Bug 22306 - Invalid free() in slurp_symtab() [Heap corruption]
Summary: Invalid free() in slurp_symtab() [Heap corruption]
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils (show other bugs)
Version: 2.30
: P2 normal
Target Milestone: 2.30
Assignee: Alan Modra
Depends on:
Reported: 2017-10-17 02:55 UTC by Mingi Cho
Modified: 2020-06-04 00:44 UTC (History)
0 users

See Also:
Last reconfirmed: 2017-10-17 00:00:00

poc for heap corruption (24 bytes, application/octet-stream)
2017-10-17 02:55 UTC, Mingi Cho

Note You need to log in before you can comment on or make changes to this bug.
Description Mingi Cho 2017-10-17 02:55:29 UTC
Created attachment 10533 [details]
poc for heap corruption

Triggered by "./objdump -x $POC"

The GDB debugging information is as follows:

(gdb) r -x $POC

(gdb) bt
#0  0xb7fd9ce5 in __kernel_vsyscall ()
#1  0xb7e2bea9 in __GI_raise (sig=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#2  0xb7e2d407 in __GI_abort () at abort.c:89
#3  0xb7e6737c in __libc_message (do_abort=2, fmt=0xb7f5fdf4 "*** Error in `%s': %s: 0x%s ***\n")
    at ../sysdeps/posix/libc_fatal.c:175
#4  0xb7e6d2f7 in malloc_printerr (action=<optimized out>, 
    str=0xb7f5fef0 "free(): invalid next size (fast)", ptr=<optimized out>, 
    ar_ptr=0xb7fb2780 <main_arena>) at malloc.c:5006
#5  0xb7e6dc31 in _int_free (av=0xb7fb2780 <main_arena>, p=<optimized out>, have_lock=0)
    at malloc.c:3867
#6  0x080f3f55 in aout_get_external_symbols (abfd=0x81e9a08) at ./aoutx.h:1370
#7  0x080f3d15 in aout_32_slurp_symbol_table (abfd=0x81e9a08) at ./aoutx.h:1757
#8  0x080f4e30 in aout_32_get_symtab_upper_bound (abfd=0x81e9a08) at ./aoutx.h:2522
#9  0x0804aea7 in slurp_symtab (abfd=0x81e9a08) at ./objdump.c:615
#10 dump_bfd (abfd=0x81e9a08) at ./objdump.c:3523
#11 0x0804aa6e in display_object_bfd (abfd=0x81e9a08) at ./objdump.c:3611
#12 display_any_bfd (file=0x81e9a08, level=<optimized out>) at ./objdump.c:3700
#13 0x0804a4ea in display_file (filename=0xbffff30f "/tmp/heap-corruption", 
    target=<optimized out>, last_file=<optimized out>) at ./objdump.c:3721
#14 main (argc=<optimized out>, argv=<optimized out>) at ./objdump.c:4023


This vulnerability was discovered by Mingi Cho and Taekyoung Kwon of the Information Security Lab, Yonsei University. Please contact mgcho.minic@gmail.com and taekyoung@yonsei.ac.kr if you need more information about the vulnerability and the lab.
Comment 1 Alan Modra 2017-10-17 05:20:08 UTC
Reproduces on x86_64 with a CC="gcc -m32" build, and likely on 32-bit hosts.
Comment 2 Sourceware Commits 2017-10-17 06:20:55 UTC
The master branch has been updated by Alan Modra <amodra@sourceware.org>:


commit 0301ce1486b1450f219202677f30d0fa97335419
Author: Alan Modra <amodra@gmail.com>
Date:   Tue Oct 17 16:43:47 2017 +1030

    PR22306, Invalid free() in slurp_symtab()
    	PR 22306
    	* aoutx.h (aout_get_external_symbols): Handle stringsize of zero,
    	and error for any other size that doesn't cover the header word.
Comment 3 Alan Modra 2017-10-17 06:45:54 UTC
Comment 4 Sourceware Commits 2020-06-04 00:44:14 UTC
The master branch has been updated by Stephen Casner <slcasner@sourceware.org>:


commit 31af1e68af26f5cae209de3530d0455b8a944b2d
Author: Stephen Casner <casner@acm.org>
Date:   Wed Jun 3 17:43:45 2020 -0700

    Copy several years of fixes from bfd/aoutx.h to bfd/pdp11.c.
    * pdp11.c (some_aout_object_p): 4c1534c7a2a - Don't set EXEC_P for
    files with relocs.
    (aout_get_external_symbols): 6b8f0fd579d - Return if count is zero.
    0301ce1486b PR 22306 - Handle stringsize of zero, and error for any
    other size that doesn't qcover the header word.
    bf82069dce1 PR 23056 - Allocate an extra byte at the end of the
    string table, and zero it.
    (translate_symbol_table): 0d329c0a83a PR 22887 - Print an error
    message and set bfd_error on finding an invalid name string offset.
    (add_to_stringtab): INLINE -> inline
    (pdp11_aout_swap_reloc_in): 116acb2c268 PR 22887 - Correct r_index
    bound check.
    (squirt_out_relocs): e2996cc315d PR 20921 - Check for and report
    any relocs that could not be recognised.
    92744f05809 PR 20929 - Check for relocs without an associated symbol.
    (find_nearest_line):  808346fcfcf PR 23055 - Check that the symbol
    name exists and is long enough, before attempting to see if it is
    for a .o file.
    c3864421222 - Correct case for N_SO being the last symbol.
    50455f1ab29 PR 20891 - Handle the case where the main file name
    and the directory name are both empty.
    e82ab856bb4 PR 20892 - Handle the case where function name is empty.
    (aout_link_add_symbols): e517df3dbf7 PR 19629 - Check for out of
    range string table offsets.
    531336e3a0b PR 20909 - Fix off-by-one error in check for an
    illegal string offset.
    (aout_link_includes_newfunc): Add comment.
    (pdp11_aout_link_input_section): ad756e3f9e6 - Return with an error
    on unexpected relocation type rather than ASSERT.