Bug 24005

Summary: CVE-2018-20671 objdump integer overflow in load_specific_debug_section
Product: binutils
Reporter: tfx <tfx_sec>
Component: binutils
Assignee: Not yet assigned to anyone <unassigned>
Status: RESOLVED FIXED
Severity: critical
CC: nickc, tfx_sec
Priority: P2
Version: 2.32
Target Milestone: ---
Host:
Target:
Build:
Last reconfirmed:
Attachments: POC3, patch

Description tfx 2018-12-19 03:11:05 UTC
Created attachment 11473 [details]
POC3

I use 32bit objdump in 64bit Ubuntu 16.04.4 LTS.

The source code is shown as follows, from objdump.c.
>2528  bfd_size_type amt;

>2543  amt = section->size + 1;
>2544  section->start = contents = malloc (amt);
>2545  section->user_data = sec;
>2546  if (amt == 0
>2547      || section->start == NULL
>2548      || !bfd_get_full_section_contents (abfd, sec, &contents))
>2549    {
>2550      free_debug_section (debug);

An integer overflow occurs when section->size is 0xFFFFFFFF in line 2543; it triggers a heap overflow in bfd_get_full_section_contents in line 2548 and finally a crash in line 2550.

Part of the crash output is shown as follows.

./objdump -g POC3

*** Error in `./objdump': free(): invalid next size (fast): 0x0a0d06b8 ***
Aborted
Comment 1 tfx 2018-12-19 03:12:23 UTC
Created attachment 11474 [details]
patch
Comment 2 Sourceware Commits 2019-01-04 13:46:34 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=11fa9f134fd658075c6f74499c780df045d9e9ca

commit 11fa9f134fd658075c6f74499c780df045d9e9ca
Author: Nick Clifton <nickc@redhat.com>
Date:   Fri Jan 4 13:44:34 2019 +0000

    Fix a possible integer overflow problem when examining corrupt binaries using a 32-bit binutil.
    
    	PR 24005
    	* objdump.c (load_specific_debug_section): Check for integer
    	overflow before attempting to allocate contents.
Comment 3 Nick Clifton 2019-01-04 13:52:17 UTC
Hi mhsec,

  Thanks for reporting this problem.  Unfortunately your proposed patch
  will not work as it will prevent the tools from handling 64-bit binaries
  with very large section sizes.

  Instead I have checked in an alternative patch which checks for integer
  overflow before attempting to allocate any memory, which prevents the
  heap corruption from happening.

Cheers
  Nick
Comment 4 tfx 2019-01-04 14:14:16 UTC
(In reply to Nick Clifton from comment #3)
> Hi mhsec,
> 
>   Thanks for reporting this problem.  Unfortunately your proposed patch
>   will not work as it will prevent the tools from handling 64-bit binaries
>   with very large section sizes.
> 
>   Instead I have checked in an alternative patch which checks for integer
>   overflow before attempting to allocate any memory, which prevents the
>   heap corruption from happening.
> 
> Cheers
>   Nick

Hi Nick

I think the problem still exists if the file size is more than 0x100000000.

`amt > bfd_get_file_size (abfd)`
Comment 5 Nick Clifton 2019-01-04 14:21:01 UTC
(In reply to mhsec from comment #4)
 
> I think the problem still exist if file size more than 0x100000000.
 
A file bigger than 100 gigabytes?  Yes, that probably would cause problems for lots of tools, not just objdump.
Comment 6 tfx 2019-01-04 15:06:01 UTC
It's 4GB, not 100GB.
Of course I also think that this situation does not have to be considered.
So my patch might work.