Created attachment 10330
heapbuffuerflow-objdimp

=================================================================
==26165==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb5e006cf at pc 0x83c5e28 bp 0xbfd91768 sp 0xbfd9175c
WRITE of size 1 at 0xb5e006cf thread T0
    #0 0x83c5e27 in elf_read_notes /home/hjy/Desktop/binutils-2.29/bfd/elf.c:10991
    #1 0x83c5e27 in bfd_section_from_phdr /home/hjy/Desktop/binutils-2.29/bfd/elf.c:2983
    #2 0x838d742 in bfd_elf32_core_file_p /home/hjy/Desktop/binutils-2.29/bfd/elfcore.h:277
    #3 0x82bd375 in bfd_check_format_matches /home/hjy/Desktop/binutils-2.29/bfd/format.c:311
    #4 0x806e19b in display_object_bfd objdump.c:3621
    #5 0x806e19b in display_any_bfd objdump.c:3692
    #6 0x805837d in display_file objdump.c:3713
    #7 0x805837d in main objdump.c:4015
    #8 0xb712da82 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x19a82)
    #9 0x805af8f (/usr/local/bin/objdump+0x805af8f)

0xb5e006cf is located 1 bytes to the left of 1-byte region [0xb5e006d0,0xb5e006d1)
allocated by thread T0 here:
    #0 0xb731788a in __interceptor_malloc (/usr/lib/i386-linux-gnu/libasan.so.1+0x4e88a)
    #1 0x82c87c6 in bfd_malloc /home/hjy/Desktop/binutils-2.29/bfd/libbfd.c:193
    #2 0x83c5d0b in elf_read_notes /home/hjy/Desktop/binutils-2.29/bfd/elf.c:10985
    #3 0x83c5d0b in bfd_section_from_phdr /home/hjy/Desktop/binutils-2.29/bfd/elf.c:2983
    #4 0x838d742 in bfd_elf32_core_file_p /home/hjy/Desktop/binutils-2.29/bfd/elfcore.h:277
    #5 0x82bd375 in bfd_check_format_matches /home/hjy/Desktop/binutils-2.29/bfd/format.c:311
    #6 0x806e19b in display_object_bfd objdump.c:3621
    #7 0x806e19b in display_any_bfd objdump.c:3692
    #8 0x805837d in display_file objdump.c:3713
    #9 0x805837d in main objdump.c:4015
    #10 0xb712da82 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x19a82)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/hjy/Desktop/binutils-2.29/bfd/elf.c:10991 elf_read_notes
Shadow bytes around the buggy address:
  0x36bc0080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36bc0090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36bc00a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36bc00b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36bc00c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x36bc00d0: fa fa fa fa fa fa fa fa fa[fa]01 fa fa fa 00 04
  0x36bc00e0: fa fa 00 04 fa fa 00 00 fa fa 00 01 fa fa 00 04
  0x36bc00f0: fa fa 00 04 fa fa 00 04 fa fa 00 00 fa fa fd fa
  0x36bc0100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36bc0110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36bc0120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==26165==ABORTING
Hi Zhihua,

I am sorry, but I am unable to reproduce this failure. Please could you tell us:

1. The command line used when you configured the binutils.
2. The objdump command line used to trigger the failure.
3. Which binutils sources were you using? Specifically, were you using the 2.29 branch sources, the 2.29 release sources in the tarball, or the mainline development sources?

Thanks very much.

Cheers
Nick
My configure:

CC="afl-gcc" CFLAGS="-g -ggdb -fno-omit-frame-pointer -fsanitize=address" ./configure --disable-shared

The command to trigger the vulnerability is "objdump -S heapbufferflow-objdump".

My binutils is downloaded from here: http://ftp.gnu.org/gnu/binutils/binutils-2.29.tar.xz

The most important thing is that my platform is Ubuntu x86.
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=957e1fc1c5d0262e4b2f764cf031ad1458446498

commit 957e1fc1c5d0262e4b2f764cf031ad1458446498
Author: Nick Clifton <nickc@redhat.com>
Date:   Thu Aug 10 09:37:36 2017 +0100

    Fix out of bounds memory access when trying to allocate space for a note of size -1.

    PR 21933
    * elf.c (elf_read_notes): Check for a note size of -1.
Hi Zhihua,

Thanks for the extra information - with that I was able to reproduce the bug and I have now checked in a fix.

Cheers
Nick
This vulnerability has been applied for CVE-2017-10799, discovered by zhihua.yao@dbappsecurity.com.cn
The binutils-2_29-branch branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=30326b094b8fc2594c76cf4beab70965afa7a111

commit 30326b094b8fc2594c76cf4beab70965afa7a111
Author: Nick Clifton <nickc@redhat.com>
Date:   Fri Sep 1 10:17:00 2017 +0100

    Check for an invalid note size when parsing ELF notes.

    PR 21933
    PR 22060
    * elf.c (elf_read_notes): Check for a note size of -1.
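
The size check named in the two commit messages, sketched as an added example (not binutils code and not part of the original thread). The helper `read_note_checked`, its status codes and the sample bytes are hypothetical; it assumes the note is copied into a buffer of `size + 1` bytes and NUL-terminated at `buf[size]`, so a size of -1 in an unsigned type would wrap the allocation to 0 bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

enum note_status { NOTE_OK = 0, NOTE_EMPTY, NOTE_BAD_SIZE, NOTE_TRUNCATED, NOTE_NOMEM };

/* Hypothetical helper: copy `size` bytes of note data found at `offset` in
   an in-memory file image into a fresh NUL-terminated buffer.  `offset` and
   `size` are taken from untrusted headers. */
static enum note_status
read_note_checked(const unsigned char *file, size_t file_len,
                  size_t offset, size_t size, char **out)
{
    *out = NULL;
    if (size == 0)
        return NOTE_EMPTY;
    /* size == (size_t)-1: size + 1 wraps to 0, so the allocation would be
       minimal and the terminator write at buf[size] would fall outside it. */
    if (size == SIZE_MAX)
        return NOTE_BAD_SIZE;
    /* The note must lie inside the file; phrased so offset + size is never
       computed and cannot overflow. */
    if (offset > file_len || size > file_len - offset)
        return NOTE_TRUNCATED;
    char *buf = malloc(size + 1);
    if (buf == NULL)
        return NOTE_NOMEM;
    memcpy(buf, file + offset, size);
    buf[size] = '\0';   /* in bounds: the allocation is size + 1 bytes */
    *out = buf;
    return NOTE_OK;
}

/* Constructed sample input: an 8-byte "file" holding note bytes. */
static const unsigned char sample_file[8] = { 'C', 'O', 'R', 'E', 1, 2, 3, 4 };

int main(void)
{
    char *note;
    /* A header claiming a note size of -1 is rejected before any allocation. */
    enum note_status st =
        read_note_checked(sample_file, sizeof sample_file, 0, (size_t)-1, &note);
    return st == NOTE_BAD_SIZE ? 0 : 1;
}
```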