Bug 23686 - two segment fault in nm in binutils-2.31.1
Summary: two segment fault in nm in binutils-2.31.1
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils (show other bugs)
Version: 2.31
: P2 normal
Target Milestone: 2.32
Assignee: Alan Modra
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-09-19 14:20 UTC by rookie
Modified: 2018-09-20 08:24 UTC (History)
0 users

See Also:
Host:
Target:
Build:
Last reconfirmed: 2018-09-20 00:00:00


Attachments
poc file to reproduce the crash (54.00 KB, application/x-rar)
2018-09-19 14:20 UTC, rookie
Details

Note You need to log in before you can comment on or make changes to this bug.
Description rookie 2018-09-19 14:20:24 UTC
Created attachment 11262 [details]
poc file to reproduce the crash

Two egmentation faults in nm, attackers could leverage this vulnerability to cause a denial of service (application crash) via a crafted ELF file.

$uname -a
Linux ubuntu 4.4.0-31-generic #50~14.04.1-Ubuntu SMP Wed Jul 13 01:06:37 UTC 2016 i686 i686 i686 GNU/Linux

$ASAN_OPTIONS=halt_on_error=false:allow_addr2line=true ./nm -A -a -l -S -s --special-syms --synthetic --with-symbol-versions -D $POC1

ASan:
==21507==ERROR: AddressSanitizer: SEGV on unknown address 0x24600000 (pc 0x08171cdb sp 0xbfbb8800 bp 0x16c400de T0)
    #0 0x8171cda in bfd_zalloc /home/rookie/asan/binutils-2.31.1/bfd/opncls.c:1000
    #1 0x84d24ba in _bfd_dwarf1_find_nearest_line /home/rookie/asan/binutils-2.31.1/bfd/dwarf1.c:509
    #2 0x8336ab1 in _bfd_elf_find_nearest_line /home/rookie/asan/binutils-2.31.1/bfd/elf.c:8757
    #3 0x80e4481 in print_symbol /home/rookie/asan/binutils-2.31.1/binutils/nm.c:1009
    #4 0x80df268 in print_symbols /home/rookie/asan/binutils-2.31.1/binutils/nm.c:1089
    #5 0x80df268 in display_rel_file /home/rookie/asan/binutils-2.31.1/binutils/nm.c:1205
    #6 0x80da0d5 in display_file /home/rookie/asan/binutils-2.31.1/binutils/nm.c:1325
    #7 0x80d6521 in main /home/rookie/asan/binutils-2.31.1/binutils/nm.c:1799
    #8 0xb7587af2 (/lib/i386-linux-gnu/libc.so.6+0x19af2)
    #9 0x80d4784 in _start (/home/rookie/asan/binutils-2.31.1/tmp/bin/nm+0x80d4784)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/rookie/asan/binutils-2.31.1/bfd/opncls.c:1000 bfd_zalloc


$ASAN_OPTIONS=halt_on_error=false:allow_addr2line=true ./nm -A -a -l -S -s --special-syms --synthetic --with-symbol-versions -D $POC2

ASan:
==21562==ERROR: AddressSanitizer: SEGV on unknown address 0xb1a05f30 (pc 0xb757d0e6 sp 0xbfb05e68 bp 0xbfb05ea8 T0)
    #0 0xb757d0e5 (/lib/i386-linux-gnu/libc.so.6+0x940e5)
    #1 0x80a970f in index (/home/rookie/asan/binutils-2.31.1/tmp/bin/nm+0x80a970f)
    #2 0x8192273 in _bfd_stab_section_find_nearest_line /home/rookie/asan/binutils-2.31.1/bfd/syms.c:1421
    #3 0x8336e02 in _bfd_elf_find_nearest_line /home/rookie/asan/binutils-2.31.1/bfd/elf.c:8768
    #4 0x80e4481 in print_symbol /home/rookie/asan/binutils-2.31.1/binutils/nm.c:1009
    #5 0x80df268 in print_symbols /home/rookie/asan/binutils-2.31.1/binutils/nm.c:1089
    #6 0x80df268 in display_rel_file /home/rookie/asan/binutils-2.31.1/binutils/nm.c:1205
    #7 0x80da0d5 in display_file /home/rookie/asan/binutils-2.31.1/binutils/nm.c:1325
    #8 0x80d6521 in main /home/rookie/asan/binutils-2.31.1/binutils/nm.c:1799
    #9 0xb7502af2 (/lib/i386-linux-gnu/libc.so.6+0x19af2)
    #10 0x80d4784 in _start (/home/rookie/asan/binutils-2.31.1/tmp/bin/nm+0x80d4784)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??
==21562==ABORTING
Comment 1 cvs-commit@gcc.gnu.org 2018-09-20 08:00:54 UTC
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=30838132997e6a3cfe3ec11c58b32b22f6f6b102

commit 30838132997e6a3cfe3ec11c58b32b22f6f6b102
Author: Alan Modra <amodra@gmail.com>
Date:   Thu Sep 20 15:29:17 2018 +0930

    Bug 23686, two segment faults in nm
    
    Fixes the bugs exposed by the testcases in the PR, plus two more bugs
    I noticed when looking at _bfd_stab_section_find_nearest_line.
    
    	PR 23686
    	* dwarf2.c (read_section): Error when attempting to malloc
    	"(bfd_size_type) -1".
    	* syms.c (_bfd_stab_section_find_nearest_line): Bounds check
    	function_name.  Bounds check reloc address.  Formatting.  Ensure
    	.stabstr zero terminated.
Comment 2 Alan Modra 2018-09-20 08:24:43 UTC
Fixed