Bug 24235 - objdump: Read memory violation in libbfd.c
Summary: objdump: Read memory violation in libbfd.c
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils (show other bugs)
Version: 2.33
: P2 normal
Target Milestone: ---
Assignee: Alan Modra
URL:
Keywords:
: 24266 24278 (view as bug list)
Depends on:
Blocks:
 
Reported: 2019-02-19 10:07 UTC by spinpx
Modified: 2019-03-01 07:15 UTC (History)
2 users (show)

See Also:
Host:
Target:
Build:
Last reconfirmed:


Attachments
the input triggers the bug (414 bytes, application/x-ms-dos-executable)
2019-02-19 10:07 UTC, spinpx
Details

Note You need to log in before you can comment on or make changes to this bug.
Description spinpx 2019-02-19 10:07:21 UTC
Created attachment 11617 [details]
the input triggers the bug

- Intel Xeon Gold 5118 processors and 256 GB memory
- Linux n18-065-139 4.19.0-1-amd64 #1 SMP Debian 4.19.12-1 (2018-12-22) x86_64 GNU/Linux
- clang version 4.0.0 (tags/RELEASE_400/final)
- version: commit c72e75a64030b0f6535a80481f37968ad55c333a (Feb 19 2019)
- run objdump -x input_file

- asan report
==1161627==ERROR: AddressSanitizer: SEGV on unknown address 0x613000bbe0fe (pc 0x000000607197 bp 0x7ffcfa7de560 sp 0x7ffcfa7de500 T0)
==1161627==The signal is caused by a READ memory access.
    #0 0x607196 in bfd_getl32 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/libbfd.c:695:7
    #1 0x896b30 in pex64_get_runtime_function /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/pei-x86_64.c:94:26
    #2 0x88f222 in pex64_bfd_print_pdata_section /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/pei-x86_64.c:730:5
    #3 0x88d555 in pex64_bfd_print_pdata /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/pei-x86_64.c:794:12
    #4 0x8c3894 in _bfd_pex64_print_private_bfd_data_common /mnt/raid/user/chenpeng/FuzzingBench/build/asan/binutils-gdb/bfd/pex64igen.c:2911:5
    #5 0x895d94 in pe_print_private_bfd_data /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/peicode.h:336:8
    #6 0x4f65d5 in dump_bfd_private_header /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/objdump.c:3181:3
    #7 0x4f51f9 in dump_bfd /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/objdump.c:3782:5
    #8 0x4f4c71 in display_object_bfd /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/objdump.c:3883:7
    #9 0x4f4b67 in display_any_bfd /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/objdump.c:3973:5
    #10 0x4f424a in display_file /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/objdump.c:3994:3
    #11 0x4f3ab0 in main /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/objdump.c:4304:6
    #12 0x7f659f6c409a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    #13 0x41d639 in _start (/mnt/raid/user/chenpeng/FuzzingBench/build/asan/install/bin/objdump+0x41d639)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/libbfd.c:695:7 in bfd_getl32
==1161627==ABORTING


- Exploitable
Description: Access violation on source operand
Short description: SourceAv (19/22)
Hash: bafff732c614888210a0d11ed0439a22.5360e10ba1488dec3bada789cf815760
Exploitability Classification: UNKNOWN
"Explanation: The target crashed on an access violation at an address matching the source operand of the current instruction. This likely indicates a read access violation.
Other tags: AccessViolation (21/22)
Comment 1 Sourceware Commits 2019-02-19 12:23:47 UTC
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=179f2db0d9c397d7dd8a59907b84208b79f7f48c

commit 179f2db0d9c397d7dd8a59907b84208b79f7f48c
Author: Alan Modra <amodra@gmail.com>
Date:   Tue Feb 19 22:48:44 2019 +1030

    PR24235, Read memory violation in pei-x86_64.c
    
    	PR 24235
    	* pei-x86_64.c (pex64_bfd_print_pdata_section): Correct checks
    	attempting to prevent read past end of section.
Comment 2 Alan Modra 2019-02-19 12:37:21 UTC
Fixed.
Comment 3 Nick Clifton 2019-02-25 13:54:47 UTC
*** Bug 24266 has been marked as a duplicate of this bug. ***
Comment 4 Alan Modra 2019-03-01 04:11:40 UTC
*** Bug 24278 has been marked as a duplicate of this bug. ***
Comment 5 spinpx 2019-03-01 07:15:46 UTC
CVE-2019-9074