Created attachment 11495 [details] nm -C POC I use 32bit binutils in 64bit Ubuntu 16.04.4 LTS. The trigger command is ./nm -C POC The source Code show as follow in cplus-dem.c >2246 work->tmpl_argvec = XNEWVEC (char *, r); //sizeof(char*) * r >2247 work->ntmpl_args = r; >2248 for (i = 0; i < r; i++) >2249 work->tmpl_argvec[i] = 0; Integer overflow when r > 0x40000000 in line 2246, that will trigger heap overflow in in line 2249. There are several similar problems in libiberty. The part of crash output show as follow. ================================================================= ==17964==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf44fea80 at pc 0x08837adf bp 0xffaceb68 sp 0xffaceb60 WRITE of size 4 at 0xf44fea80 thread T0 #0 0x8837ade (./nm-new+0x8837ade) #1 0x881916b (./nm-new+0x881916b) #2 0x880ad63 (./nm-new+0x880ad63) #3 0x88029fe (./nm-new+0x88029fe) #4 0x8185166 (./nm-new+0x8185166) #5 0x81472ea (./nm-new+0x81472ea) #6 0x815268b (./nm-new+0x815268b) #7 0x814d966 (./nm-new+0x814d966) #8 0x8146040 (./nm-new+0x8146040) #9 0x81441aa (./nm-new+0x81441aa) #10 0xf7c8e636 (/lib/i386-linux-gnu/libc.so.6+0x18636) #11 0x8069dfc (./nm-new+0x8069dfc) 0xf44fea80 is located 0 bytes to the right of 251581056-byte region [0xe5511800,0xf44fea80) allocated by thread T0 here: #0 0x8115823 (./nm-new+0x8115823) #1 0x89e6bd9 (./nm-new+0x89e6bd9) #2 0x881916b (./nm-new+0x881916b) #3 0x880ad63 (./nm-new+0x880ad63) #4 0x88029fe (./nm-new+0x88029fe) #5 0x8185166 (./nm-new+0x8185166) SUMMARY: AddressSanitizer: heap-buffer-overflow (./nm-new+0x8837ade) Shadow bytes around the buggy address: 0x3e89fd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x3e89fd10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x3e89fd20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x3e89fd30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x3e89fd40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x3e89fd50:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x3e89fd60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x3e89fd70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x3e89fd80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x3e89fd90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x3e89fda0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==17964==ABORTING 00000000 AAborted
I use latest binutils with debug info. crash output show as follow. binutils/nm-new -C POC ================================================================= ==9029==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf3bfea80 at pc 0x083ba887 bp 0xffabcac8 sp 0xffabcac0 WRITE of size 4 at 0xf3bfea80 thread T0 #0 0x83ba886 in demangle_template ./binutils-gdb/libiberty/./cplus-dem.c:2249:23 #1 0x83b8c2e in demangle_signature ./binutils-gdb/libiberty/./cplus-dem.c:1709:18 #2 0x83b62da in internal_cplus_demangle ./binutils-gdb/libiberty/./cplus-dem.c:1258:14 #3 0x83b5143 in cplus_demangle ./binutils-gdb/libiberty/./cplus-dem.c:919:9 #4 0x815d092 in bfd_demangle ./binutils-gdb/bfd/bfd.c:2254:9 #5 0x81460a0 in print_symname ./binutils-gdb/binutils/nm.c:423:19 #6 0x8145035 in print_symbol_info_bsd ./binutils-gdb/binutils/nm.c:1565:3 #7 0x8149d87 in print_symbol ./binutils-gdb/binutils/nm.c:903:3 #8 0x8148828 in print_symbols ./binutils-gdb/binutils/nm.c:1102:7 #9 0x8146fdb in display_rel_file ./binutils-gdb/binutils/nm.c:1215:5 #10 0x8144a11 in display_file ./binutils-gdb/binutils/nm.c:1335:7 #11 0x814424f in main ./binutils-gdb/binutils/nm.c:1816:12 #12 0xf7d3f636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636) #13 0x806be08 in _start (./binutils-gdb/binutils/nm-new+0x806be08) 0xf3bfea80 is located 0 bytes to the right of 251581056-byte region [0xe4c11800,0xf3bfea80) allocated by thread T0 here: #0 0x8112215 in malloc asan_malloc_linux.cc:146:3 #1 0x83e6659 in xmalloc ./binutils-gdb/libiberty/./xmalloc.c:147:12 #2 0x83b8c2e in demangle_signature ./binutils-gdb/libiberty/./cplus-dem.c:1709:18 #3 0x83b62da in internal_cplus_demangle ./binutils-gdb/libiberty/./cplus-dem.c:1258:14 #4 0x83b5143 in cplus_demangle ./binutils-gdb/libiberty/./cplus-dem.c:919:9 #5 0x815d092 in bfd_demangle ./binutils-gdb/bfd/bfd.c:2254:9 SUMMARY: AddressSanitizer: heap-buffer-overflow ./binutils-gdb/libiberty/./cplus-dem.c:2249:23 in demangle_template Shadow bytes around the buggy address: 0x3e77fd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x3e77fd10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x3e77fd20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x3e77fd30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x3e77fd40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x3e77fd50:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x3e77fd60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x3e77fd70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x3e77fd80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x3e77fd90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x3e77fda0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==9029==ABORTING
Hi tfx, Thanks for reporting this problem. Unfortunately the cplus-dem.c source file is part of the libiberty library, which is maintained by gcc rather than the binutils. (It is used by the binutils, but not maintained by us). Please could you report this problem here: https://gcc.gnu.org/bugzilla/enter_bug.cgi?product=gcc Cheers Nick
New bug was created in gcc project: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88783
Created attachment 11991 [details] fix CVE-2018-20673 Add a check before using the variable r
Comment on attachment 11991 [details] fix CVE-2018-20673 the binutils version is 2.31.1