Bug 24266 - Heap out-of-bound read in pex64_bfd_print_pdata_section
Summary: Heap out-of-bound read in pex64_bfd_print_pdata_section
Status: RESOLVED DUPLICATE of bug 24235
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils
Version: 2.32
Importance: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-02-25 10:45 UTC by Mingi Cho
Modified: 2019-02-25 13:54 UTC

See Also:
Host:
Target:
Build:
Last reconfirmed:


Attachments
Poc to trigger bug (10.90 KB, application/x-ms-dos-executable)
2019-02-25 10:45 UTC, Mingi Cho

Description Mingi Cho 2019-02-25 10:45:29 UTC
Created attachment 11644
Poc to trigger bug

Triggered by "./objdump -x $POC"
Tested on Ubuntu 16.04 (x86)

A heap out-of-bounds read occurred when processing a malformed PE file.

There are no checks of the raw size of the pdata section in pex64_bfd_print_pdata_section().

bfd/pei-x86_64.c:
    if (altent >= pdata_vma
        && (altent + PDATA_ROW_SIZE <= pdata_vma
            + pei_section_data (abfd, pdata_section)->virt_size))


ASAN output:

==196912==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf3f1758c at pc 0x0835a8bd bp 0xffee2188 sp 0xffee217c
READ of size 1 at 0xf3f1758c thread T0
    #0 0x835a8bc in bfd_getl32 /home/seclab/fuzzing-experiment/fuzzing/src/binutils-2.32/bfd/libbfd.c:695:23
    #1 0x87e1da5 in pex64_get_runtime_function /home/seclab/fuzzing-experiment/fuzzing/src/binutils-2.32/bfd/pei-x86_64.c:94:26
    #2 0x87e1da5 in pex64_bfd_print_pdata_section /home/seclab/fuzzing-experiment/fuzzing/src/binutils-2.32/bfd/pei-x86_64.c:730
    #3 0x87de95c in pex64_bfd_print_pdata /home/seclab/fuzzing-experiment/fuzzing/src/binutils-2.32/bfd/pei-x86_64.c:794:12
    #4 0x883c1cd in _bfd_pex64_print_private_bfd_data_common /home/seclab/fuzzing-experiment/fuzzing/src/binutils-2.32/bfd/pex64igen.c:2911:5
    #5 0x87fb7d2 in pe_print_private_bfd_data /home/seclab/fuzzing-experiment/fuzzing/src/binutils-2.32/bfd/./peicode.h:336:8
    #6 0x8172853 in dump_bfd_private_header /home/seclab/fuzzing-experiment/fuzzing/src/binutils-2.32/binutils/./objdump.c:3181:3
    #7 0x8172853 in dump_bfd /home/seclab/fuzzing-experiment/fuzzing/src/binutils-2.32/binutils/./objdump.c:3782
    #8 0x81711a3 in display_any_bfd /home/seclab/fuzzing-experiment/fuzzing/src/binutils-2.32/binutils/./objdump.c:3881:7
    #9 0x816f747 in display_file /home/seclab/fuzzing-experiment/fuzzing/src/binutils-2.32/binutils/./objdump.c:3994:3
    #10 0x816f747 in main /home/seclab/fuzzing-experiment/fuzzing/src/binutils-2.32/binutils/./objdump.c:4304
    #11 0xf7584636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #12 0x806c9d7 in _start (/home/seclab/fuzzing-experiment/fuzzing/program/x86/binutils-2.32/aflclang5-asan/bin/objdump+0x806c9d7)

Address 0xf3f1758c is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/seclab/fuzzing-experiment/fuzzing/src/binutils-2.32/bfd/libbfd.c:695:23 in bfd_getl32


Credits:

Mingi Cho, Seoyoung Kim, and Taekyoung Kwon of the Information Security Lab, Yonsei University.
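The size mismatch behind this report, as an added example that is not binutils code: a pdata walk whose stop bound comes from the header's virtual size, as in the check quoted above, will read past a buffer that was only filled to the raw size, while the hardened walk clamps the bound to the bytes actually loaded before dereferencing anything. The struct section model, walk_pdata, rows_claimed_by_header and the 24-byte sample are constructed for illustration and are assumptions, not binutils' own definitions.

```c
#include <stdint.h>
#include <stdio.h>
#define PDATA_ROW_SIZE 12  /* one RUNTIME_FUNCTION: BeginAddress, EndAddress, UnwindData */

/* Hypothetical model of the two sizes a PE section header carries for one section. */
struct section {
    const uint8_t *data;  /* bytes actually loaded from the file */
    size_t raw_size;      /* SizeOfRawData: how many of them are in memory */
    size_t virt_size;     /* VirtualSize: what the header claims; file-controlled */
};
static uint32_t getl32(const uint8_t *p)  /* little-endian 32-bit read */
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
/* Rows a loop bounded only by virt_size would try to read, as in the quoted check. */
size_t rows_claimed_by_header(const struct section *s)
{
    return s->virt_size / PDATA_ROW_SIZE;
}
/* Hardened walk: clamp the stop bound to the bytes that exist, then test each row's end
   against that bound before reading.  Sets *truncated (may be NULL) if the header lied. */
size_t walk_pdata(const struct section *s, int *truncated)
{
    size_t stop = s->virt_size, n = 0;
    if (truncated) *truncated = 0;
    if (stop > s->raw_size) {  /* never let the header bound a buffer it did not size */
        stop = s->raw_size;
        if (truncated) *truncated = 1;
    }
    for (size_t off = 0; off + PDATA_ROW_SIZE <= stop; off += PDATA_ROW_SIZE, n++)
        printf("row %zu: begin=%#x end=%#x unwind=%#x\n", n, getl32(s->data + off),
               getl32(s->data + off + 4), getl32(s->data + off + 8));
    return n;
}
/* Constructed sample: 24 bytes (two rows) in memory while the header claims 48 (four). */
static const uint8_t sample_pdata[24] = {
    0x00,0x10,0x00,0x00, 0x40,0x10,0x00,0x00, 0x00,0x30,0x00,0x00,
    0x50,0x10,0x00,0x00, 0xa0,0x10,0x00,0x00, 0x0c,0x30,0x00,0x00,
};
const struct section sample_section = { sample_pdata, sizeof sample_pdata, 48 };

int main(void)
{
    int truncated;
    size_t n = walk_pdata(&sample_section, &truncated);
    printf("header claimed %zu rows, safely read %zu, truncated=%d\n",
           rows_claimed_by_header(&sample_section), n, truncated);
    return 0;
}
```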
Comment 1 Nick Clifton 2019-02-25 13:54:47 UTC
Hi Mingi,

  Thanks for reporting this bug.  Fortunately it has already been fixed. :-)

Cheers
  Nick

*** This bug has been marked as a duplicate of bug 24235 ***