Bug 24339 - An Invalid Memory Address Dereference problem was discovered in function elf_x86_64_check_relocs in elf64-x86-64.c in bfd
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: ld
Version: 2.32
Importance: P2 normal
Target Milestone: 2.33
Assignee: Alan Modra
Duplicates: 24340

Reported: 2019-03-14 12:55 UTC by wcventure
Modified: 2019-07-28 09:42 UTC
CC List: 0 users
Last reconfirmed: 2019-03-15 00:00:00

Attachments
POC (1.22 KB, application/octet-stream)
2019-03-14 12:55 UTC, wcventure
Description wcventure 2019-03-14 12:55:07 UTC
Created attachment 11679
POC

Hi, there.

An Invalid Memory Address Dereference problem was discovered in function elf_x86_64_check_relocs in elf64-x86-64.c in bfd of binutils 2.32, the latest code base. A crafted ELF input can cause segment faults, and I have confirmed them with AddressSanitizer too.

Please use "./ld -E $POC" to reproduce the bug.

> ASAN:DEADLYSIGNAL
> =================================================================
> ==703==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x000000715ef0 bp 0x7ffd5bdeb9c0 sp 0x7ffd5bdeb720 T0)
>     #0 0x715eef in elf_x86_64_check_relocs /binutils_2.32/bfd/elf64-x86-64.c:1902:19
>     #1 0x820bd6 in _bfd_elf_link_check_relocs /binutils_2.32/bfd/elflink.c:3849:9
>     #2 0x555a6c in lang_check_relocs /binutils_2.32/ld/ldlang.c:7327:7
>     #3 0x555a6c in lang_process /binutils_2.32/ld/ldlang.c:7538
>     #4 0x58fb7f in main /binutils_2.32/ld/./ldmain.c:440:3
>     #5 0x7fe8de9fc82f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
>     #6 0x4195f8 in _start (/binutils_2.32/build/bin/ld+0x4195f8)
> 
> AddressSanitizer can not provide additional info.
> SUMMARY: AddressSanitizer: SEGV /binutils_2.32/bfd/elf64-x86-64.c:1902:19 in elf_x86_64_check_relocs
> ==703==ABORTING
> Aborted
Comment 1 Sourceware Commits 2019-03-15 09:37:33 UTC
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=fe3fef62ad11115fc3b03c0c0dcb9c38b2f544cb

commit fe3fef62ad11115fc3b03c0c0dcb9c38b2f544cb
Author: Alan Modra <amodra@gmail.com>
Date:   Fri Mar 15 16:49:59 2019 +1030

    PR24339, segfault on NULL symbol section
    
    	PR 24339
    	* elflink.c (elf_link_add_object_symbols): Bail out on a local
    	symbol after globals if elf_bad_symtab is not set.
Comment 2 Alan Modra 2019-03-15 09:39:50 UTC
Fixed
Comment 3 Alan Modra 2019-03-15 09:41:13 UTC
*** Bug 24340 has been marked as a duplicate of this bug. ***
Comment 4 Alan Modra 2019-04-01 06:16:26 UTC
.
Comment 5 Sourceware Commits 2019-07-28 09:42:54 UTC
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=4538d1c7c46e67b472d8d5ebf163f3dfd9c67714

commit 4538d1c7c46e67b472d8d5ebf163f3dfd9c67714
Author: Alan Modra <amodra@gmail.com>
Date:   Sun Jul 28 14:56:37 2019 +0930

    PR24857, ld: error adding symbols: bad value
    
    This fixes two cases where elf_link_add_object_symbols returns an
    error, setting the catch-all bfd_error_bad_value without explaining
    the error.  The second one is an internal error that can only be
    caused by a target elf_add_symbol_hook, so make that one abort.  The
    first one is my PR24339 fix.  PR24339 is another of those fuzzing bugs
    and the fix I made catches the problem when loading symbols, rather
    than when symbols are used in relocs.  While ld is correct to reject
    the object file as not complying with the ELF standard, let's be a
    little more forgiving for dynamic objects.
    
    	PR 24857
    	PR 24339
    	* elflink.c (elf_link_add_object_symbols): Report an informative
    	error on finding local symbols with index equal or greater than
    	symbol table sh_info.  Correct comment.  Allow such symbols in
    	dynamic objects.  Abort on NULL section for symbol.
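The symbol-table invariant the two commits above enforce, as an added example written for this page rather than binutils' own code: a symbol table's sh_info must be one greater than the index of the last STB_LOCAL symbol, so a local symbol at or beyond sh_info is malformed and, before the PR24339 fix, reached elf_x86_64_check_relocs with the NULL symbol section the first commit names. The elf64_sym struct, the macros, the function name and the sample tables are constructed here; the pass for dynamic objects follows the PR24857 commit message.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal mirror of Elf64_Sym from <elf.h>, defined here (an assumption of
   this example) so it builds without that header; layout follows ELF64. */
typedef struct {
    uint32_t st_name; uint8_t st_info; uint8_t st_other;  /* st_info = bind<<4 | type */
    uint16_t st_shndx; uint64_t st_value; uint64_t st_size;
} elf64_sym;
#define ST_BIND(info) ((info) >> 4)
#define STB_LOCAL  0
#define STB_GLOBAL 1

/* ELF rule: a symbol table's sh_info is one greater than the index of the
   last STB_LOCAL symbol, so no local symbol may sit at index >= sh_info.
   Returns the first offending index (the layout behind PR24339), -1 for a
   well-formed table, or -2 if sh_info runs past the table.  Dynamic objects
   are let through, as the PR24857 commit message describes. */
long first_misplaced_local(const elf64_sym *syms, size_t nsyms,
                           uint32_t sh_info, bool is_dynamic)
{
    if (sh_info > nsyms)
        return -2;
    if (is_dynamic)
        return -1;
    for (size_t i = sh_info; i < nsyms; i++)
        if (ST_BIND(syms[i].st_info) == STB_LOCAL)
            return (long)i;
    return -1;
}

/* Constructed sample tables; index 0 is the mandatory null (local) symbol. */
static const elf64_sym good_tab[] = {
    {0, 0, 0, 0, 0, 0},
    {1, (STB_LOCAL << 4) | 1, 0, 1, 0x10, 4},    /* local object */
    {7, (STB_GLOBAL << 4) | 2, 0, 1, 0x20, 16},  /* global function */
};
static const elf64_sym bad_tab[] = {
    {0, 0, 0, 0, 0, 0},
    {7, (STB_GLOBAL << 4) | 2, 0, 1, 0x20, 16},  /* global function */
    {1, (STB_LOCAL << 4) | 1, 0, 1, 0x10, 4},    /* local after a global */
};

int main(void)
{
    printf("good table: %ld\n", first_misplaced_local(good_tab, 3, 2, false));
    printf("bad table:  %ld\n", first_misplaced_local(bad_tab, 3, 2, false));
    return 0;
}
```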