Bug 22047

Summary: Heap out of bounds read in parse_comp_unit()
Product: binutils Reporter: Kamil Frankowicz <fumfi.255>
Component: binutilsAssignee: Not yet assigned to anyone <unassigned>
Status: RESOLVED FIXED    
Severity: normal CC: amodra, nickc
Priority: P2    
Version: 2.29   
Target Milestone: 2.29.1   
Host: Target:
Build: Last reconfirmed:
Attachments: POC to trigger heap out of bounds read (objdump)

Description Kamil Frankowicz 2017-08-30 20:21:51 UTC 
Created attachment 10377 [details]
POC to trigger heap out of bounds read (objdump)

After some fuzz testing I found a crashing test case.

Version: 2.29

Command: objdump -x -Wl -R -SD objdump_hoobr_parse_comp_unit

ASAN:

==15019==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000dc00 at pc 0x000000428212 bp 0x7ffc49ab82d0 sp 0x7ffc49ab7a78
READ of size 35 at 0x60400000dc00 thread T0
    #0 0x428211 in __interceptor_index /home/llvm/clang-3.9/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:468:5
    #1 0x7c6fbd in parse_comp_unit XYZ/binutils-2.29/bfd/./dwarf2.c:3453:14
    #2 0x7c6fbd in _bfd_dwarf2_find_nearest_line XYZ/binutils-2.29/bfd/./dwarf2.c:4696
    #3 0x7148fb in _bfd_elf_find_nearest_line XYZ/binutils-2.29/bfd/elf.c:8636:7
    #4 0x4f6709 in show_line XYZ/binutils-2.29/binutils/./objdump.c:1486:9
    #5 0x4f6709 in disassemble_bytes XYZ/binutils-2.29/binutils/./objdump.c:1791
    #6 0x4f6709 in disassemble_section XYZ/binutils-2.29/binutils/./objdump.c:2313
    #7 0x66e1d9 in bfd_map_over_sections XYZ/binutils-2.29/bfd/section.c:1395:5
    #8 0x4ebd50 in disassemble_data XYZ/binutils-2.29/binutils/./objdump.c:2449:3
    #9 0x4ebd50 in dump_bfd XYZ/binutils-2.29/binutils/./objdump.c:3546
    #10 0x4e8be1 in display_object_bfd XYZ/binutils-2.29/binutils/./objdump.c:3603:7
    #11 0x4e8be1 in display_any_bfd XYZ/binutils-2.29/binutils/./objdump.c:3692
    #12 0x4e7d5a in display_file XYZ/binutils-2.29/binutils/./objdump.c:3713:3
    #13 0x4e7d5a in main XYZ/binutils-2.29/binutils/./objdump.c:4015
    #14 0x7f485fa5882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #15 0x419d98 in _start (XYZ/binutils-2.29/binutils/objdump+0x419d98)

0x60400000dc00 is located 0 bytes to the right of 48-byte region [0x60400000dbd0,0x60400000dc00)
allocated by thread T0 here:
    #0 0x4b85ac in malloc /home/llvm/clang-3.9/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64:3
    #1 0x6618b3 in bfd_malloc XYZ/binutils-2.29/bfd/libbfd.c:193:9
    #2 0x66f01b in bfd_simple_get_relocated_section_contents XYZ/binutils-2.29/bfd/simple.c:193:12
    #3 0x7bba33 in read_section XYZ/binutils-2.29/bfd/./dwarf2.c:556:8

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/llvm/clang-3.9/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:468:5 in __interceptor_index
Shadow bytes around the buggy address:
  0x0c087fff9b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9b50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9b60: fa fa fa fa fa fa fa fa fa fa 00 00 00 00 00 00
  0x0c087fff9b70: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
=>0x0c087fff9b80:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9b90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9ba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9bb0: fa fa fa fa fa fa fa fa fa fa 00 00 00 00 00 05
  0x0c087fff9bc0: fa fa fa fa fa fa fa fa fa fa 00 00 00 00 00 00
  0x0c087fff9bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==15019==ABORTING
Comment 1 Sourceware Commits 2017-08-31 16:04:45 UTC 
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e4f2723003859dc6b33ca0dadbc4a7659ebf1643

commit e4f2723003859dc6b33ca0dadbc4a7659ebf1643
Author: Nick Clifton <nickc@redhat.com>
Date:   Thu Aug 31 17:03:23 2017 +0100

    Fix buffer read overrun by ensuring that DWARF sections containing strings always end in a NUL byte.
    
    	PR 22047
    	* dwarf2.c (read_section): If necessary add a terminating NUL byte
    	to dwarf string sections.
Comment 2 Nick Clifton 2017-08-31 16:07:33 UTC 
Hi Kamil,

  Thanks for reporting this bug.

  I have checked in a patch to the mainline development sources to fix the 
  problem, by ensuring that any DWARF section containing strings is 
  terminated with a NUL byte when it is read in.

  I have not applied the patch to the current 2.29 branch however as I am
  a little bit concerned that I may have overlooked something.  So I would
  like to wait a few days to see if any problems arise with this fix.

Cheers
  Nick
Comment 3 Sourceware Commits 2017-09-10 09:28:19 UTC 
The binutils-2_29-branch branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=4c730770f07e4b5da5ab0a7654056cc9532b967d

commit 4c730770f07e4b5da5ab0a7654056cc9532b967d
Author: Nick Clifton <nickc@redhat.com>
Date:   Sun Sep 10 10:26:33 2017 +0100

    Import fix from mainline that fixes buffer overrun errors when parsing corrupt DWARF debug information string sections.
    
    	PR 22047
    	* dwarf2.c (read_section): If necessary add a terminating NUL byte
    	to dwarf string sections.
Comment 4 Sourceware Commits 2017-10-01 02:05:01 UTC 
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=4b04bba2eb6b646e11a2c38c77667875b3db6828

commit 4b04bba2eb6b646e11a2c38c77667875b3db6828
Author: Alan Modra <amodra@gmail.com>
Date:   Sun Oct 1 12:07:59 2017 +1030

    PR22047, Heap out of bounds read in parse_comp_unit
    
    Like the PR22230 fix, we can allocate a buffer with an extra byte
    rather than letting bfd_simple_get_relocated_section_contents malloc
    and return a buffer.  Much better than allocating another buffer
    afterwards.
    
    	PR 22047
    	* dwarf2.c (read_section): Allocate buffer with extra byte for
    	bfd_simple_get_relocated_section_contents rather than copying
    	afterwards.
Comment 5 Alan Modra 2017-10-01 02:21:07 UTC 
Fixed