Re: binutils: two NULL pointer dereference in elflink.c

[Marcus Meissner <meissner () suse de>]

Hi,

But it did not crash, so the pointer never got derefenced, NULL was just
passed through pointer arithmetics.

_bfd_generic_link_add_one_symbol() in 2.28 catches bh being NULL
(The if (*hashp==NULL)) checks.)

Ciao, Marcus

On Mon, Apr 10, 2017 at 07:47:33AM +0000, Agostino Sarubbo wrote:
> Description:
> binutils are a collection of binary tools necessary to build programs.
>
> An updated clang version were able to discover two null pointer dereference in the following simple way:
>
> # echo "int main () { return 0; }" > test.c
> # cc test.c -o test
> /tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/bfd/elflink.c:124:12: runtime error: member access within 
> null pointer of type 'struct elf_link_hash_entry'                            
>
> /tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/bfd/elflink.c:11979:58: runtime error: member access within 
> null pointer of type 'elf_section_list' (aka 'struct elf_section_list')  
> Affected version:
> 2.28
>
> Fixed version:
> N/A
>
> Commit fix:
> https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ad32986fdf9da1c8748e47b8b45100398223dba8
>
> Credit:
> This bug was discovered by Agostino Sarubbo of Gentoo.
>
> CVE:
> CVE-2017-7614
>
> Timeline:
> 2017-04-01: bug discovered and reported to upstream
> 2017-04-04: upstream released a patch
> 2017-04-05: blog post about the issue
> 2017-04-09: CVE assigned
>
> Note:
> This bug was found with clang’s Undefined Behavior Sanitizer.
>
> Permalink:
> https://blogs.gentoo.org/ago/2017/04/05/binutils-two-null-pointer-dereference-in-elflink-c/
>
> --
> Agostino Sarubbo
> Gentoo Linux Developer


-- 
Marcus Meissner,SUSE LINUX GmbH; Maxfeldstrasse 5; D-90409 Nuernberg; Zi. 3.1-33,+49-911-740 
53-432,,serv=loki,mail=wotan,type=real <meissner () suse de>