Created attachment 10535
POC to trigger heap out of bounds read
Triggered by "./objdump -x $POC"
Tested on Ubuntu 16.04 (x86)
The GDB debugging information is as follows:
(gdb) r -x $POC
Program received signal SIGSEGV, Segmentation fault.
bfd_getl32 (p=0x21edd94) at libbfd.c:557
557 v = (unsigned long) addr;
#0 bfd_getl32 (p=0x21edd94) at libbfd.c:557
#1 0x080e6288 in _bfd_elf_parse_gnu_properties (abfd=<optimized out>, note=<optimized out>) at elf-properties.c:98
#2 0x080bfbfc in elfobj_grok_gnu_note (abfd=<optimized out>, note=<optimized out>) at elf.c:9815
#3 elf_parse_notes (abfd=<optimized out>, buf=<optimized out>, size=<optimized out>, offset=<optimized out>)
#4 0x080bf3f8 in _bfd_elf_make_section_from_shdr (abfd=<optimized out>, hdr=<optimized out>, name=<optimized out>,
shindex=<optimized out>) at elf.c:1092
#5 0x080c266f in bfd_section_from_shdr (abfd=<optimized out>, shindex=<optimized out>) at elf.c:2421
#6 0x080bbc65 in bfd_elf32_object_p (abfd=<optimized out>) at ./elfcode.h:805
#7 0x080a6eca in bfd_check_format_matches (abfd=<optimized out>, format=<optimized out>, matching=<optimized out>)
#8 0x0804a940 in display_object_bfd (abfd=0x81e9a08) at ./objdump.c:3609
#9 display_any_bfd (file=0x81e9a08, level=<optimized out>) at ./objdump.c:3700
#10 0x0804a4ea in display_file (filename=0xbffff305 "/tmp/objdump/libbfd_getl_crash", target=<optimized out>,
last_file=<optimized out>) at ./objdump.c:3721
#11 main (argc=<optimized out>, argv=<optimized out>) at ./objdump.c:4023
This vulnerability was discovered by Mingi Cho and Taekyoung Kwon of the Information Security Lab, Yonsei University. Please contact email@example.com and firstname.lastname@example.org if you need more information about the vulnerability and the lab.
The master branch has been updated by Alan Modra <email@example.com>:
Author: Alan Modra <firstname.lastname@example.org>
Date: Tue Oct 17 21:57:29 2017 +1030
PR22307, Heap out of bounds read in _bfd_elf_parse_gnu_properties
When adding an unbounded increment to a pointer, you can't just check
against the end of the buffer but also must check that overflow
doesn't result in "negative" pointer movement. Pointer comparisons
are signed. Better, check the increment against the space left using
an unsigned comparison.
* elf-properties.c (_bfd_elf_parse_gnu_properties): Compare datasz
against size left rather than comparing pointers. Reorganise loop.