Bug 24041 - Invalid Memory Address Dereference exists in the function elf_link_add_object_symbols in elflink.c in bfd
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: ld (show other bugs)
Version: 2.31
Importance: P2 normal
Target Milestone: 2.32
Assignee: Alan Modra
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-12-28 09:05 UTC by wcventure
Modified: 2019-02-01 07:21 UTC (History)

See Also:
Host:
Target:
Build:
Last reconfirmed: 2018-12-31 00:00:00


Attachments
POC (91 bytes, application/x-sharedlib)
2018-12-28 09:05 UTC, wcventure

Description wcventure 2018-12-28 09:05:21 UTC
Created attachment 11496 [details]
POC

Hi, there.

An Invalid Memory Address Dereference problem was discovered in the function elf_link_add_object_symbols in elflink.c in bfd of binutils 2.31, the latest code base. A crafted ELF input can cause segmentation faults, and I have confirmed them with AddressSanitizer too.

Please use "./ld -E $POC" to reproduce the bug.


The ASAN dumps the stack trace as follows:

> ASAN:SIGSEGV
> =================================================================
> ==25025==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000067b8c3 bp 0x7ffe8f394b60 sp 0x7ffe8f3943b0 T0)
>     #0 0x67b8c2 in elf_link_add_object_symbols binutils-2.31_ASAN/bfd/elflink.c:4175
>     #1 0x688ac7 in bfd_elf_link_add_symbols binutils-2.31_ASAN/bfd/elflink.c:5725
>     #2 0x438c64 in load_symbols binutils-2.31_ASAN/ld/ldlang.c:2880
>     #3 0x43c2d7 in open_input_bfds binutils-2.31_ASAN/ld/ldlang.c:3329
>     #4 0x459c70 in lang_process binutils-2.31_ASAN/ld/ldlang.c:7180
>     #5 0x469dbd in main ldmain.c:438
>     #6 0x7fb4d60a682f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
>     #7 0x4036d8 in _start (binutils-2.31_ASAN/build/bin/ld+0x4036d8)
> 
> AddressSanitizer can not provide additional info.
> SUMMARY: AddressSanitizer: SEGV binutils-2.31_ASAN/bfd/elflink.c:4175 elf_link_add_object_symbols
> ==25025==ABORTING
Comment 1 cvs-commit@gcc.gnu.org 2018-12-31 05:28:40 UTC
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=54025d5812ff100f5f0654eb7e1ffd50f2e37f5f

commit 54025d5812ff100f5f0654eb7e1ffd50f2e37f5f
Author: Alan Modra <amodra@gmail.com>
Date:   Mon Dec 31 15:40:08 2018 +1030

    PR24041, Invalid Memory Address Dereference in elf_link_add_object_symbols
    
    	PR 24041
    	* elflink.c (elf_link_add_object_symbols): Don't segfault on
    	crafted ET_DYN with no program headers.
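The commit message above says the crash was a crafted ET_DYN object with no program headers being dereferenced. The following is an added example, not code from binutils or from the commit: a small stand-alone ELF64 header walker in C that shows the defensive pattern a linker-style loader needs before touching the program header table. It checks that the table is actually present (e_phnum and e_phoff non-zero) and that e_phoff, e_phentsize and e_phnum keep the table inside the input buffer, and treats a header-less ET_DYN as "zero segments" instead of indexing a null table. All sample headers are constructed in memory (names such as write_ehdr and count_load_segments are this example's own), so it runs offline with no real binary.

```c
/* Added example, not binutils/bfd code: bounds-checked walk of an
   ELF64 program header table that tolerates an ET_DYN with no phdrs.
   Field offsets are those of the ELF64 little-endian header layout. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define EHDR_SIZE   64   /* sizeof(Elf64_Ehdr) */
#define PHDR_SIZE   56   /* sizeof(Elf64_Phdr) */
#define ET_DYN_TYPE 3
#define PT_LOAD_TYPE 1

static uint16_t get16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t get32(const uint8_t *p) { return (uint32_t)get16(p) | ((uint32_t)get16(p + 2) << 16); }
static uint64_t get64(const uint8_t *p) { return (uint64_t)get32(p) | ((uint64_t)get32(p + 4) << 32); }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)v); put16(p + 2, (uint16_t)(v >> 16)); }
static void put64(uint8_t *p, uint64_t v) { put32(p, (uint32_t)v); put32(p + 4, (uint32_t)(v >> 32)); }

/* Count PT_LOAD entries. Returns -1 for a malformed input, 0 when the
   object carries no program header table at all (the case that crashed
   ld), otherwise the number of PT_LOAD segments. Never reads past len. */
int count_load_segments(const uint8_t *buf, size_t len)
{
    static const uint8_t magic[4] = { 0x7f, 'E', 'L', 'F' };
    if (len < EHDR_SIZE || memcmp(buf, magic, 4) != 0)
        return -1;
    if (buf[4] != 2 || buf[5] != 1)          /* ELFCLASS64, ELFDATA2LSB only */
        return -1;

    uint64_t phoff     = get64(buf + 32);    /* e_phoff */
    uint16_t phentsize = get16(buf + 54);    /* e_phentsize */
    uint16_t phnum     = get16(buf + 56);    /* e_phnum */

    /* No table present: legal for ET_REL, suspicious for ET_DYN, but in
       either case there is nothing to index, so report zero segments. */
    if (phnum == 0 || phoff == 0)
        return 0;

    /* The table must lie wholly inside the buffer; check before use and
       in a form that cannot overflow (phoff > len is rejected first). */
    if (phentsize < PHDR_SIZE || phoff > len)
        return -1;
    if ((uint64_t)phnum > (len - phoff) / phentsize)
        return -1;

    int loads = 0;
    for (uint16_t i = 0; i < phnum; i++) {
        const uint8_t *ph = buf + phoff + (size_t)i * phentsize;
        if (get32(ph) == PT_LOAD_TYPE)       /* p_type */
            loads++;
    }
    return loads;
}

/* Write a minimal, constructed ELF64 header (not a real binary). */
static void write_ehdr(uint8_t *buf, uint16_t e_type, uint64_t e_phoff, uint16_t e_phnum)
{
    static const uint8_t magic[4] = { 0x7f, 'E', 'L', 'F' };
    memset(buf, 0, EHDR_SIZE);
    memcpy(buf, magic, 4);
    buf[4] = 2;                      /* ELFCLASS64 */
    buf[5] = 1;                      /* ELFDATA2LSB */
    buf[6] = 1;                      /* EV_CURRENT */
    put16(buf + 16, e_type);         /* e_type */
    put16(buf + 18, 62);             /* e_machine: EM_X86_64 */
    put32(buf + 20, 1);              /* e_version */
    put64(buf + 32, e_phoff);        /* e_phoff */
    put16(buf + 52, EHDR_SIZE);      /* e_ehsize */
    put16(buf + 54, e_phnum ? PHDR_SIZE : 0); /* e_phentsize */
    put16(buf + 56, e_phnum);        /* e_phnum */
}

/* Constructed ET_DYN with no program headers: the shape described in the
   commit message. Must yield 0, not a null dereference. */
int example_headerless_dyn(void)
{
    uint8_t buf[EHDR_SIZE];
    write_ehdr(buf, ET_DYN_TYPE, 0, 0);
    return count_load_segments(buf, sizeof buf);
}

/* Constructed well-formed ET_DYN with one PT_LOAD entry. */
int example_one_load(void)
{
    uint8_t buf[EHDR_SIZE + PHDR_SIZE];
    write_ehdr(buf, ET_DYN_TYPE, EHDR_SIZE, 1);
    memset(buf + EHDR_SIZE, 0, PHDR_SIZE);
    put32(buf + EHDR_SIZE, PT_LOAD_TYPE);    /* p_type of entry 0 */
    return count_load_segments(buf, sizeof buf);
}

/* Constructed header whose table is claimed to sit past the end of the
   input: must be rejected rather than read out of bounds. */
int example_phdr_out_of_bounds(void)
{
    uint8_t buf[EHDR_SIZE];
    write_ehdr(buf, ET_DYN_TYPE, 4096, 1);
    return count_load_segments(buf, sizeof buf);
}

int main(void)
{
    printf("header-less ET_DYN : %d PT_LOAD\n", example_headerless_dyn());
    printf("one PT_LOAD        : %d PT_LOAD\n", example_one_load());
    printf("table out of bounds: %d (rejected)\n", example_phdr_out_of_bounds());
    return 0;
}
```

The two checks worth carrying into any loader code are the early "no table" return and the overflow-safe bounds test on e_phoff/e_phnum/e_phentsize taken together; the reporter's POC is only 91 bytes, which is the regime where an unchecked table pointer or a naive `phoff + phnum * phentsize` comparison goes wrong.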
Comment 2 Alan Modra 2018-12-31 05:41:25 UTC
Fixed
Comment 3 wcventure 2019-02-01 07:21:47 UTC
CVE-2018-20651