Bug 22385 - Integer overflow in coff_get_normalized_symtab
Summary: Integer overflow in coff_get_normalized_symtab
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils (show other bugs)
Version: 2.30
: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-11-02 06:00 UTC by Mingi Cho
Modified: 2017-11-03 11:58 UTC (History)
1 user (show)

See Also:
Host:
Target:
Build:
Last reconfirmed:

Attachments
poc of the crash (11.86 KB, application/x-ms-dos-executable)
2017-11-02 06:00 UTC, Mingi Cho 		Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Mingi Cho 2017-11-02 06:00:49 UTC 
Created attachment 10568 [details]
poc of the crash

Triggered by "./objdump -r $POC"
Tested on Ubuntu 16.04 (x86)

An integer overflow is occurred when numbers of symbols are too large.


ASAN output:

./objdump -r $POC

==30813==ERROR: AddressSanitizer: SEGV on unknown address 0xbebebebe (pc 0x08127bc6 bp 0xbfe51da8 sp 0xbfe5191c T0)
    #0 0x8127bc5 in __sanitizer::internal_strlen(char const*) (/home/min/fuzzing/program/binutils-master-asan/bin/objdump+0x8127bc5)
    #1 0x80b4121 in printf_common(void*, char const*, char*) (/home/min/fuzzing/program/binutils-master-asan/bin/objdump+0x80b4121)
    #2 0x80b45fc in __interceptor_vfprintf (/home/min/fuzzing/program/binutils-master-asan/bin/objdump+0x80b45fc)
    #3 0x80b464b in __interceptor_fprintf (/home/min/fuzzing/program/binutils-master-asan/bin/objdump+0x80b464b)
    #4 0x82b1b47 in _bfd_doprnt /home/min/fuzzing/src/binutils/binutils-gdb/bfd/bfd.c:805:8
    #5 0x82b016c in error_handler_internal /home/min/fuzzing/src/binutils/binutils-gdb/bfd/bfd.c:887:3
    #6 0x82a8e5e in _bfd_error_handler /home/min/fuzzing/src/binutils/binutils-gdb/bfd/bfd.c:909:3
    #7 0x851deae in coff_slurp_symbol_table /home/min/fuzzing/src/binutils/binutils-gdb/bfd/./coffcode.h:5085:8


The GDB debugging information is as follows:

(gdb) r -r $POC

Program received signal SIGSEGV, Segmentation fault.
0xb7e43383 in _IO_vfprintf_internal (s=0xbfffc4b8, format=<optimized out>, 
    ap=0xbfffea9c "\306\350\"\b\214\342\365\267\200!\373\267@\353\377\277\242`ⷀ!\373\267\214\342\365\267\022")
    at vfprintf.c:1632
1632  vfprintf.c: No such file or directory.
(gdb) bt
#0  0xb7e43383 in _IO_vfprintf_internal (s=0xbfffc4b8, format=<optimized out>, 
    ap=0xbfffea9c "\306\350\"\b\214\342\365\267\200!\373\267@\353\377\277\242`ⷀ!\373\267\214\342\365\267\022")
    at vfprintf.c:1632
#1  0xb7e43671 in buffered_vfprintf (s=s@entry=0xb7fb1cc0 <_IO_2_1_stderr_>, format=format@entry=0xbfffeb8c "%s", 
    args=args@entry=0xbfffea98 "\001") at vfprintf.c:2320
#2  0xb7e412d1 in _IO_vfprintf_internal (s=0xb7fb1cc0 <_IO_2_1_stderr_>, format=0xbfffeb8c "%s", 
    ap=0xbfffea98 "\001") at vfprintf.c:1293
#3  0xb7e48668 in __fprintf (stream=0xb7fb1cc0 <_IO_2_1_stderr_>, format=0xbfffeb8c "%s") at fprintf.c:32
#4  0x080c08c2 in _bfd_doprnt (stream=0xb7fb1cc0 <_IO_2_1_stderr_>, 
    format=0x822e89e "%B: Unrecognized storage class %d for %s symbol `%s'", ap=0xbfffeca4 "\340\276%\b\001")
    at bfd.c:805
#5  0x080c006f in error_handler_internal (fmt=0x822e89e "%B: Unrecognized storage class %d for %s symbol `%s'", 
    ap=0xbfffec94 "\bZ%\b") at bfd.c:887
#6  0x080be625 in _bfd_error_handler (fmt=0x822e89e "%B: Unrecognized storage class %d for %s symbol `%s'")
    at bfd.c:909
#7  0x08151029 in coff_slurp_symbol_table (abfd=0x8255a08) at ./coffcode.h:5085
#8  0x08166d06 in coff_get_symtab_upper_bound (abfd=0x8255a08) at coffgen.c:419
#9  0x0804c1d7 in slurp_symtab (abfd=0x8255a08) at ./objdump.c:615
#10 0x0804b82c in dump_bfd (abfd=0x8255a08) at ./objdump.c:3523
#11 0x0804b5d2 in display_object_bfd (abfd=0x8255a08) at ./objdump.c:3611
#12 0x0804b587 in display_any_bfd (file=0x8255a08, level=0) at ./objdump.c:3700
#13 0x0804b2b1 in display_file (filename=0xbffff2b7 "/tmp/poc", target=0x0, last_file=1) at ./objdump.c:3721
#14 0x0804ae80 in main (argc=3, argv=0xbffff0a4) at ./objdump.c:4023


Proposed patch:

Check whether integer overflow occurs in coff_get_normalized_symtab ()

--- a/bfd/coffgen.c
+++ b/bfd/coffgen.c
@@ -1790,6 +1790,8 @@ coff_get_normalized_symtab (bfd *abfd)
     return NULL;
 
   size = obj_raw_syment_count (abfd) * sizeof (combined_entry_type);
+  if (obj_raw_syment_count (abfd) > size)
+    return NULL;
   internal = (combined_entry_type *) bfd_zalloc (abfd, size);
   if (internal == NULL && size != 0)
     return NULL;


Credits:

This vulnerability was discovered by Mingi Cho and Taekyoung Kwon of the Information Security Lab, Yonsei University. Please contact mgcho.minic@gmail.com and taekyoung@yonsei.ac.kr if you need more information about the vulnerability and the lab.
Comment 1 Sourceware Commits 2017-11-03 11:57:17 UTC 
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=6cee897971d4d7cd37d2a686bb6d2aa3e759c8ca

commit 6cee897971d4d7cd37d2a686bb6d2aa3e759c8ca
Author: Nick Clifton <nickc@redhat.com>
Date:   Fri Nov 3 11:55:21 2017 +0000

    Fix excessive memory allocation attempts and possible integer overfloaws when attempting to read a COFF binary with a corrupt symbol count.
    
    	PR 22385
    	* coffgen.c (_bfd_coff_get_external_symbols): Check for an
    	overlarge raw syment count.
    	(coff_get_normalized_symtab): Likewise.
Comment 2 Nick Clifton 2017-11-03 11:58:57 UTC 
Hi Mingi,

  Thanks for another bug report and patch!  I have applied the patch, but
  I also decided that a second check, in _bfd_coff_get_external_symbols,
  was also a good idea, so I have added that as well.

Cheers
  Nick