{"id":2331,"date":"2017-10-03T16:34:10","date_gmt":"2017-10-03T14:34:10","guid":{"rendered":"http:\/\/blogs.gentoo.org\/ago\/?p=2331"},"modified":"2017-10-04T12:58:38","modified_gmt":"2017-10-04T10:58:38","slug":"binutils-null-pointer-dereference-in-bfd_hash_hash-hash-c","status":"publish","type":"post","link":"https:\/\/blogs.gentoo.org\/ago\/2017\/10\/03\/binutils-null-pointer-dereference-in-bfd_hash_hash-hash-c\/","title":{"rendered":"binutils: NULL pointer dereference in bfd_hash_hash (hash.c)"},"content":{"rendered":"<p><strong>Description<\/strong>:<br \/>\n<a href=\"https:\/\/sourceware.org\/binutils\/\">binutils<\/a> is a set of tools necessary to build programs.<\/p>\n<p>The stacktrace of this issue appears to be a NULL pointer access. However the upstream maintainer changed the summary of the bugreport to &#8220;DW_AT_name with out of bounds reference&#8221;. The commit also reference to &#8220;DW_AT_name with out of bounds reference&#8221;<\/p>\n<p>The complete ASan output of the issue:<\/p>\n<pre><font size=\"2\"># nm -A -a -l -S -s --special-syms --synthetic --with-symbol-versions -D $FILE\r\n==8739==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000053bf16 bp 0x7ffcab59ee60 sp 0x7ffcab59ee20 T0)\r\n==8739==The signal is caused by a READ memory access.\r\n==8739==Hint: address points to the zero page.\r\n    #0 0x53bf15 in bfd_hash_hash \/var\/tmp\/portage\/sys-devel\/binutils-9999\/work\/binutils\/bfd\/hash.c:441:15\r\n    #1 0x53bf15 in bfd_hash_lookup \/var\/tmp\/portage\/sys-devel\/binutils-9999\/work\/binutils\/bfd\/hash.c:467\r\n    #2 0x6a2049 in insert_info_hash_table \/var\/tmp\/portage\/sys-devel\/binutils-9999\/work\/binutils\/bfd\/dwarf2.c:487:37\r\n    #3 0x6a2049 in comp_unit_hash_info \/var\/tmp\/portage\/sys-devel\/binutils-9999\/work\/binutils\/bfd\/dwarf2.c:3776\r\n    #4 0x6a2049 in stash_maybe_update_info_hash_tables \/var\/tmp\/portage\/sys-devel\/binutils-9999\/work\/binutils\/bfd\/dwarf2.c:4120\r\n    #5 0x69cbbc in stash_maybe_enable_info_hash_tables \/var\/tmp\/portage\/sys-devel\/binutils-9999\/work\/binutils\/bfd\/dwarf2.c:4214:3\r\n    #6 0x69cbbc in _bfd_dwarf2_find_nearest_line \/var\/tmp\/portage\/sys-devel\/binutils-9999\/work\/binutils\/bfd\/dwarf2.c:4613\r\n    #7 0x5f330e in _bfd_elf_find_line \/var\/tmp\/portage\/sys-devel\/binutils-9999\/work\/binutils\/bfd\/elf.c:8695:10\r\n    #8 0x5176a3 in print_symbol \/var\/tmp\/portage\/sys-devel\/binutils-9999\/work\/binutils\/binutils\/nm.c:1003:9\r\n    #9 0x514e4d in print_symbols \/var\/tmp\/portage\/sys-devel\/binutils-9999\/work\/binutils\/binutils\/nm.c:1084:7\r\n    #10 0x514e4d in display_rel_file \/var\/tmp\/portage\/sys-devel\/binutils-9999\/work\/binutils\/binutils\/nm.c:1200\r\n    #11 0x510976 in display_file \/var\/tmp\/portage\/sys-devel\/binutils-9999\/work\/binutils\/binutils\/nm.c:1318:7\r\n    #12 0x50f4ce in main \/var\/tmp\/portage\/sys-devel\/binutils-9999\/work\/binutils\/binutils\/nm.c:1792:12\r\n    #13 0x7fd148c7b680 in __libc_start_main \/var\/tmp\/portage\/sys-libs\/glibc-2.23-r4\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n    #14 0x41a638 in chmod (\/usr\/x86_64-pc-linux-gnu\/binutils-bin\/git\/nm+0x41a638)\r\n\r\nAddressSanitizer can not provide additional info.\r\nSUMMARY: AddressSanitizer: SEGV \/var\/tmp\/portage\/sys-devel\/binutils-9999\/work\/binutils\/bfd\/hash.c:441:15 in bfd_hash_hash\r\n==8739==ABORTING\r\n<\/font><\/pre>\n<p><strong>Affected version:<\/strong><br \/>\n2.29.51.20170924 and maybe past releases<\/p>\n<p><strong>Fixed version:<\/strong><br \/>\nN\/A<\/p>\n<p><strong>Commit fix:<\/strong><br \/>\n<a href=\"https:\/\/sourceware.org\/git\/gitweb.cgi?p=binutils-gdb.git;h=11855d8a1f11b102a702ab76e95b22082cccf2f8\">https:\/\/sourceware.org\/git\/gitweb.cgi?p=binutils-gdb.git;h=11855d8a1f11b102a702ab76e95b22082cccf2f8<\/a><\/p>\n<p><strong>Credit:<\/strong><br \/>\nThis bug was discovered by Agostino Sarubbo of Gentoo.<\/p>\n<p><strong>CVE:<\/strong><br \/>\nCVE-2017-15022<\/p>\n<p><strong>Reproducer:<\/strong><br \/>\n<a href=\"https:\/\/github.com\/asarubbo\/poc\/blob\/master\/00375-binutils-NULLptr-bfd_hash_hash\">https:\/\/github.com\/asarubbo\/poc\/blob\/master\/00375-binutils-NULLptr-bfd_hash_hash<\/a><\/p>\n<p><strong>Timeline:<\/strong><br \/>\n2017-09-25: bug discovered and reported to upstream<br \/>\n2017-09-25: upstream released a patch<br \/>\n2017-10-03: blog post about the issue<br \/>\n2017-10-04: CVE assigned<\/p>\n<p><strong>Note:<\/strong><br \/>\nThis bug was found with <a href=\"http:\/\/lcamtuf.coredump.cx\/afl\">American Fuzzy Lop<\/a>.<br \/>\nThis bug was identified with bare metal servers donated by <a href=\"https:\/\/www.packet.net\/\">Packet<\/a>. This work is also supported by the <a href=\"https:\/\/www.coreinfrastructure.org\">Core<br \/>\nInfrastructure Initiative<\/a>.                                                                                                                                                                                    <\/p>\n<p><strong>Permalink:<\/strong>                                                                                                                                                                                       <\/p>\n<blockquote class=\"wp-embedded-content\" data-secret=\"mQeOiUPtWi\"><p><a href=\"http:\/\/blogs.gentoo.org\/ago\/2017\/10\/03\/binutils-null-pointer-dereference-in-bfd_hash_hash-hash-c\/\">binutils: NULL pointer dereference in bfd_hash_hash (hash.c)<\/a><\/p><\/blockquote>\n<p><iframe class=\"wp-embedded-content\" sandbox=\"allow-scripts\" security=\"restricted\" style=\"position: absolute; clip: rect(1px, 1px, 1px, 1px);\" src=\"http:\/\/blogs.gentoo.org\/ago\/2017\/10\/03\/binutils-null-pointer-dereference-in-bfd_hash_hash-hash-c\/embed\/#?secret=mQeOiUPtWi\" data-secret=\"mQeOiUPtWi\" width=\"600\" height=\"338\" title=\"&#8220;binutils: NULL pointer dereference in bfd_hash_hash (hash.c)&#8221; &#8212; agostino&#039;s blog\" frameborder=\"0\" marginwidth=\"0\" marginheight=\"0\" scrolling=\"no\"><\/iframe><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Description: binutils is a set of tools necessary to build programs. The stacktrace of this issue appears to be a NULL pointer access. However the upstream maintainer changed the summary of the bugreport to &#8220;DW_AT_name with out of bounds reference&#8221;. &hellip; <a href=\"https:\/\/blogs.gentoo.org\/ago\/2017\/10\/03\/binutils-null-pointer-dereference-in-bfd_hash_hash-hash-c\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":140,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true},"categories":[12,10],"tags":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p2EaBc-BB","_links":{"self":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/2331"}],"collection":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/users\/140"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/comments?post=2331"}],"version-history":[{"count":2,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/2331\/revisions"}],"predecessor-version":[{"id":2342,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/2331\/revisions\/2342"}],"wp:attachment":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/media?parent=2331"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/categories?post=2331"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/tags?post=2331"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}