https://sourceware.org/bugzilla/show_bug.cgi?id=32703
Bug ID: 32703
Summary: Null pointer dereference in bfd/linker.c
Product: binutils
Version: 2.32
Status: UNCONFIRMED
Severity: critical
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: shiyuyuranzh at gmail dot com
Target Milestone: ---

Created attachment 15959
  --> https://sourceware.org/bugzilla/attachment.cgi?id=15959&action=edit
Vulnerability paths

I have found a potential null pointer dereference bug in bfd/linker.c and would like to report it to the maintainers. Can you please help me check it? Thank you for your effort and patience!

Below is the execution sequence of the program that may produce the null pointer dereference bug. The specific paths are shown in the attachment. There are a total of two vulnerabilities.

The path of the first vulnerability in the diagram is indicated by a red arrow.
First, in file bfd/hash.c, function bfd_hash_insert returns NULL in line 512.
Second, in file bfd/hash.c, function bfd_hash_lookup calls function bfd_hash_insert on line 497 and returns.
Third, in file bfd/linker.c, function bfd_section_already_linked_table_lookup calls function bfd_hash_lookup on line 497 and returns.
Fourth, in file bfd/linker.c, function _bfd_generic_section_already_linked calls function bfd_section_already_linked_table_lookup on line 2947, which causes variable ready_linked_list to be assigned NULL.
Finally, the variable ready_linked_list was dereferenced at line 2949, resulting in a null pointer dereference vulnerability.

In addition, the first three steps of the second exploit are the same as the first. However, to make it easier to distinguish, starting from the fourth step, I use the green arrow to indicate the second vulnerability. Here is the path from the fourth step:
Fourth, in the file bfd/coffgen.c, the function _bfd_coff_section_already_linked calls the function bfd_section_already_linked_table_lookup, and ready_linked_list is assigned NULL.
Fifth, on line 2692, ready_linked_list is passed as the first argument to function bfd_section_already_linked_table_insert.
Finally, in the file bfd/linker.c, the function bfd_section_already_linked_table_insert dereferences ready_linked_list on line 2785, resulting in a null pointer dereference vulnerability.

Thank you very much for reading and I look forward to hearing from you!
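The call shape the report describes, as an added example that is not part of the original report and is not binutils code: a small chained hash table whose lookup(create) calls insert, where insert returns NULL only when its entry allocator fails (my reading of bfd/hash.c is that the NULL at that point comes from the table's newfunc failing, so the reported path needs an allocation failure), beside a caller that dereferences the result blindly and one that checks it. The allocator failure is injected with a counter so the path can be exercised without real memory exhaustion. Every name in the block (table_lookup, table_insert, mark_linked_checked, fail_allocs and so on) is made up for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative mini hash table written for this page; it is not the
   bfd_hash_table code from binutils.  It only mirrors the call shape
   lookup(create) -> insert -> entry allocator so the NULL path from the
   report can be exercised without a real out-of-memory condition. */

#define NBUCKETS 16

struct entry {
  struct entry *next;
  char *name;
  int seen;          /* stands in for the per-section list the real caller walks */
};

struct table {
  struct entry *buckets[NBUCKETS];
  int fail_allocs;   /* >0: that many upcoming entry allocations fail (simulated OOM) */
};

static unsigned long hash_str(const char *s) {
  unsigned long h = 5381;
  for (; *s != '\0'; s++)
    h = h * 33 + (unsigned char)*s;
  return h;
}

/* Entry allocator, playing the role of table->newfunc in bfd/hash.c. */
static struct entry *new_entry(struct table *t, const char *name) {
  if (t->fail_allocs > 0) {
    t->fail_allocs--;
    return NULL;                       /* simulated allocation failure */
  }
  struct entry *e = calloc(1, sizeof *e);
  if (e == NULL)
    return NULL;
  size_t n = strlen(name) + 1;
  e->name = malloc(n);
  if (e->name == NULL) {
    free(e);
    return NULL;
  }
  memcpy(e->name, name, n);
  return e;
}

/* Shape of bfd_hash_insert: the allocator's NULL is returned as-is. */
static struct entry *table_insert(struct table *t, const char *name, unsigned long h) {
  struct entry *e = new_entry(t, name);
  if (e == NULL)
    return NULL;
  e->next = t->buckets[h % NBUCKETS];
  t->buckets[h % NBUCKETS] = e;
  return e;
}

/* Shape of bfd_hash_lookup: an existing entry is returned without
   allocating; a missing one is inserted only when create is true, and
   the insert's NULL propagates unchanged to the caller. */
static struct entry *table_lookup(struct table *t, const char *name, bool create) {
  unsigned long h = hash_str(name);
  for (struct entry *e = t->buckets[h % NBUCKETS]; e != NULL; e = e->next)
    if (strcmp(e->name, name) == 0)
      return e;
  return create ? table_insert(t, name, h) : NULL;
}

/* Caller in the shape the report describes: the lookup result is
   dereferenced with no NULL check, so a failed insert crashes here. */
static int mark_linked_unchecked(struct table *t, const char *section) {
  struct entry *l = table_lookup(t, section, true);
  return ++l->seen;                    /* NULL dereference when the insert failed */
}

/* Hardened caller: a NULL lookup is an error to report, not a pointer to use.
   Returns the new count, or -1 when the entry could not be created. */
static int mark_linked_checked(struct table *t, const char *section) {
  struct entry *l = table_lookup(t, section, true);
  if (l == NULL) {
    fprintf(stderr, "out of memory while recording section %s\n", section);
    return -1;
  }
  return ++l->seen;
}

int main(void) {
  struct table t = {0};
  t.fail_allocs = 1;
  /* First sight of the name with a failing allocator: the hardened caller
     returns -1 instead of dereferencing NULL. */
  printf("checked, OOM:      %d\n", mark_linked_checked(&t, ".text"));
  printf("checked, OK:       %d\n", mark_linked_checked(&t, ".text"));
  /* Once the entry exists the insert is never reached, so even with the
     allocator set to fail the unchecked caller cannot reach the NULL path. */
  t.fail_allocs = 1;
  printf("unchecked, cached: %d\n", mark_linked_unchecked(&t, ".text"));
  return 0;
}
```

The point the last call makes is worth keeping in mind when triaging reports like this one: the dereference is reachable only for a name the table has never seen, and only when the entry allocation for it fails, so the fix is a NULL check at the caller (or an error return from the lookup wrapper), and the practical impact is a crash under memory pressure rather than memory corruption.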