Created attachment 10561 [details] POC of the crash Triggered by "./objdump -x $POC" Tested on Ubuntu 16.04 (x86) Integer overflow is occurring when checking size of debug directory of the PE format binary file. The GDB debugging information is as follows: (gdb) r -x $POC Program received signal SIGSEGV, Segmentation fault. 0x080c55f5 in bfd_getl32 (p=0x8276000) at libbfd.c:557 557 v = (unsigned long) addr[0]; (gdb) bt #0 0x080c55f5 in bfd_getl32 (p=0x8276000) at libbfd.c:557 #1 0x08155ff6 in _bfd_pei_swap_debugdir_in (abfd=0x8255a08, ext1=0x8276000, in1=0xbfffe168) at peigen.c:1119 #2 0x0814d8e6 in pe_bfd_read_buildid (abfd=0x8255a08) at ./peicode.h:1353 #3 0x0814b813 in pe_bfd_object_p (abfd=0x8255a08) at ./peicode.h:1497 #4 0x080c323c in bfd_check_format_matches (abfd=0x8255a08, format=bfd_object, matching=0xbfffedb0) at format.c:311 #5 0x0804b5be in display_object_bfd (abfd=0x8255a08) at ./objdump.c:3609 #6 0x0804b587 in display_any_bfd (file=0x8255a08, level=0) at ./objdump.c:3700 #7 0x0804b2b1 in display_file ( filename=0xbffff257 "/home/min/fuzzing/result/binutils/objdump_x_D_s_pe_1/crashes/id:000015,sig:06,src:000270,op:havoc,rep:64", target=0x0, last_file=1) at ./objdump.c:3721 #8 0x0804ae80 in main (argc=3, argv=0xbffff044) at ./objdump.c:4023 Proposed patch: --- a/bfd/peicode.h +++ b/bfd/peicode.h @@ -1328,7 +1328,7 @@ pe_bfd_read_buildid (bfd *abfd) dataoff = addr - section->vma; /* PR 20605: Make sure that the data is really there. */ - if (dataoff + size > section->size) + if (size > section->size - dataoff) { _bfd_error_handler (_("%B: Error: Debug Data ends beyond end of debug directory."), abfd); Credits: This vulnerability was discovered by Mingi Cho and Taekyoung Kwon of the Information Security Lab, Yonsei University. Please contact mgcho.minic@gmail.com and taekyoung@yonsei.ac.kr if you need more information about the vulnerability and the lab.
Already fixed *** This bug has been marked as a duplicate of bug 22373 ***