Created attachment 11644
Poc to trigger bug

Triggered by "./objdump -x $POC"
Tested on Ubuntu 16.04 (x86)

A heap out-of-bounds read occurs when processing a malformed PE file. There is no check of the raw size of the pdata section in pex64_bfd_print_pdata_section().

bfd/pei-x86_64.c:

    if (altent >= pdata_vma
        && (altent + PDATA_ROW_SIZE
            <= pdata_vma + pei_section_data (abfd, pdata_section)->virt_size))

ASAN output:

==196912==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf3f1758c at pc 0x0835a8bd bp 0xffee2188 sp 0xffee217c
READ of size 1 at 0xf3f1758c thread T0
    #0 0x835a8bc in bfd_getl32 /home/seclab/fuzzing-experiment/fuzzing/src/binutils-2.32/bfd/libbfd.c:695:23
    #1 0x87e1da5 in pex64_get_runtime_function /home/seclab/fuzzing-experiment/fuzzing/src/binutils-2.32/bfd/pei-x86_64.c:94:26
    #2 0x87e1da5 in pex64_bfd_print_pdata_section /home/seclab/fuzzing-experiment/fuzzing/src/binutils-2.32/bfd/pei-x86_64.c:730
    #3 0x87de95c in pex64_bfd_print_pdata /home/seclab/fuzzing-experiment/fuzzing/src/binutils-2.32/bfd/pei-x86_64.c:794:12
    #4 0x883c1cd in _bfd_pex64_print_private_bfd_data_common /home/seclab/fuzzing-experiment/fuzzing/src/binutils-2.32/bfd/pex64igen.c:2911:5
    #5 0x87fb7d2 in pe_print_private_bfd_data /home/seclab/fuzzing-experiment/fuzzing/src/binutils-2.32/bfd/./peicode.h:336:8
    #6 0x8172853 in dump_bfd_private_header /home/seclab/fuzzing-experiment/fuzzing/src/binutils-2.32/binutils/./objdump.c:3181:3
    #7 0x8172853 in dump_bfd /home/seclab/fuzzing-experiment/fuzzing/src/binutils-2.32/binutils/./objdump.c:3782
    #8 0x81711a3 in display_any_bfd /home/seclab/fuzzing-experiment/fuzzing/src/binutils-2.32/binutils/./objdump.c:3881:7
    #9 0x816f747 in display_file /home/seclab/fuzzing-experiment/fuzzing/src/binutils-2.32/binutils/./objdump.c:3994:3
    #10 0x816f747 in main /home/seclab/fuzzing-experiment/fuzzing/src/binutils-2.32/binutils/./objdump.c:4304
    #11 0xf7584636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #12 0x806c9d7 in _start (/home/seclab/fuzzing-experiment/fuzzing/program/x86/binutils-2.32/aflclang5-asan/bin/objdump+0x806c9d7)

Address 0xf3f1758c is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/seclab/fuzzing-experiment/fuzzing/src/binutils-2.32/bfd/libbfd.c:695:23 in bfd_getl32

Credits: Mingi Cho, Seoyoung Kim, and Taekyoung Kwon of the Information Security Lab, Yonsei University.
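The missing check described in the report, as an added example (not binutils code and not the fix applied under bug 24235): a model of a pdata section whose header-declared virtual size exceeds the bytes actually read from the file, with the report's virt_size-only condition beside a check that also respects the raw size. The struct, its field names, the helper names and the sample bytes are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* One x86-64 .pdata entry (RUNTIME_FUNCTION: begin, end, unwind-info RVAs) is 12 bytes. */
#define PDATA_ROW_SIZE 12

/* Hypothetical model of the fields the check needs; not bfd's own structs. */
struct pdata_section {
    uint64_t vma;        /* section virtual address */
    uint64_t virt_size;  /* VirtualSize from the section header; taken from the file */
    size_t raw_size;     /* bytes actually read from the file into `data` */
    const uint8_t *data; /* raw_size bytes */
};

static uint32_t getl32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The condition quoted in the report: only virt_size is consulted. */
bool row_in_virt_bounds(const struct pdata_section *s, uint64_t altent) {
    return altent >= s->vma
        && altent + PDATA_ROW_SIZE <= s->vma + s->virt_size;
}

/* Hardened: the row must also lie inside the bytes that were actually loaded. */
bool row_in_raw_bounds(const struct pdata_section *s, uint64_t altent) {
    if (altent < s->vma)
        return false;
    uint64_t off = altent - s->vma;
    uint64_t limit = s->virt_size < s->raw_size ? s->virt_size : s->raw_size;
    /* Written as a subtraction so a huge `off` cannot wrap the comparison. */
    return off <= limit && PDATA_ROW_SIZE <= limit - off;
}

/* Returns the row's unwind-info RVA, or -1 if the row is not fully backed by data. */
int64_t read_unwind_info_rva(const struct pdata_section *s, uint64_t altent) {
    if (!row_in_raw_bounds(s, altent))
        return -1;
    const uint8_t *row = s->data + (altent - s->vma);
    return getl32(row + 8);
}

/* Constructed sample: the header claims 0x1000 virtual bytes, the file holds one row. */
static const uint8_t sample_raw[PDATA_ROW_SIZE] = {
    0x00, 0x10, 0x00, 0x00,  0x40, 0x10, 0x00, 0x00,  0x00, 0x20, 0x00, 0x00 };
const struct pdata_section sample = { 0x3000, 0x1000, sizeof sample_raw, sample_raw };
```

With the sample, the second row (altent 0x300c) passes the virt_size-only test yet has no backing bytes, which is the read the sanitizer trace flags.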
Hi Mingi,

Thanks for reporting this bug. Fortunately it has already been fixed. :-)

Cheers
Nick

*** This bug has been marked as a duplicate of bug 24235 ***