Bug 22421

Summary: Heap overflow in bfd_getl32
Product: binutils Reporter: Insu Yun <insu>
Component: binutilsAssignee: Not yet assigned to anyone <unassigned>
Status: RESOLVED FIXED    
Severity: normal CC: nickc
Priority: P2    
Version: 2.30   
Target Milestone: ---   
Host: Target:
Build: Last reconfirmed:
Attachments: POC to trigger heap buffer overflow (objdump)

Description Insu Yun 2017-11-11 14:07:23 UTC 
Created attachment 10581 [details]
POC to trigger heap buffer overflow (objdump)

Using our hybrid fuzzer, we found a crashing test case
.
Version: f617a0f6ceeb34dfd39d8673b0ab225c9127aab6(git)
Command: ./objdump -x ../output-1/afl-1/crashes/id:000000,sig:06,sync:qsym,src:00381
ASAN:

=================================================================
==7340==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60700000df84 at pc 0x0000005fa23e bp 0x7fffffffd8b0 sp 0x7fffffffd8a0
READ of size 4 at 0x60700000df84 thread T0
    #0 0x5fa23d in bfd_getl32 /home/insu/projects/qsym-eval/apps/binutils/binutils-gdb/bfd/libbfd.c:558
    #1 0x71befd in elfcore_grok_nto_status /home/insu/projects/qsym-eval/apps/binutils/binutils-gdb/bfd/elf.c:10217
    #2 0x71befd in elfcore_grok_nto_note /home/insu/projects/qsym-eval/apps/binutils/binutils-gdb/bfd/elf.c:10302
    #3 0x6b5e88 in elf_parse_notes /home/insu/projects/qsym-eval/apps/binutils/binutils-gdb/bfd/elf.c:11017
    #4 0x6d9c31 in elf_read_notes /home/insu/projects/qsym-eval/apps/binutils/binutils-gdb/bfd/elf.c:11066
    #5 0x6d9c31 in bfd_section_from_phdr /home/insu/projects/qsym-eval/apps/binutils/binutils-gdb/bfd/elf.c:2993
    #6 0x6a9bc9 in bfd_elf64_core_file_p /home/insu/projects/qsym-eval/apps/binutils/binutils-gdb/bfd/elfcore.h:277
    #7 0x5ef092 in bfd_check_format_matches /home/insu/projects/qsym-eval/apps/binutils/binutils-gdb/bfd/format.c:311
    #8 0x421aab in display_object_bfd objdump.c:3629
    #9 0x421aab in display_any_bfd objdump.c:3700
    #10 0x40e771 in display_file objdump.c:3721
    #11 0x40e771 in main objdump.c:4023
    #12 0x7ffff68bc82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #13 0x411c48 in _start (/home/insu/projects/qsym-eval/apps/binutils/out2/objdump+0x411c48)

0x60700000df85 is located 0 bytes to the right of 69-byte region [0x60700000df40,0x60700000df85)
allocated by thread T0 here:
    #0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x5f8bfa in bfd_malloc /home/insu/projects/qsym-eval/apps/binutils/binutils-gdb/bfd/libbfd.c:193

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/insu/projects/qsym-eval/apps/binutils/binutils-gdb/bfd/libbfd.c:558 bfd_getl32
Shadow bytes around the buggy address:
  0x0c0e7fff9ba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9be0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
=>0x0c0e7fff9bf0:[05]fa fa fa fa fa 00 00 00 00 00 00 00 00 00 00
  0x0c0e7fff9c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==7340==ABORTING
Comment 1 Sourceware Commits 2017-11-16 14:54:51 UTC 
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=80a0437873045cc08753fcac4af154e2931a99fd

commit 80a0437873045cc08753fcac4af154e2931a99fd
Author: Nick Clifton <nickc@redhat.com>
Date:   Thu Nov 16 14:53:32 2017 +0000

    Prevent illegal memory accesses when parsing incorrecctly formated core notes.
    
    	PR 22421
    	* elf.c (elfcore_grok_netbsd_procinfo): Check that the note is big enough.
    	(elfcore_grok_openbsd_procinfo): Likewise.
    	(elfcore_grok_nto_status): Likewise.
Comment 2 Nick Clifton 2017-11-16 14:58:08 UTC 
Hi Insu,

  Thanks for reporting this bug.  I have checked in a patch to add some checks for the core notes being the correct size before attempting to parse them, and this fixes the problem.

Cheers
  Nick