Summary: | An out-of-bounds read in pex64_xdata_print_uwd_codes | |
---|---|---|---
Product: | binutils | Reporter: | Mingi Cho <mgcho.minic>
Component: | binutils | Assignee: | Not yet assigned to anyone <unassigned>
Status: | RESOLVED FIXED | |
Severity: | normal | CC: | nickc
Priority: | P2 | |
Version: | 2.33 | |
Target Milestone: | --- | |
Host: | | Target: |
Build: | | Last reconfirmed: |
Attachments: | Poc to trigger bug | |
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=03da31c6764c1bca9b0b0529344a8ea933c825ea

commit 03da31c6764c1bca9b0b0529344a8ea933c825ea
Author: Nick Clifton <nickc@redhat.com>
Date:   Thu Aug 22 14:37:03 2019 +0100

    Fix an illegal memory access when dumping corrupt x86_64 PE unwind data.

        PR 24922
        * pei-x86_64.c (pex64_xdata_print_uwd_codes): Add checks before reading data from extra records.

Hi Mingi,

  Thanks for reporting this problem. I have checked in a patch to add extra checks to catch this kind of buffer overflow.

Cheers
  Nick
Created attachment 11956
Poc to trigger bug

Triggered by "./objdump -x $POC"
Tested on Ubuntu 16.04

An out-of-bounds read occurred when processing malformed input.

configuration:
CC=clang-5.0 CFLAGS="-m32 -Wextra -Wno-missing-field-initializers -fsanitize=address -fno-omit-frame-pointer -g" CXX=clang++-5.0 CXXFLAGS="-m32" ./configure --disable-gdb --disable-gold --disable-gas --disable-gprof

ASAN output:
==108913==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf2a028af at pc 0x0832aa07 bp 0xffd22f58 sp 0xffd22f4c
READ of size 1 at 0xf2a028af thread T0
    #0 0x832aa06 in bfd_getl32 /home/seclab/binutils-gdb/bfd/libbfd.c:698:24
    #1 0x873c1a5 in pex64_xdata_print_uwd_codes /home/seclab/binutils-gdb/bfd/pei-x86_64.c:244:14
    #2 0x8738e6e in pex64_dump_xdata /home/seclab/binutils-gdb/bfd/pei-x86_64.c:441:5
    #3 0x872ad92 in pex64_bfd_print_pdata_section /home/seclab/binutils-gdb/bfd/pei-x86_64.c:757:8
    #4 0x8726c5e in pex64_bfd_print_pdata /home/seclab/binutils-gdb/bfd/pei-x86_64.c:793:12
    #5 0x877ba9d in _bfd_pex64_print_private_bfd_data_common /home/seclab/binutils-gdb/bfd/pex64igen.c:2917:5
    #6 0x873595a in pe_print_private_bfd_data /home/seclab/binutils-gdb/bfd/./peicode.h:336:8
    #7 0x8174bd4 in dump_bfd_private_header /home/seclab/binutils-gdb/binutils/./objdump.c:3352:8
    #8 0x817312f in dump_bfd /home/seclab/binutils-gdb/binutils/./objdump.c:3992:5
    #9 0x8171f56 in display_object_bfd /home/seclab/binutils-gdb/binutils/./objdump.c:4132:7
    #10 0x8171e54 in display_any_bfd /home/seclab/binutils-gdb/binutils/./objdump.c:4222:5
    #11 0x81714a0 in display_file /home/seclab/binutils-gdb/binutils/./objdump.c:4243:3
    #12 0x8170bed in main /home/seclab/binutils-gdb/binutils/./objdump.c:4561:6
    #13 0xf74bf636 in __libc_start_main /build/glibc-GoSbp4/glibc-2.23/csu/../csu/libc-start.c:291
    #14 0x806e677 in _start (/home/seclab/fuzzing-experiment/fuzzing/program/x86/binutils-triage-clang/master/bin/objdump+0x806e677)

Credits: Mingi Cho, Seoyoung Kim, and Taekyoung Kwon of the Information Security Lab, Yonsei University.
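The ASAN trace shows a 32-bit read in bfd_getl32, called from pex64_xdata_print_uwd_codes, running past the end of the xdata buffer, and the commit message describes the fix as adding checks before reading data from extra records. The following is an added example written for this page, not binutils' code and not the patch itself: a hypothetical decoder for x86_64 UNWIND_CODE entries that validates every read (the code word and the extra slots that some opcodes carry) against the buffer length and the declared slot count before touching the bytes. The extra-slot counts per opcode follow the Microsoft x64 unwind documentation; the function names and the sample xdata buffer are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bounds-checked little-endian reads. Each returns 1 on success and 0 if the
   field would extend past the end of the buffer; this is the kind of check
   that has to run before a read from an extra record. */
static int get_le16(const uint8_t *buf, size_t len, size_t off, uint32_t *out)
{
    if (off > len || len - off < 2)
        return 0;
    *out = (uint32_t)buf[off] | ((uint32_t)buf[off + 1] << 8);
    return 1;
}

static int get_le32(const uint8_t *buf, size_t len, size_t off, uint32_t *out)
{
    if (off > len || len - off < 4)
        return 0;
    *out = (uint32_t)buf[off] | ((uint32_t)buf[off + 1] << 8)
         | ((uint32_t)buf[off + 2] << 16) | ((uint32_t)buf[off + 3] << 24);
    return 1;
}

/* Extra 16-bit slots that follow an UNWIND_CODE, per the Microsoft x64
   unwind documentation; -1 marks an opcode this example does not decode. */
static int uwop_extra_slots(unsigned op, unsigned opinfo)
{
    switch (op) {
    case 0:  return 0;                    /* UWOP_PUSH_NONVOL */
    case 1:  return opinfo == 0 ? 1 : 2;  /* UWOP_ALLOC_LARGE */
    case 2:  return 0;                    /* UWOP_ALLOC_SMALL */
    case 3:  return 0;                    /* UWOP_SET_FPREG */
    case 4:  return 1;                    /* UWOP_SAVE_NONVOL */
    case 5:  return 2;                    /* UWOP_SAVE_NONVOL_FAR */
    case 8:  return 1;                    /* UWOP_SAVE_XMM128 */
    case 9:  return 2;                    /* UWOP_SAVE_XMM128_FAR */
    case 10: return 0;                    /* UWOP_PUSH_MACHFRAME */
    default: return -1;
    }
}

/* Walk `count` unwind-code slots starting at `codes_off` in the xdata buffer.
   Returns the number of complete codes decoded, or -1 if any code or one of
   its extra slots lies outside the buffer or outside the declared slot count. */
static int walk_unwind_codes(const uint8_t *buf, size_t len,
                             size_t codes_off, unsigned count)
{
    size_t off = codes_off;
    unsigned i = 0;
    int decoded = 0;

    while (i < count) {
        uint32_t hdr, operand = 0;
        if (!get_le16(buf, len, off, &hdr))
            return -1;                          /* code word itself truncated */
        unsigned op = (hdr >> 8) & 0x0f;        /* UnwindOp nibble */
        unsigned opinfo = (hdr >> 12) & 0x0f;   /* OpInfo nibble */
        int extra = uwop_extra_slots(op, opinfo);
        if (extra < 0)
            return -1;                          /* unknown opcode */
        if ((unsigned)extra > count - i - 1)
            return -1;                          /* extra slots exceed CountOfCodes */
        /* Confirm the extra record is inside the buffer before reading it. */
        if (extra == 1 && !get_le16(buf, len, off + 2, &operand))
            return -1;
        if (extra == 2 && !get_le32(buf, len, off + 2, &operand))
            return -1;
        off += 2 + 2 * (size_t)extra;
        i += 1 + (unsigned)extra;
        decoded++;
    }
    return decoded;
}

/* Parse the 4-byte UNWIND_INFO header (version/flags, prolog size,
   CountOfCodes, frame register/offset) and then walk the codes. */
static int parse_unwind_info(const uint8_t *buf, size_t len)
{
    if (len < 4)
        return -1;
    return walk_unwind_codes(buf, len, 4, buf[2]);
}

/* Constructed sample: CountOfCodes=3, then UWOP_ALLOC_LARGE (opinfo 0, one
   extra slot holding 0x10) followed by UWOP_PUSH_NONVOL of register 5. */
static const uint8_t sample_xdata[] = {
    0x01, 0x0a, 0x03, 0x00,   /* version 1, prolog 10 bytes, 3 slots, no frame reg */
    0x0a, 0x01, 0x10, 0x00,   /* ALLOC_LARGE at prolog offset 10, operand 0x10 */
    0x05, 0x50,               /* PUSH_NONVOL rbp at prolog offset 5 */
};

int main(void)
{
    printf("full buffer: %d codes\n", parse_unwind_info(sample_xdata, sizeof sample_xdata));
    /* Cut inside the ALLOC_LARGE extra slot: rejected rather than read past the end. */
    printf("truncated:   %d\n", parse_unwind_info(sample_xdata, 7));
    return 0;
}
```

Two separate checks matter here: the extra slot must fit inside the buffer (the truncation the ASAN report exercises) and it must also fit inside CountOfCodes, since a header can declare fewer slots than its last opcode consumes; a decoder that only trusts the header count still reads beyond the record array in the second case.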