Bug 23806 - NULL Pointer Dereference problem was discovered in function merge_strings() in merge.c in bfd
Summary: NULL Pointer Dereference problem was discovered in function merge_strings() i...
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: ld (show other bugs)
Version: 2.31
: P2 normal
Target Milestone: 2.32
Assignee: Alan Modra
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-10-21 10:59 UTC by wcventure
Modified: 2018-10-23 11:17 UTC (History)
0 users

See Also:
Host:
Target:
Build:
Last reconfirmed: 2018-10-23 00:00:00


Attachments
POC (9.87 KB, application/octet-stream)
2018-10-21 10:59 UTC, wcventure
Details

Note You need to log in before you can comment on or make changes to this bug.
Description wcventure 2018-10-21 10:59:19 UTC
Created attachment 11358 [details]
POC

Hi, there.
An Invalid Memory Address Dereference problem was discovered in function merge_strings() in merge.c in bfd of binutils 2.31 the latest code base. A crafted ELF input can cause segment faults and I have confirmed them with address sanitizer too.

Please use the "./ld -E $POC" to reproduce the bug.


The ASAN dumps the stack trace as follows:

> ASAN:DEADLYSIGNAL
> =================================================================
> ==7821==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000028 (pc 0x00000109f0a5 bp 0x7ffd27ebac70 sp 0x7ffd27eba4e0 T0)
>     #0 0x109f0a4 in merge_strings bintuils_gdb/bfd/merge.c:712:32
>     #1 0x10979ce in _bfd_merge_sections bintuils_gdb/bfd/merge.c:762:9
>     #2 0xba24d3 in _bfd_elf_merge_sections bintuils_gdb/bfd/elflink.c:7398:5
>     #3 0x589ea4 in lang_process bintuils_gdb/ld/ldlang.c:7543:7
>     #4 0x5fd19c in main bintuils_gdb/ld/./ldmain.c:438:3
>     #5 0x7f6f3917682f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
>     #6 0x419638 in _start (/media/hjwang/01D3344861A8D2E0/wcventure/Project/binutils_latest_ASAN_O0/build/bin/ld+0x419638)
> 
> AddressSanitizer can not provide additional info.
> SUMMARY: AddressSanitizer: SEGV bintuils_gdb/bfd/merge.c:712:32 in merge_strings
> ==7821==ABORTING
> Aborted
Comment 1 Sourceware Commits 2018-10-23 10:40:30 UTC
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=45a0eaf77022963d639d6d19871dbab7b79703fc

commit 45a0eaf77022963d639d6d19871dbab7b79703fc
Author: Alan Modra <amodra@gmail.com>
Date:   Tue Oct 23 19:02:06 2018 +1030

    PR23806, NULL pointer dereference in merge_strings
    
    	PR 23806
    	* merge.c (_bfd_add_merge_section): Don't attempt to merge
    	sections with ridiculously large alignments.
Comment 2 Alan Modra 2018-10-23 11:17:40 UTC
Fixed