Bug 19323 - [FG-VD-15-113] BinUtils-2.25 Objdump Heap Overflow Vulnerability Notification
Summary: [FG-VD-15-113] BinUtils-2.25 Objdump Heap Overflow Vulnerability Notification
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils
Version: 2.25
Importance: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-12-01 19:49 UTC by Kushal Shah
Modified: 2016-03-19 01:08 UTC
CC List: 2 users

See Also:
Host:
Target:
Build:
Last reconfirmed:


Attachments
PoC File. (2.24 KB, application/x-sharedlib)
2015-12-01 19:49 UTC, Kushal Shah

Description Kushal Shah 2015-12-01 19:49:26 UTC
Created attachment 8825
PoC File.

The PoC file is attached with this post.

Use the Objdump tool with the -s parameter to open the PoC file, with the output destination set to /dev/null, in order to reproduce this vulnerability.

I have tested it on the Kali 2.0 platform.
Comment 1 Alan Modra 2015-12-02 04:24:34 UTC
This is not a "vulnerability".  You have an object file which has been corrupted to say it has 2147483648 program headers.  Trying to allocate 2147483648*32 bytes of course fails, no surprise there.  objdump correctly returns an out of memory error.
Comment 2 Kushal Shah 2015-12-03 19:26:12 UTC
Hi Alan, 

I re-ran the PoC using both readelf and objdump, and I saw that the "readelf" tool returns an out-of-memory error while "objdump" crashes with a Segmentation Fault; using Valgrind, we can see that there is a Heap Overflow caused by Objdump.

I am attaching both the "out-of-memory" error obtained using readelf and the gdb and valgrind output confirming the heap overflow vulnerability in objdump.

I would also like to ask if you could share the out-of-memory error output returned by objdump using the PoC and reproduction steps provided previously.

Vulnerability confirmation using GDB & Valgrind:

##########----------Valgrind Output----------##########

# valgrind --tool=memcheck --leak-check=full --track-origins=yes --show-reachable=yes --keep-stacktraces=alloc-and-free --num-callers=40 --track-fds=yes -v binutils-gdb/binutils/objdump -s /root/Desktop/file1 /dev/null
==13429== Invalid write of size 4
==13429==    at 0x82499B7: bfd_elf32_swap_phdr_in (elfcode.h:367)
==13429==    by 0x824D0B4: bfd_elf32_object_p (elfcode.h:782)
==13429==    by 0x81E00F6: bfd_check_format_matches.part.1 (format.c:305)
==13429==    by 0x806734F: display_object_bfd (objdump.c:3418)
==13429==    by 0x806734F: display_any_bfd (objdump.c:3509)
==13429==    by 0x8053ECA: display_file (objdump.c:3530)
==13429==    by 0x8053ECA: main (objdump.c:3813)
==13429==  Address 0x420bdf0 is 0 bytes after a block of size 4,064 alloc'd
==13429==    at 0x40291CC: malloc (vg_replace_malloc.c:296)
==13429==    by 0x851B130: objalloc_create (objalloc.c:95)
==13429==    by 0x81F049B: _bfd_new_bfd (opncls.c:73)
==13429==    by 0x81F049B: bfd_fopen (opncls.c:199)
==13429==    by 0x81F049B: bfd_openr (opncls.c:287)
==13429==    by 0x8053E83: display_file (objdump.c:3523)
==13429==    by 0x8053E83: main (objdump.c:3813)
==13429== 
==13429== Invalid write of size 4
==13429==    at 0x82499FF: bfd_elf32_swap_phdr_in (elfcode.h:369)
==13429==    by 0x824D0B4: bfd_elf32_object_p (elfcode.h:782)
==13429==    by 0x81E00F6: bfd_check_format_matches.part.1 (format.c:305)
==13429==    by 0x806734F: display_object_bfd (objdump.c:3418)
==13429==    by 0x806734F: display_any_bfd (objdump.c:3509)
==13429==    by 0x8053ECA: display_file (objdump.c:3530)
==13429==    by 0x8053ECA: main (objdump.c:3813)
==13429==  Address 0x420bdf4 is 4 bytes after a block of size 4,064 alloc'd
==13429==    at 0x40291CC: malloc (vg_replace_malloc.c:296)
==13429==    by 0x851B130: objalloc_create (objalloc.c:95)
==13429==    by 0x81F049B: _bfd_new_bfd (opncls.c:73)
==13429==    by 0x81F049B: bfd_fopen (opncls.c:199)
==13429==    by 0x81F049B: bfd_openr (opncls.c:287)
==13429==    by 0x8053E83: display_file (objdump.c:3523)
==13429==    by 0x8053E83: main (objdump.c:3813)
==13429== 
==13429== Invalid write of size 4
==13429==    at 0x8249A0E: bfd_elf32_swap_phdr_in (elfcode.h:370)
==13429==    by 0x824D0B4: bfd_elf32_object_p (elfcode.h:782)
==13429==    by 0x81E00F6: bfd_check_format_matches.part.1 (format.c:305)
==13429==    by 0x806734F: display_object_bfd (objdump.c:3418)
==13429==    by 0x806734F: display_any_bfd (objdump.c:3509)
==13429==    by 0x8053ECA: display_file (objdump.c:3530)
==13429==    by 0x8053ECA: main (objdump.c:3813)
==13429==  Address 0x420bdf8 is 8 bytes after a block of size 4,064 alloc'd
==13429==    at 0x40291CC: malloc (vg_replace_malloc.c:296)
==13429==    by 0x851B130: objalloc_create (objalloc.c:95)
==13429==    by 0x81F049B: _bfd_new_bfd (opncls.c:73)
==13429==    by 0x81F049B: bfd_fopen (opncls.c:199)
==13429==    by 0x81F049B: bfd_openr (opncls.c:287)
==13429==    by 0x8053E83: display_file (objdump.c:3523)
==13429==    by 0x8053E83: main (objdump.c:3813)
==13429== 
==13429== Invalid write of size 4
==13429==    at 0x8249A1A: bfd_elf32_swap_phdr_in (elfcode.h:371)
==13429==    by 0x824D0B4: bfd_elf32_object_p (elfcode.h:782)
==13429==    by 0x81E00F6: bfd_check_format_matches.part.1 (format.c:305)
==13429==    by 0x806734F: display_object_bfd (objdump.c:3418)
==13429==    by 0x806734F: display_any_bfd (objdump.c:3509)
==13429==    by 0x8053ECA: display_file (objdump.c:3530)
==13429==    by 0x8053ECA: main (objdump.c:3813)
==13429==  Address 0x420bdfc is 12 bytes after a block of size 4,064 alloc'd
==13429==    at 0x40291CC: malloc (vg_replace_malloc.c:296)
==13429==    by 0x851B130: objalloc_create (objalloc.c:95)
==13429==    by 0x81F049B: _bfd_new_bfd (opncls.c:73)
==13429==    by 0x81F049B: bfd_fopen (opncls.c:199)
==13429==    by 0x81F049B: bfd_openr (opncls.c:287)
==13429==    by 0x8053E83: display_file (objdump.c:3523)
==13429==    by 0x8053E83: main (objdump.c:3813)
==13429== 
==13429== Invalid write of size 4
==13429==    at 0x8249938: bfd_elf32_swap_phdr_in (elfcode.h:356)
==13429==    by 0x824D0B4: bfd_elf32_object_p (elfcode.h:782)
==13429==    by 0x81E00F6: bfd_check_format_matches.part.1 (format.c:305)
==13429==    by 0x806734F: display_object_bfd (objdump.c:3418)
==13429==    by 0x806734F: display_any_bfd (objdump.c:3509)
==13429==    by 0x8053ECA: display_file (objdump.c:3530)
==13429==    by 0x8053ECA: main (objdump.c:3813)
==13429==  Address 0x420be00 is 16 bytes after a block of size 4,064 alloc'd
==13429==    at 0x40291CC: malloc (vg_replace_malloc.c:296)
==13429==    by 0x851B130: objalloc_create (objalloc.c:95)
==13429==    by 0x81F049B: _bfd_new_bfd (opncls.c:73)
==13429==    by 0x81F049B: bfd_fopen (opncls.c:199)
==13429==    by 0x81F049B: bfd_openr (opncls.c:287)
==13429==    by 0x8053E83: display_file (objdump.c:3523)
==13429==    by 0x8053E83: main (objdump.c:3813)
==13429== 
==13429== Invalid write of size 4
==13429==    at 0x8249946: bfd_elf32_swap_phdr_in (elfcode.h:357)
==13429==    by 0x824D0B4: bfd_elf32_object_p (elfcode.h:782)
==13429==    by 0x81E00F6: bfd_check_format_matches.part.1 (format.c:305)
==13429==    by 0x806734F: display_object_bfd (objdump.c:3418)
==13429==    by 0x806734F: display_any_bfd (objdump.c:3509)
==13429==    by 0x8053ECA: display_file (objdump.c:3530)
==13429==    by 0x8053ECA: main (objdump.c:3813)
==13429==  Address 0x420be04 is 20 bytes after a block of size 4,064 in arena "client"
==13429== 

valgrind: m_mallocfree.c:304 (get_bszB_as_is): Assertion 'bszB_lo == bszB_hi' failed.
valgrind: Heap block lo/hi size mismatch: lo = 4112, hi = 6.
This is probably caused by your program erroneously writing past the
end of a heap block and corrupting heap metadata.

##########----------Valgrind Output----------##########

##########----------GDB Output----------##########

#gdb --args binutils-gdb/binutils/objdump -s /root/Desktop/file1 /dev/null
0xb7c1d927 <__GI__IO_fread+7>   mov    0x34(%esp),%edi
0xb7c1d92b <__GI__IO_fread+11>  imul   0x38(%esp),%edi
0xb7c1d930 <__GI__IO_fread+16>  call   0xb7cdd14b <__x86.get_pc_thunk.bx>
0xb7c1d935 <__GI__IO_fread+21>  add    $0x1426cb,%ebx
0xb7c1d93b <__GI__IO_fread+27>  mov    0x3c(%esp),%esi
0xb7c1d93f <__GI__IO_fread+31>  test   %edi,%edi
0xb7c1d941 <__GI__IO_fread+33>  je     0xb7c1d9e0 <__GI__IO_fread+192>
0xb7c1d947 <__GI__IO_fread+39>  mov    (%esi),%eax
0xb7c1d949 <__GI__IO_fread+41>  and    $0x8000,%eax
0xb7c1d94e <__GI__IO_fread+46>  jne    0xb7c1d985 <__GI__IO_fread+101>
0xb7c1d950 <__GI__IO_fread+48>  mov    0x48(%esi),%edx
0xb7c1d953 <__GI__IO_fread+51>  mov    %gs:0x8,%ebp
> 0xb7c1d95a <__GI__IO_fread+58>  cmp    0x8(%edx),%ebp   <-- Crash happens here.
0xb7c1d95d <__GI__IO_fread+61>  je     0xb7c1d981 <__GI__IO_fread+97>
0xb7c1d95f <__GI__IO_fread+63>  mov    $0x1,%ecx
0xb7c1d964 <__GI__IO_fread+68>  cmpl   $0x0,%gs:0xc
0xb7c1d96c <__GI__IO_fread+76>  je     0xb7c1d96f <__GI__IO_fread+79>
0xb7c1d96e <__GI__IO_fread+78>  lock cmpxchg %ecx,(%edx)
0xb7c1d972 <__GI__IO_fread+82>  jne    0xb7c1da23 <_L_lock_53>
0xb7c1d978 <__GI__IO_fread+88>  mov    0x48(%esi),%eax
0xb7c1d97b <__GI__IO_fread+91>  mov    0x48(%esi),%edx
0xb7c1d97e <__GI__IO_fread+94>  mov    %ebp,0x8(%eax)
0xb7c1d981 <__GI__IO_fread+97>  addl   $0x1,0x4(%edx)
0xb7c1d985 <__GI__IO_fread+101> mov    0x30(%esp),%eax
0xb7c1d989 <__GI__IO_fread+105> mov    %edi,0x8(%esp)
0xb7c1d98d <__GI__IO_fread+109> mov    %esi,(%esp)
0xb7c1d990 <__GI__IO_fread+112> mov    %eax,0x4(%esp)
0xb7c1d994 <__GI__IO_fread+116> call   0xb7c2a090 <__GI__IO_sgetn>
0xb7c1d999 <__GI__IO_fread+121> testl  $0x8000,(%esi)
(gdb) r
Starting program: /usr/bin/objdump -s /root/Desktop/file1 /dev/null

Program received signal SIGSEGV, Segmentation fault.
0xb7c1d95a in __GI__IO_fread (buf=0xbffff21c, size=1, count=32, fp=0x80a4528) at iofread.c:41
(gdb) bt
bt
#0  0xb7c1d95a in __GI__IO_fread (buf=0xbffff21c, size=1, count=32, fp=0x80a4528) at iofread.c:41
#1  0xb7dac6e3 in ?? () from /usr/lib/libbfd-2.25-system.so
#2  0xb7dab879 in bfd_bread () from /usr/lib/libbfd-2.25-system.so
#3  0xb7dd6ce4 in bfd_elf32_object_p () from /usr/lib/libbfd-2.25-system.so
#4  0xb7db11b7 in bfd_check_format_matches () from /usr/lib/libbfd-2.25-system.so
#5  0x0804fa60 in ?? ()
#6  0x08051e11 in ?? ()
#7  0x0804c1b6 in ?? ()
#8  0xb7bd3a63 in __libc_start_main (main=0x804ba20, argc=4, argv=0xbffff4d4, init=0x8080e20, fini=0x8080e90, rtld_fini=0xb7fedc90 <_dl_fini>, stack_end=0xbffff4cc) at libc-start.c:287
#9  0x0804c340 in ?? ()
(gdb) x $edx
0x6469676b:     Cannot access memory at address 0x6469676b
(gdb) x $ebp
x $ebp
0xb7bb9940:     0xb7bb9940
(gdb) x $esi
x $esi
0x80a4528:      0x00000000
(gdb) x $eax
x $eax
0x0:    Cannot access memory at address 0x0
(gdb) x $eip
x $eip
0xb7c1d95a <__GI__IO_fread+58>: 0x74086a3b
(gdb) 

##########----------GDB Output----------##########

"ReadElf" output showing the out-of-memory error:

##########----------ReadElf Output----------##########

readelf -a /root/Desktop/file1
ELF Header:
  Magic:   7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00 
  Class:                             ELF32
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              DYN (Shared object file)
  Machine:                           Intel 80386
  Version:                           0x1
  Entry point address:               0x753
  Start of program headers:          52 (bytes into file)
  Start of section headers:          4364 (bytes into file)
  Flags:                             0x0
  Size of this header:               52 (bytes)
  Size of program headers:           32 (bytes)
  Number of program headers:         65535 (-2147483648)
  Size of section headers:           40 (bytes)
  Number of section headers:         27
  Section header string table index: 26

Section Headers:
  [Nr] Name              Type            Addr     Off    Size   ES Flg Lk Inf Al
  [ 0]                   NULL            00000000 000000 000000 00      0 2147483648  0
  [ 1] .interp           PROGBITS        00000154 000154 000013 00   A  0   0  1
  [ 2] .note.ABI-tag     NOTE            00000168 000168 000020 00   A  0   0  4
  [ 3] .note.gnu.build-i NOTE            00000188 000188 000024 00   A  0   0  4
  [ 4] .gnu.hash         GNU_HASH        000001ac 0001ac 000034 04   A  5   0  4
  [ 5] .dynsym           DYNSYM          000001e0 0001e0 000130 10   A  6   1  4
  [ 6] .dynstr           STRTAB          00000310 000310 00012c 00   A  0   0  1
  [ 7] .gnu.version      VERSYM          0000043c 00043c 000026 02   A  5   0  2
  [ 8] .gnu.version_r    VERNEED         00000464 000464 000050 00   A  6   1  4
  [ 9] .rel.dyn          REL             000004b4 0004b4 000050 08   A  5   0  4
  [10] .rel.plt          REL             00000504 000504 000048 08  AI  5  12  4
  [11] .init             PROGBITS        0000054c 00054c 000023 00  AX  0   0  4
  [12] .plt              PROGBITS        00000570 000570 0000a0 04  AX  0   0 16
  [13] .text             PROGBITS        00000610 000610 000354 00  AX  0   0 16
  [14] .fini             PROGBITS        00000964 000964 000014 00  AX  0   0  4
  [15] .rodata           PROGBITS        00000978 000978 00003a 00   A  0   0  4
  [16] .eh_frame_hdr     PROGBITS        000009b4 0009b4 000034 00   A  0   0  4
  [17] .eh_frame         PROGBITS        000009e8 0009e8 0000f4 00   A  0   0  4
  [18] .init_array       INIT_ARRAY      00001ea8 000ea8 000004 00  WA  0   0  4
  [19] .fini_array       FINI_ARRAY      00001eac 000eac 000004 00  WA  0   0  4
  [20] .jcr              PROGBITS        00001eb0 000eb0 000004 00  WA  0   0  4
  [21] .dynamic          DYNAMIC         00001eb4 000eb4 000100 08  WA  6   0  4
  [22] .got              PROGBITS        00001fb4 000fb4 00004c 04  WA  0   0  4
  [23] .data             PROGBITS        00002000 001000 000008 00  WA  0   0  4
  [24] .bss              NOBITS          00002008 001008 000004 00  WA  0   0  1
  [25] .gnu_debuglink    PROGBITS        00000000 001008 000010 00      0   0  1
  [26] .shstrtab         STRTAB          00000000 001018 0000f3 00      0   0  1
Key to Flags:
  W (write), A (alloc), X (execute), M (merge), S (strings)
  I (info), L (link order), G (group), T (TLS), E (exclude), x (unknown)
  O (extra OS processing required) o (OS specific), p (processor specific)

There are no section groups in this file.
readelf: Error: Out of memory reading 2147483648 program headers

Relocation section '.rel.dyn' at offset 0x4b4 contains 10 entries:
 Offset     Info    Type            Sym.Value  Sym. Name
00001ea8  00000008 R_386_RELATIVE   
00001eac  00000008 R_386_RELATIVE   
00001ff4  00000008 R_386_RELATIVE   
00002004  00000008 R_386_RELATIVE   
00001fe4  00000106 R_386_GLOB_DAT    00000000   _ITM_deregisterTMClone
00001fe8  00000206 R_386_GLOB_DAT    00000000   stderr
00001fec  00000406 R_386_GLOB_DAT    00000000   __cxa_finalize
00001ff0  00000706 R_386_GLOB_DAT    00000000   __gmon_start__
00001ff8  00000906 R_386_GLOB_DAT    00000000   _Jv_RegisterClasses
00001ffc  00000b06 R_386_GLOB_DAT    00000000   _ITM_registerTMCloneTa

Relocation section '.rel.plt' at offset 0x504 contains 9 entries:
 Offset     Info    Type            Sym.Value  Sym. Name
00001fc0  00000307 R_386_JUMP_SLOT   00000000   __stack_chk_fail
00001fc4  00000407 R_386_JUMP_SLOT   00000000   __cxa_finalize
00001fc8  00000507 R_386_JUMP_SLOT   00000000   perror
00001fcc  00000607 R_386_JUMP_SLOT   00000000   setgid
00001fd0  00000707 R_386_JUMP_SLOT   00000000   __gmon_start__
00001fd4  00000807 R_386_JUMP_SLOT   00000000   __libc_start_main
00001fd8  00000a07 R_386_JUMP_SLOT   00000000   __fprintf_chk
00001fdc  00000c07 R_386_JUMP_SLOT   00000000   strtol
00001fe0  00000d07 R_386_JUMP_SLOT   00000000   getgrnam

The decoding of unwind sections for machine type Intel 80386 is not currently supported.

Symbol table '.dynsym' contains 19 entries:
   Num:    Value  Size Type    Bind   Vis      Ndx Name
     0: 00000000     0 NOTYPE  LOCAL  DEFAULT  UND 
     1: 00000000     0 NOTYPE  WEAK   DEFAULT  UND _ITM_deregisterTMCloneTab
     2: 00000000     0 OBJECT  GLOBAL DEFAULT  UND stderr
     3: 00000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail
     4: 00000000     0 FUNC    WEAK   DEFAULT  UND __cxa_finalize
     5: 00000000     0 FUNC    GLOBAL DEFAULT  UND perror
     6: 00000000     0 FUNC    GLOBAL DEFAULT  UND setgid
     7: 00000000     0 NOTYPE  WEAK   DEFAULT  UND __gmon_start__
     8: 00000000     0 FUNC    GLOBAL DEFAULT  UND __libc_start_main
     9: 00000000     0 NOTYPE  WEAK   DEFAULT  UND _Jv_RegisterClasses
    10: 00000000     0 FUNC    GLOBAL DEFAULT  UND __fprintf_chk
    11: 00000000     0 NOTYPE  WEAK   DEFAULT  UND _ITM_registerTMCloneTable
    12: 00000000     0 FUNC    GLOBAL DEFAULT  UND strtol
    13: 00000000     0 FUNC    GLOBAL DEFAULT  UND getgrnam
    14: 00002008     0 NOTYPE  GLOBAL DEFAULT   23 _edata
    15: 0000200c     0 NOTYPE  GLOBAL DEFAULT   24 _end
    16: 0000097c     4 OBJECT  GLOBAL DEFAULT   15 _IO_stdin_used
    17: 00002008     0 NOTYPE  GLOBAL DEFAULT   24 __bss_start
    18: 00000610   323 FUNC    GLOBAL DEFAULT   13 main

Version symbols section '.gnu.version' contains 19 entries:
 Addr: 000000000000043c  Offset: 0x00043c  Link: 5 (.dynsym)
readelf: Error: Out of memory reading 2147483648 program headers
readelf: Warning: Cannot interpret virtual addresses without program headers.
  000:457f              464c               101                 1 (*global*)   
  004:   0 (*local*)       0 (*local*)       0 (*local*)       0 (*local*)    
  008:   3                 3                 1 (*global*)      0 (*local*)    
  00c: 753                 0 (*local*)      34                 0 (*local*)    
  010:110c                 0 (*local*)       0 (*local*)    

Version needs section '.gnu.version_r' contains 1 entries:
 Addr: 0x0000000000000464  Offset: 0x000464  Link: 6 (.dynstr)
  000000: Version: 1  File: libc.so.6  Cnt: 4
  0x0010:   Name: GLIBC_2.3.4  Flags: none  Version: 5
  0x0020:   Name: GLIBC_2.1.3  Flags: none  Version: 4
  0x0030:   Name: GLIBC_2.4  Flags: none  Version: 3
  0x0040:   Name: GLIBC_2.0  Flags: none  Version: 2

Displaying notes found at file offset 0x00000168 with length 0x00000020:
  Owner                 Data size	Description
  GNU                  0x00000010	NT_GNU_ABI_TAG (ABI version tag)
    OS: Linux, ABI: 2.6.32

Displaying notes found at file offset 0x00000188 with length 0x00000024:
  Owner                 Data size	Description
  GNU                  0x00000014	NT_GNU_BUILD_ID (unique build ID bitstring)
    Build ID: 877dd3f1ef18a2dc8185514f69586d496a1b187e

##########----------ReadElf Output----------##########
Comment 3 Alan Modra 2015-12-04 03:43:59 UTC
objdump -s /tmp/pr19323 
objdump: /tmp/pr19323: Memory exhausted

Hmm, I suppose your binutils is 32-bit, in which case trying to allocate 0x1000000000 bytes is the same as allocating 0 bytes, which would explain why you see a buffer overrun.
Comment 4 Alan Modra 2015-12-07 12:46:15 UTC
Fixed with commit c20f6f63.
Comment 5 Kushal Shah 2015-12-09 03:07:20 UTC
Hi Alan, 

I wanted to ask if you will be requesting a CVE-ID for this vulnerability.

Also, I wanted to ask if you could add the following information to the Changelog.

---------------------------------------------------------------------------
The vulnerability was discovered by Fortinet’s FortiGuard Labs.
---------------------------------------------------------------------------

Eagerly awaiting your reply.

Thanking You,

Yours Sincerely,
Kushal Arvind Shah.
Fortinet's FortiGuard Labs.
Comment 6 cvs-commit@gcc.gnu.org 2015-12-10 13:51:28 UTC
The binutils-2_26-branch branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=aa8b89e8ae35f71a94a1eaee0da939396d2f61d4

commit aa8b89e8ae35f71a94a1eaee0da939396d2f61d4
Author: Alan Modra <amodra@gmail.com>
Date:   Mon Dec 7 13:41:36 2015 +1030

    PR19323 memory allocation greater than 4G
    
    On 32-bit targets, memory requested for program/section headers on a
    fuzzed binary can wrap to 0.  A bfd_alloc of zero bytes actually
    returns a one byte allocation rather than a NULL pointer.  This then
    leads to buffer overflows.
    
    Making this check unconditional triggers an extremely annoying gcc-5
    warning.
    
    	PR 19323
    	* elfcode.h (elf_object_p): Check for ridiculous e_shnum and
    	e_phnum values.
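The failure mode Alan describes in Comment 3 and in the commit message above (a 32-bit size computation that wraps to 0, so bfd_alloc hands back a tiny block and the subsequent program header reads run off its end, exactly the "Invalid write" records Valgrind attributes to bfd_elf32_swap_phdr_in) can be reproduced in arithmetic alone. The following is an added example, not code from binutils or from anyone in this thread. It models the ELF32 header fields shown in the readelf dump (PN_XNUM in e_phnum, the real count 0x80000000 in section header 0's sh_info), shows the wrapped size a naive 32-bit multiply produces, and applies the overflow and file-bounds check a loader should perform before allocating. The struct and function names, and the sample file size, are this example's own assumptions.

```c
#include <stdint.h>
#include <stdio.h>

#define PN_XNUM 0xffffu   /* e_phnum value meaning "real count is in shdr[0].sh_info" */

/* The ELF32 header fields this check needs.  Declared locally (field names
   follow the ELF spec) so the example does not depend on <elf.h>. */
typedef struct {
    uint32_t e_phoff, e_shoff;
    uint16_t e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} ehdr_fields;

/* Section header 0; sh_info carries the program header count when PN_XNUM is set. */
typedef struct {
    uint32_t sh_size, sh_link, sh_info;
} shdr0_fields;

/* Resolve the real program header count.  This is why readelf printed
   "65535 (-2147483648)" for the PoC: e_phnum is PN_XNUM and sh_info is 2^31. */
static uint32_t real_phnum(const ehdr_fields *eh, const shdr0_fields *sh0)
{
    if (eh->e_phnum != PN_XNUM)
        return eh->e_phnum;
    return (eh->e_shnum != 0 && sh0 != NULL) ? sh0->sh_info : 0;
}

/* What a 32-bit bfd_size_type multiply yields: wraps modulo 2^32.
   2147483648 * 32 = 0x1000000000 becomes 0, and a zero-byte request is
   what the commit message says turned into a one-byte allocation. */
static uint32_t naive_size_32(uint32_t count, uint32_t entsize)
{
    return count * entsize;
}

/* Overflow-safe table size in 32-bit arithmetic; -1 means the multiply would wrap. */
static int64_t checked_size_32(uint32_t count, uint32_t entsize)
{
    if (entsize == 0 || count > UINT32_MAX / entsize)
        return -1;
    return (int64_t)count * entsize;
}

/* Reject a header count whose table cannot fit in the file at all, which is the
   spirit of the "ridiculous e_phnum" check named in the ChangeLog entry. */
static int phdr_table_fits(const ehdr_fields *eh, uint32_t count, uint64_t file_size)
{
    int64_t sz = checked_size_32(count, eh->e_phentsize);
    if (sz < 0)
        return 0;
    if (count == 0)
        return 1;
    if (eh->e_phoff >= file_size)
        return 0;
    return (uint64_t)sz <= file_size - eh->e_phoff;
}

/* Constructed sample mirroring the readelf dump in this report.  The file size
   is an assumption (just enough to hold the 27 section headers at e_shoff);
   this is not the attached PoC. */
static const ehdr_fields sample_ehdr = {
    .e_phoff = 52, .e_shoff = 4364, .e_phentsize = 32, .e_phnum = PN_XNUM,
    .e_shentsize = 40, .e_shnum = 27, .e_shstrndx = 26,
};
static const shdr0_fields sample_sh0 = { .sh_size = 0, .sh_link = 0, .sh_info = 0x80000000u };
#define SAMPLE_FILE_SIZE (4364u + 27u * 40u)

/* 1 when the sample is rejected before any allocation happens. */
static int sample_rejected(void)
{
    uint32_t n = real_phnum(&sample_ehdr, &sample_sh0);
    return !phdr_table_fits(&sample_ehdr, n, SAMPLE_FILE_SIZE);
}

int main(void)
{
    uint32_t n = real_phnum(&sample_ehdr, &sample_sh0);
    printf("program headers claimed : %u\n", (unsigned)n);
    printf("naive 32-bit table size : %u bytes\n",
           (unsigned)naive_size_32(n, sample_ehdr.e_phentsize));
    printf("checked table size      : %lld\n",
           (long long)checked_size_32(n, sample_ehdr.e_phentsize));
    printf("rejected before alloc   : %s\n", sample_rejected() ? "yes" : "no");
    return 0;
}
```

On a 64-bit build the same multiply does not wrap and the allocation simply fails with "Memory exhausted", which is the behaviour Alan saw; the check above makes both builds reject the file at the same point, before any header is read into memory.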
Comment 7 Kushal Shah 2016-03-18 18:51:17 UTC
Hi Alan, 

I wanted to ask if you could add the following information to the Changelog to credit us for the discovery.

---------------------------------------------------------------------------
The vulnerability was discovered by Kushal Arvind Shah of Fortinet’s FortiGuard Labs.
---------------------------------------------------------------------------

Eagerly awaiting your reply.

Thanking You,

Yours Sincerely,
Kushal Arvind Shah.
Fortinet's FortiGuard Labs.
Comment 8 Alan Modra 2016-03-19 01:08:37 UTC
No, sorry.  Advertising doesn't go in ChangeLogs.  If you submitted a patch on the mailing list for a problem, then you could say how the problem was discovered.  Many more people read the mailing list than look at bugzilla.