https://sourceware.org/bugzilla/show_bug.cgi?id=24792
Bug ID: 24792
Summary: A bug in bfd_alloc in bfd/opncls.c in Binutils 2.32
Product: binutils
Version: 2.32
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: ld
Assignee: unassigned at sourceware dot org
Reporter: 15664243668 at 163 dot com
Target Milestone: ---

Hi,

A bug was discovered in bfd_alloc in opncls.c in bfd, as distributed in binutils v2.32. A crafted ELF input can cause a crash when executed by size in binutils v2.32, and I have confirmed it with address sanitizer too. Unfortunately, address sanitizer was not able to recognize this bug. Considering that it may cause some problems, I report this bug.

Here are the POC files. Please use "size $POC" to reproduce the error.

ASAN dumps the backtrace as follows:

/home/zeroyu/experiment_without_cov/binutilstest_with_asan_but_no_cov/bin/size: warning: /home/zeroyu/CVE/output/size_s19_1/crashes/id:000015,sig:06,src:001140,op:havoc,rep:4 has a corrupt section with a size (64000080) larger than the file size
/home/zeroyu/experiment_without_cov/binutilstest_with_asan_but_no_cov/bin/size: warning: /home/zeroyu/CVE/output/size_s19_1/crashes/id:000015,sig:06,src:001140,op:havoc,rep:4 has a corrupt section with a size (c5e1ff08) larger than the file size
/home/zeroyu/experiment_without_cov/binutilstest_with_asan_but_no_cov/bin/size: /home/zeroyu/CVE/output/size_s19_1/crashes/id:000015,sig:06,src:001140,op:havoc,rep:4: invalid size field in group section header: 0x64000080
/home/zeroyu/experiment_without_cov/binutilstest_with_asan_but_no_cov/bin/size: /home/zeroyu/CVE/output/size_s19_1/crashes/id:000015,sig:06,src:001140,op:havoc,rep:4: no valid group sections found
/home/zeroyu/experiment_without_cov/binutilstest_with_asan_but_no_cov/bin/size: /home/zeroyu/CVE/output/size_s19_1/crashes/id:000015,sig:06,src:001140,op:havoc,rep:4: no group info for section '?'
/home/zeroyu/experiment_without_cov/binutilstest_with_asan_but_no_cov/bin/size: /home/zeroyu/CVE/output/size_s19_1/crashes/id:000015,sig:06,src:001140,op:havoc,rep:4: SHT_GROUP section [index 0] has no SHF_GROUP sections
/home/zeroyu/experiment_without_cov/binutilstest_with_asan_but_no_cov/bin/size: warning: /home/zeroyu/CVE/output/size_s19_1/crashes/id:000015,sig:06,src:001140,op:havoc,rep:4 has a corrupt section with a size (64000080) larger than the file size
/home/zeroyu/experiment_without_cov/binutilstest_with_asan_but_no_cov/bin/size: warning: /home/zeroyu/CVE/output/size_s19_1/crashes/id:000015,sig:06,src:001140,op:havoc,rep:4 has a corrupt section with a size (c5e1ff08) larger than the file size
==35514==ERROR: AddressSanitizer failed to allocate 0x64003000 (1677733888) bytes of LargeMmapAllocator (errno: 12)
==35514==Process memory map follows:
0x08048000-0x08754000 /home/zeroyu/experiment_without_cov/binutilstest_with_asan_but_no_cov/bin/size
0x08754000-0x08755000 /home/zeroyu/experiment_without_cov/binutilstest_with_asan_but_no_cov/bin/size
0x08755000-0x08780000 /home/zeroyu/experiment_without_cov/binutilstest_with_asan_but_no_cov/bin/size
0x08780000-0x08785000 [heap]
0x1ffff000-0x24000000
0x24000000-0x28000000
0x28000000-0x40000000
0x8fe00000-0x8ff00000
0x8fffd000-0xf4100000
0xf4200000-0xf4300000
0xf4400000-0xf4500000
0xf4600000-0xf4700000
0xf4800000-0xf4900000
0xf4a00000-0xf4b00000
0xf4c00000-0xf4d00000
0xf4e00000-0xf4f00000
0xf5000000-0xf5100000
0xf5200000-0xf5300000
0xf5400000-0xf5500000
0xf5600000-0xf5700000
0xf5800000-0xf5900000
0xf5a00000-0xf5b00000
0xf5c00000-0xf5d00000
0xf5e00000-0xf5f00000
0xf5f68000-0xf6100000 /usr/lib/locale/locale-archive
0xf6100000-0xf6200000
0xf6300000-0xf6400000
0xf6500000-0xf6600000
0xf6646000-0xf664a000
0xf664a000-0xf6651000 /usr/lib32/gconv/gconv-modules.cache
0xf6651000-0xf781e000
0xf781e000-0xf783a000 /usr/lib32/libgcc_s.so.1
0xf783a000-0xf783b000 /usr/lib32/libgcc_s.so.1
0xf783b000-0xf783c000
0xf783c000-0xf788f000 /lib32/libm-2.23.so
0xf788f000-0xf7890000 /lib32/libm-2.23.so
0xf7890000-0xf7891000 /lib32/libm-2.23.so
0xf7891000-0xf78aa000 /lib32/libpthread-2.23.so
0xf78aa000-0xf78ab000 /lib32/libpthread-2.23.so
0xf78ab000-0xf78ac000 /lib32/libpthread-2.23.so
0xf78ac000-0xf78ae000
0xf78ae000-0xf7a5b000 /lib32/libc-2.23.so
0xf7a5b000-0xf7a5c000 /lib32/libc-2.23.so
0xf7a5c000-0xf7a5e000 /lib32/libc-2.23.so
0xf7a5e000-0xf7a5f000 /lib32/libc-2.23.so
0xf7a5f000-0xf7a62000
0xf7a62000-0xf7a65000 /lib32/libdl-2.23.so
0xf7a65000-0xf7a66000 /lib32/libdl-2.23.so
0xf7a66000-0xf7a67000 /lib32/libdl-2.23.so
0xf7a67000-0xf7b6b000 /usr/lib32/libasan.so.2.0.0
0xf7b6b000-0xf7b6d000 /usr/lib32/libasan.so.2.0.0
0xf7b6d000-0xf7b6e000 /usr/lib32/libasan.so.2.0.0
0xf7b6e000-0xf7fc7000
0xf7fc7000-0xf7fd6000
0xf7fd6000-0xf7fd9000 [vvar]
0xf7fd9000-0xf7fda000 [vdso]
0xf7fda000-0xf7ffc000 /lib32/ld-2.23.so
0xf7ffc000-0xf7ffd000 /lib32/ld-2.23.so
0xf7ffd000-0xf7ffe000 /lib32/ld-2.23.so
0xfffdd000-0xffffe000 [stack]
==35514==End of process memory map.
==35514==AddressSanitizer CHECK failed: ../../../../../src/libsanitizer/sanitizer_common/sanitizer_posix.cc:121 "(("unable to mmap" && 0)) != (0)" (0x0, 0x0)
    #0 0xf7b06797 (/usr/lib32/libasan.so.2+0x9f797)
    #1 0xf7b0ba69 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/usr/lib32/libasan.so.2+0xa4a69)
    #2 0xf7b14d6f (/usr/lib32/libasan.so.2+0xadd6f)
    #3 0xf7a823dd (/usr/lib32/libasan.so.2+0x1b3dd)
    #4 0xf7afddbb in malloc (/usr/lib32/libasan.so.2+0x96dbb)
    #5 0x862b3a8 in _objalloc_alloc objalloc.c:143
    #6 0x80b0555 in bfd_alloc /home/zeroyu/experiment_without_cov/binutils-2.32/bfd/opncls.c:949
    #7 0x80b0555 in bfd_alloc2 /home/zeroyu/experiment_without_cov/binutils-2.32/bfd/opncls.c:978
    #8 0x81a156d in setup_group /home/zeroyu/experiment_without_cov/binutils-2.32/bfd/elf.c:658
    #9 0x81a156d in _bfd_elf_make_section_from_shdr /home/zeroyu/experiment_without_cov/binutils-2.32/bfd/elf.c:1053
    #10 0x8197dbc in bfd_section_from_shdr /home/zeroyu/experiment_without_cov/binutils-2.32/bfd/elf.c:2494
    #11 0x838f4ad in bfd_elf32_object_p /home/zeroyu/experiment_without_cov/binutils-2.32/bfd/elfcode.h:818
    #12 0x8094407 in bfd_check_format_matches /home/zeroyu/experiment_without_cov/binutils-2.32/bfd/format.c:315
    #13 0x8053d8e in display_bfd /home/zeroyu/experiment_without_cov/binutils-2.32/binutils/size.c:304
    #14 0x8053d8e in display_file /home/zeroyu/experiment_without_cov/binutils-2.32/binutils/size.c:407
    #15 0x804f2ed in main /home/zeroyu/experiment_without_cov/binutils-2.32/binutils/size.c:241
    #16 0xf78c6636 in __libc_start_main (/lib32/libc.so.6+0x18636)
    #17 0x805136b (/home/zeroyu/experiment_without_cov/binutilstest_with_asan_but_no_cov/bin/size+0x805136b)
[Inferior 1 (process 35514) exited with code 01]
[Thread debugging using libthread_db enabled]
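The trace above shows the failure mode behind the report: setup_group hands bfd_alloc a size taken straight from a section header (0x64000080 bytes, in a file far smaller than that), and the allocation itself is what fails. The defensive pattern is to validate every sh_size/sh_offset pair against the real file size before any allocation is sized by it. The following Python is an added illustration of that check, not binutils code; it parses a little-endian ELF32 section header table, flags sizes that exceed the file, and applies the group-section shape checks that the report's "invalid size field in group section header" warning corresponds to (my approximation, with a 4-byte entry size, not the exact bfd condition). The corrupt image it runs on is constructed inline with the size value from the report, not the reporter's POC file.

```python
"""Pre-allocation sanity checks for ELF32 section headers (added example)."""
import struct

ELF_MAGIC = b"\x7fELF"
ELFCLASS32 = 1
ELFDATA2LSB = 1
SHT_PROGBITS = 1
SHT_NOBITS = 8
SHT_GROUP = 17
GRP_ENTRY_SIZE = 4                 # assumed entry size for SHT_GROUP word lists

EHDR_FMT = "<16sHHIIIIIHHHHHH"     # 52-byte ELF32 header, little-endian
SHDR_FMT = "<IIIIIIIIII"           # 40-byte ELF32 section header
EHDR_SIZE = struct.calcsize(EHDR_FMT)
SHDR_SIZE = struct.calcsize(SHDR_FMT)


def parse_section_headers(data):
    """Return (list of section header tuples, file size).

    Rejects anything that is not a little-endian ELF32 image whose section
    header table lies entirely inside the file.
    """
    if len(data) < EHDR_SIZE or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    (e_ident, _, _, _, _, _, e_shoff, _, _, _, _,
     e_shentsize, e_shnum, _) = struct.unpack_from(EHDR_FMT, data, 0)
    if e_ident[4] != ELFCLASS32 or e_ident[5] != ELFDATA2LSB:
        raise ValueError("only little-endian ELF32 is handled here")
    if e_shentsize != SHDR_SIZE or e_shoff + e_shnum * SHDR_SIZE > len(data):
        raise ValueError("section header table out of bounds")
    shdrs = [struct.unpack_from(SHDR_FMT, data, e_shoff + i * SHDR_SIZE)
             for i in range(e_shnum)]
    return shdrs, len(data)


def check_section_headers(data):
    """Return a list of (section index, reason, sh_size) findings.

    An empty list means every sh_size is backed by file bytes and is safe to
    use as an allocation size; a non-empty list means the loader must refuse
    the section (and certainly must not allocate sh_size bytes for it).
    """
    shdrs, file_size = parse_section_headers(data)
    findings = []
    for idx, sh in enumerate(shdrs):
        sh_type, sh_offset, sh_size, sh_entsize = sh[1], sh[4], sh[5], sh[9]
        if idx == 0 or sh_type == SHT_NOBITS:
            continue               # null header / bss-like sections own no file bytes
        if sh_size > file_size or sh_offset + sh_size > file_size:
            findings.append((idx, "section size larger than the file size", sh_size))
            continue               # do not even look at the type-specific checks
        if sh_type == SHT_GROUP and (sh_entsize != GRP_ENTRY_SIZE
                                    or sh_size % GRP_ENTRY_SIZE
                                    or sh_size < GRP_ENTRY_SIZE):
            findings.append((idx, "invalid size field in group section header", sh_size))
    return findings


def build_sample(group_size=0x64000080, group_offset=0x1000):
    """Constructed ELF32 image (not the reporter's POC): a null header, an
    SHT_GROUP header with the given offset/size, and one sane PROGBITS section
    whose 16 bytes really are present at the end of the file."""
    shnum = 3
    e_ident = ELF_MAGIC + bytes([ELFCLASS32, ELFDATA2LSB, 1]) + bytes(9)
    ehdr = struct.pack(EHDR_FMT, e_ident, 1, 3, 1, 0, 0, EHDR_SIZE, 0,
                       EHDR_SIZE, 0, 0, SHDR_SIZE, shnum, 0)
    null_sh = struct.pack(SHDR_FMT, *([0] * 10))
    group_sh = struct.pack(SHDR_FMT, 1, SHT_GROUP, 0, 0, group_offset, group_size,
                           0, 0, 4, GRP_ENTRY_SIZE)
    text_off = EHDR_SIZE + shnum * SHDR_SIZE
    text_sh = struct.pack(SHDR_FMT, 7, SHT_PROGBITS, 0x6, 0, text_off, 16, 0, 0, 4, 0)
    return ehdr + null_sh + group_sh + text_sh + b"\x90" * 16


if __name__ == "__main__":
    for label, image in (("oversized group", build_sample()),
                         ("misaligned group", build_sample(group_size=6, group_offset=0)),
                         ("well-formed", build_sample(group_size=8, group_offset=0))):
        print(label, "->", check_section_headers(image) or "ok")
```

Run stand-alone it reports the oversized group header (size 0x64000080 in a 188-byte file) and a misaligned in-bounds group header, and passes the well-formed variant; the point is that the size is rejected before anything tries to allocate it, which is the ordering the ASAN failure above shows was missing.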
_______________________________________________
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils