Bug 21916 - Null-Deref and OOB Read in ELF Parsing
Summary: Null-Deref and OOB Read in ELF Parsing
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils
Version: 2.30
Importance: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Duplicates: 22080 22366
Depends on:
Blocks:
 
Reported: 2017-08-07 17:31 UTC by Ned Williamson
Modified: 2017-10-30 02:21 UTC
CC List: 3 users

See Also:
Host:
Target:
Build:
Last reconfirmed:


Attachments
3 testcases with ASAN output (2.07 KB, application/x-xz)
2017-08-07 17:31 UTC, Ned Williamson
Description Ned Williamson 2017-08-07 17:31:20 UTC
Created attachment 10324
3 testcases with ASAN output

Hi there, I have a few more testcases to report. One triggers a null-dereference, and the other two trigger two out of bounds reads which I think are caused by distinct issues.

I've attached the cases here. Building with a recent version of clang+ASAN should show the bugs when running `for fn in bugs4/*; do echo $fn; ./objdump -d $fn; done`.
Comment 1 Sourceware Commits 2017-08-08 12:21:16 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=24d3e51bf0612c6cf5e9a824b982e7ed38e741c8

commit 24d3e51bf0612c6cf5e9a824b982e7ed38e741c8
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Aug 8 13:20:02 2017 +0100

    Fix address violation problems when parsing corrupt ELF binaries.
    
    	PR 21916
    	* elf-attrs.c (_bfd_elf_parse_attributes): Complain about very
    	small section lengths.
    	* elf.c (_bfd_elf_setup_sections): Skip empty entries in the group
    	table.
    	(elfcore_grok_freebsd_prstatus): Add checks to make sure that
    	there is enough data present in the note.
Comment 2 Nick Clifton 2017-08-08 12:22:11 UTC
Hi Ned,

  Thanks for reporting these problems.  I have checked in a small patch which
  addresses all of the issues that you detected.

Cheers
  Nick
Comment 3 Sourceware Commits 2017-09-04 16:06:59 UTC
The binutils-2_29-branch branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d6f8dea6798528de0fc762409595251eeeb1f547

commit d6f8dea6798528de0fc762409595251eeeb1f547
Author: Nick Clifton <nickc@redhat.com>
Date:   Mon Sep 4 17:05:17 2017 +0100

    Import patch from mainline to fix address violation errors when parsing corrupt ELF binaries.
    
    	PR 21916
    	* elf-attrs.c (_bfd_elf_parse_attributes): Complain about very
    	small section lengths.
    	* elf.c (_bfd_elf_setup_sections): Skip empty entries in the group
    	table.
    	(elfcore_grok_freebsd_prstatus): Add checks to make sure that
    	there is enough data present in the note.
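The ChangeLog entry in both commits above (mainline and the 2.29 branch) describes the third fix only as "checks to make sure that there is enough data present in the note". The following is an added illustration of that class of check, written for this page and not taken from BFD: a simplified ELF note reader that validates namesz and descsz against the bytes actually present, followed by a prstatus-style consumer that refuses a descriptor too small for the fields it reads. The little-endian layout, the 16-byte minimum and the pid offset are constructed for the example, not the FreeBSD layout binutils parses.

```c
#include <stddef.h>
#include <stdint.h>
/* Hypothetical, simplified ELF note reader written for this example (not
   BFD's code). A note is a 12-byte header (namesz, descsz, type; little-endian
   here) followed by the 4-byte-aligned name and descriptor. Every length is
   checked against the bytes actually present before anything is read. */
struct note_view { uint32_t type; const uint8_t *desc; size_t descsz; };

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static size_t align4(size_t n) { return (n + 3) & ~(size_t)3; }

/* Returns 1 and fills *out when the note in buf[0..len) is well-formed,
   0 when the header is missing or any length would run past the buffer. */
static int parse_note(const uint8_t *buf, size_t len, struct note_view *out)
{
    if (buf == NULL || len < 12) return 0;          /* no room for a header */
    uint32_t namesz = rd32le(buf), descsz = rd32le(buf + 4);
    if (namesz > len - 12) return 0;                /* name overruns buffer */
    size_t off = 12 + align4(namesz);               /* cannot overflow: namesz <= len */
    if (off > len || descsz > len - off) return 0;  /* desc overruns buffer */
    out->type = rd32le(buf + 8); out->desc = buf + off; out->descsz = descsz;
    return 1;
}

/* A prstatus-style consumer: the descriptor must be at least as large as the
   fields it reads. The 16-byte minimum and the pid offset are constructed for
   this example; they are not the FreeBSD layout binutils parses. */
enum { MIN_PRSTATUS_DESCSZ = 16, PID_OFFSET = 8 };
static int read_pid(const struct note_view *n, uint32_t *pid)
{
    if (n->descsz < MIN_PRSTATUS_DESCSZ) return 0;  /* too short: refuse */
    *pid = rd32le(n->desc + PID_OFFSET);
    return 1;
}
/* Constructed sample note: name "CORE\0" (namesz 5, padded to 8), 16-byte
   descriptor carrying pid 12345 at offset 8. */
static const uint8_t good_note[36] = {
    5,0,0,0, 16,0,0,0, 1,0,0,0, 'C','O','R','E',0,0,0,0,
    0,0,0,0, 0,0,0,0, 0x39,0x30,0,0, 0,0,0,0 };
/* Returns the pid when the whole note is usable, 0 when either check rejects it. */
static uint32_t pid_from_note(const uint8_t *buf, size_t len)
{
    struct note_view n; uint32_t pid;
    if (!parse_note(buf, len, &n) || !read_pid(&n, &pid)) return 0;
    return pid;
}
```

Passing the same buffer with a shorter length models a truncated or corrupt file: the parser rejects it instead of reading past the end, and a descriptor that parses but is smaller than the consumer needs is rejected at the second check.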
Comment 4 H.J. Lu 2017-09-05 00:26:12 UTC
*** Bug 22080 has been marked as a duplicate of this bug. ***
Comment 5 Alan Modra 2017-10-30 02:21:28 UTC
*** Bug 22366 has been marked as a duplicate of this bug. ***