[Bug binutils/22303] New: readelf - Heap out of bounds read in byte_get_little_endian()
https://sourceware.org/bugzilla/show_bug.cgi?id=22303

Bug ID: 22303
Summary: readelf - Heap out of bounds read in byte_get_little_endian()
Product: binutils
Version: 2.29
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: fumfi.255 at gmail dot com
Target Milestone: ---

Created attachment 10532
--> https://sourceware.org/bugzilla/attachment.cgi?id=10532&action=edit
PoC to trigger heap out of bounds read (readelf)

After some fuzz testing I found a crashing test case.

Version: 2.29
Command: readelf -a binutils_hoobr_byte_get_little_endian

ASAN:
==29757==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61e016b1 at pc 0x005aa3cb bp 0x7ffed905ac30 sp 0x7ffed905ac28
READ of size 1 at 0x61e016b1 thread T0
    #0 0x5aa3ca in byte_get_little_endian XYZ/binutils-2.29/binutils/elfcomm.c:214:22
    #1 0x54d723 in print_core_note XYZ/binutils-2.29/binutils/readelf.c:16281:18
    #2 0x54d723 in process_note XYZ/binutils-2.29/binutils/readelf.c:17486
    #3 0x54d723 in process_notes_at XYZ/binutils-2.29/binutils/readelf.c:17643
    #4 0x515fee in process_corefile_note_segments XYZ/binutils-2.29/binutils/readelf.c:17673:8
    #5 0x515fee in process_note_sections XYZ/binutils-2.29/binutils/readelf.c:17799
    #6 0x515fee in process_notes XYZ/binutils-2.29/binutils/readelf.c:17812
    #7 0x515fee in process_object XYZ/binutils-2.29/binutils/readelf.c:18083
    #8 0x4efe7d in process_file XYZ/binutils-2.29/binutils/readelf.c:18472:13
    #9 0x4efe7d in main XYZ/binutils-2.29/binutils/readelf.c:18544
    #10 0x7fa36537882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #11 0x419f78 in _start (XYZ/binutils-2.29/binutils/readelf+0x419f78)

0x61e016b1 is located 0 bytes to the right of 2609-byte region [0x61e00c80,0x61e016b1)
allocated by thread T0 here:
    #0 0x4c0c7c in __interceptor_malloc /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66:3
    #1 0x4f0e36 in get_data XYZ/binutils-2.29/binutils/readelf.c:392:9

SUMMARY: AddressSanitizer: heap-buffer-overflow XYZ/binutils-2.29/binutils/elfcomm.c:214:22 in byte_get_little_endian
==29757==ABORTING

--
You are receiving this mail because:
You are on the CC list for the bug.
___
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils
[Bug gas/22304] XPASS tests in gas and unknown successes in ld
https://sourceware.org/bugzilla/show_bug.cgi?id=22304

H.J. Lu changed:

What    |Removed |Added
CC      |        |hp at bitrange dot com
[Bug gas/22304] New: XPASS tests in gas and unknown successes in ld
https://sourceware.org/bugzilla/show_bug.cgi?id=22304

Bug ID: 22304
Summary: XPASS tests in gas and unknown successes in ld
Product: binutils
Version: 2.30 (HEAD)
Status: NEW
Severity: normal
Priority: P2
Component: gas
Assignee: unassigned at sourceware dot org
Reporter: hjl.tools at gmail dot com
Target Milestone: ---
Target: cris

On x86-64, cross binutils to cris-linux gave

XPASS: gas/cris/shexpr-1
XPASS: gas/cris/range-err-1.s (test for errors, line 29)
XPASS: gas/cris/range-err-1.s (test for errors, line 38)
XPASS: gas/cris/range-err-1.s (test for errors, line 50)

These should be removed. A similar check can be used to detect 64-bit AS:

commit 7ed1dab994fa1c0cf49d10608b8e77271c9804b4
Author: H.J. Lu
Date: Wed Aug 9 16:32:30 2017 -0700

    LD_CLASS: Check .libs/ld-new for linker first

    When --enable-shared is used, ./ld-new may be a shell script and the real
    linker is .libs/ld-new. We should check .libs/ld-new first.

    * testsuite/config/default.exp (LD_CLASS): Check .libs/ld-new for linker
    first.

commit 978c05401b0f0ac7a94cca7db19b1dec0c5bd698
Author: H.J. Lu
Date: Wed Aug 9 15:04:05 2017 -0700

    Run PR ld/17618 test only with 64-bit ELF linker

    PR ld/17618 test requires 64-bit linker to run. Set LD_CLASS to "64bit"
    for 64-bit ELF linker and run PR ld/17618 test only if $LD_CLASS is
    "64bit". More checks can be added to support 64-bit linkers in non-ELF
    format.

On both i686 and x86-64, there are

=== ld Summary ===

# of expected passes        644
# of expected failures      3
# of unknown successes      3
# of untested testcases     26
# of unsupported tests      42

These unknown successes should be removed.
[Bug ld/22300] Abort in elf32_hppa_relocate_section at elf32-hppa.c:4055 building debian polyml
https://sourceware.org/bugzilla/show_bug.cgi?id=22300

--- Comment #2 from dave.anglin at bell dot net ---
Will check. I thought the debug info that I posted was for the trunk but I see it was for "GNU ld (GNU Binutils) 2.29.51.20170819".
[Bug ld/22300] Abort in elf32_hppa_relocate_section at elf32-hppa.c:4055 building debian polyml
https://sourceware.org/bugzilla/show_bug.cgi?id=22300

--- Comment #3 from dave.anglin at bell dot net ---
On 2017-10-15, at 7:57 PM, amodra at gmail dot com wrote:

> Have you tried with current HEAD?

Same error occurs with current head.

Starting program: /home/dave/gnu/binutils/objdir/ld/.libs/ld-new -plugin /usr/lib/gcc/hppa-linux-gnu/7/liblto_plugin.so -plugin-opt=/usr/lib/gcc/hppa-linux-gnu/7/lto-wrapper -plugin-opt=-fresolution=-debug.res -plugin-opt=-pass-through=-lgcc -plugin-opt=-pass-through=-lgcc_s -plugin-opt=-pass-through=-lc -plugin-opt=-pass-through=-lgcc -plugin-opt=-pass-through=-lgcc_s --sysroot=/ --build-id --eh-frame-hdr -dynamic-linker /lib/ld.so.1 -o .libs/poly /usr/lib/gcc/hppa-linux-gnu/7/../../../hppa-linux-gnu/crt1.o /usr/lib/gcc/hppa-linux-gnu/7/../../../hppa-linux-gnu/crti.o /usr/lib/gcc/hppa-linux-gnu/7/crtbegin.o -L/usr/lib/gcc/hppa-linux-gnu/7 -L/usr/lib/gcc/hppa-linux-gnu/7/../../../hppa-linux-gnu -L/usr/lib/gcc/hppa-linux-gnu/7/../../.. -L/lib/hppa-linux-gnu -L/usr/lib/hppa-linux-gnu --as-needed polyexport.o libpolymain/.libs/libpolymain.a libpolyml/.libs/libpolyml.so -lpthread -lffi -lm -ldl -lstdc++ -lgcc_s -lgcc -v -lgcc --as-needed -lgcc_s --no-as-needed -lc -lgcc --as-needed -lgcc_s --no-as-needed /usr/lib/gcc/hppa-linux-gnu/7/crtend.o /usr/lib/gcc/hppa-linux-gnu/7/../../../hppa-linux-gnu/crtn.o
GNU ld (GNU Binutils) 2.29.51.20171016
/home/dave/gnu/binutils/objdir/ld/.libs/ld-new: BFD (GNU Binutils) 2.29.51.20171016 internal error, aborting at ../../src/bfd/elf32-hppa.c:3937 in elf32_hppa_relocate_section

--
John David Anglin
dave.ang...@bell.net
[Bug binutils/22306] New: Invalid free() in slurp_symtab() [Heap corruption]
https://sourceware.org/bugzilla/show_bug.cgi?id=22306

Bug ID: 22306
Summary: Invalid free() in slurp_symtab() [Heap corruption]
Product: binutils
Version: 2.30 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: mgcho.minic at gmail dot com
Target Milestone: ---

Created attachment 10533
--> https://sourceware.org/bugzilla/attachment.cgi?id=10533&action=edit
poc for heap corruption

Triggered by "./objdump -x $POC"

The GDB debugging information is as follows:

(gdb) r -x $POC
(gdb) bt
#0  0xb7fd9ce5 in __kernel_vsyscall ()
#1  0xb7e2bea9 in __GI_raise (sig=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#2  0xb7e2d407 in __GI_abort () at abort.c:89
#3  0xb7e6737c in __libc_message (do_abort=2, fmt=0xb7f5fdf4 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#4  0xb7e6d2f7 in malloc_printerr (action=, str=0xb7f5fef0 "free(): invalid next size (fast)", ptr=, ar_ptr=0xb7fb2780 ) at malloc.c:5006
#5  0xb7e6dc31 in _int_free (av=0xb7fb2780 , p=, have_lock=0) at malloc.c:3867
#6  0x080f3f55 in aout_get_external_symbols (abfd=0x81e9a08) at ./aoutx.h:1370
#7  0x080f3d15 in aout_32_slurp_symbol_table (abfd=0x81e9a08) at ./aoutx.h:1757
#8  0x080f4e30 in aout_32_get_symtab_upper_bound (abfd=0x81e9a08) at ./aoutx.h:2522
#9  0x0804aea7 in slurp_symtab (abfd=0x81e9a08) at ./objdump.c:615
#10 dump_bfd (abfd=0x81e9a08) at ./objdump.c:3523
#11 0x0804aa6e in display_object_bfd (abfd=0x81e9a08) at ./objdump.c:3611
#12 display_any_bfd (file=0x81e9a08, level=) at ./objdump.c:3700
#13 0x0804a4ea in display_file (filename=0xb30f "/tmp/heap-corruption", target=, last_file=) at ./objdump.c:3721
#14 main (argc=, argv=) at ./objdump.c:4023

Credits:
This vulnerability was discovered by Mingi Cho and Taekyoung Kwon of the Information Security Lab, Yonsei University.
Please contact mgcho.mi...@gmail.com and taekyo...@yonsei.ac.kr if you need more information about the vulnerability and the lab.
[Bug binutils/22306] Invalid free() in slurp_symtab() [Heap corruption]
https://sourceware.org/bugzilla/show_bug.cgi?id=22306

Alan Modra changed:

What              |Removed                          |Added
Status            |UNCONFIRMED                      |ASSIGNED
Last reconfirmed  |                                 |2017-10-17
Assignee          |unassigned at sourceware dot org |amodra at gmail dot com
Ever confirmed    |0                                |1

--- Comment #1 from Alan Modra ---
Reproduces on x86_64 with a CC="gcc -m32" build, and likely on 32-bit hosts.
[Bug binutils/22306] Invalid free() in slurp_symtab() [Heap corruption]
https://sourceware.org/bugzilla/show_bug.cgi?id=22306

--- Comment #2 from cvs-commit at gcc dot gnu.org ---
The master branch has been updated by Alan Modra:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=0301ce1486b1450f219202677f30d0fa97335419

commit 0301ce1486b1450f219202677f30d0fa97335419
Author: Alan Modra
Date: Tue Oct 17 16:43:47 2017 +1030

    PR22306, Invalid free() in slurp_symtab()

    PR 22306
    * aoutx.h (aout_get_external_symbols): Handle stringsize of zero, and
    error for any other size that doesn't cover the header word.
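As an added illustration of the check the commit message above describes, not binutils' own code: a validator for the size word at the head of an a.out string table. It assumes the a.out convention that the table's first 4-byte word (taken as little-endian here) holds the table's total size including that word, so a non-zero size below 4 cannot be valid and a size larger than the bytes on hand means a truncated file; the sample tables in the test are constructed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Outcome of validating an a.out string-table header word. */
enum strtab_status { STRTAB_EMPTY, STRTAB_OK, STRTAB_BAD_SIZE, STRTAB_TRUNCATED };

/* Read a 32-bit little-endian word; callers guarantee 4 bytes are present. */
static uint32_t get_le32(const uint8_t *p) {
  return (uint32_t)p[0] | (uint32_t)p[1] << 8
       | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Validate the size word of a string table that starts at `buf` with `avail`
   bytes of file data behind it. On STRTAB_OK, *out_size is the declared size,
   which by convention covers the 4-byte header word itself. A zero size word
   means "no strings" and is accepted as STRTAB_EMPTY; any other size smaller
   than the header word is rejected, as is a size that runs past the file. */
enum strtab_status validate_strtab(const uint8_t *buf, size_t avail, uint32_t *out_size) {
  *out_size = 0;
  if (avail < 4)
    return STRTAB_TRUNCATED;        /* cannot even read the size word */
  uint32_t size = get_le32(buf);
  if (size == 0)
    return STRTAB_EMPTY;
  if (size < 4)
    return STRTAB_BAD_SIZE;         /* does not cover the header word */
  if (size > avail)
    return STRTAB_TRUNCATED;        /* declared size exceeds file contents */
  *out_size = size;
  return STRTAB_OK;
}

/* Copy a validated table into a fresh buffer with a guaranteed terminating NUL,
   so later lookups by string offset cannot run off the end. Returns NULL for
   anything other than STRTAB_OK, so no half-initialised buffer is ever handed
   back (or freed) by a caller. */
uint8_t *load_strtab(const uint8_t *buf, size_t avail, uint32_t *out_size) {
  if (validate_strtab(buf, avail, out_size) != STRTAB_OK)
    return NULL;
  uint8_t *tab = malloc((size_t)*out_size + 1);
  if (tab == NULL)
    return NULL;
  memcpy(tab, buf, *out_size);
  tab[*out_size] = 0;
  return tab;
}
```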
[Bug binutils/22306] Invalid free() in slurp_symtab() [Heap corruption]
https://sourceware.org/bugzilla/show_bug.cgi?id=22306

Alan Modra changed:

What              |Removed   |Added
Status            |ASSIGNED  |RESOLVED
Resolution        |---       |FIXED
Target Milestone  |---       |2.30

--- Comment #3 from Alan Modra ---
Fixed.
[Bug binutils/22307] New: Heap out of bounds read in _bfd_elf_parse_gnu_properties()
https://sourceware.org/bugzilla/show_bug.cgi?id=22307

Bug ID: 22307
Summary: Heap out of bounds read in _bfd_elf_parse_gnu_properties()
Product: binutils
Version: 2.30 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: mgcho.minic at gmail dot com
Target Milestone: ---

Created attachment 10535
--> https://sourceware.org/bugzilla/attachment.cgi?id=10535&action=edit
POC to trigger heap out of bounds read

Triggered by "./objdump -x $POC"
Tested on Ubuntu 16.04 (x86)

The GDB debugging information is as follows:

(gdb) r -x $POC
Program received signal SIGSEGV, Segmentation fault.
bfd_getl32 (p=0x21edd94) at libbfd.c:557
557       v = (unsigned long) addr[0];
(gdb) bt
#0  bfd_getl32 (p=0x21edd94) at libbfd.c:557
#1  0x080e6288 in _bfd_elf_parse_gnu_properties (abfd=, note=) at elf-properties.c:98
#2  0x080bfbfc in elfobj_grok_gnu_note (abfd=, note=) at elf.c:9815
#3  elf_parse_notes (abfd=, buf=, size=, offset=) at elf.c:11028
#4  0x080bf3f8 in _bfd_elf_make_section_from_shdr (abfd=, hdr=, name=, shindex=) at elf.c:1092
#5  0x080c266f in bfd_section_from_shdr (abfd=, shindex=) at elf.c:2421
#6  0x080bbc65 in bfd_elf32_object_p (abfd=) at ./elfcode.h:805
#7  0x080a6eca in bfd_check_format_matches (abfd=, format=, matching=) at format.c:311
#8  0x0804a940 in display_object_bfd (abfd=0x81e9a08) at ./objdump.c:3609
#9  display_any_bfd (file=0x81e9a08, level=) at ./objdump.c:3700
#10 0x0804a4ea in display_file (filename=0xb305 "/tmp/objdump/libbfd_getl_crash", target=, last_file=) at ./objdump.c:3721
#11 main (argc=, argv=) at ./objdump.c:4023

Credits:
This vulnerability was discovered by Mingi Cho and Taekyoung Kwon of the Information Security Lab, Yonsei University.
Please contact mgcho.mi...@gmail.com and taekyo...@yonsei.ac.kr if you need more information about the vulnerability and the lab.
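Both the readelf report (bug 22303, byte_get_little_endian called from print_core_note) and the objdump report (bug 22307, bfd_getl32 called from _bfd_elf_parse_gnu_properties) come down to reading words out of a note descriptor without first checking how many bytes remain. As an added example that is not binutils code, the parser below for an NT_GNU_PROPERTY_TYPE_0 descriptor does every read through a length-checked cursor; it assumes the gABI layout of that note (4-byte pr_type, 4-byte pr_datasz, then pr_datasz data bytes padded to 4 on ELF32 or 8 on ELF64), little-endian data, and the sample descriptors are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>

/* Cursor over a note descriptor: every read checks the remaining length
   first, so a malformed descriptor cannot pull reads past the buffer. */
struct cursor { const uint8_t *p; size_t left; };

static bool read_le32(struct cursor *c, uint32_t *v) {
  if (c->left < 4) return false;                 /* refuse a partial word */
  *v = (uint32_t)c->p[0] | (uint32_t)c->p[1] << 8
     | (uint32_t)c->p[2] << 16 | (uint32_t)c->p[3] << 24;
  c->p += 4; c->left -= 4;
  return true;
}

/* Called for every well-formed property; data points into the descriptor. */
typedef void (*prop_cb)(uint32_t type, const uint8_t *data, uint32_t datasz, void *arg);

/* Parse an NT_GNU_PROPERTY_TYPE_0 descriptor of descsz bytes. Each property
   is a 4-byte pr_type, a 4-byte pr_datasz and pr_datasz data bytes padded to
   `align` (4 for ELF32, 8 for ELF64). Returns the number of properties, or -1
   if the descriptor is malformed: a header cut off by the end of the buffer,
   a pr_datasz larger than what remains, or padding that runs past the end. */
int parse_gnu_properties(const uint8_t *desc, size_t descsz, unsigned align,
                         prop_cb cb, void *arg) {
  struct cursor c = { desc, descsz };
  int count = 0;
  while (c.left > 0) {
    uint32_t type, datasz;
    if (!read_le32(&c, &type) || !read_le32(&c, &datasz))
      return -1;                                 /* truncated header */
    if (datasz > c.left)
      return -1;                                 /* data claims too much */
    if (cb) cb(type, c.p, datasz, arg);
    size_t step = ((size_t)datasz + (align - 1)) & ~(size_t)(align - 1);
    if (step > c.left)
      return -1;                                 /* padding would overrun */
    c.p += step; c.left -= step;
    count++;
  }
  return count;
}

/* Constructed ELF64 sample: two properties in the processor-specific type
   range, each with 4 data bytes padded to 8. */
static const uint8_t sample_good[32] = {
  0x02,0x00,0x00,0xc0, 4,0,0,0, 3,0,0,0, 0,0,0,0,
  0x00,0x00,0x00,0xc0, 4,0,0,0, 1,0,0,0, 0,0,0,0 };
/* Constructed malformed sample: pr_datasz claims 64 bytes but only 4 follow. */
static const uint8_t sample_bad[12] = { 0x02,0x00,0x00,0xc0, 64,0,0,0, 3,0,0,0 };
```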