Bug 24266 - Heap out-of-bound read in pex64_bfd_print_pdata_section
Summary: Heap out-of-bound read in pex64_bfd_print_pdata_section
Status: RESOLVED DUPLICATE of bug 24235
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils (show other bugs)
Version: 2.32
: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
Depends on:
Reported: 2019-02-25 10:45 UTC by Mingi Cho
Modified: 2019-02-25 13:54 UTC (History)
1 user (show)

See Also:
Last reconfirmed:

Poc to trigger bug (10.90 KB, application/x-ms-dos-executable)
2019-02-25 10:45 UTC, Mingi Cho

Note You need to log in before you can comment on or make changes to this bug.
Description Mingi Cho 2019-02-25 10:45:29 UTC
Created attachment 11644 [details]
Poc to trigger bug

Triggered by "./objdump -x $POC"
Tested on Ubuntu 16.04 (x86)

Heap out-of-bound read occurred when processing malformed PE file.

There are no checks of raw size of pdata section in pex64_bfd_print_pdata_section().

    if (altent >= pdata_vma
      && (altent + PDATA_ROW_SIZE <= pdata_vma
      + pei_section_data (abfd, pdata_section)->virt_size))

ASAN output:

==196912==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf3f1758c at pc 0x0835a8bd bp 0xffee2188 sp 0xffee217c
READ of size 1 at 0xf3f1758c thread T0
    #0 0x835a8bc in bfd_getl32 /home/seclab/fuzzing-experiment/fuzzing/src/binutils-2.32/bfd/libbfd.c:695:23
    #1 0x87e1da5 in pex64_get_runtime_function /home/seclab/fuzzing-experiment/fuzzing/src/binutils-2.32/bfd/pei-x86_64.c:94:26
    #2 0x87e1da5 in pex64_bfd_print_pdata_section /home/seclab/fuzzing-experiment/fuzzing/src/binutils-2.32/bfd/pei-x86_64.c:730
    #3 0x87de95c in pex64_bfd_print_pdata /home/seclab/fuzzing-experiment/fuzzing/src/binutils-2.32/bfd/pei-x86_64.c:794:12
    #4 0x883c1cd in _bfd_pex64_print_private_bfd_data_common /home/seclab/fuzzing-experiment/fuzzing/src/binutils-2.32/bfd/pex64igen.c:2911:5
    #5 0x87fb7d2 in pe_print_private_bfd_data /home/seclab/fuzzing-experiment/fuzzing/src/binutils-2.32/bfd/./peicode.h:336:8
    #6 0x8172853 in dump_bfd_private_header /home/seclab/fuzzing-experiment/fuzzing/src/binutils-2.32/binutils/./objdump.c:3181:3
    #7 0x8172853 in dump_bfd /home/seclab/fuzzing-experiment/fuzzing/src/binutils-2.32/binutils/./objdump.c:3782
    #8 0x81711a3 in display_any_bfd /home/seclab/fuzzing-experiment/fuzzing/src/binutils-2.32/binutils/./objdump.c:3881:7
    #9 0x816f747 in display_file /home/seclab/fuzzing-experiment/fuzzing/src/binutils-2.32/binutils/./objdump.c:3994:3
    #10 0x816f747 in main /home/seclab/fuzzing-experiment/fuzzing/src/binutils-2.32/binutils/./objdump.c:4304
    #11 0xf7584636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #12 0x806c9d7 in _start (/home/seclab/fuzzing-experiment/fuzzing/program/x86/binutils-2.32/aflclang5-asan/bin/objdump+0x806c9d7)

Address 0xf3f1758c is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/seclab/fuzzing-experiment/fuzzing/src/binutils-2.32/bfd/libbfd.c:695:23 in bfd_getl32


Mingi Cho, Seoyoung Kim, and Taekyoung Kwon of the Information Security Lab, Yonsei University.
Comment 1 Nick Clifton 2019-02-25 13:54:47 UTC
Hi Mingi,

  Thanks for reporting this bug.  Fortunately it has already been fixed. :-)


*** This bug has been marked as a duplicate of bug 24235 ***