Bug 22307 - Heap out of bounds read in _bfd_elf_parse_gnu_properties()
Summary: Heap out of bounds read in _bfd_elf_parse_gnu_properties()
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils (show other bugs)
Version: 2.30
: P2 normal
Target Milestone: 2.30
Assignee: Alan Modra
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-10-17 06:49 UTC by Mingi Cho
Modified: 2017-10-17 13:28 UTC (History)
0 users

See Also:
Host:
Target:
Build:
Last reconfirmed: 2017-10-17 00:00:00

Attachments
POC to trigger heap out of bounds read (3.00 KB, application/x-executable)
2017-10-17 06:49 UTC, Mingi Cho 		Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Mingi Cho 2017-10-17 06:49:42 UTC 
Created attachment 10535 [details]
POC to trigger heap out of bounds read

Triggered by "./objdump -x $POC"
Tested on Ubuntu 16.04 (x86)


The GDB debugging information is as follows:

(gdb) r -x $POC

Program received signal SIGSEGV, Segmentation fault.
bfd_getl32 (p=0x21edd94) at libbfd.c:557
557	  v = (unsigned long) addr[0];
(gdb) bt
#0  bfd_getl32 (p=0x21edd94) at libbfd.c:557
#1  0x080e6288 in _bfd_elf_parse_gnu_properties (abfd=<optimized out>, note=<optimized out>) at elf-properties.c:98
#2  0x080bfbfc in elfobj_grok_gnu_note (abfd=<optimized out>, note=<optimized out>) at elf.c:9815
#3  elf_parse_notes (abfd=<optimized out>, buf=<optimized out>, size=<optimized out>, offset=<optimized out>)
    at elf.c:11028
#4  0x080bf3f8 in _bfd_elf_make_section_from_shdr (abfd=<optimized out>, hdr=<optimized out>, name=<optimized out>, 
    shindex=<optimized out>) at elf.c:1092
#5  0x080c266f in bfd_section_from_shdr (abfd=<optimized out>, shindex=<optimized out>) at elf.c:2421
#6  0x080bbc65 in bfd_elf32_object_p (abfd=<optimized out>) at ./elfcode.h:805
#7  0x080a6eca in bfd_check_format_matches (abfd=<optimized out>, format=<optimized out>, matching=<optimized out>)
    at format.c:311
#8  0x0804a940 in display_object_bfd (abfd=0x81e9a08) at ./objdump.c:3609
#9  display_any_bfd (file=0x81e9a08, level=<optimized out>) at ./objdump.c:3700
#10 0x0804a4ea in display_file (filename=0xbffff305 "/tmp/objdump/libbfd_getl_crash", target=<optimized out>, 
    last_file=<optimized out>) at ./objdump.c:3721
#11 main (argc=<optimized out>, argv=<optimized out>) at ./objdump.c:4023


Credits:

This vulnerability was discovered by Mingi Cho and Taekyoung Kwon of the Information Security Lab, Yonsei University. Please contact mgcho.minic@gmail.com and taekyoung@yonsei.ac.kr if you need more information about the vulnerability and the lab.
Comment 1 Sourceware Commits 2017-10-17 11:43:37 UTC 
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=cf54ebff3b7361989712fd9c0128a9b255578163

commit cf54ebff3b7361989712fd9c0128a9b255578163
Author: Alan Modra <amodra@gmail.com>
Date:   Tue Oct 17 21:57:29 2017 +1030

    PR22307, Heap out of bounds read in _bfd_elf_parse_gnu_properties
    
    When adding an unbounded increment to a pointer, you can't just check
    against the end of the buffer but also must check that overflow
    doesn't result in "negative" pointer movement.  Pointer comparisons
    are signed.  Better, check the increment against the space left using
    an unsigned comparison.
    
    	PR 22307
    	* elf-properties.c (_bfd_elf_parse_gnu_properties): Compare datasz
    	against size left rather than comparing pointers.  Reorganise loop.
Comment 2 Alan Modra 2017-10-17 13:28:28 UTC 
Fixed