- Intel Xeon Gold 5118 processors and 256 GB memory
- Linux n18-065-139 4.19.0-1-amd64 #1 SMP Debian 4.19.12-1 (2018-12-22) x86_64 GNU/Linux
- clang version 4.0.0 (tags/RELEASE_400/final)
- version: commit c72e75a64030b0f6535a80481f37968ad55c333a (Feb 19 2019)
- run: size input_file
- Exploitable:

  Description: Heap error
  Short description: HeapError (10/22)
  Hash: 0ab5d0005e74fc041576aa73a2a94770.f78de5a987638de0bf17f6470949c81d
  Exploitability Classification: EXPLOITABLE
  Explanation: The target's backtrace indicates that libc has detected a heap error or that the target was executing a heap function when it stopped. This could be due to heap corruption, passing a bad pointer to a heap function such as free(), etc. Since heap errors might include buffer overflows, use-after-free situations, etc. they are generally considered exploitable.
  Other tags: AbortSignal (20/22)

- stack:

  #0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
  #1  0x00007fb7ebcef535 in __GI_abort () at abort.c:79
  #2  0x00007fb7ebd46778 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7fb7ebe5128d "%s\n") at ../sysdeps/posix/libc_fatal.c:181
  #3  0x00007fb7ebd4ce6a in malloc_printerr (str=str@entry=0x7fb7ebe53018 "double free or corruption (!prev)") at malloc.c:5341
  #4  0x00007fb7ebd4e98c in _int_free (av=0x7fb7ebe88c40 <main_arena>, p=0xc49ac0, have_lock=<optimized out>) at malloc.c:4309
  #5  0x00000000005b6a64 in objalloc_free (o=0xc46780) at /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/objalloc.c:187
  #6  0x00000000004227f9 in _bfd_delete_bfd (abfd=0xc46660) at /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/opncls.c:126
  #7  bfd_close_all_done (abfd=0xc46660) at /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/opncls.c:773
  #8  0x00000000004225e8 in bfd_close (abfd=0xc46660) at /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/opncls.c:735
  #9  0x00000000004043dd in display_file (filename=0x7ffceb73e23b "/mnt/raid/user/chenpeng/FuzzingBench/size/crashes_matryoshka_cmin_crash/id:000000-crash_2") at /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/size.c:409
  #10 0x0000000000403cc5 in main (argc=<optimized out>, argv=0x7fb7ebd048bb <__GI_raise+267>) at /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/size.c:241

- asan report:

  ==1423785==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000004e78 at pc 0x0000007f787c bp 0x7ffff511d170 sp 0x7ffff511d168
  WRITE of size 1 at 0x621000004e78 thread T0
      #0 0x7f787b in _bfd_archive_64_bit_slurp_armap /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/archive64.c:126:15
      #1 0x4fcfd6 in bfd_slurp_armap /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/archive.c:1152:14
      #2 0x4fc895 in bfd_generic_archive_p /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/archive.c:875:8
      #3 0x5207e5 in bfd_check_format_matches /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/format.c:315:14
      #4 0x51f82e in bfd_check_format /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/format.c:94:10
      #5 0x4f1eb5 in display_file /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/size.c:431:7
      #6 0x4f1aa5 in main /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/size.c:260:7
      #7 0x7f0399a5209a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
      #8 0x41d5e9 in _start (/mnt/raid/user/chenpeng/FuzzingBench/build/asan/install/bin/size+0x41d5e9)

  0x621000004e78 is located 0 bytes to the right of 4472-byte region [0x621000003d00,0x621000004e78)
  allocated by thread T0 here:
      #0 0x4c42dc in malloc /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66:3
      #1 0x8affb0 in _objalloc_alloc /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/objalloc.c:143:22
      #2 0x52e450 in bfd_alloc /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/opncls.c:949:9
      #3 0x52c5cc in bfd_zalloc /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/opncls.c:998:9
      #4 0x7f74c7 in _bfd_archive_64_bit_slurp_armap /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/archive64.c:98:39
      #5 0x4fcfd6 in bfd_slurp_armap /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/archive.c:1152:14
      #6 0x4fc895 in bfd_generic_archive_p /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/archive.c:875:8
      #7 0x5207e5 in bfd_check_format_matches /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/format.c:315:14
      #8 0x51f82e in bfd_check_format /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/format.c:94:10
      #9 0x4f1eb5 in display_file /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/size.c:431:7
      #10 0x4f1aa5 in main /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/size.c:260:7
      #11 0x7f0399a5209a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)

  SUMMARY: AddressSanitizer: heap-buffer-overflow /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/archive64.c:126:15 in _bfd_archive_64_bit_slurp_armap
  Shadow bytes around the buggy address:
    0x0c427fff8970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x0c427fff8980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x0c427fff8990: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x0c427fff89a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x0c427fff89b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  =>0x0c427fff89c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[fa]
    0x0c427fff89d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x0c427fff89e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x0c427fff89f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x0c427fff8a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x0c427fff8a10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  Shadow byte legend (one shadow byte represents 8 application bytes):
    Addressable:           00
    Partially addressable: 01 02 03 04 05 06 07
    Heap left redzone:       fa
    Freed heap region:       fd
    Stack left redzone:      f1
    Stack mid redzone:       f2
    Stack right redzone:     f3
    Stack after return:      f5
    Stack use after scope:   f8
    Global redzone:          f9
    Global init order:       f6
    Poisoned by user:        f7
    Container overflow:      fc
    Array cookie:            ac
    Intra object redzone:    bb
    ASan internal:           fe
    Left alloca redzone:     ca
    Right alloca redzone:    cb
  ==1423785==ABORTING
Created attachment 11618: input triggers the bug
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=8abac8031ed369a2734b1cdb7df28a39a54b4b49

commit 8abac8031ed369a2734b1cdb7df28a39a54b4b49
Author: Alan Modra <amodra@gmail.com>
Date:   Wed Feb 20 08:21:24 2019 +1030

    PR24236, Heap buffer overflow in _bfd_archive_64_bit_slurp_armap

    	PR 24236
    	* archive64.c (_bfd_archive_64_bit_slurp_armap): Move code adding
    	sentinel NUL to string buffer nearer to loop where it is used.
    	Don't go past sentinel when scanning strings, and don't write NUL
    	again.
    	* archive.c (do_slurp_coff_armap): Simplify string handling to
    	archive64.c style.
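The commit message describes a fix pattern rather than showing it: copy the symbol-name string table into a buffer with one spare byte, write the sentinel NUL there exactly once, and make the name-scanning loop stop at that sentinel instead of running past it or writing a second NUL at its final position (the ASan report above shows precisely that second write, 1 byte past a 4472-byte region). The following is an added illustration of that pattern, not the binutils code from archive64.c or archive.c. The `name_table` type, the `name_table_parse`, `count_names`, `table_is_truncated` and `last_name_equals` functions, and the two sample tables are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical string-table walker (not binutils code).
 *
 * An archive symbol map ends in a table of NUL-terminated names.  A
 * crafted archive can omit the final terminator.  A walker that steps
 * through the table with strlen() and then re-writes a NUL at the
 * position it ends on lands one byte past the allocation.  The safe
 * pattern below: allocate size + 1, write the sentinel once, scan only
 * up to the sentinel, never write after the loop.
 */
struct name_table {
    char        *buf;       /* private copy of the table plus one sentinel byte */
    const char **names;     /* pointers into buf, one per name */
    size_t       count;     /* number of names found */
    int          truncated; /* 1 if the raw table lacked a final NUL */
};

void name_table_free(struct name_table *t)
{
    free(t->buf);
    free(t->names);
    memset(t, 0, sizeof *t);
}

/* Parse `size` raw bytes into *out.  Returns 0 on success, -1 on allocation
   failure or when the table holds more than max_names names. */
int name_table_parse(const unsigned char *raw, size_t size,
                     size_t max_names, struct name_table *out)
{
    memset(out, 0, sizeof *out);
    if (size == SIZE_MAX)                   /* size + 1 would wrap to 0 */
        return -1;
    out->buf   = malloc(size + 1);
    out->names = malloc((max_names + 1) * sizeof *out->names);
    if (!out->buf || !out->names) {
        name_table_free(out);
        return -1;
    }
    memcpy(out->buf, raw, size);
    out->buf[size] = '\0';                  /* the single sentinel write */
    const char *end = out->buf + size;      /* address of the sentinel */

    const char *p = out->buf;
    while (p < end) {
        if (out->count >= max_names) {
            name_table_free(out);
            return -1;
        }
        out->names[out->count++] = p;
        /* Bounded scan: memchr is limited to the bytes before the sentinel,
           so it cannot run past `end` the way strlen() on an unterminated
           table would. */
        const char *nul = memchr(p, '\0', (size_t)(end - p));
        if (!nul) {                         /* last name ends at the sentinel */
            out->truncated = 1;
            break;
        }
        p = nul + 1;                        /* step over the terminator */
    }
    /* Deliberately no `*p = '\0'` here: the sentinel already terminates the
       final name, and a write at p could land one byte past the buffer. */
    return 0;
}

/* Constructed sample tables: a well-formed one and one missing its final NUL. */
static const unsigned char well_formed[]  = { 'f','o','o',0, 'b','a','r',0, 'b','a','z',0 };
static const unsigned char unterminated[] = { 'f','o','o',0, 'b','a','r' };

/* Number of names in the table, or -1 on error. */
int count_names(const unsigned char *raw, size_t size)
{
    struct name_table t;
    if (name_table_parse(raw, size, 64, &t) != 0)
        return -1;
    int n = (int)t.count;
    name_table_free(&t);
    return n;
}

/* 1 if the raw table lacked a final terminator, 0 if not, -1 on error. */
int table_is_truncated(const unsigned char *raw, size_t size)
{
    struct name_table t;
    if (name_table_parse(raw, size, 64, &t) != 0)
        return -1;
    int r = t.truncated;
    name_table_free(&t);
    return r;
}

/* 1 if the last name equals `expected` (so the sentinel terminated it), else 0. */
int last_name_equals(const unsigned char *raw, size_t size, const char *expected)
{
    struct name_table t;
    if (name_table_parse(raw, size, 64, &t) != 0)
        return -1;
    int r = t.count > 0 && strcmp(t.names[t.count - 1], expected) == 0;
    name_table_free(&t);
    return r;
}

int main(void)
{
    printf("well-formed:  %d names, truncated=%d\n",
           count_names(well_formed, sizeof well_formed),
           table_is_truncated(well_formed, sizeof well_formed));
    printf("unterminated: %d names, truncated=%d\n",
           count_names(unterminated, sizeof unterminated),
           table_is_truncated(unterminated, sizeof unterminated));
    return 0;
}
```

Built with `-fsanitize=address`, the unterminated table parses cleanly with this walker: the last name is cut at the sentinel and reported as truncated, and no byte past `buf[size]` is ever touched.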
Fixed
CVE-2019-9075