https://sourceware.org/bugzilla/show_bug.cgi?id=23772
Bug ID: 23772
Summary: A NULL-pointer dereference problem in ldlang.c in program ld (member access within null pointer of type 'union lang_statement_union')
Product: binutils
Version: 2.31
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: wcventure at 126 dot com
Target Milestone: ---

Created attachment 11324
--> https://sourceware.org/bugzilla/attachment.cgi?id=11324&action=edit
POC

Hi, there.

A NULL-pointer dereference problem in the program ld of the latest binutils code base. A crafted input can cause a member access within a null pointer of type 'union lang_statement_union' in ldlang.c. I have confirmed it with address sanitizer too.

Please use "./ld -E $POC" to reproduce the bug.

ASAN dumps the stack trace as follows:

    ./ld: unknown architecture of input file `POC_ld_NULLp1' is incompatible with i386:x86-64 output
    ldlang.c:916:7: runtime error: member access within null pointer of type 'union lang_statement_union'
    SUMMARY: AddressSanitizer: undefined-behavior ldlang.c:916:7 in
    ldlang.c:931:7: runtime error: member access within null pointer of type 'union lang_statement_union'
    SUMMARY: AddressSanitizer: undefined-behavior ldlang.c:931:7 in
    ldlang.c:6726:3: runtime error: member access within null pointer of type 'union lang_statement_union'
    SUMMARY: AddressSanitizer: undefined-behavior ldlang.c:6726:3 in
    eelf_x86_64.c:1646:5: runtime error: member access within null pointer of type 'union lang_statement_union'
    SUMMARY: AddressSanitizer: undefined-behavior eelf_x86_64.c:1646:5 in
    ./ld: warning: cannot find entry symbol _start; not setting start address
    ==11972==WARNING: AddressSanitizer failed to allocate 0x11131111110 bytes
    ==11972==AddressSanitizer's allocator is terminating the process instead of returning 0
    ==11972==If you don't like this behavior set allocator_may_return_null=1
    ==11972==AddressSanitizer CHECK failed: /build/llvm-toolchain-3.8-_PD09B/llvm-toolchain-3.8-3.8/projects/compiler-rt/lib/sanitizer_common/sanitizer_allocator.cc:147 "((0)) != (0)" (0x0, 0x0)
        #0 0x4c2ccd in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/media/hjwang/01D3344861A8D2E0/wcventure/Project/binutils_ASAN_O1/build/bin/ld+0x4c2ccd)
        #1 0x4c98f3 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/media/hjwang/01D3344861A8D2E0/wcventure/Project/binutils_ASAN_O1/build/bin/ld+0x4c98f3)
        #2 0x4c7476 in __sanitizer::ReportAllocatorCannotReturnNull() (/media/hjwang/01D3344861A8D2E0/wcventure/Project/binutils_ASAN_O1/build/bin/ld+0x4c7476)
        #3 0x41f28c in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (/media/hjwang/01D3344861A8D2E0/wcventure/Project/binutils_ASAN_O1/build/bin/ld+0x41f28c)
        #4 0x4b96a1 in malloc (/media/hjwang/01D3344861A8D2E0/wcventure/Project/binutils_ASAN_O1/build/bin/ld+0x4b96a1)
        #5 0xc7fb87 in bfd_malloc /media/hjwang/01D3344861A8D2E0/wcventure/Project/binutils_ASAN_O1/bfd/libbfd.c:271:9
        #6 0x16bd13f in bfd_elf_final_link /media/hjwang/01D3344861A8D2E0/wcventure/Project/binutils_ASAN_O1/bfd/elflink.c:12035:38
        #7 0x7e87dc in ldwrite /media/hjwang/01D3344861A8D2E0/wcventure/Project/binutils_ASAN_O1/ld/ldwrite.c:581:8
        #8 0x7bac80 in main /media/hjwang/01D3344861A8D2E0/wcventure/Project/binutils_ASAN_O1/ld/./ldmain.c:454:3
        #9 0x7efcf5e8282f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
        #10 0x4195b8 in _start (/media/hjwang/01D3344861A8D2E0/wcventure/Project/binutils_ASAN_O1/build/bin/ld+0x4195b8)
    Aborted

(This bug was found by NTU-Cyber Security Lab. If you have any questions, please let me know.)

--
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils
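The log above mixes two different findings: UBSan reports the null member accesses in ldlang.c and eelf_x86_64.c first, and the process only aborts later because the ASAN allocator refuses a huge malloc in bfd_elf_final_link. A triage helper that separates the UB sites from the allocator abort and derives a deduplication key from the in-project frames, added here as an example and not part of the bug report or of binutils; the embedded log is a constructed subset of the report with the build paths shortened:

```python
import re

# Constructed subset of the sanitizer log from the report (paths shortened).
SAMPLE = """\
ldlang.c:916:7: runtime error: member access within null pointer of type 'union lang_statement_union'
SUMMARY: AddressSanitizer: undefined-behavior ldlang.c:916:7 in
ldlang.c:931:7: runtime error: member access within null pointer of type 'union lang_statement_union'
SUMMARY: AddressSanitizer: undefined-behavior ldlang.c:931:7 in
eelf_x86_64.c:1646:5: runtime error: member access within null pointer of type 'union lang_statement_union'
==11972==WARNING: AddressSanitizer failed to allocate 0x11131111110 bytes
==11972==AddressSanitizer CHECK failed: .../sanitizer_allocator.cc:147 "((0)) != (0)" (0x0, 0x0)
    #0 0x4c2ccd in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/path/ld+0x4c2ccd)
    #4 0x4b96a1 in malloc (/path/ld+0x4b96a1)
    #5 0xc7fb87 in bfd_malloc /path/bfd/libbfd.c:271:9
    #6 0x16bd13f in bfd_elf_final_link /path/bfd/elflink.c:12035:38
    #7 0x7e87dc in ldwrite /path/ld/ldwrite.c:581:8
"""

# UBSan site line: file:line:col: runtime error: <message>
UB_RE = re.compile(r"^(?P<file>[^\s:]+):(?P<line>\d+):(?P<col>\d+): runtime error: (?P<msg>.*)$")
# ASAN frame: "#n 0xADDR in <func> <location>"; func may carry a C++ parameter list.
FRAME_RE = re.compile(r"^\s*#(?P<n>\d+) 0x[0-9a-f]+ in (?P<func>.+?) (?P<loc>\S+)$")


def parse_ub_sites(text):
    """Distinct UBSan sites as (file, line, col, message), in order of first appearance."""
    seen, sites = set(), []
    for ln in text.splitlines():
        m = UB_RE.match(ln)
        if m and (m["file"], m["line"], m["col"]) not in seen:
            seen.add((m["file"], m["line"], m["col"]))
            sites.append((m["file"], int(m["line"]), int(m["col"]), m["msg"]))
    return sites


def parse_frames(text):
    """ASAN stack frames as (index, function name without parameters, location)."""
    return [(int(m["n"]), m["func"].split("(")[0], m["loc"].strip("()"))
            for m in map(FRAME_RE.match, text.splitlines()) if m]


def crash_signature(text, skip=("__asan", "__sanitizer", "malloc")):
    """First three frames that are not sanitizer/allocator internals: a stable dedup key."""
    funcs = [f for _, f, _ in parse_frames(text) if not f.startswith(skip)]
    return " <- ".join(funcs[:3])


def oom_request(text):
    """Size of the allocation ASAN refused, or None if the log has no such warning."""
    m = re.search(r"failed to allocate (0x[0-9a-f]+) bytes", text)
    return int(m.group(1), 16) if m else None
```

An allocation request above 2^40 bytes coming straight from the linker's own code is the usual sign of an unchecked size read from the input file, so the key for this log points at bfd_elf_final_link while the UB sites list records the separate null dereferences.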