| Summary: | Heap overflow in bfd_getl32 | | |
|---|---|---|---|
| Product: | binutils | Reporter: | Insu Yun <insu> |
| Component: | binutils | Assignee: | Not yet assigned to anyone <unassigned> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | nickc |
| Priority: | P2 | | |
| Version: | 2.30 | | |
| Target Milestone: | --- | | |
| Host: | | Target: | |
| Build: | | Last reconfirmed: | |
| Attachments: | POC to trigger heap buffer overflow (objdump) | | |
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=80a0437873045cc08753fcac4af154e2931a99fd

    commit 80a0437873045cc08753fcac4af154e2931a99fd
    Author: Nick Clifton <nickc@redhat.com>
    Date:   Thu Nov 16 14:53:32 2017 +0000

        Prevent illegal memory accesses when parsing incorrectly formatted core notes.

        PR 22421
        * elf.c (elfcore_grok_netbsd_procinfo): Check that the note is big enough.
        (elfcore_grok_openbsd_procinfo): Likewise.
        (elfcore_grok_nto_status): Likewise.

Hi Insu,

Thanks for reporting this bug. I have checked in a patch to add some checks for the core notes being the correct size before attempting to parse them, and this fixes the problem.

Cheers
Nick
Created attachment 10581
POC to trigger heap buffer overflow (objdump)

Using our hybrid fuzzer, we found a crashing test case.

Version: f617a0f6ceeb34dfd39d8673b0ab225c9127aab6 (git)

Command: ./objdump -x ../output-1/afl-1/crashes/id:000000,sig:06,sync:qsym,src:00381

ASAN:

```
=================================================================
==7340==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60700000df84 at pc 0x0000005fa23e bp 0x7fffffffd8b0 sp 0x7fffffffd8a0
READ of size 4 at 0x60700000df84 thread T0
    #0 0x5fa23d in bfd_getl32 /home/insu/projects/qsym-eval/apps/binutils/binutils-gdb/bfd/libbfd.c:558
    #1 0x71befd in elfcore_grok_nto_status /home/insu/projects/qsym-eval/apps/binutils/binutils-gdb/bfd/elf.c:10217
    #2 0x71befd in elfcore_grok_nto_note /home/insu/projects/qsym-eval/apps/binutils/binutils-gdb/bfd/elf.c:10302
    #3 0x6b5e88 in elf_parse_notes /home/insu/projects/qsym-eval/apps/binutils/binutils-gdb/bfd/elf.c:11017
    #4 0x6d9c31 in elf_read_notes /home/insu/projects/qsym-eval/apps/binutils/binutils-gdb/bfd/elf.c:11066
    #5 0x6d9c31 in bfd_section_from_phdr /home/insu/projects/qsym-eval/apps/binutils/binutils-gdb/bfd/elf.c:2993
    #6 0x6a9bc9 in bfd_elf64_core_file_p /home/insu/projects/qsym-eval/apps/binutils/binutils-gdb/bfd/elfcore.h:277
    #7 0x5ef092 in bfd_check_format_matches /home/insu/projects/qsym-eval/apps/binutils/binutils-gdb/bfd/format.c:311
    #8 0x421aab in display_object_bfd objdump.c:3629
    #9 0x421aab in display_any_bfd objdump.c:3700
    #10 0x40e771 in display_file objdump.c:3721
    #11 0x40e771 in main objdump.c:4023
    #12 0x7ffff68bc82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #13 0x411c48 in _start (/home/insu/projects/qsym-eval/apps/binutils/out2/objdump+0x411c48)

0x60700000df85 is located 0 bytes to the right of 69-byte region [0x60700000df40,0x60700000df85)
allocated by thread T0 here:
    #0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x5f8bfa in bfd_malloc /home/insu/projects/qsym-eval/apps/binutils/binutils-gdb/bfd/libbfd.c:193

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/insu/projects/qsym-eval/apps/binutils/binutils-gdb/bfd/libbfd.c:558 bfd_getl32
Shadow bytes around the buggy address:
  0x0c0e7fff9ba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9be0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
=>0x0c0e7fff9bf0:[05]fa fa fa fa fa 00 00 00 00 00 00 00 00 00 00
  0x0c0e7fff9c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==7340==ABORTING
```
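The bug class behind this report and the shape of the fix, as an added example that is not binutils code and not the attached PoC: a note walker in the role elf_parse_notes plays in the trace, a per-type descriptor parser in the role of elfcore_grok_nto_status, first without and then with the "note is big enough" check the commit adds. The descriptor layout (three 32-bit fields), the note type value 7 and the sample note bytes are all constructed for this example and are not the real QNX/NTO status layout. The point it shows is that bounds-checking the note against the segment is not enough: descsz can be fully in bounds and still be smaller than the fixed layout the type-specific parser assumes, and the check has to live in that parser.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Little-endian 32-bit load, the operation bfd_getl32 performs on the
   descriptor bytes in the trace above. */
static uint32_t getl32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Hypothetical status descriptor and note type, constructed for this
   example; NOT the real layout binutils parses. */
enum { STATUS_PID_OFF = 0, STATUS_SIG_OFF = 4, STATUS_TID_OFF = 8,
       STATUS_DESCSZ_MIN = 12, NT_STATUS_EXAMPLE = 7 };

struct status { uint32_t pid, sig, tid; };

/* Before the fix: every field is read without consulting descsz. When the
   descriptor is shorter than STATUS_DESCSZ_MIN the last getl32 reads past
   the end of the heap buffer the note sits in: the 4-byte READ ASan reports. */
static int grok_status_unchecked(const unsigned char *desc, size_t descsz,
                                 struct status *out)
{
    (void)descsz;
    out->pid = getl32(desc + STATUS_PID_OFF);
    out->sig = getl32(desc + STATUS_SIG_OFF);
    out->tid = getl32(desc + STATUS_TID_OFF);
    return 1;
}

/* After the fix: reject a note too small for every field read, before any
   byte of it is parsed. */
static int grok_status_checked(const unsigned char *desc, size_t descsz,
                               struct status *out)
{
    if (descsz < STATUS_DESCSZ_MIN)
        return 0;
    return grok_status_unchecked(desc, descsz, out);
}

typedef int (*grok_fn)(const unsigned char *, size_t, struct status *);

/* ELF note: {namesz, descsz, type}, then name, then desc, each 4-aligned. */
#define NOTE_HDR_SIZE 12
#define ALIGN4(x) (((size_t)(x) + 3) & ~(size_t)3)

/* Walk the notes in buf[0..len). Returns how many status notes grok
   accepted, or -1 if a header, name or descriptor runs past the segment.
   These checks protect the walker; they say nothing about whether descsz
   is large enough for a given type's fixed layout. */
static int parse_notes(const unsigned char *buf, size_t len, grok_fn grok,
                       struct status *out)
{
    size_t off = 0;
    int accepted = 0;

    /* off <= len guards against the last note's padding being absent. */
    while (off <= len && len - off >= NOTE_HDR_SIZE) {
        uint32_t namesz = getl32(buf + off);
        uint32_t descsz = getl32(buf + off + 4);
        uint32_t type   = getl32(buf + off + 8);
        size_t name_off = off + NOTE_HDR_SIZE;
        size_t desc_off;

        if (namesz > len - name_off)
            return -1;
        desc_off = name_off + ALIGN4(namesz);
        if (desc_off > len || descsz > len - desc_off)
            return -1;
        if (type == NT_STATUS_EXAMPLE)
            accepted += grok(buf + desc_off, descsz, out);
        off = desc_off + ALIGN4(descsz);
    }
    return accepted;
}

/* Constructed sample notes. Both have a valid header and an in-bounds
   descriptor; the second declares descsz = 8, too small for the 12-byte
   layout the unchecked grok assumes. */
static const unsigned char good_note[] = {
    4, 0, 0, 0,  12, 0, 0, 0,  NT_STATUS_EXAMPLE, 0, 0, 0, /* namesz, descsz, type */
    'Q', 'N', 'X', 0,                                      /* name, 4-aligned */
    0x39, 0x05, 0, 0,  11, 0, 0, 0,  2, 0, 0, 0            /* pid 1337, sig 11, tid 2 */
};
static const unsigned char short_note[] = {
    4, 0, 0, 0,  8, 0, 0, 0,  NT_STATUS_EXAMPLE, 0, 0, 0,
    'Q', 'N', 'X', 0,
    0x39, 0x05, 0, 0,  11, 0, 0, 0
};

static int parse_good_checked(struct status *s)
{ return parse_notes(good_note, sizeof good_note, grok_status_checked, s); }

static int parse_short_checked(struct status *s)
{ return parse_notes(short_note, sizeof short_note, grok_status_checked, s); }

/* Bytes the unchecked grok would read beyond a descriptor of this size;
   computed rather than executed, since running it on short_note is the bug. */
static size_t unchecked_overread(size_t descsz)
{ return descsz < STATUS_DESCSZ_MIN ? STATUS_DESCSZ_MIN - descsz : 0; }

int main(void)
{
    struct status s = {0, 0, 0};
    int ok = parse_good_checked(&s);
    printf("good note, checked:  accepted=%d pid=%u sig=%u tid=%u\n", ok, s.pid, s.sig, s.tid);
    printf("short note, checked: accepted=%d\n", parse_short_checked(&s));
    printf("short note, unchecked grok reads %zu byte(s) past the descriptor\n",
           unchecked_overread(8));
    return 0;
}
```

Compiled with -fsanitize=address and grok_status_unchecked substituted for grok_status_checked in parse_short_checked, the same heap-buffer-overflow READ of size 4 inside getl32 appears, with the note array as the undersized region.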