https://sourceware.org/bugzilla/show_bug.cgi?id=32663
Bug ID: 32663
Summary: ld heap-buffer-overflow in cache_bread_1 (bfd/cache.c:355:11)
Product: binutils
Version: 2.45 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: ld
Assignee: unassigned at sourceware dot org
Reporter: swj22 at mails dot tsinghua.edu.cn
Target Milestone: ---

Created attachment 15933
--> https://sourceware.org/bugzilla/attachment.cgi?id=15933&action=edit
poc

**Description**

A segv can occur in ld when using the -h option with a specially crafted input file. This issue leads to a heap-buffer-overflow.

**Affected Version**

GNU ld (GNU Binutils) 2.45 (HEAD) Commit 66e701c09229d389f4046fddae586278fe3e014f

**Steps to Reproduce**

Build binutils 2.45 (HEAD) Commit 66e701c09229d389f4046fddae586278fe3e014f with AddressSanitizer (e.g., CFLAGS="-g -fsanitize=address" ./configure && make -j).

Run the following command:

/tmp/binutils-gdb/bins/bin/ld -h filename /tmp/poc

```
/tmp/binutils-gdb/bins/bin/ld: warning: /tmp/poc has a section extending past end of file
/tmp/binutils-gdb/bins/bin/ld: warning: cannot find entry symbol _start; defaulting to 0000000000401000
=================================================================
==1298061==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b000000f1a at pc 0x56524c79f67e bp 0x7ffef7c860a0 sp 0x7ffef7c85870
WRITE of size 176 at 0x60b000000f1a thread T0
    #0 0x56524c79f67d in fread (/tmp/binutils-gdb/bins/bin/ld+0x3a167d) (BuildId: 10d4dd0ec0a37f5a)
    #1 0x56524c94a329 in cache_bread_1 /tmp/binutils-gdb/bfd/cache.c:355:11
    #2 0x56524c9498fc in cache_bread /tmp/binutils-gdb/bfd/cache.c:399:21
    #3 0x56524c9331c8 in bfd_read /tmp/binutils-gdb/bfd/bfdio.c:369:11
    #4 0x56524c952229 in _bfd_generic_get_section_contents /tmp/binutils-gdb/bfd/libbfd.c:1330:7
    #5 0x56524c974029 in bfd_get_section_contents /tmp/binutils-gdb/bfd/section.c:1640:10
    #6 0x56524c938a8f in bfd_get_full_section_contents /tmp/binutils-gdb/bfd/compress.c:772:12
    #7 0x56524cb4764c in bfd_simple_get_relocated_section_contents /tmp/binutils-gdb/bfd/simple.c:221:12
    #8 0x56524cb49783 in _bfd_dwarf2_slurp_debug_info /tmp/binutils-gdb/bfd/./dwarf2.c:5555:10
    #9 0x56524cb4e0bb in _bfd_dwarf2_find_nearest_line_with_alt /tmp/binutils-gdb/bfd/./dwarf2.c:5818:9
    #10 0x56524ca5746d in _bfd_elf_find_nearest_line_with_alt /tmp/binutils-gdb/bfd/elf.c:9854:7
    #11 0x56524ca5721c in _bfd_elf_find_nearest_line /tmp/binutils-gdb/bfd/elf.c:9831:10
    #12 0x56524c8cb324 in vfinfo /tmp/binutils-gdb/ld/ldmisc.c:342:10
    #13 0x56524c8cdd0d in einfo /tmp/binutils-gdb/ld/ldmisc.c:618:3
    #14 0x56524c8b6016 in reloc_overflow /tmp/binutils-gdb/ld/./ldmain.c:1596:3
    #15 0x56524c9ad0b2 in elf_x86_64_relocate_section /tmp/binutils-gdb/bfd/elf64-x86-64.c:4960:8
    #16 0x56524cae40be in elf_link_input_bfd /tmp/binutils-gdb/bfd/elflink.c:11903:10
    #17 0x56524cad5f62 in bfd_elf_final_link /tmp/binutils-gdb/bfd/elflink.c:13161:11
    #18 0x56524c8b745e in ldwrite /tmp/binutils-gdb/ld/ldwrite.c:548:8
    #19 0x56524c8b1a81 in main /tmp/binutils-gdb/ld/./ldmain.c:560:3
    #20 0x7efe4d321082 in __libc_start_main /build/glibc-LcI20x/glibc-2.31/csu/../csu/libc-start.c:308:16
    #21 0x56524c783e6d in _start (/tmp/binutils-gdb/bins/bin/ld+0x385e6d) (BuildId: 10d4dd0ec0a37f5a)

0x60b000000f1a is located 0 bytes to the right of 106-byte region [0x60b000000eb0,0x60b000000f1a)
allocated by thread T0 here:
    #0 0x56524c80657e in malloc (/tmp/binutils-gdb/bins/bin/ld+0x40857e) (BuildId: 10d4dd0ec0a37f5a)
    #1 0x56524c94dfe2 in bfd_malloc /tmp/binutils-gdb/bfd/libbfd.c:291:9
    #2 0x56524cb495c1 in _bfd_dwarf2_slurp_debug_info /tmp/binutils-gdb/bfd/./dwarf2.c:5540:49
    #3 0x56524cb4e0bb in _bfd_dwarf2_find_nearest_line_with_alt /tmp/binutils-gdb/bfd/./dwarf2.c:5818:9
    #4 0x56524ca5746d in _bfd_elf_find_nearest_line_with_alt /tmp/binutils-gdb/bfd/elf.c:9854:7
    #5 0x56524ca5721c in _bfd_elf_find_nearest_line /tmp/binutils-gdb/bfd/elf.c:9831:10
    #6 0x56524c8cb324 in vfinfo /tmp/binutils-gdb/ld/ldmisc.c:342:10
    #7 0x56524c8cdd0d in einfo /tmp/binutils-gdb/ld/ldmisc.c:618:3
    #8 0x56524c8b6016 in reloc_overflow /tmp/binutils-gdb/ld/./ldmain.c:1596:3
    #9 0x56524c9ad0b2 in elf_x86_64_relocate_section /tmp/binutils-gdb/bfd/elf64-x86-64.c:4960:8
    #10 0x56524cae40be in elf_link_input_bfd /tmp/binutils-gdb/bfd/elflink.c:11903:10
    #11 0x56524cad5f62 in bfd_elf_final_link /tmp/binutils-gdb/bfd/elflink.c:13161:11
    #12 0x56524c8b745e in ldwrite /tmp/binutils-gdb/ld/ldwrite.c:548:8
    #13 0x56524c8b1a81 in main /tmp/binutils-gdb/ld/./ldmain.c:560:3
    #14 0x7efe4d321082 in __libc_start_main /build/glibc-LcI20x/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow (/tmp/binutils-gdb/bins/bin/ld+0x3a167d) (BuildId: 10d4dd0ec0a37f5a) in fread
Shadow bytes around the buggy address:
  0x0c167fff8190: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c167fff81a0: 00 fa fa fa fa fa fa fa fa fa 00 00 00 00 00 00
  0x0c167fff81b0: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
  0x0c167fff81c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa
  0x0c167fff81d0: fa fa fa fa fa fa 00 00 00 00 00 00 00 00 00 00
=>0x0c167fff81e0: 00 00 00[02]fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c167fff81f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c167fff8200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c167fff8210: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c167fff8220: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c167fff8230: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1298061==ABORTING
```

**Env**

Distributor ID: Ubuntu
Description: Ubuntu 20.04.6 LTS
Release: 20.04
Codename: focal
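The trigger ld warned about is a section whose file range runs past end of file; the DWARF reader then sizes its buffer from the truncated data (106 bytes) while the section header asks for a longer read (176 bytes). A defender-side pre-check for that condition, added here as an example that is not part of the bug report or of binutils: it walks ELF64 section headers and flags any section whose offset plus size exceeds the file length, with an overflow-safe comparison. The ELF image it checks is constructed inline; the function names are this example's own.

```c
/* Added example: flag ELF64 sections that extend past end of file, the
   malformed-input condition behind the undersized read reported above. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define EH_SIZE 64  /* sizeof(Elf64_Ehdr) */
#define SH_SIZE 64  /* sizeof(Elf64_Shdr) */

static uint64_t rd64(const unsigned char *p) { uint64_t v = 0; for (int i = 7; i >= 0; i--) v = (v << 8) | p[i]; return v; }
static uint32_t rd32(const unsigned char *p) { return p[0] | p[1] << 8 | p[2] << 16 | ((uint32_t)p[3] << 24); }
static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void wr64(unsigned char *p, uint64_t v) { for (int i = 0; i < 8; i++) p[i] = (unsigned char)(v >> (8 * i)); }

/* Returns how many sections have a file range [sh_offset, sh_offset + sh_size) that
   lies outside the image (SHT_NOBITS sections hold no file bytes and are skipped);
   returns -1 if the image is not little-endian ELF64 with an in-bounds header table. */
int count_overlong_sections(const unsigned char *img, size_t len)
{
    if (len < EH_SIZE || memcmp(img, "\x7f" "ELF", 4) != 0 || img[4] != 2 || img[5] != 1)
        return -1;
    uint64_t shoff = rd64(img + 0x28);                         /* e_shoff */
    uint16_t shentsize = rd16(img + 0x3a), shnum = rd16(img + 0x3c);
    if (shentsize != SH_SIZE || shoff > len || (uint64_t)shnum * SH_SIZE > len - shoff)
        return -1;
    int bad = 0;
    for (uint16_t i = 0; i < shnum; i++) {
        const unsigned char *sh = img + shoff + (size_t)i * SH_SIZE;
        uint64_t off = rd64(sh + 0x18), size = rd64(sh + 0x20);  /* sh_offset, sh_size */
        if (rd32(sh + 4) == 8 /* SHT_NOBITS */) continue;
        /* "off + size > len" written so the addition cannot wrap around */
        if (off > len || size > len - off) {
            fprintf(stderr, "section %u: offset 0x%llx size 0x%llx exceeds file size %llu\n",
                    i, (unsigned long long)off, (unsigned long long)size, (unsigned long long)len);
            bad++;
        }
    }
    return bad;
}

/* Constructed 256-byte ELF64 image: null section plus one SHT_PROGBITS section at
   file offset 0xC0 with the given sh_size; only 64 bytes of file remain past 0xC0. */
int check_constructed_image(uint64_t sec_size)
{
    unsigned char img[256];
    memset(img, 0, sizeof img);
    memcpy(img, "\x7f" "ELF", 4); img[4] = 2; img[5] = 1; img[6] = 1;  /* ELF64, LE, v1 */
    wr64(img + 0x28, 0x40); img[0x3a] = SH_SIZE; img[0x3c] = 2;       /* e_shoff/shentsize/shnum */
    unsigned char *sh = img + 0x40 + SH_SIZE;                          /* section 1 */
    sh[4] = 1; wr64(sh + 0x18, 0xC0); wr64(sh + 0x20, sec_size);       /* PROGBITS @0xC0 */
    return count_overlong_sections(img, sizeof img);
}
```

A size of 0xB0 (the 176-byte read in the report) against 64 remaining bytes is flagged; 0x40 fits exactly and passes.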