Created attachment 11114 [details]
poc to reproduce the crash

bfd_malloc in binutils-2.30/bfd/libbfd.c, as distributed in GNU Binutils 2.30, allows attackers to trigger excessive memory consumption (aka OOM). This can occur during execution of nm.

To reproduce:
#CC=clang CXX=clang++ CFLAGS="-fsanitize=address -fsanitize-recover=address -ggdb" CXXFLAGS="-fsanitize=address -fsanitize-recover=address -ggdb" LDFLAGS="-fsanitize=address" ./configure
#ASAN_OPTIONS=halt_on_error=false:allow_addr2line=true ./nm-new $poc

ASan:
==90210==AddressSanitizer CHECK failed: /build/llvm-toolchain-3.8-_PD09B/llvm-toolchain-3.8-3.8/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:183 "((0 && "unable to mmap")) != (0)" (0x0, 0x0)
    #0 0x4c2a9d in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) asan_rtl.cc.o
    #1 0x4c96c3 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/home/s2e/asan/binutils-2.30/binutils/nm-new+0x4c96c3)
    #2 0x4c98b1 in __sanitizer::ReportMmapFailureAndDie(unsigned long, char const*, char const*, int, bool) (/home/s2e/asan/binutils-2.30/binutils/nm-new+0x4c98b1)
    #3 0x4d2822 in __sanitizer::MmapOrDie(unsigned long, char const*, bool) (/home/s2e/asan/binutils-2.30/binutils/nm-new+0x4d2822)
    #4 0x41f4af in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (/home/s2e/asan/binutils-2.30/binutils/nm-new+0x41f4af)
    #5 0x4b9471 in malloc (/home/s2e/asan/binutils-2.30/binutils/nm-new+0x4b9471)
    #6 0x52405c in bfd_malloc /home/s2e/asan/binutils-2.30/bfd/libbfd.c:193
    #7 0x6a5118 in _bfd_elf_parse_attributes /home/s2e/asan/binutils-2.30/bfd/elf-attrs.c:441
    #8 0x5ce586 in bfd_section_from_shdr /home/s2e/asan/binutils-2.30/bfd/elf.c:2465
    #9 0x71a003 in bfd_elf32_object_p /home/s2e/asan/binutils-2.30/bfd/./elfcode.h:805
    #10 0x51dd2c in bfd_check_format_matches /home/s2e/asan/binutils-2.30/bfd/format.c:311
    #11 0x4ec122 in display_file /home/s2e/asan/binutils-2.30/binutils/nm.c:1321
    #12 0x4eb893 in main /home/s2e/asan/binutils-2.30/binutils/nm.c:1799
    #13 0x7f154296e82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #14 0x419368 in _start (/home/s2e/asan/binutils-2.30/binutils/nm-new+0x419368)
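An added illustration of the defensive check this kind of report calls for; it is not the binutils patch and not code from the project. The trace shows bfd_malloc being handed a size taken from an ELF section header by _bfd_elf_parse_attributes, so the example bounds such a size by the file size and a ceiling before allocating. The struct and function names are hypothetical.

```c
/* Added example, not binutils code: bound an allocation whose size comes
   from an untrusted ELF section header before calling malloc. */
#include <stdint.h>
#include <stdlib.h>
#include <stddef.h>

/* Hypothetical minimal view of the two header fields that matter here. */
struct section_hdr { uint64_t sh_offset; uint64_t sh_size; };

/* Returns 1 if the section is non-empty, lies entirely inside a file of
   file_size bytes (checked without integer overflow), and is no larger than
   max_alloc; returns 0 otherwise. */
int section_fits(const struct section_hdr *h, uint64_t file_size, uint64_t max_alloc)
{
    if (h->sh_size == 0) return 0;
    if (h->sh_offset > file_size) return 0;
    /* Equivalent to sh_offset + sh_size <= file_size, but cannot wrap. */
    if (h->sh_size > file_size - h->sh_offset) return 0;
    if (h->sh_size > max_alloc) return 0;
    return 1;
}

/* Allocate a buffer for the section only after the bound check passes.
   Returns NULL on rejection; the caller reads the file bytes into it. */
unsigned char *alloc_section(const struct section_hdr *h, uint64_t file_size, uint64_t max_alloc)
{
    if (!section_fits(h, file_size, max_alloc)) return NULL;
    if (h->sh_size > SIZE_MAX) return NULL;  /* only reachable on 32-bit hosts */
    return malloc((size_t) h->sh_size);
}

/* Constructed inputs: one sane header and one resembling a fuzzed file that
   claims a section far larger than the file itself. */
int demo(void)
{
    struct section_hdr good = { .sh_offset = 64, .sh_size = 128 };
    struct section_hdr huge = { .sh_offset = 64, .sh_size = UINT64_MAX - 10 };
    uint64_t file_size = 4096;
    uint64_t ceiling = 1u << 30;  /* 1 GiB: an example cap, not a real limit */
    int ok_good = section_fits(&good, file_size, ceiling);
    int ok_huge = section_fits(&huge, file_size, ceiling);
    unsigned char *p = alloc_section(&good, file_size, ceiling);
    int allocated = (p != NULL);
    free(p);
    return ok_good && !ok_huge && allocated;  /* returns 1 */
}
```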
Already fixed on master.
Hi,

Where is the code piece and what is the bug? Could you please tell me the commit? I couldn't find changes in bfd_malloc in bfd/libbfd.c.
Created attachment 11118 [details]
patch

Hi Pedro,

Here is the patch. It is from commit 95a6d235661.

Cheers
Nick