Created attachment 11675 [details]
POC

Hi,

A heap-buffer-overflow problem was discovered in the bfd_elf64_swap_reloca_in function in elfcode.h in bfd, as distributed in binutils v2.32. A crafted ELF input can cause segmentation faults, and I have confirmed them with AddressSanitizer too. Here are the POC files. Please use "./ld -E $POC" to reproduce the error. ASAN dumps the backtrace as follows:

> =================================================================
> ==1521==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62100002cd00 at pc 0x00000076b98b bp 0x7ffd69de5650 sp 0x7ffd69de5648
> WRITE of size 8 at 0x62100002cd00 thread T0
>     #0 0x76b98a in bfd_elf64_swap_reloca_in /home/hjwang/Fuzzing_Objects/binutils_2.32_ASAN/bfd/./elfcode.h:422:17
>     #1 0x81c49e in elf_link_read_relocs_from_section /home/hjwang/Fuzzing_Objects/binutils_2.32_ASAN/bfd/elflink.c:2531:7
>     #2 0x81bb4c in _bfd_elf_link_read_relocs /home/hjwang/Fuzzing_Objects/binutils_2.32_ASAN/bfd/elflink.c:2639:12
>     #3 0x820ba4 in _bfd_elf_link_check_relocs /home/hjwang/Fuzzing_Objects/binutils_2.32_ASAN/bfd/elflink.c:3844:22
>     #4 0x555a6c in lang_check_relocs /home/hjwang/Fuzzing_Objects/binutils_2.32_ASAN/ld/ldlang.c:7327:7
>     #5 0x555a6c in lang_process /home/hjwang/Fuzzing_Objects/binutils_2.32_ASAN/ld/ldlang.c:7538
>     #6 0x58fb7f in main /home/hjwang/Fuzzing_Objects/binutils_2.32_ASAN/ld/./ldmain.c:440:3
>     #7 0x7f946339682f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
>     #8 0x4195f8 in _start (/home/hjwang/Fuzzing_Objects/binutils_2.32_ASAN/build/bin/ld+0x4195f8)
>
> 0x62100002cd00 is located 0 bytes to the right of 4096-byte region [0x62100002bd00,0x62100002cd00)
> allocated by thread T0 here:
>     #0 0x4b9728 in malloc (/home/hjwang/Fuzzing_Objects/binutils_2.32_ASAN/build/bin/ld+0x4b9728)
>     #1 0xc35593 in _objalloc_alloc /home/hjwang/Fuzzing_Objects/binutils_2.32_ASAN/libiberty/./objalloc.c:143:22
>
> SUMMARY: AddressSanitizer: heap-buffer-overflow /home/hjwang/Fuzzing_Objects/binutils_2.32_ASAN/bfd/./elfcode.h:422:17 in bfd_elf64_swap_reloca_in
> Shadow bytes around the buggy address:
>   0x0c427fffd950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c427fffd960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c427fffd970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c427fffd980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c427fffd990: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> =>0x0c427fffd9a0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c427fffd9b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c427fffd9c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c427fffd9d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c427fffd9e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c427fffd9f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07
>   Heap left redzone:       fa
>   Heap right redzone:      fb
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack partial redzone:   f4
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Container overflow:      fc
>   Array cookie:            ac
>   Intra object redzone:    bb
>   ASan internal:           fe
>   Left alloca redzone:     ca
>   Right alloca redzone:    cb
> ==1521==ABORTING
> Aborted
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f55b1e3248e4950464ea120027cc6881003e0ead

commit f55b1e3248e4950464ea120027cc6881003e0ead
Author: Alan Modra <amodra@gmail.com>
Date:   Fri Mar 15 15:49:27 2019 +1030

    PR24336, buffer overflow in swap_reloca_in

    	PR 24336
    	* elflink.c (elf_link_read_relocs_from_section): Handle fuzzed
    	object files with sh_size not a multiple of sh_entsize.
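The commit message above names the root cause: a relocation section whose sh_size is not a whole multiple of sh_entsize. The ASAN report is consistent with that, an 8-byte write landing exactly at the end of the allocated region, which is what happens when the buffer is sized from the whole-entry count but the decode loop runs until start + sh_size and so decodes one extra, partial entry. The C program below is an added example, not binutils code and not the patch itself: it builds a constructed ELF64 .rela section with three full entries and five stray trailing bytes (sh_size = 77, sh_entsize = 24), shows that a loop bounded by sh_size would iterate four times while only three entries fit, and reads the section with the count used for both allocation and iteration. The names shdr_t, rela_t, read_relocs, iterations_bounded_by_sh_size, build_fuzzed_rela and run_demo are hypothetical stand-ins; the division sh_size / sh_entsize is the same one binutils wraps in its NUM_SHDR_ENTRIES macro.

```c
/* Added example (not binutils code): decoding an ELF64 .rela section whose
   sh_size is not a multiple of sh_entsize without reading past the buffer. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define RELA_ENTSIZE 24u   /* on-disk size of an Elf64_Rela */

/* Hypothetical stand-ins for the section-header fields and the decoded entry. */
typedef struct { uint64_t sh_size; uint64_t sh_entsize; } shdr_t;
typedef struct { uint64_t r_offset; uint64_t r_info; int64_t r_addend; } rela_t;

static uint64_t get64le(const uint8_t *p)
{
  uint64_t v = 0;
  for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
  return v;
}

static void put64le(uint8_t *p, uint64_t v)
{
  for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Whole entries in the section.  Allocation and iteration must both use this
   value; a trailing partial entry is dropped by the integer division. */
static uint64_t num_shdr_entries(const shdr_t *sh)
{
  return sh->sh_entsize ? sh->sh_size / sh->sh_entsize : 0;
}

/* Iterations made by a loop whose end pointer is start + sh_size.  It touches
   no memory; it only counts, to expose the off-by-one against num_shdr_entries
   when sh_size has a partial entry at the end. */
static uint64_t iterations_bounded_by_sh_size(const shdr_t *sh)
{
  uint64_t n = 0;
  if (!sh->sh_entsize) return 0;
  for (uint64_t off = 0; off < sh->sh_size; off += sh->sh_entsize) n++;
  return n;
}

/* Hardened reader: validates sh_entsize and sh_size, allocates exactly the
   whole-entry count and iterates exactly that many times.  Trailing bytes are
   reported, never decoded.  Returns entries read, or -1 on a malformed header. */
static long read_relocs(const uint8_t *sec, size_t sec_len, const shdr_t *sh,
                        rela_t **out, uint64_t *trailing)
{
  if (sh->sh_entsize != RELA_ENTSIZE || sh->sh_size > (uint64_t)sec_len) return -1;
  uint64_t count = num_shdr_entries(sh);
  *trailing = sh->sh_size - count * sh->sh_entsize;
  rela_t *r = calloc(count ? count : 1, sizeof *r);
  if (!r) return -1;
  for (uint64_t i = 0; i < count; i++) {
    const uint8_t *e = sec + i * sh->sh_entsize;
    r[i].r_offset = get64le(e);
    r[i].r_info   = get64le(e + 8);
    r[i].r_addend = (int64_t)get64le(e + 16);
  }
  *out = r;
  return (long)count;
}

/* Constructed input: three entries followed by 5 stray bytes, so sh_size = 77. */
static size_t build_fuzzed_rela(uint8_t *buf)
{
  size_t off = 0;
  for (uint64_t i = 0; i < 3; i++) {
    put64le(buf + off,      0x1000 + 8 * i);                 /* r_offset */
    put64le(buf + off + 8,  ((uint64_t)(i + 1) << 32) | 1);  /* r_info: sym, type */
    put64le(buf + off + 16, (uint64_t)-4);                   /* r_addend = -4 */
    off += RELA_ENTSIZE;
  }
  memset(buf + off, 0x41, 5);
  return off + 5;
}

typedef struct {
  long entries; uint64_t trailing, sh_size_iterations;
  uint64_t first_offset, second_info, last_offset; int64_t last_addend;
} demo_t;

static demo_t run_demo(void)
{
  demo_t d = {0};
  uint8_t sec[128];
  size_t len = build_fuzzed_rela(sec);
  shdr_t sh = { .sh_size = len, .sh_entsize = RELA_ENTSIZE };
  rela_t *relocs = NULL;
  d.entries = read_relocs(sec, len, &sh, &relocs, &d.trailing);
  d.sh_size_iterations = iterations_bounded_by_sh_size(&sh);
  if (d.entries == 3) {
    d.first_offset = relocs[0].r_offset;
    d.second_info  = relocs[1].r_info;
    d.last_offset  = relocs[2].r_offset;
    d.last_addend  = relocs[2].r_addend;
  }
  free(relocs);
  return d;
}

int main(void)
{
  demo_t d = run_demo();
  printf("entries=%ld trailing=%llu; a sh_size-bounded loop would run %llu times\n",
         d.entries, (unsigned long long)d.trailing, (unsigned long long)d.sh_size_iterations);
  return 0;
}
```

The point a reviewer of this class of bug checks: the same count must drive both the allocation and the loop bound. Sizing the buffer from sh_size / sh_entsize while walking to start + sh_size is exactly the mismatch that turns a fuzzed section header into a one-entry heap write past the end.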
Fixed