Submit #495381: GNU ld 2.43 Illegal read access with --gc-sections --gc-keep-exported option

Title: GNU ld 2.43 Illegal read access with --gc-sections --gc-keep-exported option
Description:

**Description**

A segv can occur in ld (part of binutils 2.43) when using the --gc-sections and --gc-keep-exported options with a specially crafted input file. This issue leads to memory corruption (illegal memory read access) and crashes.

**Affected Version**

GNU ld (GNU Binutils) 2.43

**Impact**

This vulnerability can cause the linker (ld) to crash due to an illegal memory read access, resulting in application instability and denial of service. The illegal memory access may lead to undefined behavior, potentially corrupting memory and affecting other processes running on the system. If exploited, this issue could be leveraged in certain scenarios to escalate privileges or execute arbitrary code, depending on the environment in which ld is used.

**Steps to Reproduce**

1. Build binutils 2.43 with AddressSanitizer (e.g., `CFLAGS="-g -fsanitize=address" ./configure && make -j`).
2. Run the following command: `./binutils-2.43/bins/bin/ld --gc-sections --gc-keep-exported $poc`
3. Observe the AddressSanitizer error indicating a segv.
```
./binutils-2.43/bins/bin/ld --gc-sections --gc-keep-exported /tmp/poc
./binutils-2.43/bins/bin/ld: warning: cannot find entry symbol _start; defaulting to 0000000000401000
./binutils-2.43/bins/bin/ld: /tmp/poc: in function `reallocarray':
openbsd-reallocarray.c:(.text+0x16d): undefined reference to `__errno_location'
./binutils-2.43/bins/bin/ld: /tmp/poc: in function `__afl_setup_first':
openbsd-reallocarray.c:(.text+0x2a7): undefined reference to `getenv'
./binutils-2.43/bins/bin/ld: openbsd-reallocarray.c:(.text+0x2b8): undefined reference to `atoi'
./binutils-2.43/bins/bin/ld: /tmp/poc: in function `__afl_forkserver':
openbsd-reallocarray.c:(.text+0x303): undefined reference to `write'
./binutils-2.43/bins/bin/ld: /tmp/poc: in function `__afl_fork_wait_loop':
openbsd-reallocarray.c:(.text+0x327): undefined reference to `read'
./binutils-2.43/bins/bin/ld: openbsd-reallocarray.c:(.text+0x336): undefined reference to `fork'
./binutils-2.43/bins/bin/ld: openbsd-reallocarray.c:(.text+0x362): undefined reference to `write'
./binutils-2.43/bins/bin/ld: openbsd-reallocarray.c:(.text+0x37c): undefined reference to `waitpid'
./binutils-2.43/bins/bin/ld: openbsd-reallocarray.c:(.text+0x3a0): undefined reference to `write'
./binutils-2.43/bins/bin/ld: /tmp/poc: in function `__afl_fork_resume':
openbsd-reallocarray.c:(.text+0x3b1): undefined reference to `close'
./binutils-2.43/bins/bin/ld: openbsd-reallocarray.c:(.text+0x3bd): undefined reference to `close'
./binutils-2.43/bins/bin/ld: /tmp/poc: in function `__afl_die':
openbsd-reallocarray.c:(.text+0x492): undefined reference to `_exit'
./binutils-2.43/bins/bin/ld: /tmp/poc: in function `reallocarray':
openbsd-reallocarray.c:(.text+0x161): undefined reference to `realloc'
AddressSanitizer:DEADLYSIGNAL
=================================================================
==485892==ERROR: AddressSanitizer: SEGV on unknown address 0x00087fff8000 (pc 0x564fe3b3de6e bp 0x7ffc56de3df0 sp 0x7ffc56de3180 T0)
==485892==The signal is caused by a READ memory access.
    #0 0x564fe3b3de6e in _bfd_elf_write_section_eh_frame ./binutils-2.43/bfd/elf-eh-frame.c:2234:29
    #1 0x564fe3ae8114 in elf_link_input_bfd ./binutils-2.43/bfd/elflink.c:12142:12
    #2 0x564fe3ad6f0d in bfd_elf_final_link ./binutils-2.43/bfd/elflink.c:13107:11
    #3 0x564fe38cfd0e in ldwrite ./binutils-2.43/ld/ldwrite.c:550:8
    #4 0x564fe38ca4e9 in main ./binutils-2.43/ld/./ldmain.c:556:3
    #5 0x7f1c87b4a082 in __libc_start_main /build/glibc-LcI20x/glibc-2.31/csu/../csu/libc-start.c:308:16
    #6 0x564fe37a26bd in _start (./binutils-2.43/bins/bin/ld+0x15a6bd) (BuildId: d9731e405748db264b62c84ded760ba4f068cb0a)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ./binutils-2.43/bfd/elf-eh-frame.c:2234:29 in _bfd_elf_write_section_eh_frame
==485892==ABORTING
```

**Env**

Distributor ID: Ubuntu
Description: Ubuntu 20.04.6 LTS
Release: 20.04
Codename: focal
Source: https://sourceware.org/bugzilla/show_bug.cgi?id=32642
User: wenjusun (UID 80422)
Submission: 02/05/2025 01:57 PM (1 Year ago)
Moderation: 02/10/2025 11:58 AM (5 days later)
Status: Accepted
VulDB entry: 295083 [GNU Binutils 2.43 ld bfd/elf-eh-frame.c _bfd_elf_write_section_eh_frame memory corruption]
Points: 20
