Bug 22306 - Invalid free() in slurp_symtab() [Heap corruption]
Summary: Invalid free() in slurp_symtab() [Heap corruption]
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils (show other bugs)
Version: 2.30
: P2 normal
Target Milestone: 2.30
Assignee: Alan Modra
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-10-17 02:55 UTC by Mingi Cho
Modified: 2017-10-17 06:45 UTC (History)
0 users

See Also:
Host:
Target:
Build:
Last reconfirmed: 2017-10-17 00:00:00


Attachments
poc for heap corruption (24 bytes, application/octet-stream)
2017-10-17 02:55 UTC, Mingi Cho
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Mingi Cho 2017-10-17 02:55:29 UTC
Created attachment 10533 [details]
poc for heap corruption

Triggered by "./objdump -x $POC"


The GDB debugging information is as follows:

(gdb) r -x $POC

(gdb) bt
#0  0xb7fd9ce5 in __kernel_vsyscall ()
#1  0xb7e2bea9 in __GI_raise (sig=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#2  0xb7e2d407 in __GI_abort () at abort.c:89
#3  0xb7e6737c in __libc_message (do_abort=2, fmt=0xb7f5fdf4 "*** Error in `%s': %s: 0x%s ***\n")
    at ../sysdeps/posix/libc_fatal.c:175
#4  0xb7e6d2f7 in malloc_printerr (action=<optimized out>, 
    str=0xb7f5fef0 "free(): invalid next size (fast)", ptr=<optimized out>, 
    ar_ptr=0xb7fb2780 <main_arena>) at malloc.c:5006
#5  0xb7e6dc31 in _int_free (av=0xb7fb2780 <main_arena>, p=<optimized out>, have_lock=0)
    at malloc.c:3867
#6  0x080f3f55 in aout_get_external_symbols (abfd=0x81e9a08) at ./aoutx.h:1370
#7  0x080f3d15 in aout_32_slurp_symbol_table (abfd=0x81e9a08) at ./aoutx.h:1757
#8  0x080f4e30 in aout_32_get_symtab_upper_bound (abfd=0x81e9a08) at ./aoutx.h:2522
#9  0x0804aea7 in slurp_symtab (abfd=0x81e9a08) at ./objdump.c:615
#10 dump_bfd (abfd=0x81e9a08) at ./objdump.c:3523
#11 0x0804aa6e in display_object_bfd (abfd=0x81e9a08) at ./objdump.c:3611
#12 display_any_bfd (file=0x81e9a08, level=<optimized out>) at ./objdump.c:3700
#13 0x0804a4ea in display_file (filename=0xbffff30f "/tmp/heap-corruption", 
    target=<optimized out>, last_file=<optimized out>) at ./objdump.c:3721
#14 main (argc=<optimized out>, argv=<optimized out>) at ./objdump.c:4023


Credits:

This vulnerability was discovered by Mingi Cho and Taekyoung Kwon of the Information Security Lab, Yonsei University. Please contact mgcho.minic@gmail.com and taekyoung@yonsei.ac.kr if you need more information about the vulnerability and the lab.
Comment 1 Alan Modra 2017-10-17 05:20:08 UTC
Reproduces on x86_64 with a CC="gcc -m32" build, and likely on 32-bit hosts.
Comment 2 cvs-commit@gcc.gnu.org 2017-10-17 06:20:55 UTC
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=0301ce1486b1450f219202677f30d0fa97335419

commit 0301ce1486b1450f219202677f30d0fa97335419
Author: Alan Modra <amodra@gmail.com>
Date:   Tue Oct 17 16:43:47 2017 +1030

    PR22306, Invalid free() in slurp_symtab()
    
    	PR 22306
    	* aoutx.h (aout_get_external_symbols): Handle stringsize of zero,
    	and error for any other size that doesn't cover the header word.
Comment 3 Alan Modra 2017-10-17 06:45:54 UTC
Fixed.