Bug 24689 - string table corruption
Summary: string table corruption
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: ld
Version: 2.32
Importance: P2 normal
Target Milestone: 2.33
Assignee: Alan Modra
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-06-17 03:23 UTC by 15664243668
Modified: 2019-09-09 11:30 UTC (History)
2 users

See Also:
Host:
Target:
Build:
Last reconfirmed:


Attachments
POC (170 bytes, application/octet-stream)
2019-06-17 03:23 UTC, 15664243668
attachment-74707-0.html (745 bytes, text/html)
2019-06-19 07:25 UTC, 15664243668

Description 15664243668 2019-06-17 03:23:41 UTC
Created attachment 11840 [details]
POC

Hi, 

A heap-buffer-overflow problem was discovered in _bfd_doprnt in bfd.c in bfd, as distributed in binutils v2.32. A crafted ELF input can cause a crash when it is processed by size in binutils v2.32, and I have confirmed it with AddressSanitizer too.

Here are the POC files. Please use "size $POC" to reproduce the error.


ASAN dumps the backtrace as follows:


=================================================================
==20018==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf4a038e0 at pc 0xf7ac14fb bp 0xffffceb8 sp 0xffffca6c
READ of size 554 at 0xf4a038e0 thread T0
    #0 0xf7ac14fa  (/usr/lib32/libasan.so.2+0x5a4fa)
    #1 0xf7b055c4 in __asan_report_error (/usr/lib32/libasan.so.2+0x9e5c4)
    #2 0xf7ac13d9  (/usr/lib32/libasan.so.2+0x5a3d9)
    #3 0xf7ac1b88 in __interceptor_vfprintf (/usr/lib32/libasan.so.2+0x5ab88)
    #4 0xf7ac1c0c in fprintf (/usr/lib32/libasan.so.2+0x5ac0c)
    #5 0x807d3ff in _bfd_doprnt /home/zeroyu/experiment_without_cov/binutils-2.32/bfd/bfd.c:871
    #6 0x807d3ff in error_handler_internal /home/zeroyu/experiment_without_cov/binutils-2.32/bfd/bfd.c:1136
    #7 0x8079004 in _bfd_error_handler /home/zeroyu/experiment_without_cov/binutils-2.32/bfd/bfd.c:1178
    #8 0x818eb08 in _bfd_elf_setup_sections /home/zeroyu/experiment_without_cov/binutils-2.32/bfd/elf.c:866
    #9 0x838f661 in bfd_elf32_object_p /home/zeroyu/experiment_without_cov/binutils-2.32/bfd/elfcode.h:822
    #10 0x8094407 in bfd_check_format_matches /home/zeroyu/experiment_without_cov/binutils-2.32/bfd/format.c:315
    #11 0x8053d8e in display_bfd /home/zeroyu/experiment_without_cov/binutils-2.32/binutils/size.c:304
    #12 0x8053d8e in display_file /home/zeroyu/experiment_without_cov/binutils-2.32/binutils/size.c:407
    #13 0x804f2ed in main /home/zeroyu/experiment_without_cov/binutils-2.32/binutils/size.c:241
    #14 0xf78c6636 in __libc_start_main (/lib32/libc.so.6+0x18636)
    #15 0x805136b  (/home/zeroyu/experiment_without_cov/binutilstest_with_asan_but_no_cov/bin/size+0x805136b)

0xf4a038e0 is located 0 bytes to the right of 4064-byte region [0xf4a02900,0xf4a038e0)
allocated by thread T0 here:
    #0 0xf7afddee in malloc (/usr/lib32/libasan.so.2+0x96dee)
    #1 0x862ac99 in objalloc_create objalloc.c:95

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
  0x3e9406c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e9406d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e9406e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e9406f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e940700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x3e940710: 00 00 00 00 00 00 00 00 00 00 00 00[fa]fa fa fa
  0x3e940720: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e940730: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e940740: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e940750: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e940760: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==20018==ABORTING
[Inferior 1 (process 20018) exited with code 01]
Comment 1 Alan Modra 2019-06-19 04:15:34 UTC
I don't see this with my standard -fsanitize=address binutils.  How did you configure and compile binutils?
Comment 2 15664243668 2019-06-19 07:25:56 UTC
Created attachment 11845 [details]
attachment-74707-0.html

Hello, I compiled binutils 2.32 as the 32-bit LSB version with afl-gcc in ASAN mode. The binutils runs on x86-64 Ubuntu 16.04 servers.

Comment 3 Sourceware Commits 2019-06-21 07:16:09 UTC
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=890f750a3b053532a4b839a2dd6243076de12031

commit 890f750a3b053532a4b839a2dd6243076de12031
Author: Alan Modra <amodra@gmail.com>
Date:   Fri Jun 21 11:51:38 2019 +0930

    PR24689, string table corruption
    
    The testcase in the PR had an e_shstrndx section of type SHT_GROUP.
    hdr->contents were initialized by setup_group rather than being read
    from the file, thus the last byte was not zero and the string dereference
    ran off the end of the buffer.
    
    	PR 24689
    	* elfcode.h (elf_object_p): Check type of e_shstrndx section.
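As an added illustration (not code from binutils or from the commit above), here is a standalone check of the kind the fix introduces: before any section name is dereferenced, confirm that the e_shstrndx section really is an SHT_STRTAB and that its contents are NUL-terminated inside the file. The struct names, check_shstrtab, check_sample and the constructed in-memory ELF32 image are assumptions of this example; it handles little-endian ELF32 only and does not handle the SHN_XINDEX escape.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define EI_NIDENT  16
#define SHT_STRTAB 3    /* ELF section types, from the ELF specification */
#define SHT_GROUP  17

typedef struct {                       /* Elf32_Ehdr layout, 52 bytes, no padding */
    uint8_t  e_ident[EI_NIDENT];
    uint16_t e_type, e_machine;
    uint32_t e_version, e_entry, e_phoff, e_shoff, e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} Ehdr;
typedef struct {                       /* Elf32_Shdr layout, 40 bytes */
    uint32_t sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size,
             sh_link, sh_info, sh_addralign, sh_entsize;
} Shdr;
enum { SHSTR_OK, SHSTR_BAD_INDEX, SHSTR_BAD_TYPE, SHSTR_BAD_BOUNDS, SHSTR_NO_NUL };

/* Validate the section-name string table of a little-endian ELF32 image that is
 * fully in memory (len bytes at buf), before any sh_name is looked up in it. */
int check_shstrtab(const uint8_t *buf, size_t len)
{
    Ehdr eh; Shdr sh;
    if (len < sizeof eh) return SHSTR_BAD_BOUNDS;
    memcpy(&eh, buf, sizeof eh);            /* assumes a little-endian host */
    if (eh.e_shstrndx == 0 || eh.e_shstrndx >= eh.e_shnum) return SHSTR_BAD_INDEX;
    if (eh.e_shentsize != sizeof sh) return SHSTR_BAD_BOUNDS;
    uint64_t off = (uint64_t)eh.e_shoff + (uint64_t)eh.e_shstrndx * sizeof sh;
    if (off + sizeof sh > len) return SHSTR_BAD_BOUNDS;
    memcpy(&sh, buf + off, sizeof sh);
    if (sh.sh_type != SHT_STRTAB) return SHSTR_BAD_TYPE;   /* the PR 24689 check */
    if (sh.sh_size == 0 || (uint64_t)sh.sh_offset + sh.sh_size > len) return SHSTR_BAD_BOUNDS;
    if (buf[(uint64_t)sh.sh_offset + sh.sh_size - 1] != '\0') return SHSTR_NO_NUL;
    return SHSTR_OK;
}

/* Constructed sample image: header, a NULL section, and one candidate string
 * table of the given type whose contents are "\0.text" followed by `tail`. */
int check_sample(uint32_t shtype, char tail)
{
    uint8_t buf[52 + 2 * 40 + 8] = {0};
    Ehdr eh = {{0x7f, 'E', 'L', 'F', 1, 1, 1}}; Shdr sh = {0};
    eh.e_shoff = 52; eh.e_shentsize = 40; eh.e_shnum = 2; eh.e_shstrndx = 1;
    sh.sh_type = shtype; sh.sh_offset = 52 + 2 * 40; sh.sh_size = 7;
    memcpy(buf, &eh, 52); memcpy(buf + 52 + 40, &sh, 40);
    memcpy(buf + sh.sh_offset, "\0.text", 6); buf[sh.sh_offset + 6] = (uint8_t)tail;
    return check_shstrtab(buf, sizeof buf);
}
```

check_sample(SHT_GROUP, '\0') models the PR's testcase, where e_shstrndx names a group section, and is rejected by the type check; a table whose last byte is not NUL is rejected separately.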
Comment 4 Alan Modra 2019-06-21 10:04:18 UTC
Fixed on master
Comment 5 Sourceware Commits 2019-06-23 13:45:24 UTC
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=14b2a8e4244a29208ad430167860a0f01b20f215

commit 14b2a8e4244a29208ad430167860a0f01b20f215
Author: Alan Modra <amodra@gmail.com>
Date:   Sun Jun 23 12:10:02 2019 +0930

    PR24689 again, string table corruption
    
    Depending on optimisation level and gcc version, git commit 890f750a3b
    introduces a false positive warning that i_shdrp may be used
    uninitialized.
    
    	PR 24689
    	* elfcode.h (elf_object_p): Warning fix.
Comment 6 15664243668 2019-06-27 09:01:06 UTC
CVE-2019-12972

Comment 7 Trupti Pardeshi 2019-09-09 08:26:44 UTC
Hello,

May I know if Binutils-2.31 is also affected and requires this fix? Any heads up will be appreciated.

Thank you in advance.

Best Regards,
Comment 8 Nick Clifton 2019-09-09 11:04:10 UTC
(In reply to Trupti Pardeshi from comment #7)
Hi Trupti,

> May I know if Binutils-2.31 is also affected and requires this fix? Any
> heads up will be appreciated.

Yes it is affected.  Yes a fix is needed if you plan on using it to
examine corrupt, or potentially corrupt, input files.

Cheers
  Nick
Comment 9 Trupti Pardeshi 2019-09-09 11:30:53 UTC
(In reply to Nick Clifton from comment #8)

Thank you so much Nick for the early reply and clarification.