Bug 23685 - heap based buffer overflow vulnerability in bfd_getl32 in libbfd.c in binutils-2.31.1
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils
Version: 2.31
Importance: P2 normal
Target Milestone: 2.32
Assignee: Alan Modra
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-09-19 13:47 UTC by rookie
Modified: 2018-09-20 12:38 UTC
CC List: 1 user

See Also:
Host:
Target:
Build:
Last reconfirmed: 2018-09-20 00:00:00


Attachments
poc file to reproduce the crash (206 bytes, application/x-ms-dos-executable) - 2018-09-19 13:47 UTC, rookie
Proposed patch (276 bytes, patch) - 2018-09-19 15:34 UTC, Nick Clifton
fix (759 bytes, patch) - 2018-09-20 09:05 UTC, Alan Modra

Description rookie 2018-09-19 13:47:13 UTC
Created attachment 11261
poc file to reproduce the crash

There exists a heap-based buffer overflow vulnerability in bfd_getl32 in libbfd.c in binutils-2.31.1, which allows an attacker to cause a denial of service through a crafted PE file. This vulnerability can be triggered by the executable objdump.

$uname -a
Linux ubuntu 4.4.0-31-generic #50~14.04.1-Ubuntu SMP Wed Jul 13 01:06:37 UTC 2016 i686 i686 i686 GNU/Linux


$ASAN_OPTIONS=halt_on_error=false:allow_addr2line=true ./objdump --dwarf-check -C -g -f -dwarf -x $poc

ASan:
==21442==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb37033f8 at pc 0x840b006 bp 0xbfcc6a78 sp 0xbfcc6a70
READ of size 1 at 0xb37033f8 thread T0
    #0 0x840b005 in bfd_getl32 /home/rookie/asan/binutils-2.31.1/bfd/libbfd.c:656
    #1 0x881e876 in pe_print_edata /home/rookie/asan/binutils-2.31.1/bfd/peigen.c:1791
    #2 0x881e876 in _bfd_pe_print_private_bfd_data_common /home/rookie/asan/binutils-2.31.1/bfd/peigen.c:2907
    #3 0x87df6af in pe_print_private_bfd_data /home/rookie/asan/binutils-2.31.1/bfd/./peicode.h:336
    #4 0x80e3f94 in dump_bfd_private_header /home/rookie/asan/binutils-2.31.1/binutils/./objdump.c:2996
    #5 0x80e3f94 in dump_bfd /home/rookie/asan/binutils-2.31.1/binutils/./objdump.c:3589
    #6 0x80e10b9 in display_object_bfd /home/rookie/asan/binutils-2.31.1/binutils/./objdump.c:3688
    #7 0x80e10b9 in display_any_bfd /home/rookie/asan/binutils-2.31.1/binutils/./objdump.c:3777
    #8 0x80ddea0 in display_file /home/rookie/asan/binutils-2.31.1/binutils/./objdump.c:3798
    #9 0x80ddea0 in main /home/rookie/asan/binutils-2.31.1/binutils/./objdump.c:4100
    #10 0xb74a3af2 (/lib/i386-linux-gnu/libc.so.6+0x19af2)
    #11 0x80d6324 in _start (/home/rookie/asan/binutils-2.31.1/tmp/bin/objdump+0x80d6324)

0xb37033f8 is located 0 bytes to the right of 136-byte region [0xb3703370,0xb37033f8)
allocated by thread T0 here:
    #0 0x80bef51 in malloc (/home/rookie/asan/binutils-2.31.1/tmp/bin/objdump+0x80bef51)
    #1 0x8406e09 in bfd_malloc /home/rookie/asan/binutils-2.31.1/bfd/libbfd.c:271
    #2 0x87df6af in pe_print_private_bfd_data /home/rookie/asan/binutils-2.31.1/bfd/./peicode.h:336
    #3 0x80e10b9 in display_object_bfd /home/rookie/asan/binutils-2.31.1/binutils/./objdump.c:3688
    #4 0x80e10b9 in display_any_bfd /home/rookie/asan/binutils-2.31.1/binutils/./objdump.c:3777
    #5 0x80ddea0 in display_file /home/rookie/asan/binutils-2.31.1/binutils/./objdump.c:3798
    #6 0x80ddea0 in main /home/rookie/asan/binutils-2.31.1/binutils/./objdump.c:4100
    #7 0xb74a3af2 (/lib/i386-linux-gnu/libc.so.6+0x19af2)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/rookie/asan/binutils-2.31.1/bfd/libbfd.c:656 bfd_getl32
Shadow bytes around the buggy address:
  0x366e0620: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x366e0630: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x366e0640: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x366e0650: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x366e0660: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 00 00
=>0x366e0670: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[fa]
  0x366e0680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x366e0690: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x366e06a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x366e06b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x366e06c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==21442==ABORTING
Comment 1 Nick Clifton 2018-09-19 15:34:12 UTC
Created attachment 11263
Proposed patch

Hi rookie,

  Thanks for reporting this bug.

  Unfortunately I am unable to reproduce the problem, but I suspect 
  that this is because I am running the tests on a 64-bit target.

  I have however generated a patch that I think might fix the problem.
  Please could you try it out and let me know if it works ?

Cheers
  Nick
Comment 2 Alan Modra 2018-09-20 08:34:02 UTC
Nick, these 32-bit only bugs reproduce for me on an x86_64 ubuntu system with binutils configured using:
CC="gcc -m32" CXX="g++ -m32" \
~/src/binutils-gdb/configure --build=i686-linux --enable-targets=all --enable-gold --enable-threads --disable-gdb --disable-sim --disable-readline --disable-libdecnumber --enable-plugins

The bad news is that your patch doesn't fix the problem.
Comment 3 Alan Modra 2018-09-20 09:04:11 UTC
testing another patch
Comment 4 Alan Modra 2018-09-20 09:05:22 UTC
Created attachment 11265
fix
Comment 5 Nick Clifton 2018-09-20 09:33:59 UTC
(In reply to Alan Modra from comment #2)
Hi Alan,

  [Thanks for fixing the problem].

> Nick, these 32-bit only bugs reproduce for me on an x86_64 ubuntu system
> with binutils configured using:
> CC="gcc -m32" CXX="g++ -m32" \
> ~/src/binutils-gdb/configure --build=i686-linux --enable-targets=all
> --enable-gold --enable-threads --disable-gdb --disable-sim
> --disable-readline --disable-libdecnumber --enable-plugins

Yes, I just discovered that.  I also found that I cannot build a 32-bit
toolchain with address sanitization enabled, as there appears to be a
problem with memory layout.  (The libasan library is unable to map its
shadow memory).  Apparently this is a kernel problem, and not something
that I can fix. :-(

Cheers
  Nick
Comment 6 Sourceware Commits 2018-09-20 11:47:39 UTC
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=cf93e9c2cf8f8b2566f8fc86e961592b51b5980d

commit cf93e9c2cf8f8b2566f8fc86e961592b51b5980d
Author: Alan Modra <amodra@gmail.com>
Date:   Thu Sep 20 18:23:17 2018 +0930

    PR23685, buffer overflow
    
    	PR 23685
    	* peXXigen.c (pe_print_edata): Correct export address table
    	overflow checks.  Check dataoff against section size too.
Comment 7 Alan Modra 2018-09-20 12:38:44 UTC
Patch applied.