https://sourceware.org/bugzilla/show_bug.cgi?id=32636
Bug ID: 32636
Summary: ld heap-buffer-overflow in _bfd_elf_gc_mark_rsec
(bfd/elflink.c:14038:22)
Product: binutils
Version: 2.43
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: ld
Assignee: unassigned at sourceware dot org
Reporter: swj22 at mails dot tsinghua.edu.cn
Target Milestone: ---
**Description**
A heap-buffer-overflow can occur in ld (part of binutils 2.43) when using the
-w and --gc-sections options with a specially crafted input file that has a
sufficiently long file path. This issue leads to memory corruption and
potential crashes.
**Affected Version**
Binutils 2.43
**Steps to Reproduce**
Build binutils 2.43 with AddressSanitizer (e.g., CFLAGS="-g -fsanitize=address"
./configure && make -j).
Prepare a file named thisisapocpocpocpocpocpocpocpocpoc (or similarly long).
Run the following command:
./binutils-2.43/bins.bin/ld -w --gc-sections
./thisisapocpocpocpocpocpocpocpocpoc
Observe the AddressSanitizer error indicating a heap-buffer-overflow.
/data/swj/optfuzz/benchmark/binutils-2.43/bins/bin/ld --gc-sections
--print-gc-sections -w ./thisisapocpocpocpocpocpocpocpocpoc
/data/swj/optfuzz/benchmark/binutils-2.43/bins/bin/ld: warning:
./thisisapocpocpocpocpocpocpocpocpoc has a section extending past end of file
/data/swj/optfuzz/benchmark/binutils-2.43/bins/bin/ld:
./thisisapocpocpocpocpocpocpocpocpoc: invalid string offset 2303260209 >= 414
for section `.strtab'
=================================================================
==482554==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x62100001a0e0 at pc 0x55cef964f6a4 bp 0x7ffeef9b6e40 sp 0x7ffeef9b6e38
READ of size 8 at 0x62100001a0e0 thread T0
#0 0x55cef964f6a3 in _bfd_elf_gc_mark_rsec
/data/swj/optfuzz/benchmark/binutils-2.43/bfd/elflink.c:14042:23
#1 0x55cef964fc90 in _bfd_elf_gc_mark_reloc
/data/swj/optfuzz/benchmark/binutils-2.43/bfd/elflink.c:14091:10
#2 0x55cef9650474 in _bfd_elf_gc_mark
/data/swj/optfuzz/benchmark/binutils-2.43/bfd/elflink.c:14143:11
#3 0x55cef9651d96 in _bfd_elf_gc_mark_extra_sections
/data/swj/optfuzz/benchmark/binutils-2.43/bfd/elflink.c:14354:11
#4 0x55cef9655a16 in bfd_elf_gc_sections
/data/swj/optfuzz/benchmark/binutils-2.43/bfd/elflink.c:14725:3
#5 0x55cef93feb0d in lang_gc_sections
/data/swj/optfuzz/benchmark/binutils-2.43/ld/ldlang.c:7763:5
#6 0x55cef93f878b in lang_process
/data/swj/optfuzz/benchmark/binutils-2.43/ld/ldlang.c:8378:3
#7 0x55cef942234c in main
/data/swj/optfuzz/benchmark/binutils-2.43/ld/./ldmain.c:529:3
#8 0x7fce3215f082 in __libc_start_main
/build/glibc-LcI20x/glibc-2.31/csu/../csu/libc-start.c:308:16
#9 0x55cef92fa6bd in _start
(/data/swj/optfuzz/benchmark/binutils-2.43/bins/bin/ld+0x15a6bd) (BuildId:
d9731e405748db264b62c84ded760ba4f068cb0a)
0x62100001a0e0 is located 0 bytes to the right of 4064-byte region
[0x621000019100,0x62100001a0e0)
allocated by thread T0 here:
#0 0x55cef937cdce in __interceptor_malloc
(/data/swj/optfuzz/benchmark/binutils-2.43/bins/bin/ld+0x1dcdce) (BuildId:
d9731e405748db264b62c84ded760ba4f068cb0a)
#1 0x55cef98dd1d2 in objalloc_create
/data/swj/optfuzz/benchmark/binutils-2.43/libiberty/./objalloc.c:95:26
#2 0x55cef94d037d in _bfd_new_bfd
/data/swj/optfuzz/benchmark/binutils-2.43/bfd/opncls.c:99:18
#3 0x55cef94d0d8e in bfd_fopen
/data/swj/optfuzz/benchmark/binutils-2.43/bfd/opncls.c:296:10
#4 0x55cef94d1c78 in bfd_openr
/data/swj/optfuzz/benchmark/binutils-2.43/bfd/opncls.c:392:10
#5 0x55cef9440c80 in ldfile_try_open_bfd
/data/swj/optfuzz/benchmark/binutils-2.43/ld/./ldfile.c:356:20
#6 0x55cef9442ed5 in ldfile_open_file
/data/swj/optfuzz/benchmark/binutils-2.43/ld/./ldfile.c:643:11
#7 0x55cef93ea0bb in load_symbols
/data/swj/optfuzz/benchmark/binutils-2.43/ld/ldlang.c:2992:3
#8 0x55cef93fb304 in open_input_bfds
/data/swj/optfuzz/benchmark/binutils-2.43/ld/ldlang.c:3622:13
#9 0x55cef93f79f3 in lang_process
/data/swj/optfuzz/benchmark/binutils-2.43/ld/ldlang.c:8194:3
#10 0x55cef942234c in main
/data/swj/optfuzz/benchmark/binutils-2.43/ld/./ldmain.c:529:3
#11 0x7fce3215f082 in __libc_start_main
/build/glibc-LcI20x/glibc-2.31/csu/../csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: heap-buffer-overflow
/data/swj/optfuzz/benchmark/binutils-2.43/bfd/elflink.c:14042:23 in
_bfd_elf_gc_mark_rsec
Shadow bytes around the buggy address:
0x0c427fffb3c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffb3d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffb3e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffb3f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffb400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c427fffb410: 00 00 00 00 00 00 00 00 00 00 00 00[fa]fa fa fa
0x0c427fffb420: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffb430: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffb440: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffb450: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffb460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==482554==ABORTING
** Env **
Distributor ID: Ubuntu
Description: Ubuntu 20.04.6 LTS
Release: 20.04
Codename: focal
--
You are receiving this mail because:
You are on the CC list for the bug.
