https://sourceware.org/bugzilla/show_bug.cgi?id=32661
Bug ID: 32661
Summary: ld heap-buffer-overflow in _bfd_elf_gc_mark_rsec
(/bfd/elflink.c:14052:13)
Product: binutils
Version: 2.43
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: ld
Assignee: unassigned at sourceware dot org
Reporter: swj22 at mails dot tsinghua.edu.cn
Target Milestone: ---
Created attachment 15931
--> https://sourceware.org/bugzilla/attachment.cgi?id=15931&action=edit
poc
**Description**
A segv can occur in ld when using the --gc-sections --gc-keep-exported
options with a specially crafted input file. This issue leads to a heap buffer
overflow.
**Affected Version**
GNU ld (GNU Binutils) 2.43
**Steps to Reproduce**
Build binutils 2.43 with AddressSanitizer (e.g., CFLAGS="-g -fsanitize=address"
./configure && make -j).
Run the following command:
/data/swj/optfuzz/benchmark/binutils-2.43/bins/bin/ld --gc-sections
--gc-keep-exported /tmp/poc
=================================================================
==414662==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x603000001158 at pc 0x5606052b37c6 bp 0x7ffcc3174780 sp 0x7ffcc3174778
READ of size 8 at 0x603000001158 thread T0
#0 0x5606052b37c5 in _bfd_elf_gc_mark_rsec
/data/swj/optfuzz/benchmark/binutils-2.43/bfd/elflink.c:14052:13
#1 0x5606052b3c90 in _bfd_elf_gc_mark_reloc
/data/swj/optfuzz/benchmark/binutils-2.43/bfd/elflink.c:14091:10
#2 0x5606052b4474 in _bfd_elf_gc_mark
/data/swj/optfuzz/benchmark/binutils-2.43/bfd/elflink.c:14143:11
#3 0x5606052b98fc in bfd_elf_gc_sections
/data/swj/optfuzz/benchmark/binutils-2.43/bfd/elflink.c:14719:11
#4 0x560605062b0d in lang_gc_sections
/data/swj/optfuzz/benchmark/binutils-2.43/ld/ldlang.c:7763:5
#5 0x56060505c78b in lang_process
/data/swj/optfuzz/benchmark/binutils-2.43/ld/ldlang.c:8378:3
#6 0x56060508634c in main
/data/swj/optfuzz/benchmark/binutils-2.43/ld/./ldmain.c:529:3
#7 0x7f2e8906b082 in __libc_start_main
/build/glibc-LcI20x/glibc-2.31/csu/../csu/libc-start.c:308:16
#8 0x560604f5e6bd in _start
(/data/swj/optfuzz/benchmark/binutils-2.43/bins/bin/ld+0x15a6bd) (BuildId:
d9731e405748db264b62c84ded760ba4f068cb0a)
0x603000001158 is located 80 bytes to the right of 24-byte region
[0x6030000010f0,0x603000001108)
allocated by thread T0 here:
#0 0x560604fe0dce in __interceptor_malloc
(/data/swj/optfuzz/benchmark/binutils-2.43/bins/bin/ld+0x1dcdce) (BuildId:
d9731e405748db264b62c84ded760ba4f068cb0a)
#1 0x5606055411a5 in objalloc_create
/data/swj/optfuzz/benchmark/binutils-2.43/libiberty/./objalloc.c:91:29
#2 0x560605118fee in bfd_hash_table_init_n
/data/swj/optfuzz/benchmark/binutils-2.43/bfd/hash.c:441:28
#3 0x5606051195d8 in bfd_hash_table_init
/data/swj/optfuzz/benchmark/binutils-2.43/bfd/hash.c:486:10
#4 0x560605117824 in bfd_preserve_save
/data/swj/optfuzz/benchmark/binutils-2.43/bfd/format.c:156:10
#5 0x560605115141 in bfd_check_format_matches
/data/swj/optfuzz/benchmark/binutils-2.43/bfd/format.c:455:8
#6 0x56060504e298 in load_symbols
/data/swj/optfuzz/benchmark/binutils-2.43/ld/ldlang.c:3002:11
#7 0x56060505f304 in open_input_bfds
/data/swj/optfuzz/benchmark/binutils-2.43/ld/ldlang.c:3622:13
#8 0x56060505b9f3 in lang_process
/data/swj/optfuzz/benchmark/binutils-2.43/ld/ldlang.c:8194:3
#9 0x56060508634c in main
/data/swj/optfuzz/benchmark/binutils-2.43/ld/./ldmain.c:529:3
#10 0x7f2e8906b082 in __libc_start_main
/build/glibc-LcI20x/glibc-2.31/csu/../csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: heap-buffer-overflow
/data/swj/optfuzz/benchmark/binutils-2.43/bfd/elflink.c:14052:13 in
_bfd_elf_gc_mark_rsec
Shadow bytes around the buggy address:
0x0c067fff81d0: 00 00 01 fa fa fa 00 00 01 fa fa fa 00 00 03 fa
0x0c067fff81e0: fa fa 00 00 03 fa fa fa 00 00 03 fa fa fa 00 00
0x0c067fff81f0: 00 fa fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa
0x0c067fff8200: 00 00 00 fa fa fa fd fd fd fa fa fa 00 00 00 fa
0x0c067fff8210: fa fa fd fd fd fa fa fa fd fd fd fa fa fa 00 00
=>0x0c067fff8220: 00 fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa fa
0x0c067fff8230: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff8240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff8250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff8260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff8270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==414662==ABORTING
**Env**
Distributor ID: Ubuntu
Description: Ubuntu 20.04.6 LTS
Release: 20.04
Codename: focal
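As an added illustration (example code, not binutils source and not part of the report): the section-GC mark pass reads each relocation's symbol index from r_info and uses it to select either a local symbol or an entry in the global symbol-hash array. The ASan trace above shows that lookup performing an 8-byte read 80 bytes past a 24-byte heap region. The page does not include the binutils source, so the structures below (reloc_cookie, resolve_rsec, check_reloc_section) and the constructed relocation table are this example's own assumptions about how the lookup works; what it demonstrates is the upper-bound check that keeps a crafted symbol index inside the array.

```c
/* Added example (not binutils code): resolving a relocation's symbol index
   during section garbage collection, with both bounds checked.  The ELF64
   record layout is standard; reloc_cookie, the resolver and the sample
   data are assumptions for illustration only. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STN_UNDEF 0

/* ELF64 relocation record; the symbol index is the high 32 bits of r_info. */
typedef struct {
    uint64_t r_offset;
    uint64_t r_info;
    int64_t  r_addend;
} Elf64_Rela;
#define ELF64_R_SYM(i)     ((uint32_t)((i) >> 32))
#define ELF64_R_INFO(s, t) (((uint64_t)(s) << 32) | ((t) & 0xffffffffu))

/* Assumed per-input-file state: local symbols occupy symtab slots
   [0, locsymcount); global symbol k lives at sym_hashes[k]. */
struct reloc_cookie {
    size_t locsymcount;
    const char **sym_hashes;
    size_t nglobal;          /* length of sym_hashes */
};

enum symref { SYMREF_NONE, SYMREF_LOCAL, SYMREF_GLOBAL, SYMREF_OUT_OF_RANGE };

/* Classify the symbol a reloc refers to.  For a global reference *name
   receives the hash entry; otherwise *name is NULL. */
static enum symref resolve_rsec(const struct reloc_cookie *c,
                                const Elf64_Rela *rel, const char **name)
{
    uint32_t r_symndx = ELF64_R_SYM(rel->r_info);
    *name = NULL;
    if (r_symndx == STN_UNDEF)
        return SYMREF_NONE;
    if (r_symndx < c->locsymcount)
        return SYMREF_LOCAL;
    /* Global symbol: index sym_hashes only after checking the upper bound.
       Without this check a crafted r_info reads past the end of the array,
       which is the heap-buffer-overflow class ASan reports above. */
    size_t k = r_symndx - c->locsymcount;
    if (k >= c->nglobal)
        return SYMREF_OUT_OF_RANGE;
    *name = c->sym_hashes[k];
    return SYMREF_GLOBAL;
}

/* Walk a relocation section the way a mark pass would; stop at the first
   corrupt index and return its position, or -1 if every index is in range. */
static long check_reloc_section(const struct reloc_cookie *c,
                                const Elf64_Rela *rels, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        const char *name;
        if (resolve_rsec(c, &rels[i], &name) == SYMREF_OUT_OF_RANGE)
            return (long)i;
    }
    return -1;
}

/* Constructed sample input: 2 local symbols, 2 globals, and a reloc table
   whose last entry carries symbol index 7, beyond the 4-entry symtab. */
static const char *sample_hashes[] = { "main", "printf" };
static const struct reloc_cookie sample_cookie = { 2, sample_hashes, 2 };
static const Elf64_Rela sample_rels[] = {
    { 0x10, ELF64_R_INFO(1, 2), 0 },   /* local symbol 1 */
    { 0x18, ELF64_R_INFO(3, 2), 0 },   /* global "printf": 3 - 2 = 1 */
    { 0x20, ELF64_R_INFO(7, 2), 0 },   /* out of range: 7 - 2 = 5 >= 2 */
};

int main(void)
{
    long bad = check_reloc_section(&sample_cookie, sample_rels, 3);
    if (bad < 0)
        puts("all relocation symbol indices in range");
    else
        printf("corrupt input: reloc %ld symbol index %u out of range\n",
               bad, ELF64_R_SYM(sample_rels[bad].r_info));
    return 0;
}
```

The point of the example is the `k >= c->nglobal` test: a lower-bound-only check (index not local, therefore global) still lets an attacker-chosen index select an address past the end of the hash array, and the read happens at pointer size, matching the "READ of size 8" in the sanitizer report.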