Bug 22018 - Heap out of bounds read in elf_i386_get_synthetic_symtab()
Summary: Heap out of bounds read in elf_i386_get_synthetic_symtab()
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils (show other bugs)
Version: 2.29
: P2 normal
Target Milestone: 2.30
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-08-28 07:48 UTC by Kamil Frankowicz
Modified: 2017-09-09 11:39 UTC (History)
0 users

See Also:
Host:
Target:
Build:
Last reconfirmed:


Attachments
POC to trigger heap out of bounds read (objdump) (152 bytes, application/x-executable)
2017-08-28 07:48 UTC, Kamil Frankowicz
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Kamil Frankowicz 2017-08-28 07:48:31 UTC
Created attachment 10374 [details]
POC to trigger heap out of bounds read (objdump)

After some fuzz testing I found a crashing test case.

Version: 2.29

Command: objdump -x -Wl -R -SD objdump_hoobr_elf_i386_get_synthetic_symtab

ASAN Context:

==12394==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000f1 at pc 0x000000433332 bp 0x7ffda722aff0 sp 0x7ffda722a780
READ of size 2 at 0x6020000000f1 thread T0
    #0 0x433331 in __interceptor_memcmp /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:690:7
    #1 0x7d6af6 in elf_i386_get_synthetic_symtab XYZ/binutils-2.29/bfd/elf32-i386.c:6393:8
    #2 0x4f2875 in dump_bfd XYZ/binutils-2.29/binutils/./objdump.c:3525:20
    #3 0x4f0fc0 in display_any_bfd XYZ/binutils-2.29/binutils/./objdump.c
    #4 0x4f012a in display_file XYZ/binutils-2.29/binutils/./objdump.c:3713:3
    #5 0x4f012a in main XYZ/binutils-2.29/binutils/./objdump.c:4015
    #6 0x7fb6d9c3482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #7 0x41a518 in _start (XYZ/binutils-2.29/binutils/objdump+0x41a518)

0x6020000000f1 is located 0 bytes to the right of 1-byte region [0x6020000000f0,0x6020000000f1)
allocated by thread T0 here:
    #0 0x4c121c in malloc /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66:3
    #1 0x662bb3 in bfd_malloc XYZ/binutils-2.29/bfd/libbfd.c:193:9
    #2 0x4f2875 in dump_bfd XYZ/binutils-2.29/binutils/./objdump.c:3525:20
    #3 0x4f0fc0 in display_any_bfd XYZ/binutils-2.29/binutils/./objdump.c
    #4 0x4f012a in display_file XYZ/binutils-2.29/binutils/./objdump.c:3713:3
    #5 0x4f012a in main XYZ/binutils-2.29/binutils/./objdump.c:4015
    #6 0x7fb6d9c3482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:690:7 in __interceptor_memcmp
Shadow bytes around the buggy address:
  0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff8000: fa fa fd fa fa fa 00 04 fa fa 00 04 fa fa 00 04
=>0x0c047fff8010: fa fa 00 01 fa fa 00 fa fa fa 00 fa fa fa[01]fa
  0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==12394==ABORTING
Comment 1 cvs-commit@gcc.gnu.org 2017-08-28 18:29:38 UTC
The master branch has been updated by H.J. Lu <hjl@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=90efb6422939ca031804266fba669f77c22a274a

commit 90efb6422939ca031804266fba669f77c22a274a
Author: H.J. Lu <hjl.tools@gmail.com>
Date:   Mon Aug 28 11:25:58 2017 -0700

    x86: Check for valid PLT section size
    
    Update x86 get_synthetic_symtab to check for valid PLT section size
    before examining PLT section contents.
    
    	PR binutils/22018
    	* elf32-i386.c (elf_i386_get_synthetic_symtab): Check for valid
    	PLT section size.
    	* elf64-x86-64.c (elf_x86_64_get_synthetic_symtab): Likewise.
Comment 2 H.J. Lu 2017-08-28 18:29:52 UTC
Fixed for 2.30.
Comment 3 cvs-commit@gcc.gnu.org 2017-09-09 11:39:18 UTC
The binutils-2_29-branch branch has been updated by H.J. Lu <hjl@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=bb0216e26681531bf967a6a3f1800789ade3693d

commit bb0216e26681531bf967a6a3f1800789ade3693d
Author: H.J. Lu <hjl.tools@gmail.com>
Date:   Mon Aug 28 11:25:58 2017 -0700

    x86: Check for valid PLT section size
    
    Update x86 get_synthetic_symtab to check for valid PLT section size
    before examining PLT section contents.
    
    	PR binutils/22018
    	* elf32-i386.c (elf_i386_get_synthetic_symtab): Check for valid
    	PLT section size.
    	* elf64-x86-64.c (elf_x86_64_get_synthetic_symtab): Likewise.
    
    (cherry picked from commit 90efb6422939ca031804266fba669f77c22a274a)