https://sourceware.org/bugzilla/show_bug.cgi?id=33010
Bug ID: 33010
Summary: Heap Buffer Overflow in ld-new's fwrite During EH Frame Header Writing
Product: binutils
Version: unspecified
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: ld
Assignee: unassigned at sourceware dot org
Reporter: xdcao.cs at gmail dot com
Target Milestone: ---
Summary
Heap Buffer Overflow in ld-new's fwrite During EH Frame Header Writing
Environment
elfutils version: 0.192
OS: Ubuntu 22.04.5 LTS
Steps to reproduce
# export CFLAGS="-g -O0 -fno-inline -fno-lto -fsanitize=address"
# export CXXFLAGS="-g -O0 -fno-inline -fno-lto -fsanitize=address"
# ./configure --enable-maintainer-mode --disable-debuginfod
# make -j64 && make install
root@c6c01f72391e:# ./ld-new --eh-frame-hdr POC
./ld-new: warning: cannot find entry symbol _start; defaulting to 0000000000401000
./ld-new: /workspace/POC/binutils/POC_binutils_ld_heap-buffer-overflow: in function `reallocarray':
openbsd-reallocarray.c:(.text+0x16d): undefined reference to `__errno_location'
./ld-new: /workspace/POC/binutils/POC_binutils_ld_heap-buffer-overflow: in function `__afl_setup_first':
openbsd-reallocarray.c:(.text+0x2a7): undefined reference to `getenv'
./ld-new: openbsd-reallocarray.c:(.text+0x2b8): undefined reference to `atoi'
./ld-new: /workspace/POC/binutils/POC_binutils_ld_heap-buffer-overflow: in function `__afl_forkserver':
openbsd-reallocarray.c:(.text+0x303): undefined reference to `write'
./ld-new: /workspace/POC/binutils/POC_binutils_ld_heap-buffer-overflow: in function `__afl_fork_wait_loop':
openbsd-reallocarray.c:(.text+0x327): undefined reference to `read'
./ld-new: openbsd-reallocarray.c:(.text+0x336): undefined reference to `fork'
./ld-new: openbsd-reallocarray.c:(.text+0x362): undefined reference to `write'
./ld-new: openbsd-reallocarray.c:(.text+0x37c): undefined reference to `waitpid'
./ld-new: openbsd-reallocarray.c:(.text+0x3a0): undefined reference to `write'
./ld-new: /workspace/POC/binutils/POC_binutils_ld_heap-buffer-overflow: in function `__afl_fork_resume':
openbsd-reallocarray.c:(.text+0x3b1): undefined reference to `close'
./ld-new: openbsd-reallocarray.c:(.text+0x3bd): undefined reference to `close'
./ld-new: /workspace/POC/binutils/POC_binutils_ld_heap-buffer-overflow: in function `__afl_die':
openbsd-reallocarray.c:(.text+0x492): undefined reference to `_exit'
./ld-new: /workspace/POC/binutils/POC_binutils_ld_heap-buffer-overflow: in function `reallocarray':
openbsd-reallocarray.c:(.text+0x161): undefined reference to `realloc'
=================================================================
==1751117==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000518 at pc 0x000000438aee bp 0x7ffe85da12e0 sp 0x7ffe85da0aa8
READ of size 12 at 0x602000000518 thread T0
    #0 0x438aed in fwrite (/workspace/new-test/fuzzdir/fz-ld/ld-new+0x438aed)
    #1 0x1c7eaa9 in cache_bwrite /workspace/new-test/program/binutils-gdb/bfd/cache.c:435:12
    #2 0xc06729 in bfd_write /workspace/new-test/program/binutils-gdb/bfd/bfdio.c:412:12
    #3 0xc22f52 in _bfd_generic_set_section_contents /workspace/new-test/program/binutils-gdb/bfd/libbfd.c:1351:10
    #4 0xd1247f in _bfd_elf_set_section_contents /workspace/new-test/program/binutils-gdb/bfd/elf.c:10006:10
    #5 0xc4704f in bfd_set_section_contents /workspace/new-test/program/binutils-gdb/bfd/section.c:1527:7
    #6 0xde39aa in write_dwarf_eh_frame_hdr /workspace/new-test/program/binutils-gdb/bfd/elf-eh-frame.c:2507:8
    #7 0xde230c in _bfd_elf_write_section_eh_frame_hdr /workspace/new-test/program/binutils-gdb/bfd/elf-eh-frame.c:2539:12
    #8 0xd83762 in bfd_elf_final_link /workspace/new-test/program/binutils-gdb/bfd/elflink.c:13822:9
    #9 0x544f29 in ldwrite /workspace/new-test/program/binutils-gdb/ld/ldwrite.c:548:8
    #10 0x53b0b0 in main /workspace/new-test/program/binutils-gdb/ld/./ldmain.c:912:3
    #11 0x7f2d1a920d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #12 0x7f2d1a920e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #13 0x4206f4 in _start (/workspace/new-test/fuzzdir/fz-ld/ld-new+0x4206f4)
0x602000000518 is located 0 bytes to the right of 8-byte region [0x602000000510,0x602000000518)
allocated by thread T0 here:
    #0 0x49b5bd in malloc (/workspace/new-test/fuzzdir/fz-ld/ld-new+0x49b5bd)
    #1 0xc1ea01 in bfd_malloc /workspace/new-test/program/binutils-gdb/bfd/libbfd.c:291:9
    #2 0xde230c in _bfd_elf_write_section_eh_frame_hdr /workspace/new-test/program/binutils-gdb/bfd/elf-eh-frame.c:2539:12
    #3 0x544f29 in ldwrite /workspace/new-test/program/binutils-gdb/ld/ldwrite.c:548:8
    #4 0x7f2d1a920d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
SUMMARY: AddressSanitizer: heap-buffer-overflow (/workspace/new-test/fuzzdir/fz-ld/ld-new+0x438aed) in fwrite
Shadow bytes around the buggy address:
0x0c047fff8050: fa fa fd fd fa fa fd fd fa fa 00 00 fa fa 00 00
0x0c047fff8060: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff8070: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff8080: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fd
0x0c047fff8090: fa fa 00 fa fa fa 00 05 fa fa fd fd fa fa fd fd
=>0x0c047fff80a0: fa fa 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff80d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff80f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
==1751117==ABORTING
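A small triage helper, added here as an example and not part of this bug report or of binutils, that pulls the access size, the allocated region size and the frame pair worth reading first out of the ASan report above; the report text embedded in the block is an excerpt of the output quoted above with the e-mail line wraps rejoined.

```python
import re

# Excerpt of the AddressSanitizer report quoted above, with e-mail line wraps rejoined.
REPORT = """\
READ of size 12 at 0x602000000518 thread T0
    #0 0x438aed in fwrite (/workspace/new-test/fuzzdir/fz-ld/ld-new+0x438aed)
    #1 0x1c7eaa9 in cache_bwrite /workspace/new-test/program/binutils-gdb/bfd/cache.c:435:12
    #2 0xc06729 in bfd_write /workspace/new-test/program/binutils-gdb/bfd/bfdio.c:412:12
    #3 0xc22f52 in _bfd_generic_set_section_contents /workspace/new-test/program/binutils-gdb/bfd/libbfd.c:1351:10
    #4 0xd1247f in _bfd_elf_set_section_contents /workspace/new-test/program/binutils-gdb/bfd/elf.c:10006:10
    #5 0xc4704f in bfd_set_section_contents /workspace/new-test/program/binutils-gdb/bfd/section.c:1527:7
    #6 0xde39aa in write_dwarf_eh_frame_hdr /workspace/new-test/program/binutils-gdb/bfd/elf-eh-frame.c:2507:8
    #7 0xde230c in _bfd_elf_write_section_eh_frame_hdr /workspace/new-test/program/binutils-gdb/bfd/elf-eh-frame.c:2539:12
0x602000000518 is located 0 bytes to the right of 8-byte region [0x602000000510,0x602000000518)
allocated by thread T0 here:
    #0 0x49b5bd in malloc (/workspace/new-test/fuzzdir/fz-ld/ld-new+0x49b5bd)
    #1 0xc1ea01 in bfd_malloc /workspace/new-test/program/binutils-gdb/bfd/libbfd.c:291:9
    #2 0xde230c in _bfd_elf_write_section_eh_frame_hdr /workspace/new-test/program/binutils-gdb/bfd/elf-eh-frame.c:2539:12
"""

# A frame with a source location: "#N 0xADDR in func path:line[:col]".
FRAME = re.compile(r"#\d+ 0x[0-9a-f]+ in (\S+) (\S+?):(\d+)(?::\d+)?$", re.M)
ACCESS = re.compile(r"(READ|WRITE) of size (\d+) at 0x[0-9a-f]+")
REGION = re.compile(r"located (\d+) bytes to the right of (\d+)-byte region")


def frames(text):
    """Return (function, file, line) for every frame that carries a source location."""
    return [(func, path, int(line)) for func, path, line in FRAME.findall(text)]


def triage(report):
    """Summarise a heap-buffer-overflow report: sizes, overrun and the frames to inspect."""
    access_txt, alloc_txt = report.split("allocated by thread", 1)
    kind, size = ACCESS.search(report).groups()
    gap, region = map(int, REGION.search(report).groups())
    # ASan reports the first poisoned byte, not where the access started. With gap == 0
    # and an access that began at the region start, the overrun is size - region bytes.
    overrun = int(size) - region if gap == 0 else None
    alloc = frames(alloc_txt)
    # Skip allocator wrappers (malloc, bfd_malloc) to reach the code that sized the buffer,
    # then take the deepest access frame in that same file: that is where size and use diverge.
    allocator = next((f for f in alloc if "alloc" not in f[0]), None)
    culprit = next((f for f in frames(access_txt) if allocator and f[1] == allocator[1]), None)
    return {"kind": kind, "size": int(size), "region": region,
            "overrun": overrun, "culprit": culprit, "allocator": allocator}
```

For this report the helper points at the 8-byte buffer sized in _bfd_elf_write_section_eh_frame_hdr (elf-eh-frame.c:2539) and the 12-byte write issued from write_dwarf_eh_frame_hdr (elf-eh-frame.c:2507), which is the pair of lines to compare when confirming the size computation.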
POC
https://drive.google.com/file/d/1Gm0oxSpUaIo7j_3jInHslX3faR_IJqDq/view?usp=sharing
Credit
Xiaoguo Li (CUPL)
Xudong Cao (UCAS)