Bug 22376 - Heap overflow in coff_slurp_line_table
Summary: Heap overflow in coff_slurp_line_table
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils (show other bugs)
Version: 2.30
: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-10-31 15:06 UTC by Mingi Cho
Modified: 2017-11-01 15:25 UTC (History)
1 user (show)

See Also:
Host:
Target:
Build:
Last reconfirmed:

Attachments
poc of the crash (11.86 KB, application/x-msdownload)
2017-10-31 15:06 UTC, Mingi Cho 		Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Mingi Cho 2017-10-31 15:06:48 UTC 
Created attachment 10562 [details]
poc of the crash

Triggered by "./objdump -x $POC"
Tested on Ubuntu 16.04 (x86)


There is no check on the number of tables when processing line table.


The GDB debugging information is as follows:

(gdb) r -x $POC

Program received signal SIGSEGV, Segmentation fault.
0x080c55f5 in bfd_getl32 (p=0x8276000) at libbfd.c:557
557	  v = (unsigned long) addr[0];
(gdb) bt
#0  0x080c55f5 in bfd_getl32 (p=0x8276000) at libbfd.c:557
#1  0x081544d5 in _bfd_pei_swap_lineno_in (abfd=0x8255a08, ext1=0x8276000, in1=0xbfffeac0) at peigen.c:446
#2  0x08151562 in coff_slurp_line_table (abfd=0x8255a08, asect=0x8256b9c) at ./coffcode.h:4606
#3  0x081510e9 in coff_slurp_symbol_table (abfd=0x8255a08) at ./coffcode.h:5122
#4  0x081505c7 in coff_slurp_reloc_table (abfd=0x8255a08, asect=0x8256db8, symbols=0x0) at ./coffcode.h:5291
#5  0x0814cd2a in coff_canonicalize_reloc (abfd=0x8255a08, section=0x8256db8, relptr=0x825c300, symbols=0x0)
    at ./coffcode.h:5435
#6  0x080be79b in bfd_canonicalize_reloc (abfd=0x8255a08, asect=0x8256db8, location=0x825c300, symbols=0x0)
    at bfd.c:1090
#7  0x0804e3a6 in dump_relocs_in_section (abfd=0x8255a08, section=0x8256db8, dummy=0x0) at ./objdump.c:3400
#8  0x080ca10c in bfd_map_over_sections (abfd=0x8255a08, operation=0x804e200 <dump_relocs_in_section>, 
    user_storage=0x0) at section.c:1395
#9  0x0804c9ee in dump_relocs (abfd=0x8255a08) at ./objdump.c:3422
#10 0x0804b9b8 in dump_bfd (abfd=0x8255a08) at ./objdump.c:3548
#11 0x0804b5d2 in display_object_bfd (abfd=0x8255a08) at ./objdump.c:3611
#12 0x0804b587 in display_any_bfd (file=0x8255a08, level=0) at ./objdump.c:3700
#13 0x0804b2b1 in display_file (filename=0xbffff2a0 "/home/min/Downloads/55_minimize", target=0x0, last_file=1)
    at ./objdump.c:3721
#14 0x0804ae80 in main (argc=3, argv=0xbffff094) at ./objdump.c:4023


Proposed patch:

--- a/bfd/coffcode.h
+++ b/bfd/coffcode.h
@@ -4578,6 +4578,9 @@ coff_slurp_line_table (bfd *abfd, asection *asect)
 
   BFD_ASSERT (asect->lineno == NULL);
 
+  if(asect->lineno_count > 0xffff)
+    return FALSE;
+
   amt = ((bfd_size_type) asect->lineno_count + 1) * sizeof (alent);
   lineno_cache = (alent *) bfd_alloc (abfd, amt);
   if (lineno_cache == NULL)


Credits:

This vulnerability was discovered by Mingi Cho and Taekyoung Kwon of the Information Security Lab, Yonsei University. Please contact mgcho.minic@gmail.com and taekyoung@yonsei.ac.kr if you need more information about the vulnerability and the lab.
Comment 1 cvs-commit@gcc.gnu.org 2017-11-01 15:23:31 UTC 
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=a67d66eb97e7613a38ffe6622d837303b3ecd31d

commit a67d66eb97e7613a38ffe6622d837303b3ecd31d
Author: Nick Clifton <nickc@redhat.com>
Date:   Wed Nov 1 15:21:46 2017 +0000

    Prevent illegal memory accesses when attempting to read excessively large COFF line number tables.
    
    	PR 22376
    	* coffcode.h (coff_slurp_line_table): Check for an excessively
    	large line number count.
Comment 2 Nick Clifton 2017-11-01 15:25:30 UTC 
Hi Mingi,

  Thanks for the bug report and patch.  I have checked your patch in along
  with the addition of a warning message, reporting the excessively large
  line number table.

Cheers
  Nick