Bug 21412 - global-buffer-overflow in objcopy
Summary: global-buffer-overflow in objcopy
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils (show other bugs)
Version: 2.28
: P2 normal
Target Milestone: ---
Assignee: Alan Modra
: 21410 21413 (view as bug list)
Depends on:
Reported: 2017-04-22 05:04 UTC by Manh-Dung Nguyen
Modified: 2017-05-02 01:37 UTC (History)
2 users (show)

See Also:
Last reconfirmed: 2017-04-23 00:00:00

Bug triggering input (162 bytes, application/x-object)
2017-04-22 05:04 UTC, Manh-Dung Nguyen

Note You need to log in before you can comment on or make changes to this bug.
Description Manh-Dung Nguyen 2017-04-22 05:04:03 UTC
Created attachment 10008 [details]
Bug triggering input

Dear All,

This bug was found with AFLGo, a directed version of AFL/AFLFast. Thanks also to Marcel Böhme and Van-Thuan Pham.

This bug was found on Ubuntu 14.04 64-bit & binutils was checked out from main repository at git://sourceware.org/git/binutils-gdb.git. Its commit is a6c21d4a553de184562fd8409a5bcd3f2cc2561a (Wed Apr 19 13:16:05 2017).

binutils was built with ASAN using gcc-6.2 and clang-3.4. The configure command was:

CC=clang CFLAGS="-DFORTIFY_SOURCE=2 -fstack-protector-all -fsanitize=undefined,address -fno-omit-frame-pointer -g -Wno-error" ../configure --disable-shared --disable-gdb --disable-libdecnumber --disable-readline --disable-sim

To reproduce:
Download the attached file - bug_1
objcopy --compress-debug-sections bug_1

ASAN says:
==149346==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000001a69aa4 at pc 0x00000044f150 bp 0x7ffe5c0b4d90 sp 0x7ffe5c0b4550
READ of size 1 at 0x000001a69aa4 thread T0
    #0 0x44f14f in __interceptor_strcmp (/home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/objcopy+0x44f14f)
    #1 0xb11a0a in _bfd_elf_get_reloc_section /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/elf.c:3568:10
    #2 0xb3e092 in assign_section_numbers /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/elf.c:3844:8
    #3 0xb15eb0 in _bfd_elf_compute_section_file_positions /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/elf.c:4184:8
    #4 0xb7af5f in _bfd_elf_write_object_contents /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/elf.c:6289:12
    #5 0x846b86 in bfd_close /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/opncls.c:733:13
    #6 0x4ebecf in copy_file /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/../../binutils/objcopy.c:3340:51
    #7 0x4d6716 in copy_main /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/../../binutils/objcopy.c:5266:3
    #8 0x4cac8a in main /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/../../binutils/objcopy.c:5367:5
    #9 0x7f1ca55e3f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287
    #10 0x4ca31c in _start (/home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/objcopy+0x4ca31c)
Comment 1 Alan Modra 2017-04-23 02:44:43 UTC
*** Bug 21410 has been marked as a duplicate of this bug. ***
Comment 2 Alan Modra 2017-04-23 02:49:43 UTC
*** Bug 21413 has been marked as a duplicate of this bug. ***
Comment 3 Sourceware Commits 2017-04-23 11:54:00 UTC
The master branch has been updated by Alan Modra <amodra@sourceware.org>:


commit bce964aa6c777d236fbd641f2bc7bb931cfe4bf3
Author: Alan Modra <amodra@gmail.com>
Date:   Sun Apr 23 11:03:34 2017 +0930

    PR 21412, get_reloc_section assumes .rel/.rela name for SHT_REL/RELA.
    This patch fixes an assumption made by code that runs for objcopy and
    strip, that SHT_REL/SHR_RELA sections are always named starting with a
    .rel/.rela prefix.  I'm also modifying the interface for
    elf_backend_get_reloc_section, so any backend function just needs to
    handle name mapping.
    	PR 21412
    	* elf-bfd.h (struct elf_backend_data <get_reloc_section>): Change
    	parameters and comment.
    	(_bfd_elf_get_reloc_section): Delete.
    	(_bfd_elf_plt_get_reloc_section): Declare.
    	* elf.c (_bfd_elf_plt_get_reloc_section, elf_get_reloc_section):
    	New functions.  Don't blindly skip over assumed .rel/.rela prefix.
    	Extracted from..
    	(_bfd_elf_get_reloc_section): ..here.  Delete.
    	(assign_section_numbers): Call elf_get_reloc_section.
    	* elf64-ppc.c (elf_backend_get_reloc_section): Define.
    	* elfxx-target.h (elf_backend_get_reloc_section): Update.
Comment 4 Alan Modra 2017-04-23 13:34:28 UTC
Comment 5 Manh-Dung Nguyen 2017-05-02 01:37:05 UTC
Thanks Alan Modra. This is CVE-2017-8393.