Bug 22894 - integer overflow in parse_die
Summary: integer overflow in parse_die
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils (show other bugs)
Version: 2.31
: P2 normal
Target Milestone: ---
Assignee: Nick Clifton
Depends on:
Reported: 2018-02-26 03:38 UTC by skysider
Modified: 2018-03-31 12:34 UTC (History)
2 users (show)

See Also:
Last reconfirmed: 2018-02-27 00:00:00

Proposed patch (393 bytes, patch)
2018-02-27 14:23 UTC, Nick Clifton
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description skysider 2018-02-26 03:38:43 UTC
The command I test is "nm-new -A -a -l -S -s --special-syms --synthetic --with-symbol-versions -D $POC".

In function parse_die, I find a case which can lead to interger overflow of xptr. Below is part of function parse_die.

	  if (xptr + 4 <= aDiePtrEnd)
	    xptr += bfd_get_32 (abfd, xptr);
	  xptr += 4;

The result of bfd_get_32 can be large and when it's added to xptr, xptr overflow.
Backtrace of gdb 
(gdb) bt                                                                                                                                                                                                                    
#0  0x08056486 in bfd_getl16 (p=0x206da1) at /work/binutils-gdb/bfd/libbfd.c:583                                                                                                                     
#1  0x080a0c55 in parse_die (aDieInfo=aDieInfo@entry=0xffffd45c, aDiePtr=<optimized out>, aDiePtrEnd=0x8188026 "\r", abfd=<optimized out>) at /work/binutils-gdb/bfd/dwarf1.c:221                                                         
#2  0x080a123c in _bfd_dwarf1_find_nearest_line (abfd=0x817e058, symbols=0x8184de0, section=0x817faa0, offset=160, filename_ptr=0xffffd568, functionname_ptr=0xffffd56c, linenumber_ptr=0xffffd570) at /work/binutils-gdb/bfd/dwarf1.c:541            
#3  0x0807fda9 in _bfd_elf_find_nearest_line (abfd=0x817e058, symbols=0x8184de0, section=0x817faa0, offset=160, filename_ptr=0xffffd568, functionname_ptr=0xffffd56c, line_ptr=0xffffd570, discriminator_ptr=0x0) at /work/binutils-gdb/bfd/elf.c:8746
#4  0x0804b279 in print_symbol (abfd=abfd@entry=0x817e058, sym=<optimized out>, ssize=0, archive_bfd=0x0) at /work/binutils-gdb/binutils/nm.c:1009                                                                                 
#5  0x0804b55c in print_symbols (archive_bfd=<optimized out>, size=<optimized out>, symcount=<optimized out>, minisyms=<optimized out>, is_dynamic=<optimized out>, abfd=0x817e058) at /work/binutils-gdb/binutils/nm.c:1089
#6  display_rel_file (abfd=abfd@entry=0x817e058, archive_bfd=archive_bfd@entry=0x0) at /work/binutils-gdb/binutils/nm.c:1205                                                                         
#7  0x0804c67b in display_file (filename=<optimized out>) at /work/binutils-gdb/binutils/nm.c:1325                                                                                                                                                                  
#8  0x0804a505 in main (argc=11, argv=0xffffd744) at /work/binutils-gdb/binutils/nm.c:1799 
The poc file is https://github.com/skysider/FuzzVuln/blob/master/binutils_nm_integer_overflow_parse_die.elf
Comment 1 Nick Clifton 2018-02-27 14:23:03 UTC
Created attachment 10856 [details]
Proposed patch

Hi Skysider,

  Unfortunately I could not reproduce the failure that you reported,
  but I do agree that integer overflow could occur at that point in
  the code.  So please could you try out this patch and let me know
  if it solves the problem for you.

Comment 2 skysider 2018-02-27 14:44:59 UTC
 I test it in 32bit machine. I wonder if you compile in 32bit mode and it seems that it only crashes in 32 bit .
Comment 3 skysider 2018-02-28 03:04:00 UTC
The patch works.
Comment 4 Sourceware Commits 2018-02-28 10:15:21 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:


commit eef104664efb52965d85a28bc3fc7c77e52e48e2
Author: Nick Clifton <nickc@redhat.com>
Date:   Wed Feb 28 10:13:54 2018 +0000

    Fix potential integer overflow when reading corrupt dwarf1 debug information.
    	PR 22894
    	* dwarf1.c (parse_die): Check the length of form blocks before
    	advancing the data pointer.
Comment 5 Nick Clifton 2018-02-28 10:16:00 UTC
Patch applied.