[Bug binutils/21909] New: Stack buffer overflow in pr_int_type - prdbg.c:586
https://sourceware.org/bugzilla/show_bug.cgi?id=21909

            Bug ID: 21909
           Summary: Stack buffer overflow in pr_int_type - prdbg.c:586
           Product: binutils
           Version: 2.30 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: martino.sani at gmail dot com
  Target Milestone: ---

Created attachment 10316
  --> https://sourceware.org/bugzilla/attachment.cgi?id=10316&action=edit
Binary POC (zipped)

Hello,

American fuzzy lop detects a stack buffer overflow in pr_int_type -
prdbg.c:586.

pr_int_type stores the ab variable on the stack, and writes a string into it
without verifying its length.

static bfd_boolean
pr_int_type (void *p, unsigned int size, bfd_boolean unsignedp)
{
  char ab[10]; // !!!
  sprintf (ab, "%sint%d", unsignedp ? "u" : "", size * 8);
}

E.g.: In the attached POC when size has value 17 and unsignedp 1, sprintf
writes 11 chars into ab:

  tot len = len("int") + len("u") + len(str(size * 8))

# stacktrace
WRITE of size 12 at 0x7ffea8f9b42a thread T0
    #0 0x4a0b01 in vsprintf (/tmp/binutils/master/build/bin/objdump+0x4a0b01)
    #1 0x4a0d62 in __interceptor_sprintf (/tmp/binutils/master/build/bin/objdump+0x4a0d62)
    #2 0x5756a1 in pr_int_type /tmp/binutils/master/binutils-gdb/binutils/prdbg.c:586:3
    #3 0x58fd8c in debug_write_type /tmp/binutils/master/binutils-gdb/binutils/debug.c:2491:14
    #4 0x591968 in debug_write_type /tmp/binutils/master/binutils-gdb/binutils/debug.c:2588:9
    #5 0x58df6c in debug_write_name /tmp/binutils/master/binutils-gdb/binutils/debug.c:2382:13
    #6 0x58da8c in debug_write /tmp/binutils/master/binutils-gdb/binutils/debug.c:2350:14
    #7 0x5752ef in print_debugging_info /tmp/binutils/master/binutils-gdb/binutils/prdbg.c:316:20
    #8 0x50fbc7 in dump_bfd /tmp/binutils/master/binutils-gdb/binutils/./objdump.c:3555:9
    #9 0x50f201 in display_object_bfd /tmp/binutils/master/binutils-gdb/binutils/./objdump.c:3603:7
    #10 0x50f0e9 in display_any_bfd /tmp/binutils/master/binutils-gdb/binutils/./objdump.c:3692:5
    #11 0x50ebe8 in display_file /tmp/binutils/master/binutils-gdb/binutils/./objdump.c:3713:3
    #12 0x50e430 in main /tmp/binutils/master/binutils-gdb/binutils/./objdump.c:4015:6
    #13 0x7f022cccb2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #14 0x419d79 in _start (/tmp/binutils/master/build/bin/objdump+0x419d79)

# GIT version (master branch) - git://sourceware.org/git/binutils-gdb.git
a66930b357fee4ae716bfc8816e78c0f9c024005

# Command line to reproduce the issue
$ ./objdump -e poc.bin

-- 
You are receiving this mail because:
You are on the CC list for the bug.
___
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils
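The defect above is the classic fixed-size stack buffer fed by an unbounded sprintf. The following is an added example written for this digest, not code from binutils or from the reporter: it measures how many bytes the report's "%sint%d" format actually needs for a given input (so the ab[10] overflow can be checked without running it), and shows a bounded replacement whose buffer size is derived from the format's worst case instead of guessed. All function and macro names are this example's own, and the sample inputs are constructed.

```c
/* Added example, not binutils code: the sprintf-into-fixed-buffer shape
   from the report beside a bounded version whose buffer is derived from
   the worst case of the format. Names are this example's own. */
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Bytes, including the terminating NUL, that the original
     sprintf (ab, "%sint%d", unsignedp ? "u" : "", size * 8)
   writes for these inputs. The original hands an unsigned value to %d;
   the cast keeps that behaviour explicit. snprintf with a NULL buffer
   and length 0 only measures, it writes nothing. */
static size_t int_type_bytes(unsigned int size, bool unsignedp)
{
    int n = snprintf(NULL, 0, "%sint%d", unsignedp ? "u" : "", (int)(size * 8u));
    return (size_t)n + 1;
}

/* Would the report's char ab[10] overflow for these inputs? */
static bool overflows_ab10(unsigned int size, bool unsignedp)
{
    return int_type_bytes(size, unsignedp) > 10;
}

/* Decimal digits needed for the largest value of an unsigned type:
   ceil(bits * log10(2)); 302/1000 slightly overestimates log10(2) so the
   rounding never comes out short. Gives 10 for 32-bit, 20 for 64-bit. */
#define DEC_DIGITS(type) ((sizeof(type) * CHAR_BIT * 302 + 999) / 1000)

/* "u" + "int" + digits + NUL. The bit count is computed in unsigned long
   long below so size * 8 cannot wrap, and the digit count matches that type. */
#define INT_TYPE_BUF (1 + 3 + DEC_DIGITS(unsigned long long) + 1)

/* Bounded replacement: never writes past outlen and reports truncation
   instead of silently clipping the type name. */
static bool format_int_type(char *out, size_t outlen, unsigned int size, bool unsignedp)
{
    unsigned long long bits = (unsigned long long)size * 8u;
    int n = snprintf(out, outlen, "%sint%llu", unsignedp ? "u" : "", bits);
    return n >= 0 && (size_t)n < outlen;
}

int main(void)
{
    char ab[INT_TYPE_BUF];

    /* Constructed inputs: size 1 gives "uint8", which fits ab[10];
       size 1000000 gives "uint8000000", 11 characters plus NUL, 12 bytes,
       which is the write size the report's ASan trace shows and does not fit. */
    printf("size=1:       %zu bytes, overflows ab[10]: %d\n",
           int_type_bytes(1u, true), overflows_ab10(1u, true));
    printf("size=1000000: %zu bytes, overflows ab[10]: %d\n",
           int_type_bytes(1000000u, true), overflows_ab10(1000000u, true));

    if (format_int_type(ab, sizeof ab, 1000000u, true))
        printf("bounded: %s (buffer of %zu bytes)\n", ab, sizeof ab);
    return 0;
}
```

The point of DEC_DIGITS is that the buffer bound follows from the type width, so the same reasoning covers a wider integer without re-counting by hand; the truncation check in format_int_type is what turns "silently wrong output" into a detectable failure when a caller does pass a buffer that is too small.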
[Bug ld/21910] New: Common symbol override test (comm-data.exp): Segmentation fault on x86_64-linux-musl
https://sourceware.org/bugzilla/show_bug.cgi?id=21910

            Bug ID: 21910
           Summary: Common symbol override test (comm-data.exp):
                    Segmentation fault on x86_64-linux-musl
           Product: binutils
           Version: 2.29
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: ld
          Assignee: unassigned at sourceware dot org
          Reporter: awilfox at adelielinux dot org
  Target Milestone: ---

I'm new to hacking on bfd but I'm trying to pick it up. ld actually fails a
number of tests on x86_64-linux-musl target (52 on 2.28, and 74 on 2.29), and
I'm trying to see what I can do to make them pass.

The first one is in ld-elf/comm-data.exp: the second link causes a
segmentation fault:

Executing on host: sh -c {/usr/src/aports/main/binutils/src/binutils-2.29/ld/../gas/as-new -I/usr/src/aports/main/binutils/src/binutils-2.29/ld/testsuite/ld-elf -o tmpdir/comm-data2.o --defsym ELF64=1 /usr/src/aports/main/binutils/src/binutils-2.29/ld/testsuite/ld-elf/comm-data2.s 2>&1}  /dev/null ld.tmp (timeout = 300)
Executing on host: sh -c {/usr/src/aports/main/binutils/src/binutils-2.29/ld/ld-new -o tmpdir/comm-data -z norelro -L/usr/src/aports/main/binutils/src/binutils-2.29/ld/testsuite/ld-elf -T comm-data2.ld -Ltmpdir -lcomm-data tmpdir/comm-data2.o 2>&1}  /dev/null ld.tmp (timeout = 300)
sh: line 1: 11283 Segmentation fault      /usr/src/aports/main/binutils/src/binutils-2.29/ld/ld-new -o tmpdir/comm-data -z norelro -L/usr/src/aports/main/binutils/src/binutils-2.29/ld/testsuite/ld-elf -T comm-data2.ld -Ltmpdir -lcomm-data tmpdir/comm-data2.o 2>&1
FAIL: Common symbol override test

Changing the ld-new wrapper to exec ld under gdb yielded this backtrace:

Starting program: /usr/src/aports/main/binutils/src/binutils-2.29/ld/.libs/lt-ld-new -o tmpdir/comm-data -z norelro -L/usr/src/aports/main/binutils/src/binutils-2.29/ld/testsuite/ld-elf -T comm-data2.ld -Ltmpdir -lcomm-data tmpdir/comm-data2.o

Program received signal SIGSEGV, Segmentation fault.
0x77a9b3a8 in bfd_elf_final_link (abfd=, info=) at elflink.c:12347
12347         if (elf_section_data (o->output_section)->this_hdr.sh_type == SHT_NOTE)
(gdb) bt
#0  0x77a9b3a8 in bfd_elf_final_link (abfd=, info=) at elflink.c:12347
#1  0x55578199 in ldwrite () at ldwrite.c:577
#2  0x55561c9d in main (argc=, argv=) at ./ldmain.c:462
(gdb) p o->output_section
$1 = 0x558840b0 <_bfd_std_section+560>
(gdb) p (struct bfd_elf_section_data*)(o->output_section)->used_by_bfd
$2 = (struct bfd_elf_section_data *) 0x0

That's no good. Changing bfd/elflink.c:12341:

- if (o == NULL)
+ if (o == NULL || elf_section_data (o->output_section) == NULL)

gave me the following output instead:

/usr/src/aports/main/binutils/src/binutils-2.29/ld/.libs/lt-ld-new: could not find section .gnu.hash
/usr/src/aports/main/binutils/src/binutils-2.29/ld/.libs/lt-ld-new: final link failed: Nonrepresentable section on output

This is about as far as I could get with my current knowledge in binutils, as
I am unable to determine why exactly that would happen.
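Review bot: the `elf_section_data (o->output_section) == NULL` test added to the `if (o == NULL)` line guards the symptom rather than naming the condition. The gdb output shows o->output_section pointing into _bfd_std_section with used_by_bfd == 0x0, i.e. the input section's output section is one of BFD's standard sections, which is what a section discarded by the linker script ends up with; the check should say so, e.g. `if (o == NULL || bfd_is_abs_section (o->output_section))` with a comment explaining that discarded sections carry no ELF section data. The follow-on failure, "could not find section .gnu.hash", shows the link then proceeds without a section it requires, so the complete fix also needs an explicit error at the point where the required section is found to have been discarded, rather than a segfault or the late "Nonrepresentable section on output" message.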
[Bug ld/21910] Common symbol override test (comm-data.exp): Segmentation fault on x86_64-linux-musl
https://sourceware.org/bugzilla/show_bug.cgi?id=21910

A. Wilcox changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |testsuite
             Target|                            |x86_64-foxkit-linux-musl
               Host|                            |x86_64-foxkit-linux-musl
              Build|                            |x86_64-foxkit-linux-musl
[Bug ld/21910] Common symbol override test (comm-data.exp): Segmentation fault on x86_64-linux-musl
https://sourceware.org/bugzilla/show_bug.cgi?id=21910

--- Comment #1 from A. Wilcox ---
This appears to be because my environment sets --hash-style=gnu. Does the
test suite not support --hash-style=gnu? If so this bug may be closed as
invalid.
[Bug ld/21910] Common symbol override test (comm-data.exp): Segmentation fault on x86_64-linux-musl
https://sourceware.org/bugzilla/show_bug.cgi?id=21910

Alan Modra changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |NEW
   Last reconfirmed|                            |2017-08-06
                 CC|                            |amodra at gmail dot com
     Ever confirmed|0                           |1

--- Comment #2 from Alan Modra ---
You are correct that --hash-style=gnu causes this problem, along with
/DISCARD/ in comm-data2.ld throwing away .gnu.hash, but it is also true that
ld shouldn't segfault even when given crazy input.