ELF file.

$uname -a
Linux ubuntu 4.4.0-31-generic #50~14.04.1-Ubuntu SMP Wed Jul 13 01:06:37 UTC 2016 i686 i686 i686 GNU/Linux

$ASAN_OPTIONS=halt_on_error=false:allow_addr2line=true ./nm -A -a -l -S -s --special-syms --synthetic --with-symbol-versions -D $POC1

ASan:
==21507==ERROR: AddressSanitizer: SEGV on unknown address 0x24600000 (pc 0x08171cdb sp 0xbfbb8800 bp 0x16c400de T0)
    #0 0x8171cda in bfd_zalloc /home/rookie/asan/binutils-2.31.1/bfd/opncls.c:1000
    #1 0x84d24ba in _bfd_dwarf1_find_nearest_line /home/rookie/asan/binutils-2.31.1/bfd/dwarf1.c:509
    #2 0x8336ab1 in _bfd_elf_find_nearest_line /home/rookie/asan/binutils-2.31.1/bfd/elf.c:8757
    #3 0x80e4481 in print_symbol /home/rookie/asan/binutils-2.31.1/binutils/nm.c:1009
    #4 0x80df268 in print_symbols /home/rookie/asan/binutils-2.31.1/binutils/nm.c:1089
    #5 0x80df268 in display_rel_file /home/rookie/asan/binutils-2.31.1/binutils/nm.c:1205
    #6 0x80da0d5 in display_file /home/rookie/asan/binutils-2.31.1/binutils/nm.c:1325
    #7 0x80d6521 in main /home/rookie/asan/binutils-2.31.1/binutils/nm.c:1799
    #8 0xb7587af2 (/lib/i386-linux-gnu/libc.so.6+0x19af2)
    #9 0x80d4784 in _start (/home/rookie/asan/binutils-2.31.1/tmp/bin/nm+0x80d4784)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/rookie/asan/binutils-2.31.1/bfd/opncls.c:1000 bfd_zalloc


$ASAN_OPTIONS=halt_on_error=false:allow_addr2line=true ./nm -A -a -l -S -s --special-syms --synthetic --with-symbol-versions -D $POC2

ASan:
==21562==ERROR: AddressSanitizer: SEGV on unknown address 0xb1a05f30 (pc 0xb757d0e6 sp 0xbfb05e68 bp 0xbfb05ea8 T0)
    #0 0xb757d0e5 (/lib/i386-linux-gnu/libc.so.6+0x940e5)
    #1 0x80a970f in index (/home/rookie/asan/binutils-2.31.1/tmp/bin/nm+0x80a970f)
    #2 0x8192273 in _bfd_stab_section_find_nearest_line /home/rookie/asan/binutils-2.31.1/bfd/syms.c:1421
    #3 0x8336e02 in _bfd_elf_find_nearest_line /home/rookie/asan/binutils-2.31.1/bfd/elf.c:8768
    #4 0x80e4481 in print_symbol /home/rookie/asan/binutils-2.31.1/binutils/nm.c:1009
    #5 0x80df268 in print_symbols /home/rookie/asan/binutils-2.31.1/binutils/nm.c:1089
    #6 0x80df268 in display_rel_file /home/rookie/asan/binutils-2.31.1/binutils/nm.c:1205
    #7 0x80da0d5 in display_file /home/rookie/asan/binutils-2.31.1/binutils/nm.c:1325
    #8 0x80d6521 in main /home/rookie/asan/binutils-2.31.1/binutils/nm.c:1799
    #9 0xb7502af2 (/lib/i386-linux-gnu/libc.so.6+0x19af2)
    #10 0x80d4784 in _start (/home/rookie/asan/binutils-2.31.1/tmp/bin/nm+0x80d4784)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??
==21562==ABORTING
Comment 1 Sourceware Commits 2018-09-20 08:00:54 UTC
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=30838132997e6a3cfe3ec11c58b32b22f6f6b102

commit 30838132997e6a3cfe3ec11c58b32b22f6f6b102
Author: Alan Modra <amodra@gmail.com>
Date:   Thu Sep 20 15:29:17 2018 +0930

    Bug 23686, two segment faults in nm
    
    Fixes the bugs exposed by the testcases in the PR, plus two more bugs
    I noticed when looking at _bfd_stab_section_find_nearest_line.
    
    	PR 23686
    	* dwarf2.c (read_section): Error when attempting to malloc
    	"(bfd_size_type) -1".
    	* syms.c (_bfd_stab_section_find_nearest_line): Bounds check
    	function_name.  Bounds check reloc address.  Formatting.  Ensure
    	.stabstr zero terminated.
Comment 2 Alan Modra 2018-09-20 08:24:43 UTC
Fixed
Comment 3 Sourceware Commits 2023-05-20 11:46:45 UTC
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=0bbd2b1ad0426aee86445cd7f0c86667624da7ca

commit 0bbd2b1ad0426aee86445cd7f0c86667624da7ca
Author: Alan Modra <amodra@gmail.com>
Date:   Sat May 20 21:00:25 2023 +0930

    Re: Bug 23686, two segment faults in nm
    
    The fix for pr23686 had a hole in the reloc address sanity check,
    the calculation could overflow.  Note that stabsize is known to be a
    non-zero multiple of 12 so stabsize - 4 can't underflow.
    
            PR 23686
            * syms.c (_bfd_stab_section_find_nearest_line): Correct
            r->address sanity check.
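The two sanity checks named in the ChangeLog entries above, written out as an added illustration (this is not binutils code): the `(bfd_size_type) -1` guard before allocating section contents from Comment 1, and the reloc address check from Comment 3, shown in its wrapping form beside the overflow-safe form. `size_type` stands in for `bfd_size_type` and the reloc list and 24-byte `.stab` size are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Stand-in for bfd_size_type (assumption: an unsigned 64-bit type). */
typedef uint64_t size_type;

/* Reloc-address check of the shape "address + 4 > stabsize": when address
   is near the type's maximum the sum wraps to a small value and the bogus
   reloc passes.  This is the hole described in Comment 3. */
bool reloc_in_bounds_wrapping(size_type address, size_type stabsize)
{
  return address + 4 <= stabsize;
}

/* Overflow-safe form: compare against stabsize - 4 instead.  stabsize is a
   non-zero multiple of 12 (one stab entry is 12 bytes), so the subtraction
   cannot underflow and no intermediate value can wrap. */
bool reloc_in_bounds(size_type address, size_type stabsize)
{
  return address <= stabsize - 4;
}

/* Guard from the first fix: a section size of (bfd_size_type) -1 comes from
   a bogus size computation, so refuse it instead of passing it to malloc. */
void *alloc_section_contents(size_type size)
{
  if (size == (size_type) -1)
    return NULL;
  return calloc(1, (size_t) size);
}

/* Run one check over a constructed reloc list against a 24-byte .stab
   section (two 12-byte entries).  21 is rejected by both checks;
   UINT64_MAX - 2 wraps past the first check but not the second. */
int count_accepted(bool (*check)(size_type, size_type))
{
  static const size_type addresses[] = { 0, 8, 20, 21, UINT64_MAX - 2 };
  int n = 0;
  for (size_t i = 0; i < sizeof addresses / sizeof addresses[0]; i++)
    if (check(addresses[i], 24))
      n++;
  return n;
}

int main(void)
{
  /* Wrapping check accepts 4 of 5 relocs, the corrected check accepts 3. */
  return (count_accepted(reloc_in_bounds_wrapping) == 4
          && count_accepted(reloc_in_bounds) == 3) ? 0 : 1;
}
```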