Bug 21438 - heap buffer overflow in printf_common
Summary: heap buffer overflow in printf_common
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils (show other bugs)
Version: 2.28
: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-04-27 02:26 UTC by Manh-Dung Nguyen
Modified: 2017-05-02 01:41 UTC (History)
1 user (show)

See Also:
Host:
Target:
Build:
Last reconfirmed:


Attachments
Input with objdump (711 bytes, application/x-object)
2017-04-27 02:26 UTC, Manh-Dung Nguyen
Details
Another input with objdump (1.30 KB, application/x-object)
2017-04-27 02:28 UTC, Manh-Dung Nguyen
Details
Another input with objdump (561 bytes, application/x-archive)
2017-04-27 02:28 UTC, Manh-Dung Nguyen
Details
Another input with readelf. To reproduce: readelf -w bug_9 (857 bytes, application/x-object)
2017-04-27 02:30 UTC, Manh-Dung Nguyen
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Manh-Dung Nguyen 2017-04-27 02:26:42 UTC
Created attachment 10024 [details]
Input with objdump

Dear All,

This bug was found with AFLGo, a directed version of AFL/AFLFast. Thanks also to Marcel Böhme and Van-Thuan Pham.

This bug was found on Ubuntu 14.04 64-bit & binutils was checked out from main repository at git://sourceware.org/git/binutils-gdb.git. Its commit is a49abe0bb18e04d3a4b692995fcfae70cd470775 (Tue Apr 25 00:00:36 2017).

binutils was built with ASAN using gcc-6.2 and clang-3.4. The configure command was:

CC=clang CFLAGS="-DFORTIFY_SOURCE=2 -fstack-protector-all -fsanitize=undefined,address -fno-omit-frame-pointer -g -Wno-error" ../configure --disable-shared --disable-gdb --disable-libdecnumber --disable-readline --disable-sim

To reproduce:
Download the attached file - bug_3
objdump -W bug_3

ASAN says:
==4884==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60800000befd at pc 0x000000491c12 bp 0x7ffc7763a5e0 sp 0x7ffc77639d90
READ of size 1 at 0x60800000befd thread T0
    #0 0x491c11 in printf_common(void*, char const*, __va_list_tag*) (/home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/objdump+0x491c11)
    #1 0x4919d0 in printf_common(void*, char const*, __va_list_tag*) (/home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/objdump+0x4919d0)
    #2 0x4927da in __interceptor_vprintf (/home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/objdump+0x4927da)
    #3 0x492897 in __interceptor_printf (/home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/objdump+0x492897)
    #4 0x59dacc in process_extended_line_op /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/../../binutils/dwarf.c:483:7
    #5 0x58d39c in display_debug_lines_raw /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/../../binutils/dwarf.c:3324:18
    #6 0x55692e in display_debug_lines /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/../../binutils/dwarf.c:4190:17
    #7 0x50844f in dump_dwarf_section /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/../../binutils/objdump.c:2623:6
    #8 0x7b437c in bfd_map_over_sections /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/section.c:1395:5
    #9 0x500415 in dump_dwarf /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/../../binutils/objdump.c:2689:3
    #10 0x4fac4b in dump_bfd /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/../../binutils/objdump.c:3527:5
    #11 0x4f9d41 in display_object_bfd /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/../../binutils/objdump.c:3594:7
    #12 0x4f9c1a in display_any_bfd /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/../../binutils/objdump.c:3683:5
    #13 0x4f91f7 in display_file /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/../../binutils/objdump.c:3704:3
    #14 0x4f8344 in main /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/../../binutils/objdump.c:4006:6
    #15 0x7f34db2b8f44 in __libc_start_main /build/eglibc-MjiXCM/eglibc-2.19/csu/libc-start.c:287
    #16 0x41b5f5 in _start (/home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/objdump+0x41b5f5)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/objdump+0x491c11) in printf_common(void*, char const*, __va_list_tag*)

VALGRIND says:
==152201== Invalid read of size 1
==152201==    at 0x5086943: vfprintf (vfprintf.c:1661)
==152201==    by 0x5147B27: __printf_chk (printf_chk.c:35)
==152201==    by 0x417DB1: printf (stdio2.h:104)
==152201==    by 0x417DB1: process_extended_line_op (dwarf.c:483)
==152201==    by 0x417DB1: display_debug_lines_raw (dwarf.c:3324)
==152201==    by 0x417DB1: display_debug_lines (dwarf.c:4190)
==152201==    by 0x40AF71: dump_dwarf_section (objdump.c:2623)
==152201==    by 0x44F7FB: bfd_map_over_sections (section.c:1395)
==152201==    by 0x406E13: dump_dwarf (objdump.c:2689)
==152201==    by 0x40812D: dump_bfd (objdump.c:3527)
==152201==    by 0x4089BF: display_object_bfd (objdump.c:3594)
==152201==    by 0x4089BF: display_any_bfd (objdump.c:3683)
==152201==    by 0x40ABC3: display_file (objdump.c:3704)
==152201==    by 0x404CDD: main (objdump.c:4006)
==152201==  Address 0x5410edd is 0 bytes after a block of size 93 alloc'd
==152201==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==152201==    by 0x44C9FD: bfd_malloc (libbfd.c:184)
==152201==    by 0x44AD97: bfd_get_full_section_contents (compress.c:248)
==152201==    by 0x40AD15: load_specific_debug_section (objdump.c:2468)
==152201==    by 0x40AF58: dump_dwarf_section (objdump.c:2620)
==152201==    by 0x44F7FB: bfd_map_over_sections (section.c:1395)
==152201==    by 0x406E13: dump_dwarf (objdump.c:2689)
==152201==    by 0x40812D: dump_bfd (objdump.c:3527)
==152201==    by 0x4089BF: display_object_bfd (objdump.c:3594)
==152201==    by 0x4089BF: display_any_bfd (objdump.c:3683)
==152201==    by 0x40ABC3: display_file (objdump.c:3704)
==152201==    by 0x404CDD: main (objdump.c:4006)
Comment 1 Manh-Dung Nguyen 2017-04-27 02:28:05 UTC
Created attachment 10025 [details]
Another input with objdump
Comment 2 Manh-Dung Nguyen 2017-04-27 02:28:51 UTC
Created attachment 10026 [details]
Another input with objdump
Comment 3 Manh-Dung Nguyen 2017-04-27 02:30:20 UTC
Created attachment 10027 [details]
Another input with readelf. To reproduce: readelf -w bug_9
Comment 4 Sourceware Commits 2017-04-28 09:29:21 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d949ff5607b9f595e0eed2ff15fbe5eb84eb3a34

commit d949ff5607b9f595e0eed2ff15fbe5eb84eb3a34
Author: Nick Clifton <nickc@redhat.com>
Date:   Fri Apr 28 10:28:04 2017 +0100

    Fix heap-buffer overflow bugs caused when dumping debug information from a corrupt binary.
    
    	PR binutils/21438
    	* dwarf.c (process_extended_line_op): Do not assume that the
    	string extracted from the section is NUL terminated.
    	(fetch_indirect_string): If the string retrieved from the section
    	is not NUL terminated, return an error message.
    	(fetch_indirect_line_string): Likewise.
    	(fetch_indexed_string): Likewise.
Comment 5 Nick Clifton 2017-04-28 09:49:50 UTC
Hi Mahn-Dung,

  Thanks for reporting these bugs.  I have checked in a patch to the dwarf library used by both readelf and objdump that should fix all of these problems.

Cheers
  Nick
Comment 6 Manh-Dung Nguyen 2017-05-02 01:41:15 UTC
Thanks Nick. This is CVE-2017-8398.