Created attachment 11679: POC

Hi there. An invalid memory address dereference problem was discovered in function elf_x86_64_check_relocs in elf64-x86-64.c in bfd of binutils 2.32, the latest code base. A crafted ELF input can cause segmentation faults, and I have confirmed them with AddressSanitizer too. Please use "./ld -E $POC" to reproduce the bug.

> ASAN:DEADLYSIGNAL
> =================================================================
> ==703==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x000000715ef0 bp 0x7ffd5bdeb9c0 sp 0x7ffd5bdeb720 T0)
>     #0 0x715eef in elf_x86_64_check_relocs /binutils_2.32/bfd/elf64-x86-64.c:1902:19
>     #1 0x820bd6 in _bfd_elf_link_check_relocs /binutils_2.32/bfd/elflink.c:3849:9
>     #2 0x555a6c in lang_check_relocs /binutils_2.32/ld/ldlang.c:7327:7
>     #3 0x555a6c in lang_process /binutils_2.32/ld/ldlang.c:7538
>     #4 0x58fb7f in main /binutils_2.32/ld/./ldmain.c:440:3
>     #5 0x7fe8de9fc82f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
>     #6 0x4195f8 in _start (/binutils_2.32/build/bin/ld+0x4195f8)
>
> AddressSanitizer can not provide additional info.
> SUMMARY: AddressSanitizer: SEGV /binutils_2.32/bfd/elf64-x86-64.c:1902:19 in elf_x86_64_check_relocs
> ==703==ABORTING
> Aborted
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=fe3fef62ad11115fc3b03c0c0dcb9c38b2f544cb

commit fe3fef62ad11115fc3b03c0c0dcb9c38b2f544cb
Author: Alan Modra <amodra@gmail.com>
Date:   Fri Mar 15 16:49:59 2019 +1030

    PR24339, segfault on NULL symbol section

        PR 24339
        * elflink.c (elf_link_add_object_symbols): Bail out on a local
        symbol after globals if elf_bad_symtab is not set.
Fixed
*** Bug 24340 has been marked as a duplicate of this bug. ***
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=4538d1c7c46e67b472d8d5ebf163f3dfd9c67714

commit 4538d1c7c46e67b472d8d5ebf163f3dfd9c67714
Author: Alan Modra <amodra@gmail.com>
Date:   Sun Jul 28 14:56:37 2019 +0930

    PR24857, ld: error adding symbols: bad value

    This fixes two cases where elf_link_add_object_symbols returns an
    error, setting the catch-all bfd_error_bad_value without explaining
    the error.  The second one is an internal error that can only be
    caused by a target elf_add_symbol_hook, so make that one abort.  The
    first one is my PR24339 fix.  PR24339 is another of those fuzzing bugs
    and the fix I made catches the problem when loading symbols, rather
    than when symbols are used in relocs.  While ld is correct to reject
    the object file as not complying with the ELF standard, let's be a
    little more forgiving for dynamic objects.

        PR 24857
        PR 24339
        * elflink.c (elf_link_add_object_symbols): Report an informative
        error on finding local symbols with index equal or greater than
        symbol table sh_info.  Correct comment.  Allow such symbols in
        dynamic objects.  Abort on NULL section for symbol.
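The two commits above describe the invariant the crafted input broke: in an ELF symbol table every STB_LOCAL symbol must sit at an index below the section header's sh_info, and every symbol's st_shndx must name a real section or one of the reserved values, otherwise the linker ends up with a NULL section pointer for the symbol. The following is an added example, not binutils code and not the PoC, that checks both invariants over constructed symbol tables. The struct and constants are copied to mirror <elf.h> so the file builds on its own; the is_dynamic parameter imitates the PR24857 relaxation for shared objects, and the demo_* tables and the four-section object shape they assume are made up for illustration.

```c
/* Added example (not binutils code): check the symbol-table invariants
 * behind PR24339 / PR24857.  Struct and constants mirror <elf.h>. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    uint32_t st_name;
    uint8_t  st_info;
    uint8_t  st_other;
    uint16_t st_shndx;
    uint64_t st_value;
    uint64_t st_size;
} Elf64_Sym;

#define ELF64_ST_BIND(i)    ((i) >> 4)
#define ELF64_ST_INFO(b, t) (((b) << 4) | ((t) & 0xf))
#define STB_LOCAL     0
#define STB_GLOBAL    1
#define STT_NOTYPE    0
#define STT_FUNC      2
#define SHN_UNDEF     0
#define SHN_LORESERVE 0xff00
#define SHN_ABS       0xfff1
#define SHN_COMMON    0xfff2

enum {
    SYMTAB_OK = 0,
    SYMTAB_BAD_SH_INFO,        /* sh_info does not index into the table */
    SYMTAB_LOCAL_AFTER_GLOBAL, /* STB_LOCAL symbol at index >= sh_info (the PR24339 shape) */
    SYMTAB_BAD_SHNDX           /* st_shndx names no section: the symbol would get a NULL section */
};

/* Walk a symbol table the way a linker does.  Symbol 0 is the null symbol;
 * indices in [1, sh_info) must be local and indices >= sh_info must not be.
 * Every st_shndx must be SHN_UNDEF/SHN_ABS/SHN_COMMON or a real section
 * index below shnum.  Returns the first violation; if bad_index is non-NULL
 * it receives the offending symbol index.  is_dynamic mimics the PR24857
 * relaxation: a shared object with a local after the globals is accepted. */
int check_symtab(const Elf64_Sym *syms, size_t nsyms, uint32_t sh_info,
                 uint16_t shnum, int is_dynamic, size_t *bad_index)
{
    size_t i;
    if (bad_index) *bad_index = 0;
    if (sh_info == 0 || sh_info > nsyms)          /* index 0 is always local */
        return SYMTAB_BAD_SH_INFO;
    for (i = 1; i < nsyms; i++) {
        const Elf64_Sym *s = &syms[i];
        uint16_t shndx = s->st_shndx;
        int local = ELF64_ST_BIND(s->st_info) == STB_LOCAL;
        if (bad_index) *bad_index = i;
        if (i >= sh_info && local && !is_dynamic)
            return SYMTAB_LOCAL_AFTER_GLOBAL;
        if (shndx != SHN_UNDEF && shndx != SHN_ABS && shndx != SHN_COMMON
            && (shndx >= SHN_LORESERVE || shndx >= shnum))
            return SYMTAB_BAD_SHNDX;
    }
    if (bad_index) *bad_index = 0;
    return SYMTAB_OK;
}

/* Constructed sample data below: a four-section object (null, .text,
 * .data, .symtab) with four symbols and sh_info = 2. */
#define NSYMS 4
#define SHNUM 4

static Elf64_Sym mk(unsigned bind, unsigned type, uint16_t shndx)
{
    Elf64_Sym s = {0};
    s.st_info = (uint8_t)ELF64_ST_INFO(bind, type);
    s.st_shndx = shndx;
    return s;
}

/* Well-formed: two locals, then two globals. */
int demo_well_formed(size_t *bad)
{
    Elf64_Sym t[NSYMS];
    t[0] = mk(STB_LOCAL, STT_NOTYPE, SHN_UNDEF);
    t[1] = mk(STB_LOCAL, STT_FUNC, 1);
    t[2] = mk(STB_GLOBAL, STT_FUNC, 1);
    t[3] = mk(STB_GLOBAL, STT_NOTYPE, SHN_UNDEF);
    return check_symtab(t, NSYMS, 2, SHNUM, 0, bad);
}

/* The PR24339 shape: a STB_LOCAL symbol at index 3 >= sh_info. */
int demo_local_after_globals(int is_dynamic, size_t *bad)
{
    Elf64_Sym t[NSYMS];
    t[0] = mk(STB_LOCAL, STT_NOTYPE, SHN_UNDEF);
    t[1] = mk(STB_LOCAL, STT_FUNC, 1);
    t[2] = mk(STB_GLOBAL, STT_FUNC, 1);
    t[3] = mk(STB_LOCAL, STT_FUNC, 1);
    return check_symtab(t, NSYMS, 2, SHNUM, is_dynamic, bad);
}

/* Section index 9 in a four-section object: no section to attach to. */
int demo_bad_shndx(size_t *bad)
{
    Elf64_Sym t[NSYMS];
    t[0] = mk(STB_LOCAL, STT_NOTYPE, SHN_UNDEF);
    t[1] = mk(STB_LOCAL, STT_FUNC, 1);
    t[2] = mk(STB_GLOBAL, STT_FUNC, 9);
    t[3] = mk(STB_GLOBAL, STT_NOTYPE, SHN_UNDEF);
    return check_symtab(t, NSYMS, 2, SHNUM, 0, bad);
}

int main(void)
{
    size_t bad;
    int rc = demo_local_after_globals(0, &bad);
    printf("relocatable object: rc=%d at symbol %zu\n", rc, bad);
    rc = demo_local_after_globals(1, &bad);
    printf("shared object: rc=%d\n", rc);
    rc = demo_bad_shndx(&bad);
    printf("bad st_shndx: rc=%d at symbol %zu\n", rc, bad);
    return 0;
}
```

Rejecting at symbol-load time, as the fix does, is the cheaper place for this check: by the time check_relocs runs, code paths already assume each symbol's section pointer is valid, which is exactly the dereference the PoC reached.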