Bug 23942 - Heap overflow bug in bfd_elf32_swap_phdr_in
Summary: Heap overflow bug in bfd_elf32_swap_phdr_in
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils (show other bugs)
Version: 2.30
: P2 normal
Target Milestone: ---
Assignee: Nick Clifton
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-11-30 17:38 UTC by Dongdong She
Modified: 2018-11-30 17:49 UTC (History)
1 user (show)

See Also:
Host:
Target:
Build:
Last reconfirmed: 2018-11-30 00:00:00


Attachments
malicious input that trigger the heap overflow (2.44 KB, application/x-sharedlib)
2018-11-30 17:38 UTC, Dongdong She
Details
Proposed patch (729 bytes, patch)
2018-11-30 17:48 UTC, Nick Clifton
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Dongdong She 2018-11-30 17:38:15 UTC
Created attachment 11423 [details]
malicious input that trigger the heap overflow

A heap overflow bug in 32bit version nm-new.
=================================================================
==12375==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf3c038e3 at pc 0x083308a6 bp 0xffe81b48 sp 0xffe81b3c
WRITE of size 8 at 0xf3c038e3 thread T0
    #0 0x83308a5 in bfd_elf32_swap_phdr_in /home/dongdong/binutils_exp/binutils-2.30/bfd/./elfcode.h:367:20
    #1 0x83308a5 in bfd_elf32_object_p /home/dongdong/binutils_exp/binutils-2.30/bfd/./elfcode.h:792
    #2 0x81a4d64 in bfd_check_format_matches /home/dongdong/binutils_exp/binutils-2.30/bfd/format.c:311:14
    #3 0x8182def in display_file /home/dongdong/binutils_exp/binutils-2.30/binutils/nm.c:1321:12
    #4 0x8182140 in main /home/dongdong/binutils_exp/binutils-2.30/binutils/nm.c:1799:12
    #5 0xf758f636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #6 0x806d480 in _start (/home/dongdong/binutils_exp/binutils-2.30_32/binutils/nm-new+0x806d480)

0xf3c038e3 is located 3 bytes to the right of 4064-byte region [0xf3c02900,0xf3c038e0)
allocated by thread T0 here:
    #0 0x813dfbf in malloc /local/dongdong/llvm/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146
    #1 0x85246a9 in objalloc_create /home/dongdong/binutils_exp/binutils-2.30/libiberty/./objalloc.c:95:23
    #2 0x8182140 in main /home/dongdong/binutils_exp/binutils-2.30/binutils/nm.c:1799:12
    #3 0xf758f636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/dongdong/binutils_exp/binutils-2.30/bfd/./elfcode.h:367:20 in bfd_elf32_swap_phdr_in
Shadow bytes around the buggy address:
  0x3e7806c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e7806d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e7806e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e7806f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e780700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x3e780710: 00 00 00 00 00 00 00 00 00 00 00 00[fa]fa fa fa
  0x3e780720: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e780730: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e780740: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e780750: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e780760: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==12375==ABORTING
Comment 1 Nick Clifton 2018-11-30 17:48:55 UTC
Created attachment 11424 [details]
Proposed patch
Comment 2 Nick Clifton 2018-11-30 17:49:40 UTC
I have checked in the attached patch (as commit 5f60af5d24d) to fix this bug.