Created attachment 10374
POC to trigger heap out of bounds read (objdump)

After some fuzz testing I found a crashing test case.

Version: 2.29
Command: objdump -x -Wl -R -SD objdump_hoobr_elf_i386_get_synthetic_symtab

ASAN Context:

==12394==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000f1 at pc 0x000000433332 bp 0x7ffda722aff0 sp 0x7ffda722a780
READ of size 2 at 0x6020000000f1 thread T0
    #0 0x433331 in __interceptor_memcmp /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:690:7
    #1 0x7d6af6 in elf_i386_get_synthetic_symtab XYZ/binutils-2.29/bfd/elf32-i386.c:6393:8
    #2 0x4f2875 in dump_bfd XYZ/binutils-2.29/binutils/./objdump.c:3525:20
    #3 0x4f0fc0 in display_any_bfd XYZ/binutils-2.29/binutils/./objdump.c
    #4 0x4f012a in display_file XYZ/binutils-2.29/binutils/./objdump.c:3713:3
    #5 0x4f012a in main XYZ/binutils-2.29/binutils/./objdump.c:4015
    #6 0x7fb6d9c3482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #7 0x41a518 in _start (XYZ/binutils-2.29/binutils/objdump+0x41a518)

0x6020000000f1 is located 0 bytes to the right of 1-byte region [0x6020000000f0,0x6020000000f1)
allocated by thread T0 here:
    #0 0x4c121c in malloc /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66:3
    #1 0x662bb3 in bfd_malloc XYZ/binutils-2.29/bfd/libbfd.c:193:9
    #2 0x4f2875 in dump_bfd XYZ/binutils-2.29/binutils/./objdump.c:3525:20
    #3 0x4f0fc0 in display_any_bfd XYZ/binutils-2.29/binutils/./objdump.c
    #4 0x4f012a in display_file XYZ/binutils-2.29/binutils/./objdump.c:3713:3
    #5 0x4f012a in main XYZ/binutils-2.29/binutils/./objdump.c:4015
    #6 0x7fb6d9c3482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:690:7 in __interceptor_memcmp
Shadow bytes around the buggy address:
  0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff8000: fa fa fd fa fa fa 00 04 fa fa 00 04 fa fa 00 04
=>0x0c047fff8010: fa fa 00 01 fa fa 00 fa fa fa 00 fa fa fa[01]fa
  0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==12394==ABORTING
The master branch has been updated by H.J. Lu <hjl@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=90efb6422939ca031804266fba669f77c22a274a

commit 90efb6422939ca031804266fba669f77c22a274a
Author: H.J. Lu <hjl.tools@gmail.com>
Date:   Mon Aug 28 11:25:58 2017 -0700

    x86: Check for valid PLT section size

    Update x86 get_synthetic_symtab to check for valid PLT section size
    before examining PLT section contents.

    PR binutils/22018
    * elf32-i386.c (elf_i386_get_synthetic_symtab): Check for valid
    PLT section size.
    * elf64-x86-64.c (elf_x86_64_get_synthetic_symtab): Likewise.
Fixed for 2.30.
The binutils-2_29-branch branch has been updated by H.J. Lu <hjl@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=bb0216e26681531bf967a6a3f1800789ade3693d

commit bb0216e26681531bf967a6a3f1800789ade3693d
Author: H.J. Lu <hjl.tools@gmail.com>
Date:   Mon Aug 28 11:25:58 2017 -0700

    x86: Check for valid PLT section size

    Update x86 get_synthetic_symtab to check for valid PLT section size
    before examining PLT section contents.

    PR binutils/22018
    * elf32-i386.c (elf_i386_get_synthetic_symtab): Check for valid
    PLT section size.
    * elf64-x86-64.c (elf_x86_64_get_synthetic_symtab): Likewise.

(cherry picked from commit 90efb6422939ca031804266fba669f77c22a274a)
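The pattern behind the fix above (validate the PLT section size before comparing its bytes against entry templates), as an added example that is not bfd's code: the PLT0/entry sizes and the two-byte opcode templates are constructed for illustration, and check_sample_plt builds a sample section and feeds the checker a caller-chosen "reported" size, as a crafted section header would.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed 32-bit PLT layout (sizes and opcode bytes are illustrative,
   not copied from bfd): a PLT0 header followed by fixed-size entries, each
   recognised by comparing its first two opcode bytes against a template. */
#define PLT0_SIZE      16
#define PLT_ENTRY_SIZE 16
static const uint8_t PLT0_PATTERN[2]  = { 0xff, 0x35 };   /* push GOT+4 */
static const uint8_t ENTRY_PATTERN[2] = { 0xff, 0x25 };   /* jmp *GOT+n */

/* Validate the section size before any memcmp on its contents; the report's
   crash is a 2-byte memcmp against a 1-byte section. Returns the number of
   PLT entries, or -1 when the section cannot hold a whole PLT0 plus a whole
   number of entries, or when the bytes do not match the templates. */
long plt_count_entries_checked(const uint8_t *plt, size_t size) {
    if (plt == NULL || size < PLT0_SIZE ||
        (size - PLT0_SIZE) % PLT_ENTRY_SIZE != 0)
        return -1;                      /* reject before reading a byte */
    if (memcmp(plt, PLT0_PATTERN, sizeof PLT0_PATTERN) != 0)
        return -1;
    long n = 0;
    for (size_t off = PLT0_SIZE; off < size; off += PLT_ENTRY_SIZE) {
        if (memcmp(plt + off, ENTRY_PATTERN, sizeof ENTRY_PATTERN) != 0)
            return -1;
        n++;
    }
    return n;
}

/* Build a constructed section with `entries` well-formed entries, then run
   the checker with `reported_size`, the size a (possibly fuzzed) section
   header claims, independent of the real contents. Returns -2 if the
   request does not fit the demo buffer. */
long check_sample_plt(size_t entries, size_t reported_size) {
    uint8_t buf[256];
    size_t built = PLT0_SIZE + entries * PLT_ENTRY_SIZE;
    if (built > sizeof buf || reported_size > sizeof buf)
        return -2;
    memset(buf, 0x90, sizeof buf);      /* nop padding everywhere else */
    memcpy(buf, PLT0_PATTERN, sizeof PLT0_PATTERN);
    for (size_t i = 0; i < entries; i++)
        memcpy(buf + PLT0_SIZE + i * PLT_ENTRY_SIZE, ENTRY_PATTERN,
               sizeof ENTRY_PATTERN);
    return plt_count_entries_checked(buf, reported_size);
}
```

A section whose header claims 1 byte, like the region in the ASan report, is rejected by the size check alone, before any byte of it is compared.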