Bug 24922 - An out-of-bounds read in pex64_xdata_print_uwd_codes
Summary: An out-of-bounds read in pex64_xdata_print_uwd_codes
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils
Version: 2.33
Importance: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-08-20 21:03 UTC by Mingi Cho
Modified: 2019-08-22 13:38 UTC (History)
CC: 1 user

See Also:
Host:
Target:
Build:
Last reconfirmed:


Attachments
Poc to trigger bug (10.73 KB, application/x-ms-dos-executable)
2019-08-20 21:03 UTC, Mingi Cho

Description Mingi Cho 2019-08-20 21:03:55 UTC
Created attachment 11956
Poc to trigger bug

Triggered by "./objdump -x $POC"
Tested on Ubuntu 16.04

An out-of-bounds read occurred when processing malformed input.

configuration: 

CC=clang-5.0 CFLAGS="-m32 -Wextra -Wno-missing-field-initializers -fsanitize=address -fno-omit-frame-pointer -g" CXX=clang++-5.0 CXXFLAGS="-m32" ./configure --disable-gdb --disable-gold --disable-gas --disable-gprof


ASAN output:

==108913==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf2a028af at pc 0x0832aa07 bp 0xffd22f58 sp 0xffd22f4c
READ of size 1 at 0xf2a028af thread T0
    #0 0x832aa06 in bfd_getl32 /home/seclab/binutils-gdb/bfd/libbfd.c:698:24
    #1 0x873c1a5 in pex64_xdata_print_uwd_codes /home/seclab/binutils-gdb/bfd/pei-x86_64.c:244:14
    #2 0x8738e6e in pex64_dump_xdata /home/seclab/binutils-gdb/bfd/pei-x86_64.c:441:5
    #3 0x872ad92 in pex64_bfd_print_pdata_section /home/seclab/binutils-gdb/bfd/pei-x86_64.c:757:8
    #4 0x8726c5e in pex64_bfd_print_pdata /home/seclab/binutils-gdb/bfd/pei-x86_64.c:793:12
    #5 0x877ba9d in _bfd_pex64_print_private_bfd_data_common /home/seclab/binutils-gdb/bfd/pex64igen.c:2917:5
    #6 0x873595a in pe_print_private_bfd_data /home/seclab/binutils-gdb/bfd/./peicode.h:336:8
    #7 0x8174bd4 in dump_bfd_private_header /home/seclab/binutils-gdb/binutils/./objdump.c:3352:8
    #8 0x817312f in dump_bfd /home/seclab/binutils-gdb/binutils/./objdump.c:3992:5
    #9 0x8171f56 in display_object_bfd /home/seclab/binutils-gdb/binutils/./objdump.c:4132:7
    #10 0x8171e54 in display_any_bfd /home/seclab/binutils-gdb/binutils/./objdump.c:4222:5
    #11 0x81714a0 in display_file /home/seclab/binutils-gdb/binutils/./objdump.c:4243:3
    #12 0x8170bed in main /home/seclab/binutils-gdb/binutils/./objdump.c:4561:6
    #13 0xf74bf636 in __libc_start_main /build/glibc-GoSbp4/glibc-2.23/csu/../csu/libc-start.c:291
    #14 0x806e677 in _start (/home/seclab/fuzzing-experiment/fuzzing/program/x86/binutils-triage-clang/master/bin/objdump+0x806e677)

Credits:

Mingi Cho, Seoyoung Kim, and Taekyoung Kwon of the Information Security Lab, Yonsei University.
Comment 1 Sourceware Commits 2019-08-22 13:38:17 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=03da31c6764c1bca9b0b0529344a8ea933c825ea

commit 03da31c6764c1bca9b0b0529344a8ea933c825ea
Author: Nick Clifton <nickc@redhat.com>
Date:   Thu Aug 22 14:37:03 2019 +0100

    Fix an illegal memory access when dumping corrupt x86_64 PE unwind data.
    
    	PR 24922
    	* pei-x86_64.c (pex64_xdata_print_uwd_codes): Add checks before
    	reading data from extra records.
Comment 2 Nick Clifton 2019-08-22 13:38:57 UTC
Hi Mingi,

  Thanks for reporting this problem.  I have checked in a patch to
add extra checks to catch this kind of buffer overflow.

Cheers
  Nick
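The ASAN trace above shows a 32-bit read (bfd_getl32) issued from pex64_xdata_print_uwd_codes while it follows an unwind code into its "extra" record slots, and the fix commit adds length checks before those reads. The following is an added, constructed illustration of that class of check, written here for this page; it is not binutils' code and not the patch. It decodes the unwind-code array of one x86-64 UNWIND_INFO record (the layout Microsoft documents: a 4-byte header whose third byte is the slot count, followed by 2-byte code slots) and refuses to read any extra record that the header or the buffer does not cover. The sample records are constructed, not taken from the attached PoC.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Opcodes of the x86-64 UNWIND_INFO format (Microsoft's documented layout). */
enum {
    UWOP_PUSH_NONVOL = 0, UWOP_ALLOC_LARGE = 1, UWOP_ALLOC_SMALL = 2,
    UWOP_SET_FPREG = 3, UWOP_SAVE_NONVOL = 4, UWOP_SAVE_NONVOL_FAR = 5,
    UWOP_EPILOG = 6, UWOP_SPARE_CODE = 7, UWOP_SAVE_XMM128 = 8,
    UWOP_SAVE_XMM128_FAR = 9, UWOP_PUSH_MACHFRAME = 10
};

/* Little-endian readers; the callers below guarantee the bytes are in range. */
static uint32_t getl16(const uint8_t *p) { return (uint32_t)p[0] | ((uint32_t)p[1] << 8); }
static uint32_t getl32(const uint8_t *p) { return getl16(p) | (getl16(p + 2) << 16); }

/* Number of 2-byte slots an unwind code occupies, including the extra
   records that follow it (the reads the bug performed without a length check). */
static unsigned slots_for(unsigned opcode, unsigned opinfo)
{
    switch (opcode) {
    case UWOP_ALLOC_LARGE:     return opinfo ? 3 : 2;
    case UWOP_SAVE_NONVOL:
    case UWOP_EPILOG:
    case UWOP_SAVE_XMM128:     return 2;
    case UWOP_SAVE_NONVOL_FAR:
    case UWOP_SPARE_CODE:
    case UWOP_SAVE_XMM128_FAR: return 3;
    default:                   return 1;
    }
}

/* Decode the unwind codes of one UNWIND_INFO record held in xdata[0..len).
   Returns the number of codes decoded, or -1 when the record claims more
   slots than the data actually contains.  Hypothetical helper, not bfd API. */
int decode_uwd_codes(const uint8_t *xdata, size_t len, int verbose)
{
    if (len < 4)
        return -1;                          /* no room for the fixed header */
    unsigned count = xdata[2];              /* CountOfCodes: number of 2-byte slots */
    const uint8_t *codes = xdata + 4;
    size_t avail = len - 4;

    /* Check 1: the declared slot array must fit inside the section data. */
    if ((size_t)count * 2 > avail)
        return -1;

    int n = 0;
    for (unsigned i = 0; i < count; ) {
        const uint8_t *p = codes + i * 2;
        unsigned opcode = p[1] & 0x0f, opinfo = p[1] >> 4;
        unsigned need = slots_for(opcode, opinfo);

        /* Check 2: the extra records must lie within the declared array,
           which check 1 already proved lies within the buffer. */
        if (i + need > count)
            return -1;

        if (verbose) {
            printf("  offset %3u: op %2u info %u", p[0], opcode, opinfo);
            if (need == 2)
                printf(" extra 0x%04x", getl16(p + 2));
            else if (need == 3)
                printf(" extra 0x%08x", getl32(p + 2));
            putchar('\n');
        }
        i += need;
        n++;
    }
    return n;
}

/* Constructed sample records (not the PoC from this bug). */
/* Well-formed: 3 slots = ALLOC_LARGE with a 16-bit extra, then PUSH_NONVOL rax. */
const uint8_t XDATA_OK[]    = { 0x01, 0x08, 0x03, 0x00, 0x08, 0x01, 0x00, 0x10, 0x01, 0x00 };
/* Truncated: header claims 3 slots but only 2 are present in the data. */
const uint8_t XDATA_SHORT[] = { 0x01, 0x08, 0x03, 0x00, 0x08, 0x01, 0x00, 0x10 };
/* Extra record past the declared array: 2 slots, but ALLOC_LARGE/opinfo=1 needs 3. */
const uint8_t XDATA_EXTRA[] = { 0x01, 0x08, 0x02, 0x00, 0x08, 0x11, 0x00, 0x00 };

int main(void)
{
    printf("ok:    %d\n", decode_uwd_codes(XDATA_OK, sizeof XDATA_OK, 1));
    printf("short: %d\n", decode_uwd_codes(XDATA_SHORT, sizeof XDATA_SHORT, 1));
    printf("extra: %d\n", decode_uwd_codes(XDATA_EXTRA, sizeof XDATA_EXTRA, 1));
    return 0;
}
```

The two checks are deliberately separate: the first bounds the whole slot array against the section length, the second bounds each code's extra slots against that array, so a record whose count is honest but whose last code asks for more slots than remain (the XDATA_EXTRA case) is rejected before getl32 touches memory past the end.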