Bug 29699 - Segmentation fault caused by null pointer dereference in nm-new, _bfd_elf_get_symbol_version_string, elf.c:1969
Summary: Segmentation fault caused by null pointer dereference in nm-new, _bfd_elf_get...
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils (show other bugs)
Version: 2.40
: P2 normal
Target Milestone: ---
Assignee: Nick Clifton
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-10-19 12:25 UTC by Heqing HUANG
Modified: 2022-10-19 14:11 UTC (History)
1 user (show)

See Also:
Host:
Target:
Build:
Last reconfirmed: 2022-10-19 00:00:00


Attachments
POC (1.50 KB, application/x-executable)
2022-10-19 12:25 UTC, Heqing HUANG
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Heqing HUANG 2022-10-19 12:25:10 UTC
Created attachment 14404 [details]
POC

Hi, there.

There is a null pointer dereference in the newest version(2.39.50.20221019, commit 9454c9ce) of nm-new, bfd_elf_get_symbol_version_string, elf.c:1969, which directly causes a segmentation fault.

My environment is:
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=20.04
DISTRIB_CODENAME=focal
DISTRIB_DESCRIPTION="Ubuntu 20.04.5 LTS"

Compiler=gcc 9.4.0

To reproduce, run
nm-new -aD poc

Here is the trace reported by ASAN:

==2056575==ERROR: AddressSanitizer: SEGV on unknown address 0x0006c6258006 (pc 0x0000005b6eee bp 0x0c240000002a sp 0x7ffe8702e440 T0)
==2056575==The signal is caused by a READ memory access.
    #0 0x5b6eee in _bfd_elf_get_symbol_version_string  /benchmark/binutils-gdb/build-a/bfd/../../bfd/elf.c
    #1 0x4fbe13 in print_symname  /benchmark/binutils-gdb/build-a/binutils/../../binutils/nm.c:715:4
    #2 0x50055c in print_symbol  /benchmark/binutils-gdb/build-a/binutils/../../binutils/nm.c:1219:3
    #3 0x4fea41 in print_symbols  /benchmark/binutils-gdb/build-a/binutils/../../binutils/nm.c:1403:7
    #4 0x4fea41 in display_rel_file  /benchmark/binutils-gdb/build-a/binutils/../../binutils/nm.c:1530:5
    #5 0x4f9885 in display_file  /benchmark/binutils-gdb/build-a/binutils/../../binutils/nm.c:1680:7
    #6 0x4f888f in main  /benchmark/binutils-gdb/build-a/binutils/../../binutils/nm.c:2197:12
    #7 0x7f912956e082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #8 0x41d57d in _start ( /benchmark/binutils-gdb/build-a/binutils/nm-new+0x41d57d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV  /benchmark/binutils-gdb/build-a/bfd/../../bfd/elf.c in _bfd_elf_get_symbol_version_string
==2056575==ABORTING
Comment 1 Heqing HUANG 2022-10-19 12:35:49 UTC
It seems to be an incomplete fix of CVE-2020-16599.
Comment 2 Sourceware Commits 2022-10-19 14:10:13 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=5c831a3c7f3ca98d6aba1200353311e1a1f84c70

commit 5c831a3c7f3ca98d6aba1200353311e1a1f84c70
Author: Nick Clifton <nickc@redhat.com>
Date:   Wed Oct 19 15:09:12 2022 +0100

    Fix an illegal memory access when parsing an ELF file containing corrupt symbol version information.
    
            PR 29699
            * elf.c (_bfd_elf_slurp_version_tables): Fail if the sh_info field
            of the section header is zero.
Comment 3 Nick Clifton 2022-10-19 14:11:42 UTC
Fixed