https://sourceware.org/bugzilla/show_bug.cgi?id=32662

            Bug ID: 32662
           Summary: ld Out-of-bounds Read in
                    _bfd_generic_link_output_symbols
                    (bfd/linker.c:2211:34)
           Product: binutils
           Version: 2.43
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: ld
          Assignee: unassigned at sourceware dot org
          Reporter: swj22 at mails dot tsinghua.edu.cn
  Target Milestone: ---

Created attachment 15932
  --> https://sourceware.org/bugzilla/attachment.cgi?id=15932&action=edit
poc

**Description**
A segv can occur in ld when using the --oformat option with a specially
crafted input file. This issue leads to heap buffer overflow.

**Affected Version**
GNU ld (GNU Binutils) 2.43

**Steps to Reproduce**

Build binutils 2.43 with AddressSanitizer (e.g., CFLAGS="-g -fsanitize=address"
./configure && make -j).
Run the following command:
/data/swj/optfuzz/benchmark/binutils-2.43/bins/bin/ld --oformat binary /tmp/poc
/data/swj/optfuzz/benchmark/binutils-2.43/bins/bin/ld: section .debug_line LMA [0000000000000000,000000000000002b] overlaps section .debug_info LMA [0000000000000000,0000000000000039]
/data/swj/optfuzz/benchmark/binutils-2.43/bins/bin/ld: warning: cannot find entry symbol _start; defaulting to 0000000000400000
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3123836==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000044 (pc 0x55ad25498cf1 bp 0x7ffd503606b0 sp 0x7ffd50360230 T0)
==3123836==The signal is caused by a READ memory access.
==3123836==Hint: address points to the zero page.
    #0 0x55ad25498cf1 in _bfd_generic_link_output_symbols /data/swj/optfuzz/benchmark/binutils-2.43/bfd/linker.c:2211:34
    #1 0x55ad254964e5 in _bfd_generic_final_link /data/swj/optfuzz/benchmark/binutils-2.43/bfd/linker.c:1865:11
    #2 0x55ad253f8d0e in ldwrite /data/swj/optfuzz/benchmark/binutils-2.43/ld/ldwrite.c:550:8
    #3 0x55ad253f34e9 in main /data/swj/optfuzz/benchmark/binutils-2.43/ld/./ldmain.c:556:3
    #4 0x7fc8d7d5f082 in __libc_start_main /build/glibc-LcI20x/glibc-2.31/csu/../csu/libc-start.c:308:16
    #5 0x55ad252cb6bd in _start (/data/swj/optfuzz/benchmark/binutils-2.43/bins/bin/ld+0x15a6bd) (BuildId: d9731e405748db264b62c84ded760ba4f068cb0a)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /data/swj/optfuzz/benchmark/binutils-2.43/bfd/linker.c:2211:34 in _bfd_generic_link_output_symbols
==3123836==ABORTING
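When fuzzing binutils, a report like the one above is usually one of many and needs to be bucketed before a maintainer looks at it. The following triage helper is an added example, not part of this bug report or of binutils; it embeds an excerpt of the sanitizer output above with the build paths shortened, and it separates ASan's zero-page SEGV (a NULL base plus a field offset, 0x44 here) from a true heap-buffer-overflow so the two are not filed as the same bug class.

```python
import re
from dataclasses import dataclass, field

# Excerpt of the AddressSanitizer report from this bug (paths shortened).
ASAN_REPORT = """\
==3123836==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000044 (pc 0x55ad25498cf1 bp 0x7ffd503606b0 sp 0x7ffd50360230 T0)
==3123836==The signal is caused by a READ memory access.
==3123836==Hint: address points to the zero page.
    #0 0x55ad25498cf1 in _bfd_generic_link_output_symbols /src/bfd/linker.c:2211:34
    #1 0x55ad254964e5 in _bfd_generic_final_link /src/bfd/linker.c:1865:11
    #2 0x55ad253f8d0e in ldwrite /src/ld/ldwrite.c:550:8
    #3 0x55ad253f34e9 in main /src/ld/./ldmain.c:556:3
    #4 0x7fc8d7d5f082 in __libc_start_main /build/glibc/csu/libc-start.c:308:16
    #5 0x55ad252cb6bd in _start (/src/bins/bin/ld+0x15a6bd)
SUMMARY: AddressSanitizer: SEGV /src/bfd/linker.c:2211:34 in _bfd_generic_link_output_symbols
"""

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on (?:unknown )?address (0x[0-9a-fA-F]+)")
# SEGV reports say "caused by a READ memory access"; overflow reports say "WRITE of size N".
ACCESS_RE = re.compile(r"caused by a (READ|WRITE) memory access|^(READ|WRITE) of size", re.M)
FRAME_RE = re.compile(r"^\s*#\d+\s+0x[0-9a-fA-F]+ in (\S+)\s+(.+?)\s*$", re.M)

@dataclass
class AsanTriage:
    kind: str                 # "SEGV", "heap-buffer-overflow", ...
    address: int              # faulting address
    access: str               # "READ", "WRITE" or "unknown"
    likely_null_deref: bool   # SEGV plus ASan's zero-page hint
    frames: list = field(default_factory=list)  # (function, location) pairs

def triage_asan(report: str) -> AsanTriage:
    """Extract the fields a crash bucket needs from one ASan report."""
    m = ERROR_RE.search(report)
    if not m:
        raise ValueError("no 'ERROR: AddressSanitizer' line found")
    kind, address = m.group(1), int(m.group(2), 16)
    acc = ACCESS_RE.search(report)
    access = (acc.group(1) or acc.group(2)) if acc else "unknown"
    # The zero-page hint on a SEGV means a NULL base plus a small field offset
    # (0x44 in this report), a different bug class from a heap-buffer-overflow.
    null_deref = kind == "SEGV" and "points to the zero page" in report
    return AsanTriage(kind, address, access, null_deref, FRAME_RE.findall(report))

def dedup_key(t: AsanTriage, depth: int = 3) -> str:
    """Bucket key: bug kind plus the first `depth` frames, skipping the libc
    and startup frames so ASLR-varying addresses never influence the key."""
    skip = {"__libc_start_main", "_start"}
    funcs = [f for f, _ in t.frames if f not in skip][:depth]
    return t.kind + ":" + ">".join(funcs)
```

Two crashes with the same `dedup_key` are the same bug for filing purposes; the `likely_null_deref` flag tells the triager whether the ASan SEGV is a missing NULL check rather than an out-of-bounds heap access.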

**Env**
Distributor ID: Ubuntu
Description:    Ubuntu 20.04.6 LTS
Release:        20.04
Codename:       focal
