Bug 24236

Summary: size: Heap buffer overflow in _bfd_archive_64_bit_slurp_armap
Product: binutils
Reporter: spinpx <spinpx>
Component: binutils
Assignee: Alan Modra <amodra>
Status: RESOLVED FIXED
Severity: normal
CC: pereezdprofiss
Priority: P2
Version: 2.33
Target Milestone: 2.33
Host:
Target:
Build:
Last reconfirmed: 2019-02-19 00:00:00
Attachments: input triggers the bug

Description spinpx 2019-02-19 12:21:21 UTC
- Intel Xeon Gold 5118 processors and 256 GB memory
- Linux n18-065-139 4.19.0-1-amd64 #1 SMP Debian 4.19.12-1 (2018-12-22) x86_64 GNU/Linux
- clang version 4.0.0 (tags/RELEASE_400/final)
- version: commit c72e75a64030b0f6535a80481f37968ad55c333a (Feb 19 2019)
- run: size input_file

- Exploitable:
Description: Heap error
Short description: HeapError (10/22)
Hash: 0ab5d0005e74fc041576aa73a2a94770.f78de5a987638de0bf17f6470949c81d
Exploitability Classification: EXPLOITABLE
Explanation: The target's backtrace indicates that libc has detected a heap error or that the target was executing a heap function when it stopped. This could be due to heap corruption, passing a bad pointer to a heap function such as free(), etc. Since heap errors might include buffer overflows, use-after-free situations, etc. they are generally considered exploitable.
Other tags: AbortSignal (20/22)

- stack:
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007fb7ebcef535 in __GI_abort () at abort.c:79
#2  0x00007fb7ebd46778 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7fb7ebe5128d "%s\n") at ../sysdeps/posix/libc_fatal.c:181
#3  0x00007fb7ebd4ce6a in malloc_printerr (str=str@entry=0x7fb7ebe53018 "double free or corruption (!prev)") at malloc.c:5341
#4  0x00007fb7ebd4e98c in _int_free (av=0x7fb7ebe88c40 <main_arena>, p=0xc49ac0, have_lock=<optimized out>) at malloc.c:4309
#5  0x00000000005b6a64 in objalloc_free (o=0xc46780) at /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/objalloc.c:187
#6  0x00000000004227f9 in _bfd_delete_bfd (abfd=0xc46660) at /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/opncls.c:126
#7  bfd_close_all_done (abfd=0xc46660) at /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/opncls.c:773
#8  0x00000000004225e8 in bfd_close (abfd=0xc46660) at /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/opncls.c:735
#9  0x00000000004043dd in display_file (filename=0x7ffceb73e23b "/mnt/raid/user/chenpeng/FuzzingBench/size/crashes_matryoshka_cmin_crash/id:000000-crash_2") at /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/size.c:409
#10 0x0000000000403cc5 in main (argc=<optimized out>, argv=0x7fb7ebd048bb <__GI_raise+267>) at /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/size.c:241

- asan report:
==1423785==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000004e78 at pc 0x0000007f787c bp 0x7ffff511d170 sp 0x7ffff511d168
WRITE of size 1 at 0x621000004e78 thread T0
    #0 0x7f787b in _bfd_archive_64_bit_slurp_armap /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/archive64.c:126:15
    #1 0x4fcfd6 in bfd_slurp_armap /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/archive.c:1152:14
    #2 0x4fc895 in bfd_generic_archive_p /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/archive.c:875:8
    #3 0x5207e5 in bfd_check_format_matches /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/format.c:315:14
    #4 0x51f82e in bfd_check_format /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/format.c:94:10
    #5 0x4f1eb5 in display_file /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/size.c:431:7
    #6 0x4f1aa5 in main /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/size.c:260:7
    #7 0x7f0399a5209a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    #8 0x41d5e9 in _start (/mnt/raid/user/chenpeng/FuzzingBench/build/asan/install/bin/size+0x41d5e9)

0x621000004e78 is located 0 bytes to the right of 4472-byte region [0x621000003d00,0x621000004e78)
allocated by thread T0 here:
    #0 0x4c42dc in malloc /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66:3
    #1 0x8affb0 in _objalloc_alloc /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/objalloc.c:143:22
    #2 0x52e450 in bfd_alloc /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/opncls.c:949:9
    #3 0x52c5cc in bfd_zalloc /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/opncls.c:998:9
    #4 0x7f74c7 in _bfd_archive_64_bit_slurp_armap /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/archive64.c:98:39
    #5 0x4fcfd6 in bfd_slurp_armap /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/archive.c:1152:14
    #6 0x4fc895 in bfd_generic_archive_p /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/archive.c:875:8
    #7 0x5207e5 in bfd_check_format_matches /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/format.c:315:14
    #8 0x51f82e in bfd_check_format /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/format.c:94:10
    #9 0x4f1eb5 in display_file /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/size.c:431:7
    #10 0x4f1aa5 in main /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/size.c:260:7
    #11 0x7f0399a5209a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)

SUMMARY: AddressSanitizer: heap-buffer-overflow /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/archive64.c:126:15 in _bfd_archive_64_bit_slurp_armap
Shadow bytes around the buggy address:
  0x0c427fff8970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff8980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff8990: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff89a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff89b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c427fff89c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[fa]
  0x0c427fff89d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff89e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff89f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff8a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff8a10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1423785==ABORTING
Comment 1 spinpx 2019-02-19 12:21:53 UTC
Created attachment 11618
input triggers the bug
Comment 2 Sourceware Commits 2019-02-20 01:20:59 UTC
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=8abac8031ed369a2734b1cdb7df28a39a54b4b49

commit 8abac8031ed369a2734b1cdb7df28a39a54b4b49
Author: Alan Modra <amodra@gmail.com>
Date:   Wed Feb 20 08:21:24 2019 +1030

    PR24236, Heap buffer overflow in _bfd_archive_64_bit_slurp_armap
    
    	PR 24236
    	* archive64.c (_bfd_archive_64_bit_slurp_armap): Move code adding
    	sentinel NUL to string buffer nearer to loop where it is used.
    	Don't go past sentinel when scanning strings, and don't write
    	NUL again.
    	* archive.c (do_slurp_coff_armap): Simplify string handling to
    	archive64.c style.
Comment 3 Alan Modra 2019-02-20 01:22:15 UTC
Fixed
Comment 4 spinpx 2019-03-01 07:16:23 UTC
CVE-2019-9075
Comment 5 promask 2019-09-29 16:25:29 UTC
))