Created attachment 11262 [details] poc file to reproduce the crash Two egmentation faults in nm, attackers could leverage this vulnerability to cause a denial of service (application crash) via a crafted ELF file. $uname -a Linux ubuntu 4.4.0-31-generic #50~14.04.1-Ubuntu SMP Wed Jul 13 01:06:37 UTC 2016 i686 i686 i686 GNU/Linux $ASAN_OPTIONS=halt_on_error=false:allow_addr2line=true ./nm -A -a -l -S -s --special-syms --synthetic --with-symbol-versions -D $POC1 ASan: ==21507==ERROR: AddressSanitizer: SEGV on unknown address 0x24600000 (pc 0x08171cdb sp 0xbfbb8800 bp 0x16c400de T0) #0 0x8171cda in bfd_zalloc /home/rookie/asan/binutils-2.31.1/bfd/opncls.c:1000 #1 0x84d24ba in _bfd_dwarf1_find_nearest_line /home/rookie/asan/binutils-2.31.1/bfd/dwarf1.c:509 #2 0x8336ab1 in _bfd_elf_find_nearest_line /home/rookie/asan/binutils-2.31.1/bfd/elf.c:8757 #3 0x80e4481 in print_symbol /home/rookie/asan/binutils-2.31.1/binutils/nm.c:1009 #4 0x80df268 in print_symbols /home/rookie/asan/binutils-2.31.1/binutils/nm.c:1089 #5 0x80df268 in display_rel_file /home/rookie/asan/binutils-2.31.1/binutils/nm.c:1205 #6 0x80da0d5 in display_file /home/rookie/asan/binutils-2.31.1/binutils/nm.c:1325 #7 0x80d6521 in main /home/rookie/asan/binutils-2.31.1/binutils/nm.c:1799 #8 0xb7587af2 (/lib/i386-linux-gnu/libc.so.6+0x19af2) #9 0x80d4784 in _start (/home/rookie/asan/binutils-2.31.1/tmp/bin/nm+0x80d4784) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV /home/rookie/asan/binutils-2.31.1/bfd/opncls.c:1000 bfd_zalloc $ASAN_OPTIONS=halt_on_error=false:allow_addr2line=true ./nm -A -a -l -S -s --special-syms --synthetic --with-symbol-versions -D $POC2 ASan: ==21562==ERROR: AddressSanitizer: SEGV on unknown address 0xb1a05f30 (pc 0xb757d0e6 sp 0xbfb05e68 bp 0xbfb05ea8 T0) #0 0xb757d0e5 (/lib/i386-linux-gnu/libc.so.6+0x940e5) #1 0x80a970f in index (/home/rookie/asan/binutils-2.31.1/tmp/bin/nm+0x80a970f) #2 0x8192273 in _bfd_stab_section_find_nearest_line /home/rookie/asan/binutils-2.31.1/bfd/syms.c:1421 #3 0x8336e02 in _bfd_elf_find_nearest_line /home/rookie/asan/binutils-2.31.1/bfd/elf.c:8768 #4 0x80e4481 in print_symbol /home/rookie/asan/binutils-2.31.1/binutils/nm.c:1009 #5 0x80df268 in print_symbols /home/rookie/asan/binutils-2.31.1/binutils/nm.c:1089 #6 0x80df268 in display_rel_file /home/rookie/asan/binutils-2.31.1/binutils/nm.c:1205 #7 0x80da0d5 in display_file /home/rookie/asan/binutils-2.31.1/binutils/nm.c:1325 #8 0x80d6521 in main /home/rookie/asan/binutils-2.31.1/binutils/nm.c:1799 #9 0xb7502af2 (/lib/i386-linux-gnu/libc.so.6+0x19af2) #10 0x80d4784 in _start (/home/rookie/asan/binutils-2.31.1/tmp/bin/nm+0x80d4784) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV ??:0 ?? ==21562==ABORTING
The master branch has been updated by Alan Modra <amodra@sourceware.org>: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=30838132997e6a3cfe3ec11c58b32b22f6f6b102 commit 30838132997e6a3cfe3ec11c58b32b22f6f6b102 Author: Alan Modra <amodra@gmail.com> Date: Thu Sep 20 15:29:17 2018 +0930 Bug 23686, two segment faults in nm Fixes the bugs exposed by the testcases in the PR, plus two more bugs I noticed when looking at _bfd_stab_section_find_nearest_line. PR 23686 * dwarf2.c (read_section): Error when attempting to malloc "(bfd_size_type) -1". * syms.c (_bfd_stab_section_find_nearest_line): Bounds check function_name. Bounds check reloc address. Formatting. Ensure .stabstr zero terminated.
Fixed
The master branch has been updated by Alan Modra <amodra@sourceware.org>: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=0bbd2b1ad0426aee86445cd7f0c86667624da7ca commit 0bbd2b1ad0426aee86445cd7f0c86667624da7ca Author: Alan Modra <amodra@gmail.com> Date: Sat May 20 21:00:25 2023 +0930 Re: Bug 23686, two segment faults in nm The fix for pr23686 had a hole in the reloc address sanity check, the calculation could overflow. Note that stabsize is known to be a non-zero multiple of 12 so stabsize - 4 can't underflow. PR 23686 * syms.c (_bfd_stab_section_find_nearest_line): Correct r->address sanity check.