Bug 29699 - Segmentation fault caused by null pointer dereference in nm-new, _bfd_elf_get_symbol_version_string, elf.c:1969
Summary: Segmentation fault caused by null pointer dereference in nm-new, _bfd_elf_get...
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils (show other bugs)
Version: 2.40
: P2 normal
Target Milestone: ---
Assignee: Nick Clifton
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-10-19 12:25 UTC by Heqing HUANG
Modified: 2022-10-19 14:11 UTC (History)
1 user (show)

See Also:
Host:
Target:
Build:
Last reconfirmed: 2022-10-19 00:00:00

Attachments
POC (1.50 KB, application/x-executable)
2022-10-19 12:25 UTC, Heqing HUANG 		Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Heqing HUANG 2022-10-19 12:25:10 UTC 
Created attachment 14404 [details]
POC

Hi, there.

There is a null pointer dereference in the newest version(2.39.50.20221019, commit 9454c9ce) of nm-new, bfd_elf_get_symbol_version_string, elf.c:1969, which directly causes a segmentation fault.

My environment is:
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=20.04
DISTRIB_CODENAME=focal
DISTRIB_DESCRIPTION="Ubuntu 20.04.5 LTS"

Compiler=gcc 9.4.0

To reproduce, run
nm-new -aD poc

Here is the trace reported by ASAN:

==2056575==ERROR: AddressSanitizer: SEGV on unknown address 0x0006c6258006 (pc 0x0000005b6eee bp 0x0c240000002a sp 0x7ffe8702e440 T0)
==2056575==The signal is caused by a READ memory access.
    #0 0x5b6eee in _bfd_elf_get_symbol_version_string  /benchmark/binutils-gdb/build-a/bfd/../../bfd/elf.c
    #1 0x4fbe13 in print_symname  /benchmark/binutils-gdb/build-a/binutils/../../binutils/nm.c:715:4
    #2 0x50055c in print_symbol  /benchmark/binutils-gdb/build-a/binutils/../../binutils/nm.c:1219:3
    #3 0x4fea41 in print_symbols  /benchmark/binutils-gdb/build-a/binutils/../../binutils/nm.c:1403:7
    #4 0x4fea41 in display_rel_file  /benchmark/binutils-gdb/build-a/binutils/../../binutils/nm.c:1530:5
    #5 0x4f9885 in display_file  /benchmark/binutils-gdb/build-a/binutils/../../binutils/nm.c:1680:7
    #6 0x4f888f in main  /benchmark/binutils-gdb/build-a/binutils/../../binutils/nm.c:2197:12
    #7 0x7f912956e082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #8 0x41d57d in _start ( /benchmark/binutils-gdb/build-a/binutils/nm-new+0x41d57d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV  /benchmark/binutils-gdb/build-a/bfd/../../bfd/elf.c in _bfd_elf_get_symbol_version_string
==2056575==ABORTING
Comment 1 Heqing HUANG 2022-10-19 12:35:49 UTC 
It seems to be an incomplete fix of CVE-2020-16599.
Comment 2 Sourceware Commits 2022-10-19 14:10:13 UTC 
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=5c831a3c7f3ca98d6aba1200353311e1a1f84c70

commit 5c831a3c7f3ca98d6aba1200353311e1a1f84c70
Author: Nick Clifton <nickc@redhat.com>
Date:   Wed Oct 19 15:09:12 2022 +0100

    Fix an illegal memory access when parsing an ELF file containing corrupt symbol version information.
    
            PR 29699
            * elf.c (_bfd_elf_slurp_version_tables): Fail if the sh_info field
            of the section header is zero.
Comment 3 Nick Clifton 2022-10-19 14:11:42 UTC 
Fixed