Bug 22373

Summary: Integer overflow in pe_bfd_read_buildid()
Product: binutils
Reporter: Mingi Cho <mgcho.minic>
Component: binutils
Assignee: Not yet assigned to anyone <unassigned>
Status: RESOLVED FIXED
Severity: normal
CC: nickc
Priority: P2
Version: 2.30
Target Milestone: ---
Host:
Target:
Build:
Last reconfirmed:
Attachments: POC of the crash

Description Mingi Cho 2017-10-31 05:01:26 UTC
Created attachment 10560
POC of the crash

Triggered by "./objdump -x $POC"
Tested on Ubuntu 16.04 (x86)


An integer overflow occurs when checking the size of the debug directory of a PE format binary file.


The GDB debugging information is as follows:

(gdb) r -x $POC

Program received signal SIGSEGV, Segmentation fault.
0x080c55f5 in bfd_getl32 (p=0x8276000) at libbfd.c:557
557	  v = (unsigned long) addr[0];
(gdb) bt
#0  0x080c55f5 in bfd_getl32 (p=0x8276000) at libbfd.c:557
#1  0x08155ff6 in _bfd_pei_swap_debugdir_in (abfd=0x8255a08, ext1=0x8276000, in1=0xbfffe168) at peigen.c:1119
#2  0x0814d8e6 in pe_bfd_read_buildid (abfd=0x8255a08) at ./peicode.h:1353
#3  0x0814b813 in pe_bfd_object_p (abfd=0x8255a08) at ./peicode.h:1497
#4  0x080c323c in bfd_check_format_matches (abfd=0x8255a08, format=bfd_object, matching=0xbfffedb0) at format.c:311
#5  0x0804b5be in display_object_bfd (abfd=0x8255a08) at ./objdump.c:3609
#6  0x0804b587 in display_any_bfd (file=0x8255a08, level=0) at ./objdump.c:3700
#7  0x0804b2b1 in display_file (
    filename=0xbffff257 "/home/min/fuzzing/result/binutils/objdump_x_D_s_pe_1/crashes/id:000015,sig:06,src:000270,op:havoc,rep:64", target=0x0, last_file=1) at ./objdump.c:3721
#8  0x0804ae80 in main (argc=3, argv=0xbffff044) at ./objdump.c:4023


Proposed patch:

--- a/bfd/peicode.h
+++ b/bfd/peicode.h
@@ -1328,7 +1328,7 @@ pe_bfd_read_buildid (bfd *abfd)
   dataoff = addr - section->vma;
 
   /* PR 20605: Make sure that the data is really there.  */
-  if (dataoff + size > section->size)
+  if (size > section->size - dataoff)
     {
       _bfd_error_handler (_("%B: Error: Debug Data ends beyond end of debug directory."),
                          abfd);
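
Review bot: The new condition `size > section->size - dataoff` can still wrap in the subtraction: dataoff is computed just above as `addr - section->vma` and nothing in this hunk bounds it, so (assuming these are unsigned) a dataoff larger than section->size yields a very large right-hand side and the check passes. Test the offset first, for example `if (dataoff >= section->size || size > section->size - dataoff)`, and consider rewording the error message so it also covers a bad offset.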


Credits:

This vulnerability was discovered by Mingi Cho and Taekyoung Kwon of the Information Security Lab, Yonsei University. Please contact mgcho.minic@gmail.com and taekyoung@yonsei.ac.kr if you need more information about the vulnerability and the lab.
Comment 1 Sourceware Commits 2017-10-31 14:31:12 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=0bb6961f18b8e832d88b490d421ca56cea16c45b

commit 0bb6961f18b8e832d88b490d421ca56cea16c45b
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Oct 31 14:29:40 2017 +0000

    Fix illegal memory access triggered when parsing a PE binary with a corrupt data dictionary.
    
    	PR 22373
    	* peicode.h (pe_bfd_read_buildid): Check for invalid size and data
    	offset values.
Comment 2 Nick Clifton 2017-10-31 14:34:07 UTC
Hi Mingi,

  Thank you for reporting this bug, and for providing a patch as well.

  I have checked in a variant of your patch, since it occurred to me
  that the dataoff value might also be excessively large, and this
  would not have been caught by either the original code or your patch.

Cheers
  Nick
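
Added example, not part of the bug thread and not the code that was committed: it compares the original check, the check from the proposed patch, and a hypothetical hardened form on constructed inputs. Assumptions: 32-bit unsigned values (modelling the x86 build in the report), a 0x1000-byte section, and the function names, which are illustrative.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: 32-bit unsigned values, modelling the x86 build in the report. */
typedef uint32_t u32;

/* Original check: dataoff + size can wrap past zero and look small. */
static bool ok_original(u32 dataoff, u32 size, u32 secsize)
{
  return !((u32) (dataoff + size) > secsize);
}

/* Check from the proposed patch: the addition is gone, but
   secsize - dataoff wraps when dataoff is larger than secsize. */
static bool ok_proposed(u32 dataoff, u32 size, u32 secsize)
{
  return !(size > (u32) (secsize - dataoff));
}

/* Hypothetical hardened form: bound dataoff first, so the subtraction
   cannot wrap, then compare size against the space that remains. */
static bool ok_hardened(u32 dataoff, u32 size, u32 secsize)
{
  if (dataoff >= secsize)
    return false;
  return size <= secsize - dataoff;
}

int main(void)
{
  /* Constructed inputs; the section is 0x1000 bytes in every row. */
  static const struct { u32 dataoff, size; } rows[] = {
    { 0x00000100u, 0x00000200u },  /* in range */
    { 0x00000100u, 0xffffff80u },  /* huge size: the sum wraps */
    { 0x00002000u, 0x00000010u },  /* dataoff past the end */
    { 0xfffffff0u, 0x00000020u },  /* huge dataoff: the sum wraps too */
  };
  const u32 secsize = 0x1000u;

  puts("dataoff    size       original proposed hardened");
  for (size_t i = 0; i < sizeof rows / sizeof rows[0]; i++)
    printf("0x%08x 0x%08x %-8s %-8s %s\n",
           (unsigned) rows[i].dataoff, (unsigned) rows[i].size,
           ok_original(rows[i].dataoff, rows[i].size, secsize) ? "accept" : "reject",
           ok_proposed(rows[i].dataoff, rows[i].size, secsize) ? "accept" : "reject",
           ok_hardened(rows[i].dataoff, rows[i].size, secsize) ? "accept" : "reject");
  return 0;
}
```

The last row is accepted by both the original and the proposed check and rejected only once the offset is bounded first.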
Comment 3 Sourceware Commits 2017-11-01 12:38:39 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e0115a844607b280449986e661f551dff49a9031

commit e0115a844607b280449986e661f551dff49a9031
Author: Nick Clifton <nickc@redhat.com>
Date:   Wed Nov 1 12:37:33 2017 +0000

    Update check for invalid values in pe_bfd_read_buildid function.
    
    	PR 22373
    	* peicode.h (pe_bfd_read_buildid): Revise check for invalid size
    	and offset in light of further possible bogus values.
Comment 4 Alan Modra 2018-05-09 05:40:37 UTC
*** Bug 22372 has been marked as a duplicate of this bug. ***