Submit #495369: GNU ld 2.43 Illegal write accessinfo

TitleGNU ld 2.43 Illegal write access
Description**Description** A segv can occur in ld (part of binutils 2.43) when using the --version-exports-section and --shared options with a specially crafted input file. This issue leads to memory corruption (illegal memory access)and crashes. **Affected Version** GNU ld (GNU Binutils) 2.43 **Impact** This issue can cause the linker to crash due to illegal memory writes, leading to denial of service. **Steps to Reproduce** Build binutils 2.43 with AddressSanitizer (e.g., CFLAGS="-g -fsanitize=address" ./configure && make -j). Run the following command: ./binutils-2.43/bins/bin/ld --version-exports-section symbol --shared $poc Observe the AddressSanitizer error indicating a segv. (base) swj@amax /tmp/crash_tmp $ /data/swj/optfuzz/benchmark/binutils-2.43/bins/bin/ld --version-exports-section symbol --shared /tmp/poc /data/swj/optfuzz/benchmark/binutils-2.43/bins/bin/ld: warning: /tmp/poc has a section extending past end of file /data/swj/optfuzz/benchmark/binutils-2.43/bins/bin/ld: /tmp/poc: warning: relocation against `' in read-only section `.text' /data/swj/optfuzz/benchmark/binutils-2.43/bins/bin/ld: warning: a.out has a LOAD segment with RWX permissions /data/swj/optfuzz/benchmark/binutils-2.43/bins/bin/ld: /data/swj/optfuzz/benchmark/binutils-2.43/bins/bin/ld: DWARF error: found address size '0', this reader can only handle address sizes '2', '4' and '8' /tmp/poc: in function `no symbol': l_fork_pid:(.text+0x2a7): undefined reference to `' /data/swj/optfuzz/benchmark/binutils-2.43/bins/bin/ld: /tmp/poc: in function `���������': l_fork_pid:(.text+0x327): undefined reference to `' /data/swj/optfuzz/benchmark/binutils-2.43/bins/bin/ld: l_fork_pid:(.text+0x37c): undefined reference to `�������' l_fork_pid:(.text+0x37c): relocation truncated to fit: R_X86_64_SIZE32 against undefined symbol `�������' /data/swj/optfuzz/benchmark/binutils-2.43/bins/bin/ld: /tmp/poc: in function `no symbol': l_fork_pid:(.text+0x492): undefined reference to `' /tmp/poc:(.debug_info+0x53): relocation truncated to fit: R_X86_64_32 against `.debug_str' /data/swj/optfuzz/benchmark/binutils-2.43/bins/bin/ld: BFD (GNU Binutils) 2.43 assertion fail elflink.c:15630 AddressSanitizer:DEADLYSIGNAL ================================================================= ==484290==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000007 (pc 0x555d44825250 bp 0x7ffedac5fef0 sp 0x7ffedac5fe50 T0) ==484290==The signal is caused by a WRITE memory access. ==484290==Hint: address points to the zero page. #0 0x555d44825250 in bfd_putl64 /data/swj/optfuzz/benchmark/binutils-2.43/bfd/libbfd.c:989:11 #1 0x555d448d0d4d in bfd_elf64_swap_reloca_out /data/swj/optfuzz/benchmark/binutils-2.43/bfd/./elfcode.h:466:3 #2 0x555d449ca89f in elf_append_rela /data/swj/optfuzz/benchmark/binutils-2.43/bfd/elflink.c:15631:3 #3 0x555d44886c46 in elf_x86_64_finish_dynamic_symbol /data/swj/optfuzz/benchmark/binutils-2.43/bfd/elf64-x86-64.c:4959:4 #4 0x555d449afdd5 in elf_link_output_extsym /data/swj/optfuzz/benchmark/binutils-2.43/bfd/elflink.c:10938:14 #5 0x555d44821703 in bfd_hash_traverse /data/swj/optfuzz/benchmark/binutils-2.43/bfd/hash.c:814:8 #6 0x555d4499994c in bfd_elf_final_link /data/swj/optfuzz/benchmark/binutils-2.43/bfd/elflink.c:13182:3 #7 0x555d44791d0e in ldwrite /data/swj/optfuzz/benchmark/binutils-2.43/ld/ldwrite.c:550:8 #8 0x555d4478c4e9 in main /data/swj/optfuzz/benchmark/binutils-2.43/ld/./ldmain.c:556:3 #9 0x7f2c69b92082 in __libc_start_main /build/glibc-LcI20x/glibc-2.31/csu/../csu/libc-start.c:308:16 #10 0x555d446646bd in _start (/data/swj/optfuzz/benchmark/binutils-2.43/bins/bin/ld+0x15a6bd) (BuildId: d9731e405748db264b62c84ded760ba4f068cb0a) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV /data/swj/optfuzz/benchmark/binutils-2.43/bfd/libbfd.c:989:11 in bfd_putl64 ==484290==ABORTING ** Env ** Distributor ID: Ubuntu Description: Ubuntu 20.04.6 LTS Release: 20.04 Codename: focal
Source⚠️ https://sourceware.org/bugzilla/show_bug.cgi?id=32638
User
 wenjusun (UID 80422)
Submission02/05/2025 13:13 (1 Year ago)
Moderation02/10/2025 11:47 (5 days later)
StatusAccepted
VulDB entry295081 [GNU Binutils 2.43 ld libbfd.c bfd_putl64 memory corruption]
Points20

PreviousOverviewNext

Do you want to use VulDB in your project?

Use the official API to access entries easily!