Created attachment 10562 [details] poc of the crash Triggered by "./objdump -x $POC" Tested on Ubuntu 16.04 (x86) There is no check on the number of tables when processing line table. The GDB debugging information is as follows: (gdb) r -x $POC Program received signal SIGSEGV, Segmentation fault. 0x080c55f5 in bfd_getl32 (p=0x8276000) at libbfd.c:557 557 v = (unsigned long) addr[0]; (gdb) bt #0 0x080c55f5 in bfd_getl32 (p=0x8276000) at libbfd.c:557 #1 0x081544d5 in _bfd_pei_swap_lineno_in (abfd=0x8255a08, ext1=0x8276000, in1=0xbfffeac0) at peigen.c:446 #2 0x08151562 in coff_slurp_line_table (abfd=0x8255a08, asect=0x8256b9c) at ./coffcode.h:4606 #3 0x081510e9 in coff_slurp_symbol_table (abfd=0x8255a08) at ./coffcode.h:5122 #4 0x081505c7 in coff_slurp_reloc_table (abfd=0x8255a08, asect=0x8256db8, symbols=0x0) at ./coffcode.h:5291 #5 0x0814cd2a in coff_canonicalize_reloc (abfd=0x8255a08, section=0x8256db8, relptr=0x825c300, symbols=0x0) at ./coffcode.h:5435 #6 0x080be79b in bfd_canonicalize_reloc (abfd=0x8255a08, asect=0x8256db8, location=0x825c300, symbols=0x0) at bfd.c:1090 #7 0x0804e3a6 in dump_relocs_in_section (abfd=0x8255a08, section=0x8256db8, dummy=0x0) at ./objdump.c:3400 #8 0x080ca10c in bfd_map_over_sections (abfd=0x8255a08, operation=0x804e200 <dump_relocs_in_section>, user_storage=0x0) at section.c:1395 #9 0x0804c9ee in dump_relocs (abfd=0x8255a08) at ./objdump.c:3422 #10 0x0804b9b8 in dump_bfd (abfd=0x8255a08) at ./objdump.c:3548 #11 0x0804b5d2 in display_object_bfd (abfd=0x8255a08) at ./objdump.c:3611 #12 0x0804b587 in display_any_bfd (file=0x8255a08, level=0) at ./objdump.c:3700 #13 0x0804b2b1 in display_file (filename=0xbffff2a0 "/home/min/Downloads/55_minimize", target=0x0, last_file=1) at ./objdump.c:3721 #14 0x0804ae80 in main (argc=3, argv=0xbffff094) at ./objdump.c:4023 Proposed patch: --- a/bfd/coffcode.h +++ b/bfd/coffcode.h @@ -4578,6 +4578,9 @@ coff_slurp_line_table (bfd *abfd, asection *asect) BFD_ASSERT (asect->lineno == NULL); + if(asect->lineno_count > 0xffff) + return FALSE; + amt = ((bfd_size_type) asect->lineno_count + 1) * sizeof (alent); lineno_cache = (alent *) bfd_alloc (abfd, amt); if (lineno_cache == NULL) Credits: This vulnerability was discovered by Mingi Cho and Taekyoung Kwon of the Information Security Lab, Yonsei University. Please contact mgcho.minic@gmail.com and taekyoung@yonsei.ac.kr if you need more information about the vulnerability and the lab.
The master branch has been updated by Nick Clifton <nickc@sourceware.org>: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=a67d66eb97e7613a38ffe6622d837303b3ecd31d commit a67d66eb97e7613a38ffe6622d837303b3ecd31d Author: Nick Clifton <nickc@redhat.com> Date: Wed Nov 1 15:21:46 2017 +0000 Prevent illegal memory accesses when attempting to read excessively large COFF line number tables. PR 22376 * coffcode.h (coff_slurp_line_table): Check for an excessively large line number count.
Hi Mingi, Thanks for the bug report and patch. I have checked your patch in along with the addition of a warning message, reporting the excessively large line number table. Cheers Nick