Bug 23770 - An invalid memory address dereference was discovered in function read_reloc in reloc.c in program objdump.
Summary: An Invalid memory address dereference was discovered in function read_reloc i...
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils
Version: 2.31
Importance: P2 normal
Target Milestone: ---
Assignee: Alan Modra
Depends on:
Reported: 2018-10-13 08:33 UTC by wcventure
Modified: 2018-10-17 05:16 UTC (History)

See Also:
Last reconfirmed: 2018-10-13 00:00:00

POC (2.92 KB, application/x-object)
2018-10-13 08:33 UTC, wcventure

Description wcventure 2018-10-13 08:33:49 UTC
Created attachment 11322

Hi, there.

We are doing research on fuzz testing. Our fuzzer caught an invalid memory address dereference problem in program objdump of the latest binutils (v2.31.1) code base. The POC file I gave can cause the segmentation faults and I have confirmed them with Address Sanitizer too.

Please use "./objdump -xg -W $POC" to reproduce the bug. If you have any questions, please let me know.

The ASAN dumps the stack trace as follows:
==17439==ERROR: AddressSanitizer: SEGV on unknown address 0x612208051814 (pc 0x0000021a0ef0 bp 0x7ffcdefe0820 sp 0x7ffcdefe0800 T0)
    #0 0x21a0eef in read_reloc /binutils_gdb/bfd/reloc.c:557:14
    #1 0x21a44ff in _bfd_clear_contents /binutils_gdb/bfd/reloc.c:1516:7
    #2 0x21ac758 in bfd_generic_get_relocated_section_contents /binutils_gdb/bf
    #3 0xa373c7 in bfd_get_relocated_section_contents /binutils_gdb/bfd/bfd.c:1
    #4 0xb45b58 in bfd_simple_get_relocated_section_contents /binutils_gdb/bfd/
    #5 0x4ee41c in load_specific_debug_section /binutils_gdb/binutils/./objdump
    #6 0x520386 in dump_dwarf_section /binutils_gdb/binutils/./objdump.c:2691:6
    #7 0xb3cfb7 in bfd_map_over_sections /binutils_gdb/bfd/section.c:1374:5
    #8 0x513470 in dump_dwarf /binutils_gdb/binutils/./objdump.c:2774:3
    #9 0x50155f in dump_bfd /binutils_gdb/binutils/./objdump.c:3627:5
    #10 0x4fa7d3 in display_object_bfd /binutils_gdb/binutils/./objdump.c:3714:
    #11 0x4fa7d3 in display_any_bfd /binutils_gdb/binutils/./objdump.c:3783
    #12 0x4f6c61 in display_file /binutils_gdb/binutils/./objdump.c:3804:3
    #13 0x4f6c61 in main /binutils_gdb/binutils/./objdump.c:4106
    #14 0x7fe049d8b82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #15 0x4194d8 in _start (/binutils_gdb/build/bin/objdump+0x4194d8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /binutils_gdb/bfd/reloc.c:557:14 in read_reloc
Comment 1 cvs-commit@gcc.gnu.org 2018-10-13 13:26:11 UTC
The master branch has been updated by Alan Modra <amodra@sourceware.org>:


commit 0930cb3021b8078b34cf216e79eb8608d017864f
Author: Alan Modra <amodra@gmail.com>
Date:   Sat Oct 13 22:03:02 2018 +1030

    _bfd_clear_contents bounds checking
    This PR shows a fuzzed binary triggering a segfault via a bad
    relocation in .debug_line.  It turns out that unlike normal
    relocations applied to a section, the linker applies those with
    symbols from discarded sections via _bfd_clear_contents without
    checking that the relocation is within the section bounds.  The same
    thing now happens when reading debug sections since commit
    a4cd947aca23, the PR23425 fix.
    	PR 23770
    	PR 23425
    	* reloc.c (_bfd_clear_contents): Replace "location" param with
    	"buf" and "off".  Bounds check "off".  Return status.
    	* cofflink.c (_bfd_coff_generic_relocate_section): Update
    	_bfd_clear_contents call.
    	* elf-bfd.h (RELOC_AGAINST_DISCARDED_SECTION): Likewise.
    	* elf32-arc.c (elf_arc_relocate_section): Likewise.
    	* elf32-i386.c (elf_i386_relocate_section): Likewise.
    	* elf32-metag.c (metag_final_link_relocate): Likewise.
    	* elf32-nds32.c (nds32_elf_get_relocated_section_contents): Likewise.
    	* elf32-ppc.c (ppc_elf_relocate_section): Likewise.
    	* elf32-visium.c (visium_elf_relocate_section): Likewise.
    	* elf64-ppc.c (ppc64_elf_relocate_section): Likewise.
    	* elf64-x86-64.c (elf_x86_64_relocate_section): Likewise.
    	* libbfd-in.h (_bfd_clear_contents): Update prototype.
    	* libbfd.h: Regenerate.
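The commit message above describes the shape of the fix but not the check itself: _bfd_clear_contents used to receive a bare "location" pointer, so it had no way to know whether the reloc's field lay inside the section, and a fuzzed reloc in .debug_line could make read_reloc touch memory outside the buffer. Passing the buffer and an offset instead makes the bounds check possible. The following is an added illustration of that pattern written for this page; it is not bfd's code, and the function names, the status enum and the sample section and relocs are all constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical status type (not bfd's): the commit message says the real
   routine was changed to "return status" rather than silently proceeding. */
typedef enum { CLEAR_OK = 0, CLEAR_OUT_OF_RANGE = 1 } clear_status;

/* Zero the reloc_size bytes at buf[off..off+reloc_size) that a relocation
   against a discarded section's symbol would have patched, but only after
   confirming the whole field lies inside the buffer.  Hypothetical name. */
clear_status clear_contents_checked(unsigned char *buf, size_t buf_len,
                                    uint64_t off, size_t reloc_size)
{
    /* Two comparisons instead of "off + reloc_size > buf_len": the sum can
       wrap for a huge fuzzed offset and pass a single comparison. */
    if (off > buf_len || reloc_size > buf_len - off)
        return CLEAR_OUT_OF_RANGE;
    memset(buf + off, 0, reloc_size);
    return CLEAR_OK;
}

/* Constructed sample: a 16-byte "section" and three constructed relocs,
   one in range, one straddling the end, one with an absurd offset of the
   kind a fuzzer produces. */
typedef struct { uint64_t offset; size_t size; } sample_reloc;

unsigned char g_section[16];

static const sample_reloc g_relocs[] = {
    { 4, 4 },                  /* in bounds: bytes 4..7 */
    { 14, 4 },                 /* runs past the end: 14..17 */
    { 0xFFFFFFFFFFFFFFF0ull, 4 } /* would wrap a naive off+size check */
};

/* Apply every sample reloc; returns how many were rejected by the check. */
int apply_sample_relocs(void)
{
    int rejected = 0;
    memset(g_section, 0xAA, sizeof g_section);
    for (size_t i = 0; i < sizeof g_relocs / sizeof g_relocs[0]; i++) {
        clear_status st = clear_contents_checked(g_section, sizeof g_section,
                                                 g_relocs[i].offset,
                                                 g_relocs[i].size);
        if (st != CLEAR_OK)
            rejected++;
    }
    return rejected;
}

int main(void)
{
    int rejected = apply_sample_relocs();
    printf("rejected %d of %zu relocs\n", rejected,
           sizeof g_relocs / sizeof g_relocs[0]);
    for (size_t i = 0; i < sizeof g_section; i++)
        printf("%02x%s", g_section[i], i + 1 < sizeof g_section ? " " : "\n");
    return 0;
}
```

The second and third constructed relocs are exactly the cases the old pointer-only interface could not refuse: with only a pointer, the callee cannot tell that the write lands past the section, and a single-comparison check would still let the wrapping offset through.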
Comment 2 Alan Modra 2018-10-13 22:52:13 UTC
Comment 3 wcventure 2018-10-14 06:55:30 UTC
Thanks for paying attention to this problem and fixing it in time.
This issue was raised by NTU Cyber-Security-Lab, for fuzzing research work.
Comment 4 tanaya patil 2018-10-17 05:10:43 UTC
What is the version in which this fix is promoted?
Comment 5 wcventure 2018-10-17 05:16:01 UTC
(In reply to tanaya patil from comment #4)
> What is the version in which this fix is promoted?