Bug 29855 - Local variable `ch_type` in function `bfd_init_section_decompress_status` can be uninitialized.
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils
Version: 2.40
Importance: P2 normal
Target Milestone: ---
Assignee: Alan Modra
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-12-05 20:55 UTC by 2019
Modified: 2022-12-06 00:03 UTC
CC List: 0 users

See Also:
Host:
Target:
Build:
Last reconfirmed:


Attachments
PoC (2.42 KB, application/x-object)
2022-12-05 20:55 UTC, 2019

Description 2019 2022-12-05 20:55:16 UTC
Created attachment 14483
PoC

# Reproduce

cd binutils-gdb
git reset --hard 09a5d200e6166522e0d0a9276bd6b2227ac5ace1
mkdir msan && cd msan
export CC=clang
export CXX=clang++
../configure --disable-gdb --disable-gdbserver --disable-gdbsupport --disable-libdecnumber --disable-readline --disable-sim --disable-libbacktrace --disable-gas --disable-ld --disable-werror --enable-targets=all CPPFLAGS=-DDEBUG CFLAGS="-g -O0 -fsanitize=memory"
make all-binutils MAKEINFO=true && true
echo "" | binutils/addr2line -e ../ch_type_uninit.bin

# Output

binutils/addr2line: ../ch_type_uninit.bin: no group info for section '.init_array.2'
==158888==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x563380931b2f in _bfd_elf_make_section_from_shdr /binutils-gdb/msan/bfd/../../bfd/elf.c:1238:8
    #1 0x56338094e31d in bfd_section_from_shdr /binutils-gdb/msan/bfd/../../bfd/elf.c:2102:13
    #2 0x563380902617 in bfd_elf64_object_p /binutils-gdb/msan/bfd/../../bfd/elfcode.h:842:7
    #3 0x5633807c61f0 in bfd_check_format_matches /binutils-gdb/msan/bfd/../../bfd/format.c:353:17
    #4 0x56338078b06f in process_file /binutils-gdb/msan/binutils/../../binutils/addr2line.c:451:9
    #5 0x56338078a7e5 in main /binutils-gdb/msan/binutils/../../binutils/addr2line.c:579:10
    #6 0x7f7d2ee55d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #7 0x7f7d2ee55e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #8 0x5633806f95c4 in _start (/binutils-gdb/msan/binutils/addr2line+0x18e5c4)

SUMMARY: MemorySanitizer: use-of-uninitialized-value /binutils-gdb/msan/bfd/../../bfd/elf.c:1238:8 in _bfd_elf_make_section_from_shdr
Exiting
Aborted (core dumped)

# Analysis

In function `bfd_init_section_decompress_status`[1], the local variable `ch_type` is supposed to be initialized by the function `bfd_check_compression_header`[2]. However, since this call is inside an `else if` branch, `ch_type` remains uninitialized when the preceding `if` branch is taken, and it is then used directly to assign `sec->compress_status`[3]. Therefore, when the `compress_status` field is later used in a branch condition[4], MemorySanitizer aborts.

[1] https://github.com/bminor/binutils-gdb/blob/125b7ff73a691353de114149a3a3951828cfb2be/bfd/compress.c#L532
[2] https://github.com/bminor/binutils-gdb/blob/125b7ff73a691353de114149a3a3951828cfb2be/bfd/compress.c#L568
[3] https://github.com/bminor/binutils-gdb/blob/125b7ff73a691353de114149a3a3951828cfb2be/bfd/compress.c#L589
[4] https://github.com/bminor/binutils-gdb/blob/125b7ff73a691353de114149a3a3951828cfb2be/bfd/elf.c#L1238
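The control-flow shape described in the analysis above, written out as an added C example. This is not bfd's code: the `toy_` names, the `toy_section` struct and the 4-byte little-endian header read by `toy_check_compression_header` are assumptions made to keep the model small; only the `ELFCOMPRESS_*` values and the zlib-gnu "ZLIB" magic are the real formats. The `ch_type = 0;` in the zlib-gnu branch is the assignment the fix in comment 1 describes; remove it and the ternary at the end reads an indeterminate value on that path, which is the class of report MemorySanitizer produced above.

```c
/* Added example (not bfd's code): a reduced model of the control flow in
   bfd_init_section_decompress_status as PR 29855 describes it.  The toy_
   names and the 4-byte header format are assumptions for this example.  */
#include <stdio.h>
#include <string.h>

enum compress_status
{
  COMPRESS_SECTION_NONE = 0,
  DECOMPRESS_SECTION_ZLIB,
  DECOMPRESS_SECTION_ZSTD
};

/* Real ELF compression header types.  */
#define ELFCOMPRESS_ZLIB 1
#define ELFCOMPRESS_ZSTD 2

struct toy_section
{
  int has_chdr;                 /* stands in for SHF_COMPRESSED */
  const unsigned char *contents;
  size_t size;
  int compress_status;          /* output */
};

/* Toy stand-in for bfd_check_compression_header: reads a 4-byte
   little-endian ch_type (an invented layout) and accepts only the two
   known values.  Sets *ch_type only on the SHF_COMPRESSED path.  */
static int
toy_check_compression_header (const struct toy_section *sec,
                              unsigned int *ch_type)
{
  if (sec->size < 4)
    return 0;
  *ch_type = (unsigned int) sec->contents[0]
             | (unsigned int) sec->contents[1] << 8
             | (unsigned int) sec->contents[2] << 16
             | (unsigned int) sec->contents[3] << 24;
  return *ch_type == ELFCOMPRESS_ZLIB || *ch_type == ELFCOMPRESS_ZSTD;
}

/* zlib-gnu sections carry "ZLIB" plus an 8-byte big-endian size and no
   compression header, so nothing on that path ever wrote ch_type; the
   helper that sets it runs only in the else-if branch.  Returns 1 on
   success, 0 for a malformed section.  */
int
toy_init_section_decompress_status (struct toy_section *sec)
{
  unsigned int ch_type;       /* no initializer, as in bfd */

  if (!sec->has_chdr)
    {
      if (sec->size < 12 || memcmp (sec->contents, "ZLIB", 4) != 0)
        return 0;
      ch_type = 0;            /* the assignment the PR 29855 fix added */
    }
  else if (!toy_check_compression_header (sec, &ch_type))
    return 0;

  /* Without the assignment above this read is indeterminate on the
     zlib-gnu path; MSan reports it once compress_status is tested.  */
  sec->compress_status = (ch_type == ELFCOMPRESS_ZSTD
                          ? DECOMPRESS_SECTION_ZSTD
                          : DECOMPRESS_SECTION_ZLIB);
  return 1;
}

/* Constructed inputs covering every path.  Returns the compress_status
   assigned, or -1 when the section was rejected.  */
int
toy_demo (int which)
{
  static const unsigned char gnu[12] =
    { 'Z', 'L', 'I', 'B', 0, 0, 0, 0, 0, 0, 0, 0x10 };
  static const unsigned char zstd_hdr[4] = { ELFCOMPRESS_ZSTD, 0, 0, 0 };
  static const unsigned char zlib_hdr[4] = { ELFCOMPRESS_ZLIB, 0, 0, 0 };
  static const unsigned char bad_hdr[4] = { 9, 0, 0, 0 };
  static const unsigned char plain[12] =
    { 'n', 'o', 't', ' ', 'Z', 'L', 'I', 'B', '!', '!', '!', '!' };
  struct toy_section sec;

  memset (&sec, 0, sizeof sec);
  switch (which)
    {
    case 0: sec.has_chdr = 0; sec.contents = gnu;      sec.size = sizeof gnu;      break;
    case 1: sec.has_chdr = 1; sec.contents = zstd_hdr; sec.size = sizeof zstd_hdr; break;
    case 2: sec.has_chdr = 1; sec.contents = zlib_hdr; sec.size = sizeof zlib_hdr; break;
    case 3: sec.has_chdr = 1; sec.contents = bad_hdr;  sec.size = sizeof bad_hdr;  break;
    default: sec.has_chdr = 0; sec.contents = plain;   sec.size = sizeof plain;    break;
    }

  if (!toy_init_section_decompress_status (&sec))
    return -1;
  return sec.compress_status;
}

int
main (void)
{
  static const char *const label[] =
    { "zlib-gnu", "chdr zstd", "chdr zlib", "chdr bad type", "plain" };
  for (int i = 0; i < 5; i++)
    printf ("%-14s -> %d\n", label[i], toy_demo (i));
  return 0;
}
```

Building the model with `-fsanitize=memory` after deleting the `ch_type = 0;` line, then calling `toy_demo (0)`, exercises the same shape of defect as the report: an initializer that lives in one branch only and a use after the branches rejoin.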
Comment 1 Sourceware Commits 2022-12-06 00:02:33 UTC
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=5830876a0cca17bef3b2d54908928e72cca53502

commit 5830876a0cca17bef3b2d54908928e72cca53502
Author: Alan Modra <amodra@gmail.com>
Date:   Tue Dec 6 08:37:52 2022 +1030

    PR29855, ch_type in bfd_init_section_decompress_status can be uninitialized
    
            PR 29855
            * compress.c (bfd_init_section_decompress_status): Set ch_type
            to zero for zlib-gnu case.
Comment 2 Alan Modra 2022-12-06 00:03:52 UTC
Thanks for the report.