26005 – [size] crash with ASAN in bfd_section_from_shdr

Bug 26005 - [size] crash with ASAN in bfd_section_from_shdr

Summary: [size] crash with ASAN in bfd_section_from_shdr

Status:	RESOLVED FIXED

Alias:	None

Product:	binutils
Classification:	Unclassified
Component:	binutils (show other bugs)
Version:	2.35

Importance:	P2 normal
Target Milestone:	---
Assignee:	Not yet assigned to anyone

URL:
Keywords:

Duplicates (4):	26008 26009 26147 26166 (view as bug list)
Depends on:
Blocks:

Reported:	2020-05-18 02:59 UTC by Ahcheong Lee
Modified:	2020-06-25 04:44 UTC (History)
CC List:	3 users (show)

See Also:
Host:
Target:
Build:
Last reconfirmed:

Attachments
crash test case (2.48 KB, application/octet-stream) 2020-05-18 02:59 UTC, Ahcheong Lee	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Ahcheong Lee 2020-05-18 02:59:35 UTC

Created attachment 12551 [details]
crash test case

Hello,
I'm currently developing a new fuzzing feature, and I found a crash in size.

I downloaded from git master, and I built it with Ubuntu 16.04 with gcc 5.4.0 with ASAN, and the following command to build size from the source:
CFLAGS="-O1 -fsanitize=address -U_FORTIFY_SOURCE" ./configure; make clean all;

You can reproduce the crash with the following command:
./size <attached file>

The AddressSanitizer message of the crash is:
==7401==ERROR: AddressSanitizer: heap-use-after-free on address 0x621000014124 at pc 0x000000460d42 bp 0x7ffc2483b3d0 sp 0x7ffc2483b3c0
READ of size 4 at 0x621000014124 thread T0
    #0 0x460d41 in bfd_section_from_shdr (/home/cheong/results/crashes/size_crash/size.master_asan+0x460d41)
    #1 0x4624a5 in bfd_section_from_shdr (/home/cheong/results/crashes/size_crash/size.master_asan+0x4624a5)
    #2 0x4624a5 in bfd_section_from_shdr (/home/cheong/results/crashes/size_crash/size.master_asan+0x4624a5)
    #3 0x4f8310 in bfd_elf32_object_p (/home/cheong/results/crashes/size_crash/size.master_asan+0x4f8310)
    #4 0x418a29 in bfd_check_format_matches (/home/cheong/results/crashes/size_crash/size.master_asan+0x418a29)
    #5 0x403989 in display_bfd (/home/cheong/results/crashes/size_crash/size.master_asan+0x403989)
    #6 0x403c11 in display_file (/home/cheong/results/crashes/size_crash/size.master_asan+0x403c11)
    #7 0x4040ed in main (/home/cheong/results/crashes/size_crash/size.master_asan+0x4040ed)
    #8 0x7fd86d9ff82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #9 0x402bc8 in _start (/home/cheong/results/crashes/size_crash/size.master_asan+0x402bc8)

0x621000014124 is located 36 bytes inside of 4064-byte region [0x621000014100,0x6210000150e0)
freed by thread T0 here:
    #0 0x7fd86e0452ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
    #1 0x5ae662 in objalloc_free_block (/home/cheong/results/crashes/size_crash/size.master_asan+0x5ae662)

previously allocated by thread T0 here:
    #0 0x7fd86e045602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x5ae3d8 in _objalloc_alloc (/home/cheong/results/crashes/size_crash/size.master_asan+0x5ae3d8)

SUMMARY: AddressSanitizer: heap-use-after-free ??:0 bfd_section_from_shdr
Shadow bytes around the buggy address:
  0x0c427fffa7d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffa7e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffa7f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffa800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffa810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c427fffa820: fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd
  0x0c427fffa830: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c427fffa840: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c427fffa850: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c427fffa860: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c427fffa870: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==7401==ABORTING

Comment 1 Sourceware Commits 2020-05-18 14:52:34 UTC

The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ed02cdb5b78d17429f7e873acc49d94a5a0223d8

commit ed02cdb5b78d17429f7e873acc49d94a5a0223d8
Author: Nick Clifton <nickc@redhat.com>
Date:   Mon May 18 15:52:03 2020 +0100

    Fix a use-after-free bug in the BFD library when scanning a corrupt ELF file.
    
            PR 26005
            * elf.c (bfd_section_from_shdr): Use bfd_malloc to allocate memory
            for the sections_being_created array.

Comment 2 Nick Clifton 2020-05-18 14:54:17 UTC

Hi Ahcheong,

  Thanks for reporting this bug.  I have checked in a small patch to fix the
  problem.

Cheers
  Nick

Comment 3 Nick Clifton 2020-05-18 15:19:55 UTC

*** Bug 26008 has been marked as a duplicate of this bug. ***

Comment 4 Nick Clifton 2020-05-18 15:21:16 UTC

*** Bug 26009 has been marked as a duplicate of this bug. ***

Comment 5 Sourceware Commits 2020-05-19 16:32:58 UTC

The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=6fd1d259e98354236fafd14ec05f3d6a377ede9f

commit 6fd1d259e98354236fafd14ec05f3d6a377ede9f
Author: Gunther Nikl <gnikl@justmail.de>
Date:   Tue May 19 17:32:26 2020 +0100

    Fix thinko in recent update to bfd_section_from_shdr.
    
            PR 26005
            * elf.c (bfd_section_from_shdr): Replace bfd_malloc + memset with
            bfd_zmalloc to allocate memory for the sections_being_created array.

Comment 6 Alan Modra 2020-06-22 07:13:52 UTC

*** Bug 26147 has been marked as a duplicate of this bug. ***

Comment 7 Alan Modra 2020-06-25 04:44:18 UTC

*** Bug 26166 has been marked as a duplicate of this bug. ***