Created attachment 10008 [details] Bug triggering input Dear All, This bug was found with AFLGo, a directed version of AFL/AFLFast. Thanks also to Marcel Böhme and Van-Thuan Pham. This bug was found on Ubuntu 14.04 64-bit & binutils was checked out from main repository at git://sourceware.org/git/binutils-gdb.git. Its commit is a6c21d4a553de184562fd8409a5bcd3f2cc2561a (Wed Apr 19 13:16:05 2017). binutils was built with ASAN using gcc-6.2 and clang-3.4. The configure command was: CC=clang CFLAGS="-DFORTIFY_SOURCE=2 -fstack-protector-all -fsanitize=undefined,address -fno-omit-frame-pointer -g -Wno-error" ../configure --disable-shared --disable-gdb --disable-libdecnumber --disable-readline --disable-sim To reproduce: Download the attached file - bug_1 objcopy --compress-debug-sections bug_1 ASAN says: ==149346==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000001a69aa4 at pc 0x00000044f150 bp 0x7ffe5c0b4d90 sp 0x7ffe5c0b4550 READ of size 1 at 0x000001a69aa4 thread T0 #0 0x44f14f in __interceptor_strcmp (/home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/objcopy+0x44f14f) #1 0xb11a0a in _bfd_elf_get_reloc_section /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/elf.c:3568:10 #2 0xb3e092 in assign_section_numbers /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/elf.c:3844:8 #3 0xb15eb0 in _bfd_elf_compute_section_file_positions /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/elf.c:4184:8 #4 0xb7af5f in _bfd_elf_write_object_contents /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/elf.c:6289:12 #5 0x846b86 in bfd_close /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/opncls.c:733:13 #6 0x4ebecf in copy_file /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/../../binutils/objcopy.c:3340:51 #7 0x4d6716 in copy_main /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/../../binutils/objcopy.c:5266:3 #8 0x4cac8a in main /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/../../binutils/objcopy.c:5367:5 #9 0x7f1ca55e3f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287 #10 0x4ca31c in _start (/home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/objcopy+0x4ca31c)
*** Bug 21410 has been marked as a duplicate of this bug. ***
*** Bug 21413 has been marked as a duplicate of this bug. ***
The master branch has been updated by Alan Modra <amodra@sourceware.org>: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=bce964aa6c777d236fbd641f2bc7bb931cfe4bf3 commit bce964aa6c777d236fbd641f2bc7bb931cfe4bf3 Author: Alan Modra <amodra@gmail.com> Date: Sun Apr 23 11:03:34 2017 +0930 PR 21412, get_reloc_section assumes .rel/.rela name for SHT_REL/RELA. This patch fixes an assumption made by code that runs for objcopy and strip, that SHT_REL/SHR_RELA sections are always named starting with a .rel/.rela prefix. I'm also modifying the interface for elf_backend_get_reloc_section, so any backend function just needs to handle name mapping. PR 21412 * elf-bfd.h (struct elf_backend_data <get_reloc_section>): Change parameters and comment. (_bfd_elf_get_reloc_section): Delete. (_bfd_elf_plt_get_reloc_section): Declare. * elf.c (_bfd_elf_plt_get_reloc_section, elf_get_reloc_section): New functions. Don't blindly skip over assumed .rel/.rela prefix. Extracted from.. (_bfd_elf_get_reloc_section): ..here. Delete. (assign_section_numbers): Call elf_get_reloc_section. * elf64-ppc.c (elf_backend_get_reloc_section): Define. * elfxx-target.h (elf_backend_get_reloc_section): Update.
Fixed
Thanks Alan Modra. This is CVE-2017-8393.