[Bug binutils/22421] New: Heap overflow in bfd_getl32
https://sourceware.org/bugzilla/show_bug.cgi?id=22421

            Bug ID: 22421
           Summary: Heap overflow in bfd_getl32
           Product: binutils
           Version: 2.30 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: insu at gatech dot edu
  Target Milestone: ---

Created attachment 10581
  --> https://sourceware.org/bugzilla/attachment.cgi?id=10581&action=edit
POC to trigger heap buffer overflow (objdump)

Using our hybrid fuzzer, we found a crashing test case.

Version: f617a0f6ceeb34dfd39d8673b0ab225c9127aab6 (git)

Command: ./objdump -x ../output-1/afl-1/crashes/id:00,sig:06,sync:qsym,src:00381

ASAN:
=================================================================
==7340==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6070df84 at pc 0x005fa23e bp 0x7fffd8b0 sp 0x7fffd8a0
READ of size 4 at 0x6070df84 thread T0
    #0 0x5fa23d in bfd_getl32 /home/insu/projects/qsym-eval/apps/binutils/binutils-gdb/bfd/libbfd.c:558
    #1 0x71befd in elfcore_grok_nto_status /home/insu/projects/qsym-eval/apps/binutils/binutils-gdb/bfd/elf.c:10217
    #2 0x71befd in elfcore_grok_nto_note /home/insu/projects/qsym-eval/apps/binutils/binutils-gdb/bfd/elf.c:10302
    #3 0x6b5e88 in elf_parse_notes /home/insu/projects/qsym-eval/apps/binutils/binutils-gdb/bfd/elf.c:11017
    #4 0x6d9c31 in elf_read_notes /home/insu/projects/qsym-eval/apps/binutils/binutils-gdb/bfd/elf.c:11066
    #5 0x6d9c31 in bfd_section_from_phdr /home/insu/projects/qsym-eval/apps/binutils/binutils-gdb/bfd/elf.c:2993
    #6 0x6a9bc9 in bfd_elf64_core_file_p /home/insu/projects/qsym-eval/apps/binutils/binutils-gdb/bfd/elfcore.h:277
    #7 0x5ef092 in bfd_check_format_matches /home/insu/projects/qsym-eval/apps/binutils/binutils-gdb/bfd/format.c:311
    #8 0x421aab in display_object_bfd objdump.c:3629
    #9 0x421aab in display_any_bfd objdump.c:3700
    #10 0x40e771 in display_file objdump.c:3721
    #11 0x40e771 in main objdump.c:4023
    #12 0x768bc82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #13 0x411c48 in _start (/home/insu/projects/qsym-eval/apps/binutils/out2/objdump+0x411c48)

0x6070df85 is located 0 bytes to the right of 69-byte region [0x6070df40,0x6070df85)
allocated by thread T0 here:
    #0 0x76f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x5f8bfa in bfd_malloc /home/insu/projects/qsym-eval/apps/binutils/binutils-gdb/bfd/libbfd.c:193

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/insu/projects/qsym-eval/apps/binutils/binutils-gdb/bfd/libbfd.c:558 bfd_getl32
Shadow bytes around the buggy address:
  0x0c0e7fff9ba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9be0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
=>0x0c0e7fff9bf0:[05]fa fa fa fa fa 00 00 00 00 00 00 00 00 00 00
  0x0c0e7fff9c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==7340==ABORTING

-- 
You are receiving this mail because:
You are on the CC list for the bug.
___
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils
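The trace above shows a 4-byte bfd_getl32 read that starts at offset 68 of a 69-byte allocation while elfcore_grok_nto_status is decoding a core-file note: the read starts inside the buffer but does not fit in it. The following is an added example, not binutils code, of a note walker and a descriptor-field reader that keep every such read inside the bytes actually present. It assumes little-endian ELF64 note headers; the sample note bytes, the owner strings and the field offsets are constructed for the demo and are not the real NTO status layout.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One parsed ELF note: an Elf64_Nhdr (namesz, descsz, type as little-endian
   32-bit words) followed by the name and the descriptor, each padded to 4. */
struct elf_note {
    uint32_t type, namesz, descsz;
    const uint8_t *name, *desc;
};

/* Same contract as bfd_getl32: read 4 little-endian bytes. It cannot know how
   large the buffer is, so every caller must prove those 4 bytes exist first. */
static uint32_t getl32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static size_t align4(size_t n) { return (n + 3) & ~(size_t)3; }

/* Walk a note buffer of `len` bytes. Each size field is compared against the
   bytes that remain *before* it is added to anything, so attacker-controlled
   namesz/descsz can neither run past `buf` nor wrap the arithmetic. Stops at
   the first malformed note; returns how many well-formed notes were found. */
size_t parse_notes(const uint8_t *buf, size_t len, struct elf_note *out, size_t max)
{
    size_t pos = 0, count = 0;

    while (count < max && len - pos >= 12) {
        const uint8_t *hdr = buf + pos;
        uint32_t namesz = getl32(hdr), descsz = getl32(hdr + 4);
        size_t rem = len - pos - 12, name_pad, desc_pad;

        if (namesz > rem || (name_pad = align4(namesz)) > rem)
            break;                          /* name would run past the buffer */
        rem -= name_pad;
        if (descsz > rem)
            break;                          /* descriptor would run past the buffer */
        desc_pad = align4(descsz);

        out[count].type = getl32(hdr + 8);
        out[count].namesz = namesz;
        out[count].descsz = descsz;
        out[count].name = hdr + 12;
        out[count].desc = hdr + 12 + name_pad;
        count++;

        if (desc_pad > rem)                 /* the last note may lack its trailing pad */
            break;
        pos += 12 + name_pad + desc_pad;
    }
    return count;
}

/* Read a 32-bit field at byte offset `off` of a note's descriptor. The whole
   field must lie inside descsz, not merely start inside it; that is the
   difference between this and the read in the trace above. */
bool note_getl32(const struct elf_note *n, size_t off, uint32_t *val)
{
    if (off > n->descsz || n->descsz - off < 4)
        return false;
    *val = getl32(n->desc + off);
    return true;
}

/* Constructed sample, not a real core file: a note with owner "QNX" and an
   8-byte descriptor (illustrative layout), then a second note whose descsz
   claims 0x1000 bytes although only two follow. */
size_t build_sample_notes(uint8_t *out, size_t cap)
{
    static const uint8_t sample[] = {
        4, 0, 0, 0,  8, 0, 0, 0,  3, 0, 0, 0,           /* namesz, descsz, type */
        'Q', 'N', 'X', 0,
        0x78, 0x56, 0x34, 0x12,  0xef, 0xbe, 0xad, 0xde,
        5, 0, 0, 0,  0x00, 0x10, 0, 0,  1, 0, 0, 0,     /* second, truncated note */
        'C', 'O', 'R', 'E', 0, 0, 0, 0,
        0xaa, 0xbb,
    };
    if (cap < sizeof sample)
        return 0;
    memcpy(out, sample, sizeof sample);
    return sizeof sample;
}

/* Number of notes the walker accepts from the sample (the truncated one is dropped). */
int sample_note_count(void)
{
    uint8_t buf[64];
    struct elf_note notes[4];
    return (int)parse_notes(buf, build_sample_notes(buf, sizeof buf), notes, 4);
}

/* Field at `off` of the first sample note, or -1 if the read would leave descsz. */
long long sample_field(size_t off)
{
    uint8_t buf[64];
    struct elf_note notes[4];
    uint32_t v;
    if (parse_notes(buf, build_sample_notes(buf, sizeof buf), notes, 4) == 0 ||
        !note_getl32(&notes[0], off, &v))
        return -1;
    return v;
}

int main(void)
{
    printf("notes accepted: %d\n", sample_note_count());
    printf("field at 4: %lld, field at 5: %lld\n", sample_field(4), sample_field(5));
    return 0;
}
```

The descriptor size is checked twice on purpose: once when the note is delimited (so the descriptor itself is inside the segment buffer) and again per field (so a short descriptor cannot satisfy the first check and still be read past its end, which is the shape of the crash in the trace).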
[Bug ld/22423] New: PT_PHDR segment is marked with PF_X
https://sourceware.org/bugzilla/show_bug.cgi?id=22423

            Bug ID: 22423
           Summary: PT_PHDR segment is marked with PF_X
           Product: binutils
           Version: 2.30 (HEAD)
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ld
          Assignee: unassigned at sourceware dot org
          Reporter: hjl.tools at gmail dot com
  Target Milestone: ---

[hjl@gnu-tools-1 tmp]$ cat /export/gnu/import/git/sources/binutils-gdb/ld/testsuite/ld-elf/start.s
	.text
	.global start	/* Used by SH targets.  */
start:
	.global _start
_start:
	.global __start
__start:
	.global main	/* Used by HPPA targets.  */
main:
	.dc.a 0
[hjl@gnu-tools-1 tmp]$ as -o x.o /export/gnu/import/git/sources/binutils-gdb/ld/testsuite/ld-elf/start.s
[hjl@gnu-tools-1 tmp]$ ld -pie --no-dynamic-linker x.o
[hjl@gnu-tools-1 tmp]$ readelf -l a.out

Elf file type is DYN (Shared object file)
Entry point 0x169
There are 4 program headers, starting at offset 64

Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz Flags Align
  LOAD           0x       0x         0x         0x0178  0x0178 R E   0x20
  LOAD           0x0f20   0x00200f20 0x00200f20 0x00e0  0x00e0 RW    0x20
  DYNAMIC        0x0f20   0x00200f20 0x00200f20 0x00e0  0x00e0 RW    0x8
  GNU_RELRO      0x0f20   0x00200f20 0x00200f20 0x00e0  0x00e0 R     0x1

 Section to Segment mapping:
  Segment Sections...
   00     .hash .gnu.hash .dynsym .dynstr .text
   01     .dynamic
   02     .dynamic
   03     .dynamic
[hjl@gnu-tools-1 tmp]$ ld.gold -pie x.o
[hjl@gnu-tools-1 tmp]$ readelf -l a.out

Elf file type is DYN (Shared object file)
Entry point 0x1f0
There are 6 program headers, starting at offset 64

Program Headers:
  Type           Offset   VirtAddr PhysAddr FileSiz MemSiz Flags Align
  PHDR           0x0040   0x0040   0x0040   0x0150  0x0150 R     0x8
  INTERP         0x0190   0x0190   0x0190   0x000f  0x000f R     0x1
      [Requesting program interpreter: /lib/ld64.so.1]
  LOAD           0x       0x       0x       0x01f8  0x01f8 R E   0x1000
  LOAD           0x0f30   0x1f30   0x1f30   0x00d0  0x00d0 RW    0x1000
  DYNAMIC        0x0f30   0x1f30   0x1f30   0x00d0  0x00d0 RW    0x8
  GNU_RELRO      0x0f30   0x1f30   0x1f30   0x00d0  0x00d0 RW    0x8

 Section to Segment mapping:
  Segment Sections...
   00
   01     .interp
   02     .interp .dynsym .dynstr .gnu.hash .hash .text
   03     .dynamic
   04     .dynamic
   05     .dynamic
[hjl@gnu-tools-1 tmp]$

We have

	  m->p_type = PT_PHDR;
	  /* FIXME: UnixWare and Solaris set PF_X, Irix 5 does not.  */
	  m->p_flags = PF_R | PF_X;
	  m->p_flags_valid = 1;
	  m->includes_phdrs = 1;

It was reasonable 20 years ago. But it is wrong today when the primary OS of GNU ld is Linux.
[Bug ld/22423] PT_PHDR segment is marked with PF_X
https://sourceware.org/bugzilla/show_bug.cgi?id=22423

Paul Pluzhnikov changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ppluzhnikov at google dot com

--- Comment #1 from Paul Pluzhnikov ---
> It was reasonable 20 years ago.

Normally PT_PHDR overlaps with the first PT_LOAD.

If you keep that, the flags on PT_PHDR don't matter (the first PT_LOAD will have PF_X).

If you don't keep the overlap, you'll waste an entire page for 64-byte PT_PHDR.

Also, a lot of programs assume that the first PT_LOAD "covers" PT_PHDR and starts with ElfW(Ehdr). It's not guaranteed, but it has been true for the last 20 years. You'll break all such programs.
[Bug ld/22423] PT_PHDR segment is marked with PF_X
https://sourceware.org/bugzilla/show_bug.cgi?id=22423

--- Comment #2 from H.J. Lu ---
(In reply to Paul Pluzhnikov from comment #1)
> > It was reasonable 20 years ago.
> 
> Normally PT_PHDR overlaps with the first PT_LOAD.
> 
> If you keep that, the flags on PT_PHDR don't matter (the first PT_LOAD will
> have PF_X).
> 
> If you don't keep the overlap, you'll waste an entire page for 64-byte
> PT_PHDR.
> 
> Also, a lot of programs assume that the first PT_LOAD "covers" PT_PHDR and
> starts with ElfW(Ehdr). It's not guaranteed, but it has been true for the
> last 20 years. You'll break all such programs.

My patch doesn't change the first PT_LOAD permission. We just have:

Elf file type is EXEC (Executable file)
Entry point 0x8048310
There are 9 program headers, starting at offset 52

Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
  PHDR           0x34     0x08048034 0x08048034 0x00120 0x00120 R   0x4
  INTERP         0x000154 0x08048154 0x08048154 0x00013 0x00013 R   0x1
      [Requesting program interpreter: /lib/ld-linux.so.2]
  LOAD           0x00     0x08048000 0x08048000 0x005d0 0x005d0 R E 0x1000
  LOAD           0x000f0c 0x08049f0c 0x08049f0c 0x0010c 0x00110 RW  0x1000

Nothing will break.

I am working on -z readonly, which is equivalent to --rosegment for gold. With -z readonly, I got

Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
  PHDR           0x34     0x00400034 0x00400034 0x00160 0x00160 R   0x4
  INTERP         0x000194 0x00400194 0x00400194 0x0001a 0x0001a R   0x1
      [Requesting program interpreter: /libx32/ld-linux-x32.so.2]
  LOAD           0x00     0x0040     0x0040     0x0037c 0x0037c R   0x20
  LOAD           0x000e68 0x00600e68 0x00600e68 0x00195 0x00195 R E 0x20
  LOAD           0x001000 0x00601000 0x00601000 0x0011c 0x0011c R   0x20
  LOAD           0x200ef0 0x00800ef0 0x00800ef0 0x00134 0x00138 RW  0x20

It makes permission of PHDR segment the same as the first LOAD segment. Again, nothing should break.
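The two comments above turn on one invariant: PT_PHDR's own p_flags are not what the loader maps the headers with; the first PT_LOAD that covers it is, which is also the layout the programs Paul mentions rely on. The following is an added example, not ld, gold or binutils code, of a check for that invariant: it parses an ELF64 program header table, finds PT_PHDR and the first PT_LOAD, and reports whether the headers fall inside that load segment and whether PT_PHDR claims any permission (such as PF_X) the covering segment does not grant. It handles little-endian ELF64 only; the in-memory image it inspects is constructed for the demo and is not any linker's output.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ELF64 constants and header sizes, per the ELF specification. */
#define PT_LOAD   1
#define PT_PHDR   6
#define PF_X      1
#define PF_R      4
#define EHDR_SIZE 64
#define PHDR_SIZE 56

struct phdr_report {
    bool has_phdr;               /* a PT_PHDR entry exists */
    uint32_t phdr_flags;         /* its p_flags, as the linker wrote them */
    bool covered_by_first_load;  /* its [p_vaddr, p_vaddr+p_memsz) lies inside the first PT_LOAD */
    uint32_t first_load_flags;   /* the flags the loader really maps the headers with */
    bool flags_within_load;      /* phdr_flags claims nothing the first PT_LOAD lacks */
};

/* Little-endian field access without <elf.h>: read/write n bytes. */
static uint64_t getl(const uint8_t *p, int n)
{
    uint64_t v = 0;
    while (n-- > 0)
        v = v << 8 | p[n];
    return v;
}

static void putl(uint8_t *p, uint64_t v, int n)
{
    for (int i = 0; i < n; i++)
        p[i] = (uint8_t)(v >> (8 * i));
}

/* Inspect a little-endian ELF64 image held in memory. Returns false when the
   buffer is not such an image or its program header table does not fit. */
bool check_pt_phdr(const uint8_t *buf, size_t len, struct phdr_report *r)
{
    memset(r, 0, sizeof *r);
    if (len < EHDR_SIZE || memcmp(buf, "\x7f" "ELF", 4) != 0 || buf[4] != 2 || buf[5] != 1)
        return false;                       /* magic, ELFCLASS64, ELFDATA2LSB */
    uint64_t phoff = getl(buf + 32, 8), phentsize = getl(buf + 54, 2), phnum = getl(buf + 56, 2);
    if (phentsize != PHDR_SIZE || phoff > len || (len - phoff) / PHDR_SIZE < phnum)
        return false;                       /* table would run past the buffer */

    bool seen_load = false;
    uint64_t phdr_va = 0, phdr_sz = 0, load_va = 0, load_sz = 0;
    for (uint64_t i = 0; i < phnum; i++) {
        const uint8_t *ph = buf + phoff + i * PHDR_SIZE;
        uint32_t type = (uint32_t)getl(ph, 4), flags = (uint32_t)getl(ph + 4, 4);
        uint64_t vaddr = getl(ph + 16, 8), memsz = getl(ph + 40, 8);
        if (type == PT_PHDR && !r->has_phdr) {
            r->has_phdr = true; r->phdr_flags = flags; phdr_va = vaddr; phdr_sz = memsz;
        } else if (type == PT_LOAD && !seen_load) {
            seen_load = true; r->first_load_flags = flags; load_va = vaddr; load_sz = memsz;
        }
    }
    if (r->has_phdr && seen_load) {
        r->covered_by_first_load = phdr_va >= load_va && phdr_va - load_va <= load_sz &&
                                   phdr_sz <= load_sz - (phdr_va - load_va);
        r->flags_within_load = (r->phdr_flags & ~r->first_load_flags) == 0;
    }
    return true;
}

/* Emit one program header with offset = vaddr = paddr and filesz = memsz. */
static void put_phdr(uint8_t *ph, uint32_t type, uint32_t flags, uint64_t off, uint64_t size)
{
    putl(ph, type, 4);      putl(ph + 4, flags, 4);  putl(ph + 8, off, 8);
    putl(ph + 16, off, 8);  putl(ph + 24, off, 8);   putl(ph + 32, size, 8);
    putl(ph + 40, size, 8); putl(ph + 48, 8, 8);     /* p_align */
}

/* Constructed sample, not any linker's output: an ELF64 header and two program
   headers shaped like the ld output quoted above (PT_PHDR at offset 64 inside a
   first PT_LOAD that starts at offset 0). */
size_t build_sample_elf(uint8_t *out, size_t cap, uint32_t phdr_flags, uint32_t load_flags)
{
    const size_t total = EHDR_SIZE + 2 * PHDR_SIZE;
    if (cap < total)
        return 0;
    memset(out, 0, total);
    memcpy(out, "\x7f" "ELF", 4);
    out[4] = 2; out[5] = 1; out[6] = 1;       /* ELFCLASS64, ELFDATA2LSB, EV_CURRENT */
    putl(out + 16, 3, 2);                     /* e_type = ET_DYN */
    putl(out + 18, 62, 2);                    /* e_machine = EM_X86_64 */
    putl(out + 32, EHDR_SIZE, 8);             /* e_phoff */
    putl(out + 52, EHDR_SIZE, 2);             /* e_ehsize */
    putl(out + 54, PHDR_SIZE, 2);             /* e_phentsize */
    putl(out + 56, 2, 2);                     /* e_phnum */
    put_phdr(out + EHDR_SIZE, PT_PHDR, phdr_flags, EHDR_SIZE, 2 * PHDR_SIZE);
    put_phdr(out + EHDR_SIZE + PHDR_SIZE, PT_LOAD, load_flags, 0, 0x178);
    return total;
}

/* Build the sample with the given flags and report on its PT_PHDR. */
struct phdr_report run_sample(uint32_t phdr_flags, uint32_t load_flags)
{
    uint8_t img[EHDR_SIZE + 2 * PHDR_SIZE];
    struct phdr_report r;
    check_pt_phdr(img, build_sample_elf(img, sizeof img, phdr_flags, load_flags), &r);
    return r;
}

/* An image whose e_phnum promises more entries than the buffer holds is refused. */
bool sample_truncated_rejected(void)
{
    uint8_t img[EHDR_SIZE + 2 * PHDR_SIZE];
    struct phdr_report r;
    size_t len = build_sample_elf(img, sizeof img, PF_R, PF_R | PF_X);
    return !check_pt_phdr(img, len - 1, &r);
}

int main(void)
{
    struct phdr_report r = run_sample(PF_R | PF_X, PF_R | PF_X);
    printf("PT_PHDR flags %u, covered by first PT_LOAD: %d, first PT_LOAD flags %u, within load: %d\n",
           r.phdr_flags, r.covered_by_first_load, r.first_load_flags, r.flags_within_load);
    return 0;
}
```

Run against a real binary by reading the file into memory and calling check_pt_phdr on it: the default ld layout in the bug report gives PT_PHDR R E inside an R E load, the patched layout in comment #2 gives PT_PHDR R inside an R E load (still within the load's permissions), and the -z readonly layout gives R inside R. A PT_PHDR that claims PF_X while its covering PT_LOAD is read-only would be the one case flags_within_load flags, and it is exactly the mismatch the old PF_R | PF_X default would produce once the first load segment stops being executable.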