Bug 22306 - Invalid free() in slurp_symtab() [Heap corruption]
Summary: Invalid free() in slurp_symtab() [Heap corruption]
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils (show other bugs)
Version: 2.30
: P2 normal
Target Milestone: 2.30
Assignee: Alan Modra
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-10-17 02:55 UTC by Mingi Cho
Modified: 2020-06-04 00:44 UTC (History)
0 users

See Also:
Host:
Target:
Build:
Last reconfirmed: 2017-10-17 00:00:00

Attachments
poc for heap corruption (24 bytes, application/octet-stream)
2017-10-17 02:55 UTC, Mingi Cho 		Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Mingi Cho 2017-10-17 02:55:29 UTC 
Created attachment 10533 [details]
poc for heap corruption

Triggered by "./objdump -x $POC"


The GDB debugging information is as follows:

(gdb) r -x $POC

(gdb) bt
#0  0xb7fd9ce5 in __kernel_vsyscall ()
#1  0xb7e2bea9 in __GI_raise (sig=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#2  0xb7e2d407 in __GI_abort () at abort.c:89
#3  0xb7e6737c in __libc_message (do_abort=2, fmt=0xb7f5fdf4 "*** Error in `%s': %s: 0x%s ***\n")
    at ../sysdeps/posix/libc_fatal.c:175
#4  0xb7e6d2f7 in malloc_printerr (action=<optimized out>, 
    str=0xb7f5fef0 "free(): invalid next size (fast)", ptr=<optimized out>, 
    ar_ptr=0xb7fb2780 <main_arena>) at malloc.c:5006
#5  0xb7e6dc31 in _int_free (av=0xb7fb2780 <main_arena>, p=<optimized out>, have_lock=0)
    at malloc.c:3867
#6  0x080f3f55 in aout_get_external_symbols (abfd=0x81e9a08) at ./aoutx.h:1370
#7  0x080f3d15 in aout_32_slurp_symbol_table (abfd=0x81e9a08) at ./aoutx.h:1757
#8  0x080f4e30 in aout_32_get_symtab_upper_bound (abfd=0x81e9a08) at ./aoutx.h:2522
#9  0x0804aea7 in slurp_symtab (abfd=0x81e9a08) at ./objdump.c:615
#10 dump_bfd (abfd=0x81e9a08) at ./objdump.c:3523
#11 0x0804aa6e in display_object_bfd (abfd=0x81e9a08) at ./objdump.c:3611
#12 display_any_bfd (file=0x81e9a08, level=<optimized out>) at ./objdump.c:3700
#13 0x0804a4ea in display_file (filename=0xbffff30f "/tmp/heap-corruption", 
    target=<optimized out>, last_file=<optimized out>) at ./objdump.c:3721
#14 main (argc=<optimized out>, argv=<optimized out>) at ./objdump.c:4023


Credits:

This vulnerability was discovered by Mingi Cho and Taekyoung Kwon of the Information Security Lab, Yonsei University. Please contact mgcho.minic@gmail.com and taekyoung@yonsei.ac.kr if you need more information about the vulnerability and the lab.
Comment 1 Alan Modra 2017-10-17 05:20:08 UTC 
Reproduces on x86_64 with a CC="gcc -m32" build, and likely on 32-bit hosts.
Comment 2 Sourceware Commits 2017-10-17 06:20:55 UTC 
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=0301ce1486b1450f219202677f30d0fa97335419

commit 0301ce1486b1450f219202677f30d0fa97335419
Author: Alan Modra <amodra@gmail.com>
Date:   Tue Oct 17 16:43:47 2017 +1030

    PR22306, Invalid free() in slurp_symtab()
    
    	PR 22306
    	* aoutx.h (aout_get_external_symbols): Handle stringsize of zero,
    	and error for any other size that doesn't cover the header word.
Comment 3 Alan Modra 2017-10-17 06:45:54 UTC 
Fixed.
Comment 4 Sourceware Commits 2020-06-04 00:44:14 UTC 
The master branch has been updated by Stephen Casner <slcasner@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=31af1e68af26f5cae209de3530d0455b8a944b2d

commit 31af1e68af26f5cae209de3530d0455b8a944b2d
Author: Stephen Casner <casner@acm.org>
Date:   Wed Jun 3 17:43:45 2020 -0700

    Copy several years of fixes from bfd/aoutx.h to bfd/pdp11.c.
    
    * pdp11.c (some_aout_object_p): 4c1534c7a2a - Don't set EXEC_P for
    files with relocs.
    (aout_get_external_symbols): 6b8f0fd579d - Return if count is zero.
    0301ce1486b PR 22306 - Handle stringsize of zero, and error for any
    other size that doesn't qcover the header word.
    bf82069dce1 PR 23056 - Allocate an extra byte at the end of the
    string table, and zero it.
    (translate_symbol_table): 0d329c0a83a PR 22887 - Print an error
    message and set bfd_error on finding an invalid name string offset.
    (add_to_stringtab): INLINE -> inline
    (pdp11_aout_swap_reloc_in): 116acb2c268 PR 22887 - Correct r_index
    bound check.
    (squirt_out_relocs): e2996cc315d PR 20921 - Check for and report
    any relocs that could not be recognised.
    92744f05809 PR 20929 - Check for relocs without an associated symbol.
    (find_nearest_line):  808346fcfcf PR 23055 - Check that the symbol
    name exists and is long enough, before attempting to see if it is
    for a .o file.
    c3864421222 - Correct case for N_SO being the last symbol.
    50455f1ab29 PR 20891 - Handle the case where the main file name
    and the directory name are both empty.
    e82ab856bb4 PR 20892 - Handle the case where function name is empty.
    (aout_link_add_symbols): e517df3dbf7 PR 19629 - Check for out of
    range string table offsets.
    531336e3a0b PR 20909 - Fix off-by-one error in check for an
    illegal string offset.
    (aout_link_includes_newfunc): Add comment.
    (pdp11_aout_link_input_section): ad756e3f9e6 - Return with an error
    on unexpected relocation type rather than ASSERT.