Bug 23361 - OOM-Bug in bfd_malloc in libbfd.c
Summary: OOM-Bug in bfd_malloc in libbfd.c
Status: RESOLVED WORKSFORME
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils
Version: 2.30
Importance: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-07-01 13:13 UTC by rookie
Modified: 2018-07-06 14:42 UTC (History)

See Also:
Host:
Target:
Build:
Last reconfirmed:


Attachments
poc to reproduce the crash (2.07 MB, application/x-rar)
2018-07-01 13:13 UTC, rookie
patch (1.07 KB, patch)
2018-07-06 14:42 UTC, Nick Clifton

Description rookie 2018-07-01 13:13:43 UTC
Created attachment 11114
poc to reproduce the crash

bfd_malloc in binutils-2.30/bfd/libbfd.c, as distributed in GNU Binutils 2.30, allows attackers to trigger excessive memory consumption (aka OOM). This can occur during execution of nm.

To reproduce:
#CC=clang CXX=clang++ CFLAGS="-fsanitize=address -fsanitize-recover=address -ggdb" CXXFLAGS="-fsanitize=address -fsanitize-recover=address -ggdb" LDFLAGS="-fsanitize=address" ./configure
#ASAN_OPTIONS=halt_on_error=false:allow_addr2line=true  ./nm-new $poc

ASan:
==90210==AddressSanitizer CHECK failed: /build/llvm-toolchain-3.8-_PD09B/llvm-toolchain-3.8-3.8/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:183 "((0 && "unable to mmap")) != (0)" (0x0, 0x0)
    #0 0x4c2a9d in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) asan_rtl.cc.o
    #1 0x4c96c3 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/home/s2e/asan/binutils-2.30/binutils/nm-new+0x4c96c3)
    #2 0x4c98b1 in __sanitizer::ReportMmapFailureAndDie(unsigned long, char const*, char const*, int, bool) (/home/s2e/asan/binutils-2.30/binutils/nm-new+0x4c98b1)
    #3 0x4d2822 in __sanitizer::MmapOrDie(unsigned long, char const*, bool) (/home/s2e/asan/binutils-2.30/binutils/nm-new+0x4d2822)
    #4 0x41f4af in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (/home/s2e/asan/binutils-2.30/binutils/nm-new+0x41f4af)
    #5 0x4b9471 in malloc (/home/s2e/asan/binutils-2.30/binutils/nm-new+0x4b9471)
    #6 0x52405c in bfd_malloc /home/s2e/asan/binutils-2.30/bfd/libbfd.c:193
    #7 0x6a5118 in _bfd_elf_parse_attributes /home/s2e/asan/binutils-2.30/bfd/elf-attrs.c:441
    #8 0x5ce586 in bfd_section_from_shdr /home/s2e/asan/binutils-2.30/bfd/elf.c:2465
    #9 0x71a003 in bfd_elf32_object_p /home/s2e/asan/binutils-2.30/bfd/./elfcode.h:805
    #10 0x51dd2c in bfd_check_format_matches /home/s2e/asan/binutils-2.30/bfd/format.c:311
    #11 0x4ec122 in display_file /home/s2e/asan/binutils-2.30/binutils/nm.c:1321
    #12 0x4eb893 in main /home/s2e/asan/binutils-2.30/binutils/nm.c:1799
    #13 0x7f154296e82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #14 0x419368 in _start (/home/s2e/asan/binutils-2.30/binutils/nm-new+0x419368)
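The trace above ends in malloc being asked for a size that ASan's allocator cannot mmap, with the request originating in _bfd_elf_parse_attributes rather than in bfd_malloc itself. The example below is added here and is not code from the bug report, from the attached patch, or from binutils: it reproduces the general pattern (a size field read from the input file handed straight to malloc) against a constructed in-memory "file", and puts the bounded variant beside it. The record layout (4-byte little-endian length plus payload) and the function names are hypothetical, chosen for illustration only; they are not the ELF attributes format.

```c
/* Added example, not binutils code.  Demonstrates why an on-disk size
   field must be checked against the bytes actually present before it is
   passed to malloc.  Record layout below is hypothetical: a 4-byte
   little-endian length followed by that many payload bytes. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

static uint32_t read_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable form: returns the size the loader would request from malloc,
   taken verbatim from the file.  It is returned as a number rather than
   allocated so the caller can observe it without consuming memory. */
size_t unchecked_alloc_size(const unsigned char *buf, size_t buflen)
{
    if (buflen < 4)
        return 0;
    return (size_t)read_le32(buf);   /* fully attacker controlled */
}

/* Hardened form: refuse any length that exceeds the bytes remaining after
   the header, then copy the payload to the heap.  Returns NULL on any
   rejection or allocation failure. */
unsigned char *checked_parse(const unsigned char *buf, size_t buflen,
                             size_t *out_len)
{
    if (buflen < 4)
        return NULL;
    uint32_t len = read_le32(buf);
    if (len > buflen - 4)            /* claimed size larger than the file */
        return NULL;
    unsigned char *copy = malloc(len ? len : 1);
    if (copy == NULL)
        return NULL;
    memcpy(copy, buf + 4, len);
    *out_len = len;
    return copy;
}

/* Constructed sample inputs (not taken from the attached PoC). */
static const unsigned char GOOD_BLOB[] = { 0x03, 0x00, 0x00, 0x00, 'a', 'b', 'c' };
static const unsigned char BAD_BLOB[]  = { 0xF0, 0xFF, 0xFF, 0xFF, 1, 2, 3, 4 };

/* Returns 1 if the well-formed blob parses to the expected 3-byte payload. */
int demo_good(void)
{
    size_t n = 0;
    unsigned char *p = checked_parse(GOOD_BLOB, sizeof GOOD_BLOB, &n);
    int ok = (p != NULL && n == 3 && memcmp(p, "abc", 3) == 0);
    free(p);
    return ok;
}

/* Returns 1 if the hostile blob is rejected by the checked parser while the
   unchecked path would have asked malloc for ~4 GiB. */
int demo_bad(void)
{
    size_t n = 0;
    size_t requested = unchecked_alloc_size(BAD_BLOB, sizeof BAD_BLOB);
    unsigned char *p = checked_parse(BAD_BLOB, sizeof BAD_BLOB, &n);
    return requested == 0xFFFFFFF0u && p == NULL;
}

int main(void)
{
    printf("unchecked request for hostile input: %zu bytes\n",
           unchecked_alloc_size(BAD_BLOB, sizeof BAD_BLOB));
    printf("good parses: %d, bad rejected: %d\n", demo_good(), demo_bad());
    return 0;
}
```

When fuzzing builds like the one in the report, ASAN_OPTIONS=allocator_may_return_null=1 turns the "unable to mmap" CHECK abort into an ordinary NULL return from malloc, which lets the program's own bfd_malloc failure handling run instead of the sanitizer dying; the underlying input-validation gap is the same either way.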
Comment 1 Alan Modra 2018-07-04 13:41:43 UTC
Already fixed on master.
Comment 2 Pedro Yóssis Silva Barbosa 2018-07-05 21:26:59 UTC
Hi,

Where is the code piece and what is the bug? Could you please inform the commit? I couldn't find changes in bfd_malloc in bfd/libbfd.c.
Comment 3 Nick Clifton 2018-07-06 14:42:25 UTC
Created attachment 11118
patch

Hi Pedro,

  Here is the patch.  It is from commit 95a6d235661.

Cheers
  Nick