Bug 22376 - Heap overflow in coff_slurp_line_table
Summary: Heap overflow in coff_slurp_line_table
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils (show other bugs)
Version: 2.30
: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-10-31 15:06 UTC by Mingi Cho
Modified: 2017-11-01 15:25 UTC (History)
1 user (show)

See Also:
Host:
Target:
Build:
Last reconfirmed:


Attachments
poc of the crash (11.86 KB, application/x-msdownload)
2017-10-31 15:06 UTC, Mingi Cho
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Mingi Cho 2017-10-31 15:06:48 UTC
Created attachment 10562 [details]
poc of the crash

Triggered by "./objdump -x $POC"
Tested on Ubuntu 16.04 (x86)


There is no check on the number of tables when processing line table.


The GDB debugging information is as follows:

(gdb) r -x $POC

Program received signal SIGSEGV, Segmentation fault.
0x080c55f5 in bfd_getl32 (p=0x8276000) at libbfd.c:557
557	  v = (unsigned long) addr[0];
(gdb) bt
#0  0x080c55f5 in bfd_getl32 (p=0x8276000) at libbfd.c:557
#1  0x081544d5 in _bfd_pei_swap_lineno_in (abfd=0x8255a08, ext1=0x8276000, in1=0xbfffeac0) at peigen.c:446
#2  0x08151562 in coff_slurp_line_table (abfd=0x8255a08, asect=0x8256b9c) at ./coffcode.h:4606
#3  0x081510e9 in coff_slurp_symbol_table (abfd=0x8255a08) at ./coffcode.h:5122
#4  0x081505c7 in coff_slurp_reloc_table (abfd=0x8255a08, asect=0x8256db8, symbols=0x0) at ./coffcode.h:5291
#5  0x0814cd2a in coff_canonicalize_reloc (abfd=0x8255a08, section=0x8256db8, relptr=0x825c300, symbols=0x0)
    at ./coffcode.h:5435
#6  0x080be79b in bfd_canonicalize_reloc (abfd=0x8255a08, asect=0x8256db8, location=0x825c300, symbols=0x0)
    at bfd.c:1090
#7  0x0804e3a6 in dump_relocs_in_section (abfd=0x8255a08, section=0x8256db8, dummy=0x0) at ./objdump.c:3400
#8  0x080ca10c in bfd_map_over_sections (abfd=0x8255a08, operation=0x804e200 <dump_relocs_in_section>, 
    user_storage=0x0) at section.c:1395
#9  0x0804c9ee in dump_relocs (abfd=0x8255a08) at ./objdump.c:3422
#10 0x0804b9b8 in dump_bfd (abfd=0x8255a08) at ./objdump.c:3548
#11 0x0804b5d2 in display_object_bfd (abfd=0x8255a08) at ./objdump.c:3611
#12 0x0804b587 in display_any_bfd (file=0x8255a08, level=0) at ./objdump.c:3700
#13 0x0804b2b1 in display_file (filename=0xbffff2a0 "/home/min/Downloads/55_minimize", target=0x0, last_file=1)
    at ./objdump.c:3721
#14 0x0804ae80 in main (argc=3, argv=0xbffff094) at ./objdump.c:4023


Proposed patch:

--- a/bfd/coffcode.h
+++ b/bfd/coffcode.h
@@ -4578,6 +4578,9 @@ coff_slurp_line_table (bfd *abfd, asection *asect)
 
   BFD_ASSERT (asect->lineno == NULL);
 
+  if(asect->lineno_count > 0xffff)
+    return FALSE;
+
   amt = ((bfd_size_type) asect->lineno_count + 1) * sizeof (alent);
   lineno_cache = (alent *) bfd_alloc (abfd, amt);
   if (lineno_cache == NULL)


Credits:

This vulnerability was discovered by Mingi Cho and Taekyoung Kwon of the Information Security Lab, Yonsei University. Please contact mgcho.minic@gmail.com and taekyoung@yonsei.ac.kr if you need more information about the vulnerability and the lab.
Comment 1 cvs-commit@gcc.gnu.org 2017-11-01 15:23:31 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=a67d66eb97e7613a38ffe6622d837303b3ecd31d

commit a67d66eb97e7613a38ffe6622d837303b3ecd31d
Author: Nick Clifton <nickc@redhat.com>
Date:   Wed Nov 1 15:21:46 2017 +0000

    Prevent illegal memory accesses when attempting to read excessively large COFF line number tables.
    
    	PR 22376
    	* coffcode.h (coff_slurp_line_table): Check for an excessively
    	large line number count.
Comment 2 Nick Clifton 2017-11-01 15:25:30 UTC
Hi Mingi,

  Thanks for the bug report and patch.  I have checked your patch in along
  with the addition of a warning message, reporting the excessively large
  line number table.

Cheers
  Nick