Created attachment 10024 [details] Input with objdump Dear All, This bug was found with AFLGo, a directed version of AFL/AFLFast. Thanks also to Marcel Böhme and Van-Thuan Pham. This bug was found on Ubuntu 14.04 64-bit & binutils was checked out from main repository at git://sourceware.org/git/binutils-gdb.git. Its commit is a49abe0bb18e04d3a4b692995fcfae70cd470775 (Tue Apr 25 00:00:36 2017). binutils was built with ASAN using gcc-6.2 and clang-3.4. The configure command was: CC=clang CFLAGS="-DFORTIFY_SOURCE=2 -fstack-protector-all -fsanitize=undefined,address -fno-omit-frame-pointer -g -Wno-error" ../configure --disable-shared --disable-gdb --disable-libdecnumber --disable-readline --disable-sim To reproduce: Download the attached file - bug_3 objdump -W bug_3 ASAN says: ==4884==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60800000befd at pc 0x000000491c12 bp 0x7ffc7763a5e0 sp 0x7ffc77639d90 READ of size 1 at 0x60800000befd thread T0 #0 0x491c11 in printf_common(void*, char const*, __va_list_tag*) (/home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/objdump+0x491c11) #1 0x4919d0 in printf_common(void*, char const*, __va_list_tag*) (/home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/objdump+0x4919d0) #2 0x4927da in __interceptor_vprintf (/home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/objdump+0x4927da) #3 0x492897 in __interceptor_printf (/home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/objdump+0x492897) #4 0x59dacc in process_extended_line_op /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/../../binutils/dwarf.c:483:7 #5 0x58d39c in display_debug_lines_raw /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/../../binutils/dwarf.c:3324:18 #6 0x55692e in display_debug_lines /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/../../binutils/dwarf.c:4190:17 #7 0x50844f in dump_dwarf_section /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/../../binutils/objdump.c:2623:6 #8 0x7b437c in bfd_map_over_sections /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/section.c:1395:5 #9 0x500415 in dump_dwarf /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/../../binutils/objdump.c:2689:3 #10 0x4fac4b in dump_bfd /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/../../binutils/objdump.c:3527:5 #11 0x4f9d41 in display_object_bfd /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/../../binutils/objdump.c:3594:7 #12 0x4f9c1a in display_any_bfd /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/../../binutils/objdump.c:3683:5 #13 0x4f91f7 in display_file /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/../../binutils/objdump.c:3704:3 #14 0x4f8344 in main /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/../../binutils/objdump.c:4006:6 #15 0x7f34db2b8f44 in __libc_start_main /build/eglibc-MjiXCM/eglibc-2.19/csu/libc-start.c:287 #16 0x41b5f5 in _start (/home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/objdump+0x41b5f5) SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/objdump+0x491c11) in printf_common(void*, char const*, __va_list_tag*) VALGRIND says: ==152201== Invalid read of size 1 ==152201== at 0x5086943: vfprintf (vfprintf.c:1661) ==152201== by 0x5147B27: __printf_chk (printf_chk.c:35) ==152201== by 0x417DB1: printf (stdio2.h:104) ==152201== by 0x417DB1: process_extended_line_op (dwarf.c:483) ==152201== by 0x417DB1: display_debug_lines_raw (dwarf.c:3324) ==152201== by 0x417DB1: display_debug_lines (dwarf.c:4190) ==152201== by 0x40AF71: dump_dwarf_section (objdump.c:2623) ==152201== by 0x44F7FB: bfd_map_over_sections (section.c:1395) ==152201== by 0x406E13: dump_dwarf (objdump.c:2689) ==152201== by 0x40812D: dump_bfd (objdump.c:3527) ==152201== by 0x4089BF: display_object_bfd (objdump.c:3594) ==152201== by 0x4089BF: display_any_bfd (objdump.c:3683) ==152201== by 0x40ABC3: display_file (objdump.c:3704) ==152201== by 0x404CDD: main (objdump.c:4006) ==152201== Address 0x5410edd is 0 bytes after a block of size 93 alloc'd ==152201== at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==152201== by 0x44C9FD: bfd_malloc (libbfd.c:184) ==152201== by 0x44AD97: bfd_get_full_section_contents (compress.c:248) ==152201== by 0x40AD15: load_specific_debug_section (objdump.c:2468) ==152201== by 0x40AF58: dump_dwarf_section (objdump.c:2620) ==152201== by 0x44F7FB: bfd_map_over_sections (section.c:1395) ==152201== by 0x406E13: dump_dwarf (objdump.c:2689) ==152201== by 0x40812D: dump_bfd (objdump.c:3527) ==152201== by 0x4089BF: display_object_bfd (objdump.c:3594) ==152201== by 0x4089BF: display_any_bfd (objdump.c:3683) ==152201== by 0x40ABC3: display_file (objdump.c:3704) ==152201== by 0x404CDD: main (objdump.c:4006)
Created attachment 10025 [details] Another input with objdump
Created attachment 10026 [details] Another input with objdump
Created attachment 10027 [details] Another input with readelf. To reproduce: readelf -w bug_9
The master branch has been updated by Nick Clifton <nickc@sourceware.org>: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d949ff5607b9f595e0eed2ff15fbe5eb84eb3a34 commit d949ff5607b9f595e0eed2ff15fbe5eb84eb3a34 Author: Nick Clifton <nickc@redhat.com> Date: Fri Apr 28 10:28:04 2017 +0100 Fix heap-buffer overflow bugs caused when dumping debug information from a corrupt binary. PR binutils/21438 * dwarf.c (process_extended_line_op): Do not assume that the string extracted from the section is NUL terminated. (fetch_indirect_string): If the string retrieved from the section is not NUL terminated, return an error message. (fetch_indirect_line_string): Likewise. (fetch_indexed_string): Likewise.
Hi Mahn-Dung, Thanks for reporting these bugs. I have checked in a patch to the dwarf library used by both readelf and objdump that should fix all of these problems. Cheers Nick
Thanks Nick. This is CVE-2017-8398.