Created attachment 10560 [details]
POC of the crash

Triggered by "./objdump -x $POC"
Tested on Ubuntu 16.04 (x86)

An integer overflow occurs when checking the size of the debug directory of a PE-format binary file.

The GDB debugging information is as follows:

(gdb) r -x $POC
Program received signal SIGSEGV, Segmentation fault.
0x080c55f5 in bfd_getl32 (p=0x8276000) at libbfd.c:557
557	  v = (unsigned long) addr[0];
(gdb) bt
#0  0x080c55f5 in bfd_getl32 (p=0x8276000) at libbfd.c:557
#1  0x08155ff6 in _bfd_pei_swap_debugdir_in (abfd=0x8255a08, ext1=0x8276000, in1=0xbfffe168) at peigen.c:1119
#2  0x0814d8e6 in pe_bfd_read_buildid (abfd=0x8255a08) at ./peicode.h:1353
#3  0x0814b813 in pe_bfd_object_p (abfd=0x8255a08) at ./peicode.h:1497
#4  0x080c323c in bfd_check_format_matches (abfd=0x8255a08, format=bfd_object, matching=0xbfffedb0) at format.c:311
#5  0x0804b5be in display_object_bfd (abfd=0x8255a08) at ./objdump.c:3609
#6  0x0804b587 in display_any_bfd (file=0x8255a08, level=0) at ./objdump.c:3700
#7  0x0804b2b1 in display_file (filename=0xbffff257 "/home/min/fuzzing/result/binutils/objdump_x_D_s_pe_1/crashes/id:000015,sig:06,src:000270,op:havoc,rep:64", target=0x0, last_file=1) at ./objdump.c:3721
#8  0x0804ae80 in main (argc=3, argv=0xbffff044) at ./objdump.c:4023

Proposed patch:

--- a/bfd/peicode.h
+++ b/bfd/peicode.h
@@ -1328,7 +1328,7 @@ pe_bfd_read_buildid (bfd *abfd)
       dataoff = addr - section->vma;
 
       /* PR 20605: Make sure that the data is really there. */
-      if (dataoff + size > section->size)
+      if (size > section->size - dataoff)
         {
           _bfd_error_handler (_("%B: Error: Debug Data ends beyond end of debug directory."),
                               abfd);

Credits:
This vulnerability was discovered by Mingi Cho and Taekyoung Kwon of the Information Security Lab, Yonsei University. Please contact mgcho.minic@gmail.com and taekyoung@yonsei.ac.kr if you need more information about the vulnerability and the lab.
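Review bot: the rewritten condition `if (size > section->size - dataoff)` removes the `dataoff + size` wraparound but introduces a second one: `dataoff` is computed as `addr - section->vma` two lines above with no range check, so a corrupt `addr` below the section VMA or beyond the section end makes `dataoff` larger than `section->size`, `section->size - dataoff` wraps to a huge unsigned value, and the check passes. Validate the offset before subtracting, e.g. `if (dataoff > section->size || size > section->size - dataoff)`, and reject `addr < section->vma` before computing `dataoff` at all.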
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=0bb6961f18b8e832d88b490d421ca56cea16c45b

commit 0bb6961f18b8e832d88b490d421ca56cea16c45b
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Oct 31 14:29:40 2017 +0000

    Fix illegal memory access triggered when parsing a PE binary with a corrupt data dictionary.

            PR 22373
            * peicode.h (pe_bfd_read_buildid): Check for invalid size and data offset values.
Hi Mingi,

Thank you for reporting this bug, and for providing a patch as well. I have checked in a variant of your patch, since it occurred to me that the dataoff value might also be excessively large, and this would not have been caught by either the original code or your patch.

Cheers,
Nick
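The two failure modes discussed in this thread (the `dataoff + size` wraparound from the original check, and the oversized `dataoff` that Nick notes the reporter's patch still misses) shown side by side in an added example; this is illustration code, not binutils' own code or the committed fix. It assumes 32-bit `bfd_vma`/`bfd_size_type` values (as in the x86 build in the report) and uses constructed offsets and sizes.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: 32-bit bfd_vma / bfd_size_type, matching the x86 build in the
   report. With 64-bit values the same wraparound happens, just at 2^64. */
typedef uint32_t vma_t;

/* Original binutils condition, inverted so true means "data accepted".
   dataoff + size wraps when the sum exceeds 2^32. */
bool check_original(vma_t dataoff, vma_t size, vma_t sec_size)
{
    return !(dataoff + size > sec_size);
}

/* Reporter's patch: sec_size - dataoff wraps when dataoff > sec_size. */
bool check_reporter_patch(vma_t dataoff, vma_t size, vma_t sec_size)
{
    return !(size > sec_size - dataoff);
}

/* Hardened bounds check (hypothetical, not the committed fix): derive
   dataoff from addr/vma and validate before each subtraction that could wrap. */
bool debug_data_in_bounds(vma_t addr, vma_t vma, vma_t size, vma_t sec_size)
{
    if (addr < vma)             /* dataoff = addr - vma would wrap */
        return false;
    vma_t dataoff = addr - vma;
    if (dataoff > sec_size)     /* sec_size - dataoff would wrap */
        return false;
    return size <= sec_size - dataoff;
}

int main(void)
{
    /* Constructed values: a 4 KiB section at VMA 0x400000, data at offset 0x10. */
    vma_t sec = 0x1000, vma = 0x400000;
    printf("huge size: original accepts=%d, reporter patch accepts=%d\n",
           check_original(0x10, 0xFFFFFFF8u, sec),
           check_reporter_patch(0x10, 0xFFFFFFF8u, sec));
    printf("huge dataoff: reporter patch accepts=%d\n",
           check_reporter_patch(0x2000, 0x100, sec));
    printf("hardened: huge size=%d, huge dataoff=%d, addr below vma=%d, valid=%d\n",
           debug_data_in_bounds(vma + 0x10, vma, 0xFFFFFFF8u, sec),
           debug_data_in_bounds(vma + 0x2000, vma, 0x100, sec),
           debug_data_in_bounds(vma - 0x10, vma, 0x10, sec),
           debug_data_in_bounds(vma + 0x10, vma, 0x20, sec));
    return 0;
}
```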
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e0115a844607b280449986e661f551dff49a9031

commit e0115a844607b280449986e661f551dff49a9031
Author: Nick Clifton <nickc@redhat.com>
Date:   Wed Nov 1 12:37:33 2017 +0000

    Update check for invalid values in pe_bfd_read_buildid function.

            PR 22373
            * peicode.h (pe_bfd_read_buildid): Revise check for invalid size and offset in light of further possible bogus values.
*** Bug 22372 has been marked as a duplicate of this bug. ***