Created attachment 11473
POC3

I use 32-bit objdump on 64-bit Ubuntu 16.04.4 LTS. The source code is shown as follows in objdump.c.

>2528   bfd_size_type amt;
>2543   amt = section->size + 1;
>2544   section->start = contents = malloc (amt);
>2545   section->user_data = sec;
>2546   if (amt == 0
>2547       || section->start == NULL
>2548       || !bfd_get_full_section_contents (abfd, sec, &contents))
>2549     {
>2550       free_debug_section (debug);

There is an integer overflow in line 2543 when section->size is 0xFFFFFFFF; it triggers a heap overflow in bfd_get_full_section_contents in line 2548, and finally a crash in line 2550. Part of the crash output is shown as follows.

./objdump -g POC3
*** Error in `./objdump': free(): invalid next size (fast): 0x0a0d06b8 ***
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(+0x67377)[0xf7d8a377]
/lib/i386-linux-gnu/libc.so.6(+0x6d2f7)[0xf7d902f7]
/lib/i386-linux-gnu/libc.so.6(+0x6dc31)[0xf7d90c31]
./binutils/objdump[0x804f2c9]
./binutils/objdump[0x804efb9]
./binutils/objdump[0x804f463]
./binutils/objdump[0x80a69f5]
./binutils/objdump[0x804f60f]
./binutils/objdump[0x805174f]
./binutils/objdump[0x805182f]
./binutils/objdump[0x8051a7e]
./binutils/objdump[0x8051aeb]
./binutils/objdump[0x8052458]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf7)[0xf7d3b637]
./binutils/objdump[0x8049b51]
Aborted
Created attachment 11474
patch
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=11fa9f134fd658075c6f74499c780df045d9e9ca

commit 11fa9f134fd658075c6f74499c780df045d9e9ca
Author: Nick Clifton <nickc@redhat.com>
Date:   Fri Jan 4 13:44:34 2019 +0000

    Fix a possible integer overflow problem when examining corrupt binaries using a 32-bit binutil.

        PR 24005
        * objdump.c (load_specific_debug_section): Check for integer overflow before attempting to allocate contents.
Hi mhsec,

Thanks for reporting this problem. Unfortunately your proposed patch will not work as it will prevent the tools from handling 64-bit binaries with very large section sizes.

Instead I have checked in an alternative patch which checks for integer overflow before attempting to allocate any memory, which prevents the heap corruption from happening.

Cheers,
Nick
(In reply to Nick Clifton from comment #3)
> Hi mhsec,
>
> Thanks for reporting this problem. Unfortunately your proposed patch
> will not work as it will prevent the tools from handling 64-bit binaries
> with very large section sizes.
>
> Instead I have checked in an alternative patch which checks for integer
> overflow before attempting to allocate any memory, which prevents the
> heap corruption from happening.
>
> Cheers
> Nick

Hi Nick,

I think the problem still exists if the file size is more than 0x100000000.

`amt > bfd_get_file_size (abfd)`
(In reply to mhsec from comment #4)
> I think the problem still exist if file size more than 0x100000000.

A file bigger than 100 gigabytes? Yes, that probably would cause problems for lots of tools, not just objdump.
It's 4GB, not 100GB. Of course I also think that this situation does not have to be considered. So my patch might work.
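A small C model of the two checks discussed in this thread (the wrap check from comment #3 and the file-size bound from comments #4 to #6), added here as an illustration and not code from binutils: bfd_size_type is assumed to be 32 bits wide, matching the reporter's 32-bit objdump build, and file_size stands in for bfd_get_file_size (abfd).

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption for this illustration: bfd_size_type is 32 bits wide, as in
   the reporter's 32-bit objdump build.  This is a model, not binutils code.  */
typedef uint32_t bfd_size_type;

/* The pre-fix computation from objdump.c line 2543: amt = section->size + 1
   with no guard.  For size == 0xFFFFFFFF the addition wraps to 0, so the
   following malloc (amt) returns a minimal chunk that is far smaller than
   the section that is then read into it.  */
bfd_size_type unchecked_alloc_size (bfd_size_type section_size)
{
  return section_size + 1;
}

/* Guarded computation in the spirit of the checked-in fix: reject a size
   that wraps (amt == 0) or that exceeds the containing file's size before
   any allocation happens.  file_size stands in for bfd_get_file_size (abfd)
   and is kept 64 bits wide so that files over 4 GB (comments #4 to #6) are
   representable.  Returns the allocation size, or 0 if the section must be
   rejected; a valid result is always at least 1.  */
bfd_size_type checked_alloc_size (bfd_size_type section_size, uint64_t file_size)
{
  bfd_size_type amt = section_size + 1;
  if (amt == 0)          /* wrapped: this check does not depend on file_size */
    return 0;
  if (amt > file_size)   /* a section cannot be larger than the file holding it */
    return 0;
  return amt;
}

int main (void)
{
  /* Constructed inputs: a 4 KiB file and a section claiming size 0xFFFFFFFF.  */
  const uint64_t file_size = 4096;
  printf ("unchecked amt for 0xFFFFFFFF: %u\n", unchecked_alloc_size (0xFFFFFFFFu));
  printf ("checked   amt for 0xFFFFFFFF: %u (0 = rejected)\n",
          checked_alloc_size (0xFFFFFFFFu, file_size));
  printf ("checked   amt for 0x100:      %u\n", checked_alloc_size (0x100, file_size));
  printf ("checked   amt for 0x2000:     %u (0 = rejected)\n",
          checked_alloc_size (0x2000, file_size));
  return 0;
}
```

In this model the wrap check fires before the file-size comparison, so a file larger than 4 GB does not reopen the 0xFFFFFFFF case; the file-size bound only adds protection against sizes that are absurd without wrapping.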