Bug 24334 - Heap-buffer-overflow in section_vma_same function in dwarf2.c in bfd
Summary: Heap-buffer-overflow in section_vma_same function in dwarf2.c in bfd
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: ld
Version: 2.32
Importance: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
Reported: 2019-03-14 12:33 UTC by wcventure
Modified: 2019-03-14 17:23 UTC


Attachments: POC (8.46 KB, application/octet-stream), 2019-03-14 12:33 UTC, wcventure

Description wcventure 2019-03-14 12:33:18 UTC
Created attachment 11674: POC

Hi, 

A heap-buffer-overflow problem was discovered in the section_vma_same function in dwarf2.c in bfd, as distributed in binutils v2.32. A crafted ELF input can cause segmentation faults, and I have confirmed them with AddressSanitizer too.

Here are the POC files. Please use "./ld -E $POC" to reproduce the error.


For function bfd_getl16, ASAN dumps the backtrace as follows:

> ==19552==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60d00000d000 at pc 0x000000901f1c bp 0x7fff47250bb0 sp 0x7fff47250ba8
> READ of size 8 at 0x60d00000d000 thread T0
>     #0 0x901f1b in section_vma_same /binutils_2.32/bfd/./dwarf2.c:4303:18
>     #1 0x901f1b in _bfd_dwarf2_slurp_debug_info /binutils_2.32/bfd/./dwarf2.c:4329
>     #2 0x9123fc in _bfd_dwarf2_find_nearest_line /binutils_2.32/bfd/./dwarf2.c:4562:9
>     #3 0x7f892e in _bfd_elf_find_nearest_line /binutils_2.32/bfd/elf.c:8869:7
>     #4 0x5ba463 in vfinfo /binutils_2.32/ld/ldmisc.c:350:10
>     #5 0x5be6f9 in einfo /binutils_2.32/ld/ldmisc.c:624:3
>     #6 0x59489c in multiple_definition /binutils_2.32/ld/./ldmain.c:1001:3
>     #7 0x8b2afd in _bfd_elf_merge_symbol /binutils_2.32/bfd/elflink.c:1595:7
>     #8 0x829acb in elf_link_add_object_symbols /binutils_2.32/bfd/elflink.c:4675:9
>     #9 0x82165a in bfd_elf_link_add_symbols /binutils_2.32/bfd/elflink.c:5740:14
>     #10 0x534ff0 in load_symbols /binutils_2.32/ld/ldlang.c:3080:7
>     #11 0x563440 in open_input_bfds /binutils_2.32/ld/ldlang.c:3529:13
>     #12 0x55124f in lang_process /binutils_2.32/ld/ldlang.c:7383:3
>     #13 0x58fb7f in main /binutils_2.32/ld/./ldmain.c:440:3
>     #14 0x7fd90ef1d82f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
>     #15 0x4195f8 in _start (/binutils_2.32/build/bin/ld+0x4195f8)
> 
> 0x60d00000d000 is located 0 bytes to the right of 144-byte region [0x60d00000cf70,0x60d00000d000)
> allocated by thread T0 here:
>     #0 0x4b9728 in malloc (/binutils_2.32/build/bin/ld+0x4b9728)
>     #1 0x69b928 in bfd_malloc /binutils_2.32/bfd/libbfd.c:275:9
>     #2 0x9123fc in _bfd_dwarf2_find_nearest_line /binutils_2.32/bfd/./dwarf2.c:4562:9
>     #3 0x7f892e in _bfd_elf_find_nearest_line /binutils_2.32/bfd/elf.c:8869:7
>     #4 0x5ba463 in vfinfo /binutils_2.32/ld/ldmisc.c:350:10
>     #5 0x5be6f9 in einfo /binutils_2.32/ld/ldmisc.c:624:3
>     #6 0x59489c in multiple_definition /binutils_2.32/ld/./ldmain.c:1001:3
> 
> SUMMARY: AddressSanitizer: heap-buffer-overflow /binutils_2.32/bfd/./dwarf2.c:4303:18 in section_vma_same
> ==19552==ABORTING
> Aborted
Comment 1 Sourceware Commits 2019-03-14 17:22:51 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d7f848c3b51f01635557ab765f2ba176618e0bf8

commit d7f848c3b51f01635557ab765f2ba176618e0bf8
Author: Nick Clifton <nickc@redhat.com>
Date:   Thu Mar 14 17:21:41 2019 +0000

    Fix a buffer overrun error when attempting to parse corrupt DWARF information.
    
    	PR 24334
    	* dwarf2.c (struct dwarf2_debug): Add sec_vma_count field.
    	(save_section_vma): Initialise field to the number of entries in
    	the sec_vma table.
    	(section_vma_same): Check that the number of entries in the
    	sec_vma table matches the number of sections in the bfd.
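The check the commit message describes, as an added illustration in C that is not binutils code: a reduced model of the save_section_vma/section_vma_same pair in which the VMA table is sized at snapshot time, so a bfd whose section count later grows would make the old comparison loop index past the table, and section_vma_same carries the PR 24334 count check. The types bfd_t, section_t and dwarf2_debug_t and the helpers add_section, sec_vma_overrun and scenario are constructed stand-ins, not bfd's real definitions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

typedef uint64_t bfd_vma;  /* 8 bytes, matching the "READ of size 8" in the report */
/* Constructed stand-ins for the bfd section list and the dwarf2_debug stash. */
typedef struct section { bfd_vma vma; struct section *next; } section_t;
typedef struct { section_t *sections; unsigned section_count; } bfd_t;
typedef struct { bfd_vma *sec_vma; unsigned sec_vma_count; } dwarf2_debug_t;
/* Prepend a section to the list, as the linker does when it creates one. */
static void add_section(bfd_t *abfd, section_t *s, bfd_vma vma)
{
    s->vma = vma; s->next = abfd->sections; abfd->sections = s; abfd->section_count++;
}

/* Snapshot every section VMA into a table sized by the count seen now; the
   144-byte region in the ASAN report is such a table of 18 eight-byte entries. */
static bool save_section_vma(const bfd_t *abfd, dwarf2_debug_t *stash)
{
    stash->sec_vma = malloc(sizeof(bfd_vma) * abfd->section_count);
    if (stash->sec_vma == NULL) return false;
    stash->sec_vma_count = abfd->section_count;  /* the field the fix adds */
    unsigned i = 0;
    for (const section_t *s = abfd->sections; s != NULL; s = s->next)
        stash->sec_vma[i++] = s->vma;
    return true;
}

/* Entries past the end of the table that the pre-fix loop would read: it
   walked every current section and indexed sec_vma[i] with no size check. */
static unsigned sec_vma_overrun(const bfd_t *abfd, const dwarf2_debug_t *stash)
{
    return abfd->section_count > stash->sec_vma_count
           ? abfd->section_count - stash->sec_vma_count : 0;
}

/* Fixed comparison: distrust the stash when the section count has changed. */
static bool section_vma_same(const bfd_t *abfd, const dwarf2_debug_t *stash)
{
    if (abfd->section_count != stash->sec_vma_count) return false;  /* PR 24334 */
    unsigned i = 0;
    for (const section_t *s = abfd->sections; s != NULL; s = s->next, i++)
        if (s->vma != stash->sec_vma[i]) return false;
    return true;
}

/* Constructed scenario: snapshot two sections, optionally add a third afterwards.
   Returns 0x100 if the fixed check accepts the stash, OR-ed with the overrun count. */
static int scenario(bool add_after_save)
{
    section_t a, b, c; bfd_t abfd = {0}; dwarf2_debug_t stash = {0};
    add_section(&abfd, &a, 0x400000); add_section(&abfd, &b, 0x401000);
    if (!save_section_vma(&abfd, &stash)) return -1;
    if (add_after_save) add_section(&abfd, &c, 0x402000);
    int r = (section_vma_same(&abfd, &stash) ? 0x100 : 0) | (int) sec_vma_overrun(&abfd, &stash);
    free(stash.sec_vma);
    return r;
}
```

With the section count unchanged the stash is accepted and nothing is read past the table; with one section added after the snapshot the fixed check rejects the stash, whereas the old loop would have read one entry past the end, which is exactly the "0 bytes to the right of" the region the report shows.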
Comment 2 Nick Clifton 2019-03-14 17:23:38 UTC
Hi wcventure,

  Thanks for reporting this bug.  I have checked in a patch to add some
  extra checks to the DWARF parsing code, which should fix this problem.

Cheers
  Nick