Created attachment 10643 [details] poc of the crash Triggered by "./objdump -W $POC" Tested on Ubuntu 16.04 (x86) Heap overflow occurred when processing malformed PE file. The GDB debugging information is as follows: (gdb) r -W $POC Program received signal SIGABRT, Aborted. 0xb7fd9ce5 in __kernel_vsyscall () (gdb) bt #0 0xb7fd9ce5 in __kernel_vsyscall () #1 0xb7e2aea9 in __GI_raise (sig=6) at ../sysdeps/unix/sysv/linux/raise.c:54 #2 0xb7e2c407 in __GI_abort () at abort.c:89 #3 0xb7e6637c in __libc_message (do_abort=2, fmt=0xb7f5edf4 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175 #4 0xb7e6c2f7 in malloc_printerr (action=<optimized out>, str=0xb7f5eef0 "free(): invalid next size (fast)", ptr=<optimized out>, ar_ptr=0xb7fb1780 <main_arena>) at malloc.c:5006 #5 0xb7e6cc31 in _int_free (av=0xb7fb1780 <main_arena>, p=<optimized out>, have_lock=0) at malloc.c:3867 #6 0x0816a700 in _bfd_coff_read_string_table (abfd=0x825ca08) at coffgen.c:1743 #7 0x0816d3c9 in coff_get_normalized_symtab (abfd=0x825ca08) at coffgen.c:1956 #8 0x08153f38 in coff_slurp_symbol_table (abfd=0x825ca08) at ./coffcode.h:4783 #9 0x0816a2e6 in coff_get_symtab_upper_bound (abfd=0x825ca08) at coffgen.c:419 #10 0x0804c347 in slurp_symtab (abfd=0x825ca08) at ./objdump.c:615 #11 0x0804b99c in dump_bfd (abfd=0x825ca08) at ./objdump.c:3561 #12 0x0804b742 in display_object_bfd (abfd=0x825ca08) at ./objdump.c:3649 #13 0x0804b6f7 in display_any_bfd (file=0x825ca08, level=0) at ./objdump.c:3738 #14 0x0804b421 in display_file (filename=0xbffff2b0 "/home/min/Downloads/bfd_coff_read_string_table", target=0x0, last_file=1) at ./objdump.c:3759 #15 0x0804aff0 in main (argc=3, argv=0xbffff094) at ./objdump.c:4061 ASAN output: ==7711==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb61006b1 at pc 0x080f9f75 bp 0xbfe82888 sp 0xbfe82460 WRITE of size 4 at 0xb61006b1 thread T0 #0 0x80f9f74 in __asan_memset (/home/min/fuzzing/program/binutils-master-patch/bin/objdump+0x80f9f74) #1 0x85ed97d in _bfd_coff_read_string_table /home/min/fuzzing/src/binutils/binutils-gdb/bfd/coffgen.c:1738:3 #2 0x85fdab1 in coff_get_normalized_symtab /home/min/fuzzing/src/binutils/binutils-gdb/bfd/coffgen.c:1956:20 #3 0x8578d09 in coff_slurp_symbol_table /home/min/fuzzing/src/binutils/binutils-gdb/bfd/./coffcode.h:4783:25 #4 0x85ec86c in coff_get_symtab_upper_bound /home/min/fuzzing/src/binutils/binutils-gdb/bfd/coffgen.c:419:8 #5 0x81476cb in slurp_symtab /home/min/fuzzing/src/binutils/binutils-gdb/binutils/./objdump.c:615:13 #6 0x8145950 in dump_bfd /home/min/fuzzing/src/binutils/binutils-gdb/binutils/./objdump.c:3561:12 #7 0x81450ef in display_object_bfd /home/min/fuzzing/src/binutils/binutils-gdb/binutils/./objdump.c:3649:7 #8 0x8144ffb in display_any_bfd /home/min/fuzzing/src/binutils/binutils-gdb/binutils/./objdump.c:3738:5 #9 0x8144aa0 in display_file /home/min/fuzzing/src/binutils/binutils-gdb/binutils/./objdump.c:3759:3 #10 0x814421e in main /home/min/fuzzing/src/binutils/binutils-gdb/binutils/./objdump.c:4061:6 #11 0xb7498636 in __libc_start_main /build/glibc-KM3i_a/glibc-2.23/csu/../csu/libc-start.c:291 #12 0x806c7c7 in _start (/home/min/fuzzing/program/binutils-master-patch/bin/objdump+0x806c7c7) 0xb61006b1 is located 0 bytes to the right of 1-byte region [0xb61006b0,0xb61006b1) allocated by thread T0 here: #0 0x8110b04 in malloc (/home/min/fuzzing/program/binutils-master-patch/bin/objdump+0x8110b04) #1 0x82cc0d2 in bfd_malloc /home/min/fuzzing/src/binutils/binutils-gdb/bfd/libbfd.c:193:9 #2 0x85ed92a in _bfd_coff_read_string_table /home/min/fuzzing/src/binutils/binutils-gdb/bfd/coffgen.c:1730:22 #3 0x85fdab1 in coff_get_normalized_symtab /home/min/fuzzing/src/binutils/binutils-gdb/bfd/coffgen.c:1956:20 #4 0x8578d09 in coff_slurp_symbol_table /home/min/fuzzing/src/binutils/binutils-gdb/bfd/./coffcode.h:4783:25 #5 0x85ec86c in coff_get_symtab_upper_bound /home/min/fuzzing/src/binutils/binutils-gdb/bfd/coffgen.c:419:8 #6 0x81476cb in slurp_symtab /home/min/fuzzing/src/binutils/binutils-gdb/binutils/./objdump.c:615:13 #7 0x8145950 in dump_bfd /home/min/fuzzing/src/binutils/binutils-gdb/binutils/./objdump.c:3561:12 #8 0x81450ef in display_object_bfd /home/min/fuzzing/src/binutils/binutils-gdb/binutils/./objdump.c:3649:7 #9 0x8144ffb in display_any_bfd /home/min/fuzzing/src/binutils/binutils-gdb/binutils/./objdump.c:3738:5 #10 0x8144aa0 in display_file /home/min/fuzzing/src/binutils/binutils-gdb/binutils/./objdump.c:3759:3 #11 0x814421e in main /home/min/fuzzing/src/binutils/binutils-gdb/binutils/./objdump.c:4061:6 #12 0xb7498636 in __libc_start_main /build/glibc-KM3i_a/glibc-2.23/csu/../csu/libc-start.c:291 Credits: Mingi Cho and Taekyoung Kwon of the Information Security Lab, Yonsei University.
The master branch has been updated by Nick Clifton <nickc@sourceware.org>: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=b0029dce6867de1a2828293177b0e030d2f0f03c commit b0029dce6867de1a2828293177b0e030d2f0f03c Author: Nick Clifton <nickc@redhat.com> Date: Tue Nov 28 18:00:29 2017 +0000 Prevent a memory exhaustion problem when trying to read in strings from a COFF binary with a corrupt string table size. PR 22507 * coffgen.c (_bfd_coff_read_string_table): Check for an excessive size of the external string table.
Hi Mingi, Thanks for reporting this problem. I have added a check to the code that should stop any attempts to allocate an excessively large amount of mrmory when parsing a COFF string table. Cheers Nick