[Bug ld/20906] New: LD: ld crashes for malformed inputs

[boehme.marcel at gmail dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=20906

            Bug ID: 20906
           Summary: LD: ld crashes for malformed inputs
           Product: binutils
           Version: 2.28 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: ld
          Assignee: unassigned at sourceware dot org
          Reporter: boehme.marcel at gmail dot com
  Target Milestone: ---

Dear all,

The following bug was found with AFLFast, a fork of AFL, in a 24 hour fuzzing
session on Binutils. Thanks also to Van-Thuan Pham.

The linker crashes with an invalid write of size 1 for the following execution
on 14.04 x86_64 for Binutils v2.24 and trunk. It does not crash on Ubuntu 16.04
x86_64 Binutils v2.26.1 or trunk but the invalid write is still there.

$ printf
"\x6b\x22\x17\x1d\x00\x7f\x00\x00\x00\x00\x00\x52\x6e\x71\x1d\x00\x00\x01\x00\x00\x00\x00\x00\x00\x52\x6b\x22\x00\xdf\x12\xef\x17\x66\x52\x6b\x22\x17\x1d\x00\x6b\x22\x00\xdf\x2e\xef\x00\x69"
> test
$ ./ld test
*** Error in `/home/ubuntu/subjects/binutils-gdb/ld/ld-new': malloc(): memory
corruption: 0x000000000188a6e0 ***
Aborted

ASAN reports it sometimes as use-after-free and sometimes as heap-based buffer
overflow:
=================================================================
==8360==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000c828
at pc 0x000000413f9e bp 0x7ffd709c9a00 sp 0x7ffd709c99f8
WRITE of size 1 at 0x60200000c828 thread T0
    #0 0x413f9d in yylex
/home/ubuntu/subjects/binutils-gdb/obj-asan/ld/ldlex.l:420
    #1 0x404901 in yyparse
/home/ubuntu/subjects/binutils-gdb/obj-asan/ld/ldgram.c:2298
    #2 0x43845e in load_symbols ../../ld/ldlang.c:2818
    #3 0x43c299 in open_input_bfds ../../ld/ldlang.c:3346
    #4 0x4568f7 in lang_process ../../ld/ldlang.c:6871
    #5 0x465a39 in main ../../ld/ldmain.c:428
    #6 0x7fdb8cba8f44 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #7 0x403968 
(/home/ubuntu/subjects/binutils-gdb/obj-asan/ld/ld-new+0x403968)

0x60200000c828 is located 8 bytes to the left of 2-byte region
[0x60200000c830,0x60200000c832)
allocated by thread T0 here:
    #0 0x7fdb8df293a8 in __interceptor_malloc
(/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc23a8)
    #1 0x92547b in xmalloc ../../libiberty/xmalloc.c:148
    #2 0x92571a in xstrdup ../../libiberty/xstrdup.c:34
    #3 0x413ba4 in yylex
/home/ubuntu/subjects/binutils-gdb/obj-asan/ld/ldlex.l:379
    #4 0x404901 in yyparse
/home/ubuntu/subjects/binutils-gdb/obj-asan/ld/ldgram.c:2298
    #5 0x43845e in load_symbols ../../ld/ldlang.c:2818
    #6 0x43c299 in open_input_bfds ../../ld/ldlang.c:3346
    #7 0x4568f7 in lang_process ../../ld/ldlang.c:6871
    #8 0x465a39 in main ../../ld/ldmain.c:428
    #9 0x7fdb8cba8f44 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21f44)

SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/ubuntu/subjects/binutils-gdb/obj-asan/ld/ldlex.l:420 in yylex

The stacktraces vary significantly for different fuzzing inputs but it is
always the call to yyparse that crashes the linker.

Best regards,
- Marcel

-- 
You are receiving this mail because:
You are on the CC list for the bug.
_______________________________________________
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils