https://sourceware.org/bugzilla/show_bug.cgi?id=32603

            Bug ID: 32603
           Summary: ld segv in bfd_set_format
           Product: binutils
           Version: 2.43
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: ld
          Assignee: unassigned at sourceware dot org
          Reporter: swj22 at mails dot tsinghua.edu.cn
  Target Milestone: ---

**Description**
A segmentation fault (SEGV) occurs in the ld command when the -w and -o options
are used simultaneously, and the file specified by the -o option either does
not have write permissions for the current user or points to a directory. This
issue is detected by AddressSanitizer, which identifies a read access to an
invalid memory address, leading to a program crash.

**Affected Versions**
binutils 2.43

**Impact**
This vulnerability can cause the program to crash, affecting system stability
and availability. In some cases, an attacker may exploit this vulnerability to
perform a denial-of-service (DoS) attack.

**Example**
```
(base) swj@amax /tmp $ /data/swj/optfuzz/benchmark/binutils-2.43/bins/bin/ld -w -o/root/1234
AddressSanitizer:DEADLYSIGNAL
=================================================================
==376931==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000048 (pc 0x5621f87aa617 bp 0x7ffe400e2e50 sp 0x7ffe400e2da0 T0)
==376931==The signal is caused by a READ memory access.
==376931==Hint: address points to the zero page.
    #0 0x5621f87aa617 in bfd_set_format /data/swj/optfuzz/benchmark/binutils-2.43/bfd/format.c:765:7
    #1 0x5621f870a34f in open_output /data/swj/optfuzz/benchmark/binutils-2.43/ld/ldlang.c:3443:8
    #2 0x5621f86efb32 in ldlang_open_output /data/swj/optfuzz/benchmark/binutils-2.43/ld/ldlang.c:3464:7
    #3 0x5621f86d3c57 in lang_for_each_statement_worker /data/swj/optfuzz/benchmark/binutils-2.43/ld/ldlang.c:1040:7
    #4 0x5621f86d3e9b in lang_for_each_statement /data/swj/optfuzz/benchmark/binutils-2.43/ld/ldlang.c:1083:3
    #5 0x5621f86ed960 in lang_process /data/swj/optfuzz/benchmark/binutils-2.43/ld/ldlang.c:8172:3
    #6 0x5621f871834c in main /data/swj/optfuzz/benchmark/binutils-2.43/ld/./ldmain.c:529:3
    #7 0x7fc91d1fe082 in __libc_start_main /build/glibc-LcI20x/glibc-2.31/csu/../csu/libc-start.c:308:16
    #8 0x5621f85f06bd in _start (/data/swj/optfuzz/benchmark/binutils-2.43/bins/bin/ld+0x15a6bd) (BuildId: d9731e405748db264b62c84ded760ba4f068cb0a)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /data/swj/optfuzz/benchmark/binutils-2.43/bfd/format.c:765:7 in bfd_set_format
==376931==ABORTING
```

No PoC file is needed.
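The report shows the crash only in an AddressSanitizer build, where the process ends with exit status 1 and an ASan banner rather than with SIGSEGV; a plain build of the same linker would instead be killed by the signal. The following shell probe is an added example (not part of the bug report or of binutils) that a maintainer can keep as a regression check after upgrading: it runs the reported invocation against a directory and classifies how the linker terminates, treating both a signal death and an ASan SEGV report as a crash and a non-zero exit without either as the expected clean refusal. It assumes the linker under test is named by the `LD` variable (default `ld` on `PATH`), that the output target is a directory, and that no input objects are passed, exactly as in the report.

```shell
#!/bin/sh
# Added example, not part of the bug report: a regression probe for the
# "-w -o <unwritable path>" case described above. It classifies how ld
# terminates; it does not fix anything. Assumptions (all constructed):
#   - LD names the linker to probe (defaults to "ld" on PATH);
#   - the probe target is a directory, which ld cannot open as an output file;
#   - no input objects are given, exactly as in the reported invocation.
LD="${LD:-ld}"

# classify_ld_result RC OUTPUT
# Maps an exit status and the captured stderr/stdout to one word on stdout:
#   crash      - killed by a signal (the shell reports 128+signo, e.g. 139
#                for SIGSEGV), or an AddressSanitizer SEGV report (an ASan
#                build aborts with exit status 1, so the text must be checked)
#   ok         - a non-zero exit with no crash signature: the linker refused
#                the output file and exited cleanly, the expected behaviour
#   unexpected - exit status 0, which no linker should produce here
classify_ld_result() {
    rc="$1"
    output="$2"
    if [ "$rc" -ge 128 ]; then
        echo crash
    elif printf '%s\n' "$output" | grep -q 'AddressSanitizer: SEGV'; then
        echo crash
    elif [ "$rc" -ne 0 ]; then
        echo ok
    else
        echo unexpected
    fi
}

# check_ld_unwritable_output DIR
# Runs the reported invocation against DIR and classifies the result.
# Prints "skip" when no linker is available, so the probe can run anywhere.
check_ld_unwritable_output() {
    target="$1"
    if ! command -v "$LD" >/dev/null 2>&1; then
        echo skip
        return 0
    fi
    rc=0
    # The linker is expected to exit non-zero; capture the status without
    # letting a "set -e" shell abort the probe.
    output=$("$LD" -w -o "$target" 2>&1) || rc=$?
    classify_ld_result "$rc" "$output"
}

# Stand-alone use: probe the linker on PATH against a fresh directory.
if [ "${1:-}" = "--run" ]; then
    dir=$(mktemp -d)
    echo "$LD -w -o $dir: $(check_ld_unwritable_output "$dir")"
    rmdir "$dir"
fi
```

Run it as `LD=/path/to/ld sh probe.sh --run`; a result of `crash` on a release build means the linker still dies instead of reporting that it cannot open the output file, while `ok` means the fatal error path is reached and the process exits normally.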
