Bug 21438 - heap buffer overflow in printf_common
Summary: heap buffer overflow in printf_common
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils (show other bugs)
Version: 2.28
: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-04-27 02:26 UTC by Manh-Dung Nguyen
Modified: 2017-05-02 01:41 UTC (History)
1 user (show)

See Also:
Host:
Target:
Build:
Last reconfirmed:

Attachments
Input with objdump (711 bytes, application/x-object)
2017-04-27 02:26 UTC, Manh-Dung Nguyen 		Details
Another input with objdump (1.30 KB, application/x-object)
2017-04-27 02:28 UTC, Manh-Dung Nguyen 		Details
Another input with objdump (561 bytes, application/x-archive)
2017-04-27 02:28 UTC, Manh-Dung Nguyen 		Details
Another input with readelf. To reproduce: readelf -w bug_9 (857 bytes, application/x-object)
2017-04-27 02:30 UTC, Manh-Dung Nguyen 		Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Manh-Dung Nguyen 2017-04-27 02:26:42 UTC 
Created attachment 10024 [details]
Input with objdump

Dear All,

This bug was found with AFLGo, a directed version of AFL/AFLFast. Thanks also to Marcel Böhme and Van-Thuan Pham.

This bug was found on Ubuntu 14.04 64-bit & binutils was checked out from main repository at git://sourceware.org/git/binutils-gdb.git. Its commit is a49abe0bb18e04d3a4b692995fcfae70cd470775 (Tue Apr 25 00:00:36 2017).

binutils was built with ASAN using gcc-6.2 and clang-3.4. The configure command was:

CC=clang CFLAGS="-DFORTIFY_SOURCE=2 -fstack-protector-all -fsanitize=undefined,address -fno-omit-frame-pointer -g -Wno-error" ../configure --disable-shared --disable-gdb --disable-libdecnumber --disable-readline --disable-sim

To reproduce:
Download the attached file - bug_3
objdump -W bug_3

ASAN says:
==4884==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60800000befd at pc 0x000000491c12 bp 0x7ffc7763a5e0 sp 0x7ffc77639d90
READ of size 1 at 0x60800000befd thread T0
    #0 0x491c11 in printf_common(void*, char const*, __va_list_tag*) (/home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/objdump+0x491c11)
    #1 0x4919d0 in printf_common(void*, char const*, __va_list_tag*) (/home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/objdump+0x4919d0)
    #2 0x4927da in __interceptor_vprintf (/home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/objdump+0x4927da)
    #3 0x492897 in __interceptor_printf (/home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/objdump+0x492897)
    #4 0x59dacc in process_extended_line_op /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/../../binutils/dwarf.c:483:7
    #5 0x58d39c in display_debug_lines_raw /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/../../binutils/dwarf.c:3324:18
    #6 0x55692e in display_debug_lines /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/../../binutils/dwarf.c:4190:17
    #7 0x50844f in dump_dwarf_section /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/../../binutils/objdump.c:2623:6
    #8 0x7b437c in bfd_map_over_sections /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/section.c:1395:5
    #9 0x500415 in dump_dwarf /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/../../binutils/objdump.c:2689:3
    #10 0x4fac4b in dump_bfd /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/../../binutils/objdump.c:3527:5
    #11 0x4f9d41 in display_object_bfd /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/../../binutils/objdump.c:3594:7
    #12 0x4f9c1a in display_any_bfd /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/../../binutils/objdump.c:3683:5
    #13 0x4f91f7 in display_file /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/../../binutils/objdump.c:3704:3
    #14 0x4f8344 in main /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/../../binutils/objdump.c:4006:6
    #15 0x7f34db2b8f44 in __libc_start_main /build/eglibc-MjiXCM/eglibc-2.19/csu/libc-start.c:287
    #16 0x41b5f5 in _start (/home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/objdump+0x41b5f5)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/objdump+0x491c11) in printf_common(void*, char const*, __va_list_tag*)

VALGRIND says:
==152201== Invalid read of size 1
==152201==    at 0x5086943: vfprintf (vfprintf.c:1661)
==152201==    by 0x5147B27: __printf_chk (printf_chk.c:35)
==152201==    by 0x417DB1: printf (stdio2.h:104)
==152201==    by 0x417DB1: process_extended_line_op (dwarf.c:483)
==152201==    by 0x417DB1: display_debug_lines_raw (dwarf.c:3324)
==152201==    by 0x417DB1: display_debug_lines (dwarf.c:4190)
==152201==    by 0x40AF71: dump_dwarf_section (objdump.c:2623)
==152201==    by 0x44F7FB: bfd_map_over_sections (section.c:1395)
==152201==    by 0x406E13: dump_dwarf (objdump.c:2689)
==152201==    by 0x40812D: dump_bfd (objdump.c:3527)
==152201==    by 0x4089BF: display_object_bfd (objdump.c:3594)
==152201==    by 0x4089BF: display_any_bfd (objdump.c:3683)
==152201==    by 0x40ABC3: display_file (objdump.c:3704)
==152201==    by 0x404CDD: main (objdump.c:4006)
==152201==  Address 0x5410edd is 0 bytes after a block of size 93 alloc'd
==152201==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==152201==    by 0x44C9FD: bfd_malloc (libbfd.c:184)
==152201==    by 0x44AD97: bfd_get_full_section_contents (compress.c:248)
==152201==    by 0x40AD15: load_specific_debug_section (objdump.c:2468)
==152201==    by 0x40AF58: dump_dwarf_section (objdump.c:2620)
==152201==    by 0x44F7FB: bfd_map_over_sections (section.c:1395)
==152201==    by 0x406E13: dump_dwarf (objdump.c:2689)
==152201==    by 0x40812D: dump_bfd (objdump.c:3527)
==152201==    by 0x4089BF: display_object_bfd (objdump.c:3594)
==152201==    by 0x4089BF: display_any_bfd (objdump.c:3683)
==152201==    by 0x40ABC3: display_file (objdump.c:3704)
==152201==    by 0x404CDD: main (objdump.c:4006)
Comment 1 Manh-Dung Nguyen 2017-04-27 02:28:05 UTC 
Created attachment 10025 [details]
Another input with objdump
Comment 2 Manh-Dung Nguyen 2017-04-27 02:28:51 UTC 
Created attachment 10026 [details]
Another input with objdump
Comment 3 Manh-Dung Nguyen 2017-04-27 02:30:20 UTC 
Created attachment 10027 [details]
Another input with readelf. To reproduce: readelf -w bug_9
Comment 4 Sourceware Commits 2017-04-28 09:29:21 UTC 
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d949ff5607b9f595e0eed2ff15fbe5eb84eb3a34

commit d949ff5607b9f595e0eed2ff15fbe5eb84eb3a34
Author: Nick Clifton <nickc@redhat.com>
Date:   Fri Apr 28 10:28:04 2017 +0100

    Fix heap-buffer overflow bugs caused when dumping debug information from a corrupt binary.
    
    	PR binutils/21438
    	* dwarf.c (process_extended_line_op): Do not assume that the
    	string extracted from the section is NUL terminated.
    	(fetch_indirect_string): If the string retrieved from the section
    	is not NUL terminated, return an error message.
    	(fetch_indirect_line_string): Likewise.
    	(fetch_indexed_string): Likewise.
Comment 5 Nick Clifton 2017-04-28 09:49:50 UTC 
Hi Mahn-Dung,

  Thanks for reporting these bugs.  I have checked in a patch to the dwarf library used by both readelf and objdump that should fix all of these problems.

Cheers
  Nick
Comment 6 Manh-Dung Nguyen 2017-05-02 01:41:15 UTC 
Thanks Nick. This is CVE-2017-8398.