{"id":1800,"date":"2017-05-12T14:58:21","date_gmt":"2017-05-12T12:58:21","guid":{"rendered":"http:\/\/blogs.gentoo.org\/ago\/?p=1800"},"modified":"2017-05-18T12:48:13","modified_gmt":"2017-05-18T10:48:13","slug":"binutils-multiple-crashes","status":"publish","type":"post","link":"https:\/\/blogs.gentoo.org\/ago\/2017\/05\/12\/binutils-multiple-crashes\/","title":{"rendered":"binutils: multiple crashes"},"content":{"rendered":"

Description<\/strong>:
\nbinutils<\/a> are a collection of binary tools necessary to build programs.<\/p>\n

After the post on oss-security<\/a> from Thuan Pham I was interested too into the fuzz of binutils to see what will happen…Here are the partial results (I didn’t run the fuzzers against all command-line tools):<\/p>\n

# readelf -a $FILE\r\n==12002==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000039 at pc 0x0000005a4f79 bp 0x7ffea5d104d0 sp 0x7ffea5d104c8\r\nREAD of size 1 at 0x602000000039 thread T0\r\n    #0 0x5a4f78 in byte_get_little_endian \/var\/tmp\/portage\/sys-devel\/binutils-2.28\/work\/binutils-2.28\/binutils\/elfcomm.c:210:22\r\n    #1 0x565bc4 in process_mips_specific \/var\/tmp\/portage\/sys-devel\/binutils-2.28\/work\/binutils-2.28\/binutils\/readelf.c:15190:8\r\n    #2 0x52483a in process_arch_specific \/var\/tmp\/portage\/sys-devel\/binutils-2.28\/work\/binutils-2.28\/binutils\/readelf.c:16565:14\r\n    #3 0x52483a in process_object \/var\/tmp\/portage\/sys-devel\/binutils-2.28\/work\/binutils-2.28\/binutils\/readelf.c:16770\r\n    #4 0x50b57c in process_file \/var\/tmp\/portage\/sys-devel\/binutils-2.28\/work\/binutils-2.28\/binutils\/readelf.c:17138:13\r\n    #5 0x50b57c in main \/var\/tmp\/portage\/sys-devel\/binutils-2.28\/work\/binutils-2.28\/binutils\/readelf.c:17209\r\n    #6 0x7f2e28f6e680 in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n    #7 0x419f68 in dl_iterate_phdr (\/usr\/x86_64-pc-linux-gnu\/binutils-bin\/2.28\/readelf+0x419f68)\r\n\r\n0x602000000039 is located 0 bytes to the right of 9-byte region [0x602000000030,0x602000000039)\r\nallocated by thread T0 here:\r\n    #0 0x4cf918 in malloc \/tmp\/portage\/sys-libs\/compiler-rt-sanitizers-4.0.0\/work\/compiler-rt-4.0.0.src\/lib\/asan\/asan_malloc_linux.cc:66\r\n    #1 0x50be47 in get_data \/var\/tmp\/portage\/sys-devel\/binutils-2.28\/work\/binutils-2.28\/binutils\/readelf.c:392:9\r\n    #2 0x565a00 in process_mips_specific \/var\/tmp\/portage\/sys-devel\/binutils-2.28\/work\/binutils-2.28\/binutils\/readelf.c:15169:32\r\n    #3 0x52483a in process_arch_specific \/var\/tmp\/portage\/sys-devel\/binutils-2.28\/work\/binutils-2.28\/binutils\/readelf.c:16565:14\r\n    #4 0x52483a in process_object \/var\/tmp\/portage\/sys-devel\/binutils-2.28\/work\/binutils-2.28\/binutils\/readelf.c:16770\r\n    #5 0x50b57c in process_file \/var\/tmp\/portage\/sys-devel\/binutils-2.28\/work\/binutils-2.28\/binutils\/readelf.c:17138:13\r\n    #6 0x50b57c in main \/var\/tmp\/portage\/sys-devel\/binutils-2.28\/work\/binutils-2.28\/binutils\/readelf.c:17209\r\n    #7 0x7f2e28f6e680 in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n\r\nSUMMARY: AddressSanitizer: heap-buffer-overflow \/var\/tmp\/portage\/sys-devel\/binutils-2.28\/work\/binutils-2.28\/binutils\/elfcomm.c:210:22 in byte_get_little_endian\r\n<\/font><\/pre>\n
Affected version:<\/strong>
\n2.28
\nFixed version:<\/strong>
\nN\/A
\nReproducer:<\/strong>
\nhttps:\/\/github.com\/asarubbo\/poc\/blob\/master\/00258-binutils-readelf-heapoverflow2-byte_get_little_endian<\/a>
\nCommit fix:<\/strong>
\nhttps:\/\/sourceware.org\/git\/gitweb.cgi?p=binutils-gdb.git;h=f32ba72991d2406b21ab17edc234a2f3fa7fb23d<\/a>
\nCVE:<\/strong>
\nCVE-2017-9038<\/p>\n
###########################################<\/p>\n
# readelf -a $FILE\r\n==20389==ERROR: AddressSanitizer failed to allocate 0x18da5b8000 (106742644736) bytes of LargeMmapAllocator (error code: 12)\r\n[...]\r\n==20389==AddressSanitizer CHECK failed: \/tmp\/portage\/sys-libs\/compiler-rt-sanitizers-4.0.0\/work\/compiler-rt-4.0.0.src\/lib\/sanitizer_common\/sanitizer_common.cc:120 \"((0 && \"unable to mmap\")) != (0)\" (0x0, 0x0)\r\n[...]\r\n    #8 0x66216d in xmalloc \/tmp\/portage\/sys-devel\/binutils-2.28\/work\/binutils-2.28\/libiberty\/xmalloc.c:148:12\r\n    #9 0x5e32c0 in cmalloc \/tmp\/portage\/sys-devel\/binutils-2.28\/work\/binutils-2.28\/binutils\/dwarf.c:7450:10\r\n    #10 0x582819 in get_program_headers \/tmp\/portage\/sys-devel\/binutils-2.28\/work\/binutils-2.28\/binutils\/readelf.c:4761:33\r\n    #11 0x55ab15 in process_program_headers \/tmp\/portage\/sys-devel\/binutils-2.28\/work\/binutils-2.28\/binutils\/readelf.c:4814:9\r\n    #12 0x52ea4f in process_object \/tmp\/portage\/sys-devel\/binutils-2.28\/work\/binutils-2.28\/binutils\/readelf.c:16751:7\r\n    #13 0x51780f in process_file \/tmp\/portage\/sys-devel\/binutils-2.28\/work\/binutils-2.28\/binutils\/readelf.c:17138:13\r\n    #14 0x51780f in main \/tmp\/portage\/sys-devel\/binutils-2.28\/work\/binutils-2.28\/binutils\/readelf.c:17209\r\n    #15 0x7f252d57178f in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n    #16 0x41a158 in getenv (\/usr\/x86_64-pc-linux-gnu\/binutils-bin\/2.28\/readelf+0x41a158)\r\n<\/font><\/pre>\n
Affected version:<\/strong>
\n2.28
\nFixed version:<\/strong>
\nN\/A
\nReproducer:<\/strong>
\nhttps:\/\/github.com\/asarubbo\/poc\/blob\/master\/00259-binutils-readelf-memallocfailure<\/a>
\nCommit fix:<\/strong>
\nhttps:\/\/sourceware.org\/git\/gitweb.cgi?p=binutils-gdb.git;h=82156ab704b08b124d319c0decdbd48b3ca2dac5<\/a>
\nCVE:<\/strong>
\nCVE-2017-9039<\/p>\n
###########################################<\/p>\n
# readelf -a $FILE\r\n==25206==WARNING: AddressSanitizer failed to allocate 0x40000000000070 bytes\r\n==25206==AddressSanitizer's allocator is terminating the process instead of returning 0\r\n==25206==If you don't like this behavior set allocator_may_return_null=1\r\n==25206==AddressSanitizer CHECK failed: \/tmp\/portage\/sys-libs\/compiler-rt-sanitizers-4.0.0\/work\/compiler-rt-4.0.0.src\/lib\/sanitizer_common\/sanitizer_allocator.cc:221 \"((0)) != (0)\" (0x0, 0x0)\r\n[...]\r\n    #6 0x66dcfd in xmalloc \/tmp\/portage\/sys-devel\/binutils-9999\/work\/binutils\/libiberty\/xmalloc.c:147:12\r\n    #7 0x5e5a20 in cmalloc \/tmp\/portage\/sys-devel\/binutils-9999\/work\/binutils\/binutils\/dwarf.c:8259:10\r\n    #8 0x5d2865 in process_mips_specific \/tmp\/portage\/sys-devel\/binutils-9999\/work\/binutils\/binutils\/readelf.c:15373:34\r\n    #9 0x54ac16 in process_arch_specific \/tmp\/portage\/sys-devel\/binutils-9999\/work\/binutils\/binutils\/readelf.c:17449:14\r\n    #10 0x54ac16 in process_object \/tmp\/portage\/sys-devel\/binutils-9999\/work\/binutils\/binutils\/readelf.c:17672\r\n    #11 0x5167f8 in process_file \/tmp\/portage\/sys-devel\/binutils-9999\/work\/binutils\/binutils\/readelf.c:18055:13\r\n    #12 0x5167f8 in main \/tmp\/portage\/sys-devel\/binutils-9999\/work\/binutils\/binutils\/readelf.c:18127\r\n    #13 0x7fca769b578f in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n    #14 0x41a088 in getenv (\/usr\/x86_64-pc-linux-gnu\/binutils-bin\/git\/readelf+0x41a088)\r\n<\/font><\/pre>\n
Affected version:<\/strong>
\nmaster after commit 82156ab704b08b124d319c0decdbd48b3ca2dac5 which fixed the bug above
\nFixed version:<\/strong>
\nN\/A
\nReproducer:<\/strong>
\nhttps:\/\/github.com\/asarubbo\/poc\/blob\/master\/00272-binutils-memallocfailure<\/a>
\nCommit fix:<\/strong>
\nhttps:\/\/sourceware.org\/git\/gitweb.cgi?p=binutils-gdb.git;h=7296a62a2a237f6b1ad8db8c38b090e9f592c8cf<\/a>
\nCVE:<\/strong>
\nCVE-2017-9040
\n###########################################<\/p>\n
# readelf -a $FILE\r\n==20287==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000039 at pc 0x00000064c061 bp 0x7ffcc34b2580 sp 0x7ffcc34b2578\r\nREAD of size 1 at 0x602000000039 thread T0\r\n    #0 0x64c060 in byte_get_little_endian \/tmp\/portage\/sys-devel\/binutils-2.28\/work\/binutils-2.28\/binutils\/elfcomm.c:210:22\r\n    #1 0x5d31c5 in process_mips_specific \/tmp\/portage\/sys-devel\/binutils-2.28\/work\/binutils-2.28\/binutils\/readelf.c:15190:8\r\n    #2 0x549e1d in process_arch_specific \/tmp\/portage\/sys-devel\/binutils-2.28\/work\/binutils-2.28\/binutils\/readelf.c:16565:14\r\n    #3 0x549e1d in process_object \/tmp\/portage\/sys-devel\/binutils-2.28\/work\/binutils-2.28\/binutils\/readelf.c:16770\r\n    #4 0x51780f in process_file \/tmp\/portage\/sys-devel\/binutils-2.28\/work\/binutils-2.28\/binutils\/readelf.c:17138:13\r\n    #5 0x51780f in main \/tmp\/portage\/sys-devel\/binutils-2.28\/work\/binutils-2.28\/binutils\/readelf.c:17209\r\n    #6 0x7fa5fc60b78f in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n    #7 0x41a158 in getenv (\/usr\/x86_64-pc-linux-gnu\/binutils-bin\/2.28\/readelf+0x41a158)\r\n\r\n0x602000000039 is located 0 bytes to the right of 9-byte region [0x602000000030,0x602000000039)\r\nallocated by thread T0 here:\r\n    #0 0x4d9828 in malloc \/tmp\/portage\/sys-libs\/compiler-rt-sanitizers-4.0.0\/work\/compiler-rt-4.0.0.src\/lib\/asan\/asan_malloc_linux.cc:66\r\n    #1 0x518af2 in get_data \/tmp\/portage\/sys-devel\/binutils-2.28\/work\/binutils-2.28\/binutils\/readelf.c:392:9\r\n    #2 0x5d2ee2 in process_mips_specific \/tmp\/portage\/sys-devel\/binutils-2.28\/work\/binutils-2.28\/binutils\/readelf.c:15169:32\r\n    #3 0x549e1d in process_arch_specific \/tmp\/portage\/sys-devel\/binutils-2.28\/work\/binutils-2.28\/binutils\/readelf.c:16565:14\r\n    #4 0x549e1d in process_object \/tmp\/portage\/sys-devel\/binutils-2.28\/work\/binutils-2.28\/binutils\/readelf.c:16770\r\n    #5 0x51780f in process_file \/tmp\/portage\/sys-devel\/binutils-2.28\/work\/binutils-2.28\/binutils\/readelf.c:17138:13\r\n    #6 0x51780f in main \/tmp\/portage\/sys-devel\/binutils-2.28\/work\/binutils-2.28\/binutils\/readelf.c:17209\r\n    #7 0x7fa5fc60b78f in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n\r\nSUMMARY: AddressSanitizer: heap-buffer-overflow \/tmp\/portage\/sys-devel\/binutils-2.28\/work\/binutils-2.28\/binutils\/elfcomm.c:210:22 in byte_get_little_endian\r\n<\/font><\/pre>\n
Affected version:<\/strong>
\n2.28
\nFixed version:<\/strong>
\nN\/A
\nReproducer:<\/strong>
\nhttps:\/\/github.com\/asarubbo\/poc\/blob\/master\/00258-binutils-readelf-heapoverflow2-byte_get_little_endian<\/a>
\nCommit fix:<\/strong>
\nhttps:\/\/sourceware.org\/git\/gitweb.cgi?p=binutils-gdb.git;h=75ec1fdbb797a389e4fe4aaf2e15358a070dcc19<\/a>
\nhttps:\/\/sourceware.org\/git\/gitweb.cgi?p=binutils-gdb.git;h=c4ab9505b53cdc899506ed421fddb7e1f8faf7a3<\/a>
\nCVE:<\/strong>
\nCVE-2017-9041<\/p>\n
###########################################<\/p>\n
# readelf -a $FILE\r\n\/tmp\/portage\/sys-devel\/binutils-9999\/work\/binutils\/binutils\/readelf.c:9447:39: runtime error: signed integer overflow: 7443 - -9223372036854775080 cannot be represented in type 'long'\r\n<\/font><\/pre>\n
Affected version:<\/strong>
\nmaster at 2017-04-12 (dunno about other versions)
\nFixed version:<\/strong>
\nN\/A
\nReproducer:<\/strong>
\nhttps:\/\/github.com\/asarubbo\/poc\/blob\/master\/00275-binutils-signintoverflow<\/a>
\nCommit fix:<\/strong>
\nhttps:\/\/sourceware.org\/git\/gitweb.cgi?p=binutils-gdb.git;h=7296a62a2a237f6b1ad8db8c38b090e9f592c8cf<\/a>
\nCVE:<\/strong>
\nCVE-2017-9042<\/p>\n
###########################################<\/p>\n
# readelf -a $FILE\r\n\/tmp\/portage\/sys-devel\/binutils-9999\/work\/binutils\/binutils\/readelf.c:16941:18: runtime error: shift exponent 64 is too large for 64-bit type 'unsigned long'\r\n<\/font><\/pre>\n
Affected version:<\/strong>
\nmaster at 2017-04-12 (dunno about other versions)
\nFixed version:<\/strong>
\nN\/A
\nReproducer:<\/strong>
\nhttps:\/\/github.com\/asarubbo\/poc\/blob\/master\/00274-binutils-shifttoolarge<\/a>
\nCommit fix:<\/strong>
\nhttps:\/\/sourceware.org\/git\/gitweb.cgi?p=binutils-gdb.git;h=ddef72cdc10d82ba011a7ff81cafbbd3466acf54<\/a>
\nCVE:<\/strong>
\nCVE-2017-9043
\n###########################################<\/p>\n
# readelf -a $FILE\r\n==7569==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000004 (pc 0x0000005ca9f5 bp 0x7ffcef629b70 sp 0x7ffcef629b20 T0)\r\n==7569==The signal is caused by a READ memory access.\r\n==7569==Hint: address points to the zero page.\r\n    #0 0x5ca9f4 in print_symbol_for_build_attribute \/tmp\/portage\/sys-devel\/binutils-9999\/work\/binutils\/binutils\/readelf.c:16671:16\r\n    #1 0x5c2d08 in process_note \/tmp\/portage\/sys-devel\/binutils-9999\/work\/binutils\/binutils\/readelf.c\r\n    #2 0x5bc388 in process_notes_at \/tmp\/portage\/sys-devel\/binutils-9999\/work\/binutils\/binutils\/readelf.c:17232:13\r\n    #3 0x5bbc82 in process_corefile_note_segments \/tmp\/portage\/sys-devel\/binutils-9999\/work\/binutils\/binutils\/readelf.c:17262:8\r\n    #4 0x548d86 in process_object \/tmp\/portage\/sys-devel\/binutils-9999\/work\/binutils\/binutils\/readelf.c\r\n    #5 0x5167f8 in process_file \/tmp\/portage\/sys-devel\/binutils-9999\/work\/binutils\/binutils\/readelf.c:18055:13\r\n    #6 0x5167f8 in main \/tmp\/portage\/sys-devel\/binutils-9999\/work\/binutils\/binutils\/readelf.c:18127\r\n    #7 0x7f8ede38078f in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n    #8 0x41a088 in getenv (\/usr\/x86_64-pc-linux-gnu\/binutils-bin\/git\/readelf+0x41a088)\r\n\r\nAddressSanitizer can not provide additional info.\r\nSUMMARY: AddressSanitizer: SEGV \/tmp\/portage\/sys-devel\/binutils-9999\/work\/binutils\/binutils\/readelf.c:16671:16 in print_symbol_for_build_attribute\r\n==7569==ABORTING\r\n<\/font><\/pre>\n
Affected version:<\/strong>
\nmaster at 2017-04-12 (dunno about other versions)
\nFixed version:<\/strong>
\nN\/A
\nReproducer:<\/strong>
\nhttps:\/\/github.com\/asarubbo\/poc\/blob\/master\/00273-binutils-NULLptr-print_symbol_for_build_attribute<\/a>
\nCommit fix:<\/strong>
\nN\/A, seems to be fixed by one of the previous commits.
\nCVE:<\/strong>
\nCVE-2017-9044<\/p>\n
###########################################<\/p>\n
Credit:<\/strong>
\nThese bugs were discovered by Agostino Sarubbo of Gentoo.<\/p>\n
Timeline:<\/strong>
\n2017-04-01: first bug discovered and reported to upstream
\n2017-05-12: blog post about the issue
\n2017-05-18: CVE assigned<\/p>\n
Note:<\/strong>
\nThese bugs were found with American Fuzzy Lop<\/a>.<\/p>\n
Permalink:<\/strong><\/p>\n
binutils: multiple crashes<\/a><\/p><\/blockquote>\n