| Title | GNU binutils/ld 2.43 Heap-based Buffer Overflow |
|---|
| Description | **Description**
A heap-buffer-overflow can occur in ld (part of binutils 2.43) when using the -w and --gc-sections options with a specially crafted input file that has a sufficiently long file path. This issue leads to memory corruption and potential crashes.
**Affected Version**
Binutils 2.43
**Impact**
Potential crash due to corrupting heap memory.
May lead to application instability or other unexpected behavior.
In certain contexts, could potentially be used to execute arbitrary code.
**Steps to Reproduce**
Build binutils 2.43 with AddressSanitizer (e.g., CFLAGS="-g -fsanitize=address" ./configure && make -j).
Prepare a file named thisisapocpocpocpocpocpocpocpocpoc (or similarly long).
Run the following command:
./binutils-2.43/bins/bin/ld -w --gc-sections ./thisisapocpocpocpocpocpocpocpocpoc
Observe the AddressSanitizer error indicating a heap-buffer-overflow.
/data/swj/optfuzz/benchmark/binutils-2.43/bins/bin/ld --gc-sections --print-gc-sections -w ./thisisapocpocpocpocpocpocpocpocpoc
/data/swj/optfuzz/benchmark/binutils-2.43/bins/bin/ld: warning: ./thisisapocpocpocpocpocpocpocpocpoc has a section extending past end of file
/data/swj/optfuzz/benchmark/binutils-2.43/bins/bin/ld: ./thisisapocpocpocpocpocpocpocpocpoc: invalid string offset 2303260209 >= 414 for section `.strtab'
=================================================================
==482554==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62100001a0e0 at pc 0x55cef964f6a4 bp 0x7ffeef9b6e40 sp 0x7ffeef9b6e38
READ of size 8 at 0x62100001a0e0 thread T0
#0 0x55cef964f6a3 in _bfd_elf_gc_mark_rsec /data/swj/optfuzz/benchmark/binutils-2.43/bfd/elflink.c:14042:23
#1 0x55cef964fc90 in _bfd_elf_gc_mark_reloc /data/swj/optfuzz/benchmark/binutils-2.43/bfd/elflink.c:14091:10
#2 0x55cef9650474 in _bfd_elf_gc_mark /data/swj/optfuzz/benchmark/binutils-2.43/bfd/elflink.c:14143:11
#3 0x55cef9651d96 in _bfd_elf_gc_mark_extra_sections /data/swj/optfuzz/benchmark/binutils-2.43/bfd/elflink.c:14354:11
#4 0x55cef9655a16 in bfd_elf_gc_sections /data/swj/optfuzz/benchmark/binutils-2.43/bfd/elflink.c:14725:3
#5 0x55cef93feb0d in lang_gc_sections /data/swj/optfuzz/benchmark/binutils-2.43/ld/ldlang.c:7763:5
#6 0x55cef93f878b in lang_process /data/swj/optfuzz/benchmark/binutils-2.43/ld/ldlang.c:8378:3
#7 0x55cef942234c in main /data/swj/optfuzz/benchmark/binutils-2.43/ld/./ldmain.c:529:3
#8 0x7fce3215f082 in __libc_start_main /build/glibc-LcI20x/glibc-2.31/csu/../csu/libc-start.c:308:16
#9 0x55cef92fa6bd in _start (/data/swj/optfuzz/benchmark/binutils-2.43/bins/bin/ld+0x15a6bd) (BuildId: d9731e405748db264b62c84ded760ba4f068cb0a)
0x62100001a0e0 is located 0 bytes to the right of 4064-byte region [0x621000019100,0x62100001a0e0)
allocated by thread T0 here:
#0 0x55cef937cdce in __interceptor_malloc (/data/swj/optfuzz/benchmark/binutils-2.43/bins/bin/ld+0x1dcdce) (BuildId: d9731e405748db264b62c84ded760ba4f068cb0a)
#1 0x55cef98dd1d2 in objalloc_create /data/swj/optfuzz/benchmark/binutils-2.43/libiberty/./objalloc.c:95:26
#2 0x55cef94d037d in _bfd_new_bfd /data/swj/optfuzz/benchmark/binutils-2.43/bfd/opncls.c:99:18
#3 0x55cef94d0d8e in bfd_fopen /data/swj/optfuzz/benchmark/binutils-2.43/bfd/opncls.c:296:10
#4 0x55cef94d1c78 in bfd_openr /data/swj/optfuzz/benchmark/binutils-2.43/bfd/opncls.c:392:10
#5 0x55cef9440c80 in ldfile_try_open_bfd /data/swj/optfuzz/benchmark/binutils-2.43/ld/./ldfile.c:356:20
#6 0x55cef9442ed5 in ldfile_open_file /data/swj/optfuzz/benchmark/binutils-2.43/ld/./ldfile.c:643:11
#7 0x55cef93ea0bb in load_symbols /data/swj/optfuzz/benchmark/binutils-2.43/ld/ldlang.c:2992:3
#8 0x55cef93fb304 in open_input_bfds /data/swj/optfuzz/benchmark/binutils-2.43/ld/ldlang.c:3622:13
#9 0x55cef93f79f3 in lang_process /data/swj/optfuzz/benchmark/binutils-2.43/ld/ldlang.c:8194:3
#10 0x55cef942234c in main /data/swj/optfuzz/benchmark/binutils-2.43/ld/./ldmain.c:529:3
#11 0x7fce3215f082 in __libc_start_main /build/glibc-LcI20x/glibc-2.31/csu/../csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: heap-buffer-overflow /data/swj/optfuzz/benchmark/binutils-2.43/bfd/elflink.c:14042:23 in _bfd_elf_gc_mark_rsec
Shadow bytes around the buggy address:
0x0c427fffb3c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffb3d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffb3e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffb3f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffb400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c427fffb410: 00 00 00 00 00 00 00 00 00 00 00 00[fa]fa fa fa
0x0c427fffb420: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffb430: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffb440: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffb450: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffb460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==482554==ABORTING
** Env **
Distributor ID: Ubuntu
Description: Ubuntu 20.04.6 LTS
Release: 20.04
Codename: focal
|
|---|
| Source | https://sourceware.org/bugzilla/show_bug.cgi?id=32636 |
|---|
| User | wenjusun (UID 80422) |
|---|
| Submitted | 2025-02-05 10:29 (1 year ago) |
|---|
| Moderated | 2025-02-10 11:18 (5 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 295079 [GNU Binutils 2.43 ld elflink.c _bfd_elf_gc_mark_rsec buffer overflow] |
|---|
| Points | 20 |
|---|
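The report above records two ld diagnostics on the crafted input (a section extending past end of file, and a `.strtab` offset far beyond the table's size) and an 8-byte READ just past a 4064-byte objalloc region inside the relocation-marking path of `--gc-sections`, but it does not give a root cause. The C program below is an added example, not code from the report or from binutils: a minimal ELF64 pre-screen of the kind used to triage fuzzer-generated objects before feeding them to a sanitizer build of ld. It flags the two malformations a linker has to reject before it walks relocations: section headers whose file range runs past EOF, and RELA entries whose symbol index is not below the entry count of the symbol table they link to. A symbol index used unchecked to index a per-symbol array reads past that array's end, which is the bug class an out-of-bounds READ in a reloc-marking routine points at; that this is the actual cause in elflink.c is an assumption here, not something the report establishes. The struct layouts follow the ELF64 little-endian specification; the object built in memory by `build_sample` is constructed for this example and is not the reporter's PoC file.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal ELF64 little-endian layouts (same field order as <elf.h>),
 * defined locally so the example builds without system ELF headers. */
typedef struct {
    uint8_t  e_ident[16];
    uint16_t e_type, e_machine;
    uint32_t e_version;
    uint64_t e_entry, e_phoff, e_shoff;
    uint32_t e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} Ehdr64;
typedef struct {
    uint32_t sh_name, sh_type;
    uint64_t sh_flags, sh_addr, sh_offset, sh_size;
    uint32_t sh_link, sh_info;
    uint64_t sh_addralign, sh_entsize;
} Shdr64;
typedef struct { uint64_t r_offset, r_info; int64_t r_addend; } Rela64;
typedef struct { uint32_t st_name; uint8_t st_info, st_other; uint16_t st_shndx; uint64_t st_value, st_size; } Sym64;
_Static_assert(sizeof(Ehdr64) == 64 && sizeof(Shdr64) == 64 &&
               sizeof(Rela64) == 24 && sizeof(Sym64) == 24, "ELF64 layout");

enum { SHT_PROGBITS = 1, SHT_SYMTAB = 2, SHT_RELA = 4, SHT_NOBITS = 8 };

/* Copy out the ELF header; only 64-bit little-endian objects are handled. */
static int read_ehdr(const uint8_t *buf, size_t len, Ehdr64 *eh) {
    if (len < sizeof *eh) return 0;
    memcpy(eh, buf, sizeof *eh);
    return memcmp(eh->e_ident, "\x7fELF", 4) == 0 && eh->e_ident[4] == 2 && eh->e_ident[5] == 1;
}

/* Copy out section header idx, refusing if the header table itself is not fully inside the file. */
static int read_shdr(const uint8_t *buf, size_t len, const Ehdr64 *eh, size_t idx, Shdr64 *out) {
    if (eh->e_shentsize != sizeof(Shdr64) || idx >= eh->e_shnum) return 0;
    uint64_t off = eh->e_shoff + (uint64_t)idx * sizeof(Shdr64);
    if (eh->e_shoff > len || off < eh->e_shoff || off > len - sizeof(Shdr64)) return 0;
    memcpy(out, buf + off, sizeof *out);
    return 1;
}

/* Count sections whose [sh_offset, sh_offset + sh_size) runs past the end of the file
 * (ld's "has a section extending past end of file"). SHT_NOBITS occupies no file bytes. */
size_t count_sections_past_eof(const uint8_t *buf, size_t len) {
    Ehdr64 eh; Shdr64 sh; size_t bad = 0;
    if (!read_ehdr(buf, len, &eh)) return 0;
    for (size_t i = 1; i < eh.e_shnum; i++) {
        if (!read_shdr(buf, len, &eh, i, &sh)) { bad++; continue; }   /* unreadable header counts too */
        if (sh.sh_type == SHT_NOBITS) continue;
        if (sh.sh_offset > len || sh.sh_size > len - sh.sh_offset) bad++;  /* overflow-safe range test */
    }
    return bad;
}

/* Count RELA entries whose symbol index (high 32 bits of r_info) is not below the number
 * of entries in the symbol table named by sh_link. Such an index, used without this check
 * to subscript a per-symbol array, reads past the array's end. */
size_t count_bad_reloc_syms(const uint8_t *buf, size_t len) {
    Ehdr64 eh; Shdr64 rel, sym; size_t bad = 0;
    if (!read_ehdr(buf, len, &eh)) return 0;
    for (size_t i = 1; i < eh.e_shnum; i++) {
        if (!read_shdr(buf, len, &eh, i, &rel) || rel.sh_type != SHT_RELA) continue;
        if (rel.sh_entsize != sizeof(Rela64)) continue;
        if (rel.sh_offset > len || rel.sh_size > len - rel.sh_offset) continue;  /* reported by the EOF check */
        uint64_t nsyms = 0;  /* an unreadable or wrong-typed sh_link leaves every index out of range */
        if (read_shdr(buf, len, &eh, rel.sh_link, &sym) && sym.sh_type == SHT_SYMTAB && sym.sh_entsize == sizeof(Sym64))
            nsyms = sym.sh_size / sizeof(Sym64);
        for (uint64_t off = 0; off + sizeof(Rela64) <= rel.sh_size; off += sizeof(Rela64)) {
            Rela64 r; memcpy(&r, buf + rel.sh_offset + off, sizeof r);
            if ((uint32_t)(r.r_info >> 32) >= nsyms) bad++;
        }
    }
    return bad;
}

/* Constructed sample (not the reporter's file): a 400-byte ET_REL object whose .text header claims
 * 4 KiB where only 8 bytes exist, and whose single relocation names symbol 99 of a 2-entry .symtab. */
size_t build_sample(uint8_t *out, size_t cap) {
    const size_t total = 400;
    if (cap < total) return 0;
    memset(out, 0, total);
    Ehdr64 eh; memset(&eh, 0, sizeof eh);
    memcpy(eh.e_ident, "\x7fELF", 4); eh.e_ident[4] = 2; eh.e_ident[5] = 1; eh.e_ident[6] = 1;
    eh.e_type = 1; eh.e_machine = 62; eh.e_version = 1;               /* ET_REL, EM_X86_64 */
    eh.e_shoff = 64; eh.e_ehsize = 64; eh.e_shentsize = 64; eh.e_shnum = 4;
    memcpy(out, &eh, sizeof eh);
    Shdr64 sh[4]; memset(sh, 0, sizeof sh);
    sh[1].sh_type = SHT_SYMTAB;   sh[1].sh_offset = 320; sh[1].sh_size = 48;   sh[1].sh_entsize = 24; sh[1].sh_info = 1;
    sh[2].sh_type = SHT_RELA;     sh[2].sh_offset = 368; sh[2].sh_size = 24;   sh[2].sh_entsize = 24; sh[2].sh_link = 1; sh[2].sh_info = 3;
    sh[3].sh_type = SHT_PROGBITS; sh[3].sh_offset = 392; sh[3].sh_size = 4096; /* extends past EOF */
    memcpy(out + 64, sh, sizeof sh);
    Rela64 r = { .r_offset = 0, .r_info = ((uint64_t)99 << 32) | 1, .r_addend = 0 }; /* sym 99, R_X86_64_64 */
    memcpy(out + 368, &r, sizeof r);
    return total;
}

int main(void) {
    uint8_t buf[512];
    size_t n = build_sample(buf, sizeof buf);
    printf("sections extending past EOF: %zu\n", count_sections_past_eof(buf, n));
    printf("relocations with out-of-range symbol index: %zu\n", count_bad_reloc_syms(buf, n));
    return 0;
}
```

Both checks are deliberately written so that the checker itself never reads outside the buffer: every header is range-tested against the file length before being copied out, and the range tests are phrased as `offset > len || size > len - offset` so a huge `sh_size` or `sh_offset` cannot wrap the addition. To screen a real corpus, replace `build_sample` with reading each candidate object into memory and drop any file for which either count is non-zero before handing the rest to an ASan build of `ld --gc-sections`.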