Bug 22059 - Heap out of bounds read in read_1_byte()
Summary: Heap out of bounds read in read_1_byte()
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils (show other bugs)
Version: 2.29
: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-09-01 07:31 UTC by Kamil Frankowicz
Modified: 2017-09-01 10:25 UTC (History)
1 user (show)

See Also:
Host:
Target:
Build:
Last reconfirmed:


Attachments
POC to trigger heap out of bounds read (objdump) (246 bytes, application/octet-stream)
2017-09-01 07:31 UTC, Kamil Frankowicz
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Kamil Frankowicz 2017-09-01 07:31:43 UTC
Created attachment 10384 [details]
POC to trigger heap out of bounds read (objdump)

After some fuzz testing I found a crashing test case.

Version: 2.29

Command: objdump -x -Wl -R -SD objdump_hoobr_read_1_byte

ASAN:

==3698==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61200000bb49 at pc 0x0000007c0edd bp 0x7ffc76683070 sp 0x7ffc76683068
READ of size 1 at 0x61200000bb49 thread T0
    #0 0x7c0edc in read_1_byte XYZ/binutils-2.29/bfd/./dwarf2.c:593:10
    #1 0x7c0edc in decode_line_info XYZ/binutils-2.29/bfd/./dwarf2.c:2178
    #2 0x7cafca in comp_unit_find_nearest_line XYZ/binutils-2.29/bfd/./dwarf2.c:3538:26
    #3 0x7c7c69 in _bfd_dwarf2_find_nearest_line XYZ/binutils-2.29/bfd/./dwarf2.c:4738:11
    #4 0x7148fb in _bfd_elf_find_nearest_line XYZ/binutils-2.29/bfd/elf.c:8636:7
    #5 0x4f6709 in show_line XYZ/binutils-2.29/binutils/./objdump.c:1486:9
    #6 0x4f6709 in disassemble_bytes XYZ/binutils-2.29/binutils/./objdump.c:1791
    #7 0x4f6709 in disassemble_section XYZ/binutils-2.29/binutils/./objdump.c:2313
    #8 0x66e1d9 in bfd_map_over_sections XYZ/binutils-2.29/bfd/section.c:1395:5
    #9 0x4ebd50 in disassemble_data XYZ/binutils-2.29/binutils/./objdump.c:2449:3
    #10 0x4ebd50 in dump_bfd XYZ/binutils-2.29/binutils/./objdump.c:3546
    #11 0x4e8be1 in display_object_bfd XYZ/binutils-2.29/binutils/./objdump.c:3603:7
    #12 0x4e8be1 in display_any_bfd XYZ/binutils-2.29/binutils/./objdump.c:3692
    #13 0x4e7d5a in display_file XYZ/binutils-2.29/binutils/./objdump.c:3713:3
    #14 0x4e7d5a in main XYZ/binutils-2.29/binutils/./objdump.c:4015
    #15 0x7f5b4937a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #16 0x419d98 in _start (XYZ/binutils-2.29/binutils/objdump+0x419d98)

0x61200000bb49 is located 0 bytes to the right of 265-byte region [0x61200000ba40,0x61200000bb49)
allocated by thread T0 here:
    #0 0x4b85ac in malloc /home/llvm/clang-3.9/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64:3
    #1 0x6618b3 in bfd_malloc XYZ/binutils-2.29/bfd/libbfd.c:193:9
    #2 0x66f01b in bfd_simple_get_relocated_section_contents XYZ/binutils-2.29/bfd/simple.c:193:12
    #3 0x7bba33 in read_section XYZ/binutils-2.29/bfd/./dwarf2.c:556:8

SUMMARY: AddressSanitizer: heap-buffer-overflow XYZ/binutils-2.29/bfd/./dwarf2.c:593:10 in read_1_byte
Shadow bytes around the buggy address:
  0x0c247fff9710: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff9720: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff9730: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff9740: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c247fff9750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c247fff9760: 00 00 00 00 00 00 00 00 00[01]fa fa fa fa fa fa
  0x0c247fff9770: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c247fff9780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c247fff9790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c247fff97a0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c247fff97b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3698==ABORTING
Comment 1 cvs-commit@gcc.gnu.org 2017-09-01 10:22:24 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7e8b60085eb3e6f2c41bc0c00c0d759fa7f72780

commit 7e8b60085eb3e6f2c41bc0c00c0d759fa7f72780
Author: Nick Clifton <nickc@redhat.com>
Date:   Fri Sep 1 11:20:51 2017 +0100

    Prevent an address violation parsing corrupt DWARF information by fixing the test for an overlong debug line info structure.
    
    	PR 22059
    	* dwarf2.c (decode_line_info): Fix test for an overlong line info
    	structure.
Comment 2 cvs-commit@gcc.gnu.org 2017-09-01 10:23:34 UTC
The binutils-2_29-branch branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=6bdd6269844b3dd73dd57f9d361c0bebe7f2778a

commit 6bdd6269844b3dd73dd57f9d361c0bebe7f2778a
Author: Nick Clifton <nickc@redhat.com>
Date:   Fri Sep 1 11:22:43 2017 +0100

    Prevent an address violation parsing corrupt DWARF information by fixing the test for an overlong debug line info structure.
    
            PR 22059
            * dwarf2.c (decode_line_info): Fix test for an overlong line info
            structure.
Comment 3 Nick Clifton 2017-09-01 10:25:09 UTC
Hi Kamil,

  Thanks for reporting this bug.

  There actually was code in the BFD library that was supposed to catch
  this particular kind of fuzzed object, but the test was wrong.  So I
  have fixed it, and applied the patch to the mainline and 2.29 branch
  sources.

Cheers
  Nick