Created attachment 11651 [details] Poc to trigger bug Triggered by "./objdump -x $POC" Tested on Ubuntu 16.04 (x86) An out-of-bounds read occurred when processing malformed PE file. ASAN output: ==173033==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf4c03bff at pc 0x082e6896 bp 0xffa38b98 sp 0xffa38b8c READ of size 1 at 0xf4c03bff thread T0 #0 0x82e6895 in bfd_getl32 /home/seclab/fuzzing-experiment/fuzzing/src/binutils-2.32/bfd/libbfd.c:698:24 #1 0x871c088 in pex64_xdata_print_uwd_codes /home/seclab/fuzzing-experiment/fuzzing/src/binutils-2.32/bfd/pei-x86_64.c:299:10 #2 0x8717f8c in pex64_dump_xdata /home/seclab/fuzzing-experiment/fuzzing/src/binutils-2.32/bfd/pei-x86_64.c:441:5 #3 0x8709661 in pex64_bfd_print_pdata_section /home/seclab/fuzzing-experiment/fuzzing/src/binutils-2.32/bfd/pei-x86_64.c:758:8 #4 0x87050ee in pex64_bfd_print_pdata /home/seclab/fuzzing-experiment/fuzzing/src/binutils-2.32/bfd/pei-x86_64.c:794:12 #5 0x875d7e9 in _bfd_pex64_print_private_bfd_data_common /home/seclab/fuzzing-experiment/fuzzing/src/binutils-2.32/bfd/pex64igen.c:2911:5 #6 0x871488a in pe_print_private_bfd_data /home/seclab/fuzzing-experiment/fuzzing/src/binutils-2.32/bfd/./peicode.h:336:8 #7 0x8172403 in dump_bfd_private_header /home/seclab/fuzzing-experiment/fuzzing/src/binutils-2.32/binutils/./objdump.c:3181:3 #8 0x8170bc1 in dump_bfd /home/seclab/fuzzing-experiment/fuzzing/src/binutils-2.32/binutils/./objdump.c:3782:5 #9 0x8170346 in display_object_bfd /home/seclab/fuzzing-experiment/fuzzing/src/binutils-2.32/binutils/./objdump.c:3883:7 #10 0x817024d in display_any_bfd /home/seclab/fuzzing-experiment/fuzzing/src/binutils-2.32/binutils/./objdump.c:3973:5 #11 0x816f840 in display_file /home/seclab/fuzzing-experiment/fuzzing/src/binutils-2.32/binutils/./objdump.c:3994:3 #12 0x816ef52 in main /home/seclab/fuzzing-experiment/fuzzing/src/binutils-2.32/binutils/./objdump.c:4304:6 #13 0xf74b7636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636) #14 0x806c907 in _start (/home/seclab/fuzzing-experiment/fuzzing/program/x86/binutils-2.32/clang5-asan-debug/bin/objdump+0x806c907) Credits: Mingi Cho, Seoyoung Kim, and Taekyoung Kwon of the Information Security Lab, Yonsei University.
Hi Mingi, I am unable to reproduce this bug. :-( Do you have the fix for PR 24235 applied in the sources you are using ? (Commit 179f2db0d9c). Cheers Nick
Testing a fix
The master branch has been updated by Alan Modra <amodra@sourceware.org>: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=b24cc4146e4de9f3b66e2e2fb8379db46eff89c9 commit b24cc4146e4de9f3b66e2e2fb8379db46eff89c9 Author: Alan Modra <amodra@gmail.com> Date: Fri Mar 1 09:28:47 2019 +1030 PR24272, out-of-bounds read in pex64_xdata_print_uwd_codes The fix here is to use an unsigned comparison for if (a->NumberOfRvaAndSizes > IMAGE_NUMBEROF_DIRECTORY_ENTRIES) include/ PR 24272 * coff/internal.h (struct internal_extra_pe_aouthdr): Change type of SizeOfCode, SizeOfInitializedData, and SizeOfUninitializedData to bfd_vma. Change type of SectionAlignment, FileAlignment, Reserved1, SizeOfImage, SizeOfHeaders, CheckSum, LoaderFlags, and NumberOfRvaAndSizes to uint32_t. bfd/ PR 24272 * peXXigen.c (_bfd_XXi_swap_aouthdr_in): Use unsigned index. (_bfd_XX_print_private_bfd_data_common): Adjust for type changes.
Fixed