Summary: | Heap out of bounds read in parse_comp_unit() | ||
---|---|---|---|
Product: | binutils | Reporter: | Kamil Frankowicz <fumfi.255> |
Component: | binutils | Assignee: | Not yet assigned to anyone <unassigned> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | amodra, nickc |
Priority: | P2 | ||
Version: | 2.29 | ||
Target Milestone: | 2.29.1 | ||
Host: | Target: | ||
Build: | Last reconfirmed: | ||
Attachments: | POC to trigger heap out of bounds read (objdump) |
The master branch has been updated by Nick Clifton <nickc@sourceware.org>: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e4f2723003859dc6b33ca0dadbc4a7659ebf1643 commit e4f2723003859dc6b33ca0dadbc4a7659ebf1643 Author: Nick Clifton <nickc@redhat.com> Date: Thu Aug 31 17:03:23 2017 +0100 Fix buffer read overrun by ensuring that DWARF sections containing strings always end in a NUL byte. PR 22047 * dwarf2.c (read_section): If necessary add a terminating NUL byte to dwarf string sections. Hi Kamil, Thanks for reporting this bug. I have checked in a patch to the mainline development sources to fix the problem, by ensuring that any DWARF section containing strings is terminated with a NUL byte when it is read in. I have not applied the patch to the current 2.29 branch however as I am a little bit concerned that I may have overlooked something. So I would like to wait a few days to see if any problems arise with this fix. Cheers Nick The binutils-2_29-branch branch has been updated by Nick Clifton <nickc@sourceware.org>: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=4c730770f07e4b5da5ab0a7654056cc9532b967d commit 4c730770f07e4b5da5ab0a7654056cc9532b967d Author: Nick Clifton <nickc@redhat.com> Date: Sun Sep 10 10:26:33 2017 +0100 Import fix from mainline that fixes buffer overrun errors when parsing corrupt DWARF debug information string sections. PR 22047 * dwarf2.c (read_section): If necessary add a terminating NUL byte to dwarf string sections. The master branch has been updated by Alan Modra <amodra@sourceware.org>: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=4b04bba2eb6b646e11a2c38c77667875b3db6828 commit 4b04bba2eb6b646e11a2c38c77667875b3db6828 Author: Alan Modra <amodra@gmail.com> Date: Sun Oct 1 12:07:59 2017 +1030 PR22047, Heap out of bounds read in parse_comp_unit Like the PR22230 fix, we can allocate a buffer with an extra byte rather than letting bfd_simple_get_relocated_section_contents malloc and return a buffer. Much better than allocating another buffer afterwards. PR 22047 * dwarf2.c (read_section): Allocate buffer with extra byte for bfd_simple_get_relocated_section_contents rather than copying afterwards. Fixed |
Created attachment 10377 [details] POC to trigger heap out of bounds read (objdump) After some fuzz testing I found a crashing test case. Version: 2.29 Command: objdump -x -Wl -R -SD objdump_hoobr_parse_comp_unit ASAN: ==15019==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000dc00 at pc 0x000000428212 bp 0x7ffc49ab82d0 sp 0x7ffc49ab7a78 READ of size 35 at 0x60400000dc00 thread T0 #0 0x428211 in __interceptor_index /home/llvm/clang-3.9/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:468:5 #1 0x7c6fbd in parse_comp_unit XYZ/binutils-2.29/bfd/./dwarf2.c:3453:14 #2 0x7c6fbd in _bfd_dwarf2_find_nearest_line XYZ/binutils-2.29/bfd/./dwarf2.c:4696 #3 0x7148fb in _bfd_elf_find_nearest_line XYZ/binutils-2.29/bfd/elf.c:8636:7 #4 0x4f6709 in show_line XYZ/binutils-2.29/binutils/./objdump.c:1486:9 #5 0x4f6709 in disassemble_bytes XYZ/binutils-2.29/binutils/./objdump.c:1791 #6 0x4f6709 in disassemble_section XYZ/binutils-2.29/binutils/./objdump.c:2313 #7 0x66e1d9 in bfd_map_over_sections XYZ/binutils-2.29/bfd/section.c:1395:5 #8 0x4ebd50 in disassemble_data XYZ/binutils-2.29/binutils/./objdump.c:2449:3 #9 0x4ebd50 in dump_bfd XYZ/binutils-2.29/binutils/./objdump.c:3546 #10 0x4e8be1 in display_object_bfd XYZ/binutils-2.29/binutils/./objdump.c:3603:7 #11 0x4e8be1 in display_any_bfd XYZ/binutils-2.29/binutils/./objdump.c:3692 #12 0x4e7d5a in display_file XYZ/binutils-2.29/binutils/./objdump.c:3713:3 #13 0x4e7d5a in main XYZ/binutils-2.29/binutils/./objdump.c:4015 #14 0x7f485fa5882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) #15 0x419d98 in _start (XYZ/binutils-2.29/binutils/objdump+0x419d98) 0x60400000dc00 is located 0 bytes to the right of 48-byte region [0x60400000dbd0,0x60400000dc00) allocated by thread T0 here: #0 0x4b85ac in malloc /home/llvm/clang-3.9/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64:3 #1 0x6618b3 in bfd_malloc XYZ/binutils-2.29/bfd/libbfd.c:193:9 #2 0x66f01b in bfd_simple_get_relocated_section_contents XYZ/binutils-2.29/bfd/simple.c:193:12 #3 0x7bba33 in read_section XYZ/binutils-2.29/bfd/./dwarf2.c:556:8 SUMMARY: AddressSanitizer: heap-buffer-overflow /home/llvm/clang-3.9/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:468:5 in __interceptor_index Shadow bytes around the buggy address: 0x0c087fff9b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c087fff9b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c087fff9b50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c087fff9b60: fa fa fa fa fa fa fa fa fa fa 00 00 00 00 00 00 0x0c087fff9b70: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00 =>0x0c087fff9b80:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c087fff9b90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c087fff9ba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c087fff9bb0: fa fa fa fa fa fa fa fa fa fa 00 00 00 00 00 05 0x0c087fff9bc0: fa fa fa fa fa fa fa fa fa fa 00 00 00 00 00 00 0x0c087fff9bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==15019==ABORTING