Bug 21432 - heap buffer overflow in objdump
Summary: heap buffer overflow in objdump
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils (show other bugs)
Version: 2.28
: P2 normal
Target Milestone: 2.29
Assignee: Alan Modra
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-04-26 11:04 UTC by Manh-Dung Nguyen
Modified: 2017-05-02 01:39 UTC (History)
2 users (show)

See Also:
Host:
Target:
Build:
Last reconfirmed: 2017-04-29 00:00:00


Attachments
Input (1.26 KB, application/x-object)
2017-04-26 11:04 UTC, Manh-Dung Nguyen
Details
Another input (1.33 KB, application/x-object)
2017-04-26 11:04 UTC, Manh-Dung Nguyen
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Manh-Dung Nguyen 2017-04-26 11:04:01 UTC
Created attachment 10019 [details]
Input

Dear All,

This bug was found with AFLGo, a directed version of AFL/AFLFast. Thanks also to Marcel Böhme and Van-Thuan Pham.

This bug was found on Ubuntu 14.04 64-bit & binutils was checked out from main repository at git://sourceware.org/git/binutils-gdb.git. Its commit is a49abe0bb18e04d3a4b692995fcfae70cd470775 (Tue Apr 25 00:00:36 2017).

binutils was built with ASAN using gcc-6.2 and clang-3.4. The configure command was:

CC=clang CFLAGS="-DFORTIFY_SOURCE=2 -fstack-protector-all -fsanitize=undefined,address -fno-omit-frame-pointer -g -Wno-error" ../configure --disable-shared --disable-gdb --disable-libdecnumber --disable-readline --disable-sim

To reproduce:
Download the attached file - bug_4
objdump -W bug_4

ASAN says:
==163720==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000009dbf at pc 0x000000799d7b bp 0x7ffebf6eced0 sp 0x7ffebf6ecec8
READ of size 1 at 0x611000009dbf thread T0
    #0 0x799d7a in bfd_getl64 /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/libbfd.c:615:8
    #1 0x1114dbd in bfd_perform_relocation /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/reloc.c:930:14
    #2 0x1120f83 in bfd_generic_get_relocated_section_contents /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/reloc.c:8170:10
    #3 0x763254 in bfd_get_relocated_section_contents /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/bfd.c:1624:10
    #4 0x7b8969 in bfd_simple_get_relocated_section_contents /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/simple.c:264:14
    #5 0x4f51b4 in load_specific_debug_section /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/../../binutils/objdump.c:2482:13
    #6 0x508341 in dump_dwarf_section /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/../../binutils/objdump.c:2620:6
    #7 0x7b437c in bfd_map_over_sections /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/section.c:1395:5
    #8 0x500415 in dump_dwarf /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/../../binutils/objdump.c:2689:3
    #9 0x4fac4b in dump_bfd /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/../../binutils/objdump.c:3527:5
    #10 0x4f9d41 in display_object_bfd /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/../../binutils/objdump.c:3594:7
    #11 0x4f9c1a in display_any_bfd /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/../../binutils/objdump.c:3683:5
    #12 0x4f91f7 in display_file /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/../../binutils/objdump.c:3704:3
    #13 0x4f8344 in main /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/../../binutils/objdump.c:4006:6
    #14 0x7f127f37df44 in __libc_start_main /build/eglibc-MjiXCM/eglibc-2.19/csu/libc-start.c:287
    #15 0x41b5f5 in _start (/home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/objdump+0x41b5f5)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/libbfd.c:615:8 in bfd_getl64

VALGRIND says:
==185416== Invalid read of size 1
==185416==    at 0x44CE25: bfd_getl64 (libbfd.c:615)
==185416==    by 0x4D1C9D: bfd_perform_relocation (reloc.c:930)
==185416==    by 0x4D29AA: bfd_generic_get_relocated_section_contents (reloc.c:8170)
==185416==    by 0x44FDCB: bfd_simple_get_relocated_section_contents (simple.c:264)
==185416==    by 0x40AD53: load_specific_debug_section (objdump.c:2482)
==185416==    by 0x40AF58: dump_dwarf_section (objdump.c:2620)
==185416==    by 0x44F7FB: bfd_map_over_sections (section.c:1395)
==185416==    by 0x406E13: dump_dwarf (objdump.c:2689)
==185416==    by 0x40812D: dump_bfd (objdump.c:3527)
==185416==    by 0x4089BF: display_object_bfd (objdump.c:3594)
==185416==    by 0x4089BF: display_any_bfd (objdump.c:3683)
==185416==    by 0x40ABC3: display_file (objdump.c:3704)
==185416==    by 0x404CDD: main (objdump.c:4006)
==185416==  Address 0x5411bef is 1 bytes before a block of size 220 alloc'd
==185416==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==185416==    by 0x44C9FD: bfd_malloc (libbfd.c:184)
==185416==    by 0x44AD97: bfd_get_full_section_contents (compress.c:248)
==185416==    by 0x40AD15: load_specific_debug_section (objdump.c:2468)
==185416==    by 0x40AF58: dump_dwarf_section (objdump.c:2620)
==185416==    by 0x44F7FB: bfd_map_over_sections (section.c:1395)
==185416==    by 0x406E13: dump_dwarf (objdump.c:2689)
==185416==    by 0x40812D: dump_bfd (objdump.c:3527)
==185416==    by 0x4089BF: display_object_bfd (objdump.c:3594)
==185416==    by 0x4089BF: display_any_bfd (objdump.c:3683)
==185416==    by 0x40ABC3: display_file (objdump.c:3704)
==185416==    by 0x404CDD: main (objdump.c:4006)
Comment 1 Manh-Dung Nguyen 2017-04-26 11:04:43 UTC
Created attachment 10020 [details]
Another input
Comment 2 cvs-commit@gcc.gnu.org 2017-04-29 09:42:02 UTC
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=a941291cab71b9ac356e1c03968c177c03e602ab

commit a941291cab71b9ac356e1c03968c177c03e602ab
Author: Alan Modra <amodra@gmail.com>
Date:   Sat Apr 29 14:48:16 2017 +0930

    PR21432, buffer overflow in perform_relocation
    
    The existing reloc offset range tests didn't catch small negative
    offsets less than the size of the reloc field.
    
    	PR 21432
    	* reloc.c (reloc_offset_in_range): New function.
    	(bfd_perform_relocation, bfd_install_relocation): Use it.
    	(_bfd_final_link_relocate): Likewise.
Comment 3 Alan Modra 2017-04-29 10:30:33 UTC
Fixed
Comment 4 Manh-Dung Nguyen 2017-05-02 01:39:35 UTC
Thanks Alan Modra. This is CVE-2017-8396.