https://sourceware.org/bugzilla/show_bug.cgi?id=29855
Bug ID: 29855
Summary: Local variable `ch_type` in function `bfd_init_section_decompress_status` can be uninitialized.
Product: binutils
Version: 2.40 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: r3tr0spect2019 at gmail dot com
Target Milestone: ---

Created attachment 14483
--> https://sourceware.org/bugzilla/attachment.cgi?id=14483&action=edit
PoC

# Reproduce

    cd binutils-gdb
    git reset --hard 09a5d200e6166522e0d0a9276bd6b2227ac5ace1
    mkdir msan && cd msan
    export CC=clang
    export CXX=clang++
    ../configure --disable-gdb --disable-gdbserver --disable-gdbsupport \
        --disable-libdecnumber --disable-readline --disable-sim \
        --disable-libbacktrace --disable-gas --disable-ld --disable-werror \
        --enable-targets=all CPPFLAGS=-DDEBUG CFLAGS="-g -O0 -fsanitize=memory"
    make all-binutils MAKEINFO=true && true
    echo "" | binutils/addr2line -e ../ch_type_uninit.bin

# Output

    binutils/addr2line: ../ch_type_uninit.bin: no group info for section '.init_array.2'
    ==158888==WARNING: MemorySanitizer: use-of-uninitialized-value
        #0 0x563380931b2f in _bfd_elf_make_section_from_shdr /binutils-gdb/msan/bfd/../../bfd/elf.c:1238:8
        #1 0x56338094e31d in bfd_section_from_shdr /binutils-gdb/msan/bfd/../../bfd/elf.c:2102:13
        #2 0x563380902617 in bfd_elf64_object_p /binutils-gdb/msan/bfd/../../bfd/elfcode.h:842:7
        #3 0x5633807c61f0 in bfd_check_format_matches /binutils-gdb/msan/bfd/../../bfd/format.c:353:17
        #4 0x56338078b06f in process_file /binutils-gdb/msan/binutils/../../binutils/addr2line.c:451:9
        #5 0x56338078a7e5 in main /binutils-gdb/msan/binutils/../../binutils/addr2line.c:579:10
        #6 0x7f7d2ee55d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #7 0x7f7d2ee55e3f in __libc_start_main csu/../csu/libc-start.c:392:3
        #8 0x5633806f95c4 in _start (/binutils-gdb/msan/binutils/addr2line+0x18e5c4)

    SUMMARY: MemorySanitizer: use-of-uninitialized-value /binutils-gdb/msan/bfd/../../bfd/elf.c:1238:8 in _bfd_elf_make_section_from_shdr
    Exiting
    Aborted (core dumped)

# Analysis

In function `bfd_init_section_decompress_status` [1], the local variable `ch_type` is supposed to be initialized by the call to `bfd_check_compression_header` [2]. However, that call sits inside an `else if` branch, so when the preceding `if` branch is taken `ch_type` is left uninitialized and is then used directly to assign `sec->compress_status` [3]. When the `compress_status` field is later used in a branch condition [4], MemorySanitizer reports the use of the uninitialized value and aborts.

[1] https://github.com/bminor/binutils-gdb/blob/125b7ff73a691353de114149a3a3951828cfb2be/bfd/compress.c#L532
[2] https://github.com/bminor/binutils-gdb/blob/125b7ff73a691353de114149a3a3951828cfb2be/bfd/compress.c#L568
[3] https://github.com/bminor/binutils-gdb/blob/125b7ff73a691353de114149a3a3951828cfb2be/bfd/compress.c#L589
[4] https://github.com/bminor/binutils-gdb/blob/125b7ff73a691353de114149a3a3951828cfb2be/bfd/elf.c#L1238
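As an added illustration (not code from the report or from binutils), here is a constructed C model of the two-branch header check the analysis describes, written the hardened way a reviewer would ask for: `ch_type` starts at a sentinel, every branch assigns it, and the status is published only once it is known to be set. The enum values, the header layouts, `struct section` and the function names are assumptions for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Constructed model of a section decompress-status routine; the enums and the
   header layouts are illustrative assumptions, not bfd's own definitions.  */
enum ch_type { CH_TYPE_NONE = 0, CH_TYPE_ZLIB = 1, CH_TYPE_ZSTD = 2 };
enum compress_status { STATUS_INVALID = 0, DECOMPRESS_ZLIB, DECOMPRESS_ZSTD };
struct section { enum compress_status compress_status; };

/* header_size == 0 selects the legacy "ZLIB" + 8-byte big-endian size prefix;
   24 selects an Elf64_Chdr-like header whose first field is a 32-bit LE ch_type.  */
bool init_decompress_status (struct section *sec, const uint8_t *hdr, size_t hdr_len, size_t header_size)
{
  /* Hardened: a sentinel means no branch can leave ch_type indeterminate.
     In the shape the report describes it is only assigned in the else-if.  */
  enum ch_type ch_type = CH_TYPE_NONE;
  if (header_size == 0)
    {
      if (hdr_len < 12 || memcmp (hdr, "ZLIB", 4) != 0)
        return false;
      ch_type = CH_TYPE_ZLIB;             /* the assignment the buggy path lacks */
    }
  else if (header_size == 24 && hdr_len >= 24)
    {
      uint32_t t = hdr[0] | hdr[1] << 8 | hdr[2] << 16 | (uint32_t) hdr[3] << 24;
      if (t != CH_TYPE_ZLIB && t != CH_TYPE_ZSTD)
        return false;
      ch_type = (enum ch_type) t;
    }
  else
    return false;
  if (ch_type == CH_TYPE_NONE)            /* never publish a status from an unset type */
    return false;
  sec->compress_status = ch_type == CH_TYPE_ZLIB ? DECOMPRESS_ZLIB : DECOMPRESS_ZSTD;
  return true;
}

/* Feeds one constructed header to init_decompress_status and returns the
   resulting compress_status, or -1 when the header is rejected.  */
int demo_status (int which)
{
  static const uint8_t legacy[12] = { 'Z', 'L', 'I', 'B', 0, 0, 0, 0, 0, 0, 1, 0 };
  static const uint8_t chdr_zstd[24] = { 2, 0, 0, 0 };   /* ch_type 2, rest zero */
  static const uint8_t chdr_bad[24] = { 9, 0, 0, 0 };    /* unknown ch_type */
  struct section sec = { STATUS_INVALID };
  bool ok = which == 0 ? init_decompress_status (&sec, legacy, 12, 0)
          : which == 1 ? init_decompress_status (&sec, chdr_zstd, 24, 24)
                       : init_decompress_status (&sec, chdr_bad, 24, 24);
  return ok ? (int) sec.compress_status : -1;
}
```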