Created attachment 10533 [details] poc for heap corruption Triggered by "./objdump -x $POC" The GDB debugging information is as follows: (gdb) r -x $POC (gdb) bt #0 0xb7fd9ce5 in __kernel_vsyscall () #1 0xb7e2bea9 in __GI_raise (sig=6) at ../sysdeps/unix/sysv/linux/raise.c:54 #2 0xb7e2d407 in __GI_abort () at abort.c:89 #3 0xb7e6737c in __libc_message (do_abort=2, fmt=0xb7f5fdf4 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175 #4 0xb7e6d2f7 in malloc_printerr (action=<optimized out>, str=0xb7f5fef0 "free(): invalid next size (fast)", ptr=<optimized out>, ar_ptr=0xb7fb2780 <main_arena>) at malloc.c:5006 #5 0xb7e6dc31 in _int_free (av=0xb7fb2780 <main_arena>, p=<optimized out>, have_lock=0) at malloc.c:3867 #6 0x080f3f55 in aout_get_external_symbols (abfd=0x81e9a08) at ./aoutx.h:1370 #7 0x080f3d15 in aout_32_slurp_symbol_table (abfd=0x81e9a08) at ./aoutx.h:1757 #8 0x080f4e30 in aout_32_get_symtab_upper_bound (abfd=0x81e9a08) at ./aoutx.h:2522 #9 0x0804aea7 in slurp_symtab (abfd=0x81e9a08) at ./objdump.c:615 #10 dump_bfd (abfd=0x81e9a08) at ./objdump.c:3523 #11 0x0804aa6e in display_object_bfd (abfd=0x81e9a08) at ./objdump.c:3611 #12 display_any_bfd (file=0x81e9a08, level=<optimized out>) at ./objdump.c:3700 #13 0x0804a4ea in display_file (filename=0xbffff30f "/tmp/heap-corruption", target=<optimized out>, last_file=<optimized out>) at ./objdump.c:3721 #14 main (argc=<optimized out>, argv=<optimized out>) at ./objdump.c:4023 Credits: This vulnerability was discovered by Mingi Cho and Taekyoung Kwon of the Information Security Lab, Yonsei University. Please contact mgcho.minic@gmail.com and taekyoung@yonsei.ac.kr if you need more information about the vulnerability and the lab.
Reproduces on x86_64 with a CC="gcc -m32" build, and likely on 32-bit hosts.
The master branch has been updated by Alan Modra <amodra@sourceware.org>: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=0301ce1486b1450f219202677f30d0fa97335419 commit 0301ce1486b1450f219202677f30d0fa97335419 Author: Alan Modra <amodra@gmail.com> Date: Tue Oct 17 16:43:47 2017 +1030 PR22306, Invalid free() in slurp_symtab() PR 22306 * aoutx.h (aout_get_external_symbols): Handle stringsize of zero, and error for any other size that doesn't cover the header word.
Fixed.
The master branch has been updated by Stephen Casner <slcasner@sourceware.org>: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=31af1e68af26f5cae209de3530d0455b8a944b2d commit 31af1e68af26f5cae209de3530d0455b8a944b2d Author: Stephen Casner <casner@acm.org> Date: Wed Jun 3 17:43:45 2020 -0700 Copy several years of fixes from bfd/aoutx.h to bfd/pdp11.c. * pdp11.c (some_aout_object_p): 4c1534c7a2a - Don't set EXEC_P for files with relocs. (aout_get_external_symbols): 6b8f0fd579d - Return if count is zero. 0301ce1486b PR 22306 - Handle stringsize of zero, and error for any other size that doesn't qcover the header word. bf82069dce1 PR 23056 - Allocate an extra byte at the end of the string table, and zero it. (translate_symbol_table): 0d329c0a83a PR 22887 - Print an error message and set bfd_error on finding an invalid name string offset. (add_to_stringtab): INLINE -> inline (pdp11_aout_swap_reloc_in): 116acb2c268 PR 22887 - Correct r_index bound check. (squirt_out_relocs): e2996cc315d PR 20921 - Check for and report any relocs that could not be recognised. 92744f05809 PR 20929 - Check for relocs without an associated symbol. (find_nearest_line): 808346fcfcf PR 23055 - Check that the symbol name exists and is long enough, before attempting to see if it is for a .o file. c3864421222 - Correct case for N_SO being the last symbol. 50455f1ab29 PR 20891 - Handle the case where the main file name and the directory name are both empty. e82ab856bb4 PR 20892 - Handle the case where function name is empty. (aout_link_add_symbols): e517df3dbf7 PR 19629 - Check for out of range string table offsets. 531336e3a0b PR 20909 - Fix off-by-one error in check for an illegal string offset. (aout_link_includes_newfunc): Add comment. (pdp11_aout_link_input_section): ad756e3f9e6 - Return with an error on unexpected relocation type rather than ASSERT.