Created attachment 11497 [details] POC1 Hi, there. A Global-buffer-overflow problem was discovered in function output_rel_find in eelf_x86_64.c of binutils 2.31. This problem can be reproduced in the latest code base, too. A crafted ELF input can cause segment faults and I have confirmed them with address sanitizer too. Please use the "./ld -E $POC" to reproduce the bug. The ASAN dumps the stack trace as follows: > ================================================================= > ==24959==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000b0f044 at pc 0x0000004a3889 bp 0x7ffd29777410 sp 0x7ffd29777400 > READ of size 1 at 0x000000b0f044 thread T0 > #0 0x4a3888 in output_rel_find /binutils-2.31_ASAN/ld/eelf_x86_64.c:1802 > #1 0x4a5cb8 in gldelf_x86_64_place_orphan /binutils-2.31_ASAN/ld/eelf_x86_64.c:2138 > #2 0x47fd79 in ldemul_place_orphan /binutils-2.31_ASAN/ld/ldemul.c:130 > #3 0x45580d in ldlang_place_orphan /binutils-2.31_ASAN/ld/ldlang.c:6497 > #4 0x455f08 in lang_place_orphans /binutils-2.31_ASAN/ld/ldlang.c:6554 > #5 0x45a679 in lang_process /binutils-2.31_ASAN/ld/ldlang.c:7349 > #6 0x469dbd in main ldmain.c:438 > #7 0x7fa2ca96182f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) > #8 0x4036d8 in _start (/binutils-2.31_ASAN/build/bin/ld+0x4036d8) > > 0x000000b0f044 is located 3 bytes to the right of global variable '*.LC0' defined in 'elf.c' (0xb0f040) of size 1 > '*.LC0' is ascii string '' > 0x000000b0f044 is located 60 bytes to the left of global variable '*.LC10' defined in 'elf.c' (0xb0f080) of size 67 > '*.LC10' is ascii string '%pB: attempt to load strings from a non-string section (number %d)' > SUMMARY: AddressSanitizer: global-buffer-overflow /binutils-2.31_ASAN/ld/eelf_x86_64.c:1802 output_rel_find > Shadow bytes around the buggy address: > 0x000080159db0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > 0x000080159dc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > 0x000080159dd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > 0x000080159de0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > 0x000080159df0: 06 f9 f9 f9 f9 f9 f9 f9 00 00 01 f9 f9 f9 f9 f9 > =>0x000080159e00: 06 f9 f9 f9 f9 f9 f9 f9[01]f9 f9 f9 f9 f9 f9 f9 > 0x000080159e10: 00 00 00 00 00 00 00 00 03 f9 f9 f9 f9 f9 f9 f9 > 0x000080159e20: 04 f9 f9 f9 f9 f9 f9 f9 00 02 f9 f9 f9 f9 f9 f9 > 0x000080159e30: 00 00 00 00 00 00 06 f9 f9 f9 f9 f9 00 00 00 00 > 0x000080159e40: 00 00 00 00 06 f9 f9 f9 f9 f9 f9 f9 07 f9 f9 f9 > 0x000080159e50: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00 > Shadow byte legend (one shadow byte represents 8 application bytes): > Addressable: 00 > Partially addressable: 01 02 03 04 05 06 07 > Heap left redzone: fa > Heap right redzone: fb > Freed heap region: fd > Stack left redzone: f1 > Stack mid redzone: f2 > Stack right redzone: f3 > Stack partial redzone: f4 > Stack after return: f5 > Stack use after scope: f8 > Global redzone: f9 > Global init order: f6 > Poisoned by user: f7 > Container overflow: fc > Array cookie: ac > Intra object redzone: bb > ASan internal: fe > ==24959==ABORTING
Created attachment 11498 [details] POC2
The master branch has been updated by Alan Modra <amodra@sourceware.org>: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=8fd04a4255376036e85c4e80d430b44ec4b06c64 commit 8fd04a4255376036e85c4e80d430b44ec4b06c64 Author: Alan Modra <amodra@gmail.com> Date: Mon Dec 31 17:06:25 2018 +1030 PR24042, Global-buffer-overflow problem in output_rel_find place_orphan handled ELF SHT_REL/SHT_RELA specially, output_rel_find didn't. This mismatch was a bug and also meant it was possible to craft an object where ld accessed section->name out of bounds. PR 24042 * emultempl/elf32.em (output_rel_find): Drop "sec" param. Add "rela". (gld${EMULATION_NAME}_place_orphan): Use sh_type to calculate "rela" param of output_rel_find when ELF. Tidy uses of elfinput.
Fixed