Created attachment 11261 [details] poc file to reproduce the crash There exists one heap based buffer overflow vulnerability in bfd_getl32 in libbfd.c in binutils-2.31.1, which allows an attacker to cause a denial of service through a crafted PE file. This vulnerability can be triggered by the executable objdump. $uname -a Linux ubuntu 4.4.0-31-generic #50~14.04.1-Ubuntu SMP Wed Jul 13 01:06:37 UTC 2016 i686 i686 i686 GNU/Linux $ASAN_OPTIONS=halt_on_error=false:allow_addr2line=true ./objdump --dwarf-check -C -g -f -dwarf -x $poc ASan: ==21442==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb37033f8 at pc 0x840b006 bp 0xbfcc6a78 sp 0xbfcc6a70 READ of size 1 at 0xb37033f8 thread T0 #0 0x840b005 in bfd_getl32 /home/rookie/asan/binutils-2.31.1/bfd/libbfd.c:656 #1 0x881e876 in pe_print_edata /home/rookie/asan/binutils-2.31.1/bfd/peigen.c:1791 #2 0x881e876 in _bfd_pe_print_private_bfd_data_common /home/rookie/asan/binutils-2.31.1/bfd/peigen.c:2907 #3 0x87df6af in pe_print_private_bfd_data /home/rookie/asan/binutils-2.31.1/bfd/./peicode.h:336 #4 0x80e3f94 in dump_bfd_private_header /home/rookie/asan/binutils-2.31.1/binutils/./objdump.c:2996 #5 0x80e3f94 in dump_bfd /home/rookie/asan/binutils-2.31.1/binutils/./objdump.c:3589 #6 0x80e10b9 in display_object_bfd /home/rookie/asan/binutils-2.31.1/binutils/./objdump.c:3688 #7 0x80e10b9 in display_any_bfd /home/rookie/asan/binutils-2.31.1/binutils/./objdump.c:3777 #8 0x80ddea0 in display_file /home/rookie/asan/binutils-2.31.1/binutils/./objdump.c:3798 #9 0x80ddea0 in main /home/rookie/asan/binutils-2.31.1/binutils/./objdump.c:4100 #10 0xb74a3af2 (/lib/i386-linux-gnu/libc.so.6+0x19af2) #11 0x80d6324 in _start (/home/rookie/asan/binutils-2.31.1/tmp/bin/objdump+0x80d6324) 0xb37033f8 is located 0 bytes to the right of 136-byte region [0xb3703370,0xb37033f8) allocated by thread T0 here: #0 0x80bef51 in malloc (/home/rookie/asan/binutils-2.31.1/tmp/bin/objdump+0x80bef51) #1 0x8406e09 in bfd_malloc /home/rookie/asan/binutils-2.31.1/bfd/libbfd.c:271 #2 0x87df6af in pe_print_private_bfd_data /home/rookie/asan/binutils-2.31.1/bfd/./peicode.h:336 #3 0x80e10b9 in display_object_bfd /home/rookie/asan/binutils-2.31.1/binutils/./objdump.c:3688 #4 0x80e10b9 in display_any_bfd /home/rookie/asan/binutils-2.31.1/binutils/./objdump.c:3777 #5 0x80ddea0 in display_file /home/rookie/asan/binutils-2.31.1/binutils/./objdump.c:3798 #6 0x80ddea0 in main /home/rookie/asan/binutils-2.31.1/binutils/./objdump.c:4100 #7 0xb74a3af2 (/lib/i386-linux-gnu/libc.so.6+0x19af2) SUMMARY: AddressSanitizer: heap-buffer-overflow /home/rookie/asan/binutils-2.31.1/bfd/libbfd.c:656 bfd_getl32 Shadow bytes around the buggy address: 0x366e0620: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x366e0630: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x366e0640: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x366e0650: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x366e0660: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 00 00 =>0x366e0670: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[fa] 0x366e0680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x366e0690: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x366e06a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x366e06b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x366e06c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 ASan internal: fe ==21442==ABORTING
Created attachment 11263 [details] Proposed patch Hi rookie, Thanks for reporting this bug. Unfortunately I am unable to reproduce the problem, but I suspect that this is because I am running the tests on a 64-bit target. I have however generated a patch that I think might fix the problem. Please could you try it out and let me know if it works ? Cheers Nick
Nick, these 32-bit only bugs reproduce for me on an x86_64 ubuntu system with binutils configured using: CC="gcc -m32" CXX="g++ -m32" \ ~/src/binutils-gdb/configure --build=i686-linux --enable-targets=all --enable-gold --enable-threads --disable-gdb --disable-sim --disable-readline --disable-libdecnumber --enable-plugins The bad news is that your patch doesn't fix the problem.
testing another patch
Created attachment 11265 [details] fix
(In reply to Alan Modra from comment #2) Hi Alan, [Thanks for fixing the problem]. > Nick, these 32-bit only bugs reproduce for me on an x86_64 ubuntu system > with binutils configured using: > CC="gcc -m32" CXX="g++ -m32" \ > ~/src/binutils-gdb/configure --build=i686-linux --enable-targets=all > --enable-gold --enable-threads --disable-gdb --disable-sim > --disable-readline --disable-libdecnumber --enable-plugins Yes, I just discovered that. I also found that I cannot build a 32-bit toolchain with address sanitization enabled, as there appears to be a problem with memory layout. (The libasan library is unable to map its shadow memory). Apparently this is a kernel problem, and not something that I can fix. :-( Cheers Nick
The master branch has been updated by Alan Modra <amodra@sourceware.org>: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=cf93e9c2cf8f8b2566f8fc86e961592b51b5980d commit cf93e9c2cf8f8b2566f8fc86e961592b51b5980d Author: Alan Modra <amodra@gmail.com> Date: Thu Sep 20 18:23:17 2018 +0930 PR23685, buffer overflow PR 23685 * peXXigen.c (pe_print_edata): Correct export address table overflow checks. Check dataoff against section size too.
Patch applied.