Bug 22507 - Heap buffer overflow on _bfd_coff_read_string_table
Summary: Heap buffer overflow on _bfd_coff_read_string_table
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils (show other bugs)
Version: 2.30
: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-11-28 05:26 UTC by Mingi Cho
Modified: 2017-11-28 18:03 UTC (History)
1 user (show)

See Also:
Host:
Target:
Build:
Last reconfirmed:


Attachments
poc of the crash (12.04 KB, application/x-ms-dos-executable)
2017-11-28 05:26 UTC, Mingi Cho
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Mingi Cho 2017-11-28 05:26:29 UTC
Created attachment 10643 [details]
poc of the crash

Triggered by "./objdump -W $POC"
Tested on Ubuntu 16.04 (x86)

Heap overflow occurred when processing malformed PE file.


The GDB debugging information is as follows:

(gdb) r -W $POC

Program received signal SIGABRT, Aborted.
0xb7fd9ce5 in __kernel_vsyscall ()
(gdb) bt
#0  0xb7fd9ce5 in __kernel_vsyscall ()
#1  0xb7e2aea9 in __GI_raise (sig=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#2  0xb7e2c407 in __GI_abort () at abort.c:89
#3  0xb7e6637c in __libc_message (do_abort=2, fmt=0xb7f5edf4 "*** Error in `%s': %s: 0x%s ***\n")
    at ../sysdeps/posix/libc_fatal.c:175
#4  0xb7e6c2f7 in malloc_printerr (action=<optimized out>, str=0xb7f5eef0 "free(): invalid next size (fast)", 
    ptr=<optimized out>, ar_ptr=0xb7fb1780 <main_arena>) at malloc.c:5006
#5  0xb7e6cc31 in _int_free (av=0xb7fb1780 <main_arena>, p=<optimized out>, have_lock=0) at malloc.c:3867
#6  0x0816a700 in _bfd_coff_read_string_table (abfd=0x825ca08) at coffgen.c:1743
#7  0x0816d3c9 in coff_get_normalized_symtab (abfd=0x825ca08) at coffgen.c:1956
#8  0x08153f38 in coff_slurp_symbol_table (abfd=0x825ca08) at ./coffcode.h:4783
#9  0x0816a2e6 in coff_get_symtab_upper_bound (abfd=0x825ca08) at coffgen.c:419
#10 0x0804c347 in slurp_symtab (abfd=0x825ca08) at ./objdump.c:615
#11 0x0804b99c in dump_bfd (abfd=0x825ca08) at ./objdump.c:3561
#12 0x0804b742 in display_object_bfd (abfd=0x825ca08) at ./objdump.c:3649
#13 0x0804b6f7 in display_any_bfd (file=0x825ca08, level=0) at ./objdump.c:3738
#14 0x0804b421 in display_file (filename=0xbffff2b0 "/home/min/Downloads/bfd_coff_read_string_table", target=0x0, 
    last_file=1) at ./objdump.c:3759
#15 0x0804aff0 in main (argc=3, argv=0xbffff094) at ./objdump.c:4061


ASAN output:

==7711==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb61006b1 at pc 0x080f9f75 bp 0xbfe82888 sp 0xbfe82460
WRITE of size 4 at 0xb61006b1 thread T0
    #0 0x80f9f74 in __asan_memset (/home/min/fuzzing/program/binutils-master-patch/bin/objdump+0x80f9f74)
    #1 0x85ed97d in _bfd_coff_read_string_table /home/min/fuzzing/src/binutils/binutils-gdb/bfd/coffgen.c:1738:3
    #2 0x85fdab1 in coff_get_normalized_symtab /home/min/fuzzing/src/binutils/binutils-gdb/bfd/coffgen.c:1956:20
    #3 0x8578d09 in coff_slurp_symbol_table /home/min/fuzzing/src/binutils/binutils-gdb/bfd/./coffcode.h:4783:25
    #4 0x85ec86c in coff_get_symtab_upper_bound /home/min/fuzzing/src/binutils/binutils-gdb/bfd/coffgen.c:419:8
    #5 0x81476cb in slurp_symtab /home/min/fuzzing/src/binutils/binutils-gdb/binutils/./objdump.c:615:13
    #6 0x8145950 in dump_bfd /home/min/fuzzing/src/binutils/binutils-gdb/binutils/./objdump.c:3561:12
    #7 0x81450ef in display_object_bfd /home/min/fuzzing/src/binutils/binutils-gdb/binutils/./objdump.c:3649:7
    #8 0x8144ffb in display_any_bfd /home/min/fuzzing/src/binutils/binutils-gdb/binutils/./objdump.c:3738:5
    #9 0x8144aa0 in display_file /home/min/fuzzing/src/binutils/binutils-gdb/binutils/./objdump.c:3759:3
    #10 0x814421e in main /home/min/fuzzing/src/binutils/binutils-gdb/binutils/./objdump.c:4061:6
    #11 0xb7498636 in __libc_start_main /build/glibc-KM3i_a/glibc-2.23/csu/../csu/libc-start.c:291
    #12 0x806c7c7 in _start (/home/min/fuzzing/program/binutils-master-patch/bin/objdump+0x806c7c7)

0xb61006b1 is located 0 bytes to the right of 1-byte region [0xb61006b0,0xb61006b1)
allocated by thread T0 here:
    #0 0x8110b04 in malloc (/home/min/fuzzing/program/binutils-master-patch/bin/objdump+0x8110b04)
    #1 0x82cc0d2 in bfd_malloc /home/min/fuzzing/src/binutils/binutils-gdb/bfd/libbfd.c:193:9
    #2 0x85ed92a in _bfd_coff_read_string_table /home/min/fuzzing/src/binutils/binutils-gdb/bfd/coffgen.c:1730:22
    #3 0x85fdab1 in coff_get_normalized_symtab /home/min/fuzzing/src/binutils/binutils-gdb/bfd/coffgen.c:1956:20
    #4 0x8578d09 in coff_slurp_symbol_table /home/min/fuzzing/src/binutils/binutils-gdb/bfd/./coffcode.h:4783:25
    #5 0x85ec86c in coff_get_symtab_upper_bound /home/min/fuzzing/src/binutils/binutils-gdb/bfd/coffgen.c:419:8
    #6 0x81476cb in slurp_symtab /home/min/fuzzing/src/binutils/binutils-gdb/binutils/./objdump.c:615:13
    #7 0x8145950 in dump_bfd /home/min/fuzzing/src/binutils/binutils-gdb/binutils/./objdump.c:3561:12
    #8 0x81450ef in display_object_bfd /home/min/fuzzing/src/binutils/binutils-gdb/binutils/./objdump.c:3649:7
    #9 0x8144ffb in display_any_bfd /home/min/fuzzing/src/binutils/binutils-gdb/binutils/./objdump.c:3738:5
    #10 0x8144aa0 in display_file /home/min/fuzzing/src/binutils/binutils-gdb/binutils/./objdump.c:3759:3
    #11 0x814421e in main /home/min/fuzzing/src/binutils/binutils-gdb/binutils/./objdump.c:4061:6
    #12 0xb7498636 in __libc_start_main /build/glibc-KM3i_a/glibc-2.23/csu/../csu/libc-start.c:291


Credits:

Mingi Cho and Taekyoung Kwon of the Information Security Lab, Yonsei University.
Comment 1 Sourceware Commits 2017-11-28 18:01:48 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=b0029dce6867de1a2828293177b0e030d2f0f03c

commit b0029dce6867de1a2828293177b0e030d2f0f03c
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Nov 28 18:00:29 2017 +0000

    Prevent a memory exhaustion problem when trying to read in strings from a COFF binary with a corrupt string table size.
    
    	PR 22507
    	* coffgen.c (_bfd_coff_read_string_table): Check for an excessive
    	size of the external string table.
Comment 2 Nick Clifton 2017-11-28 18:03:03 UTC
Hi Mingi,

  Thanks for reporting this problem.  I have added a check to the code
  that should stop any attempts to allocate an excessively large amount
  of mrmory when parsing a COFF string table.

Cheers
  Nick