Bug 28753 - Heap-based Buffer Overflow in bfd_getl32
Summary: Heap-based Buffer Overflow in bfd_getl32
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils (show other bugs)
Version: 2.38
: P2 normal
Target Milestone: 2.38
Assignee: Alan Modra
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-01-08 07:57 UTC by AiDai
Modified: 2022-02-09 11:12 UTC (History)
0 users

See Also:
Host:
Target:
Build:
Last reconfirmed: 2022-01-20 00:00:00


Attachments
poc (298 bytes, application/x-object)
2022-01-08 07:57 UTC, AiDai
Details

Note You need to log in before you can comment on or make changes to this bug.
Description AiDai 2022-01-08 07:57:50 UTC
Created attachment 13895 [details]
poc

```
./objdump -g poc

poc:     file format elf64-x86-64

./objdump: poc: invalid string offset 16711680 >= 6 for section `.strtab'
=================================================================
==3170153==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000011a at pc 0x0000006b2bba bp 0x7ffca4f16920 sp 0x7ffca4f16918
READ of size 1 at 0x60300000011a thread T0
    #0 0x6b2bb9 in bfd_getl32 /home/aidai/fuzzing/binutils/binutils-gdb/bfd/libbfd.c:729:24
    #1 0x5862c0 in read_section_stabs_debugging_info /home/aidai/fuzzing/binutils/binutils-gdb/binutils/rddbg.c:220:25
    #2 0x5862c0 in read_debugging_info /home/aidai/fuzzing/binutils/binutils-gdb/binutils/rddbg.c:56:9
    #3 0x4cef17 in dump_bfd /home/aidai/fuzzing/binutils/binutils-gdb/binutils/./objdump.c:5153:17
    #4 0x4ca155 in display_object_bfd /home/aidai/fuzzing/binutils/binutils-gdb/binutils/./objdump.c
    #5 0x4ca155 in display_any_bfd /home/aidai/fuzzing/binutils/binutils-gdb/binutils/./objdump.c:5299:5
    #6 0x4c9ce5 in display_file /home/aidai/fuzzing/binutils/binutils-gdb/binutils/./objdump.c:5320:3
    #7 0x4c74af in main /home/aidai/fuzzing/binutils/binutils-gdb/binutils/./objdump.c:5688:6
    #8 0x7f5ea20030b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #9 0x41c5ed in _start (/home/aidai/fuzzing/binutils/results/out-objdump-0102/objdump-fuzzer/crashes/objdump+0x41c5ed)

0x60300000011a is located 0 bytes to the right of 26-byte region [0x603000000100,0x60300000011a)
allocated by thread T0 here:
    #0 0x494d2d in malloc (/home/aidai/fuzzing/binutils/results/out-objdump-0102/objdump-fuzzer/crashes/objdump+0x494d2d)
    #1 0xa2008a in xmalloc /home/aidai/fuzzing/binutils/binutils-gdb/libiberty/./xmalloc.c:147:12
    #2 0x4cef17 in dump_bfd /home/aidai/fuzzing/binutils/binutils-gdb/binutils/./objdump.c:5153:17
    #3 0x4ca155 in display_object_bfd /home/aidai/fuzzing/binutils/binutils-gdb/binutils/./objdump.c
    #4 0x4ca155 in display_any_bfd /home/aidai/fuzzing/binutils/binutils-gdb/binutils/./objdump.c:5299:5
    #5 0x4c9ce5 in display_file /home/aidai/fuzzing/binutils/binutils-gdb/binutils/./objdump.c:5320:3

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/aidai/fuzzing/binutils/binutils-gdb/bfd/libbfd.c:729:24 in bfd_getl32
Shadow bytes around the buggy address:
  0x0c067fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff8000: fa fa 00 00 00 00 fa fa 00 00 00 fa fa fa fd fd
  0x0c067fff8010: fd fa fa fa fd fd fd fa fa fa 00 00 00 fa fa fa
=>0x0c067fff8020: 00 00 00[02]fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==3170153==ABORTING
Comment 1 Sourceware Commits 2022-01-28 06:32:18 UTC
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=085b299b71721e15f5c5c5344dc3e4e4536dadba

commit 085b299b71721e15f5c5c5344dc3e4e4536dadba
Author: Alan Modra <amodra@gmail.com>
Date:   Thu Jan 20 13:58:38 2022 +1030

    PR28753, buffer overflow in read_section_stabs_debugging_info
    
            PR 28753
            * rddbg.c (read_section_stabs_debugging_info): Don't read past
            end of section when concatentating stab strings.
Comment 2 Sourceware Commits 2022-02-05 08:29:40 UTC
The binutils-2_38-branch branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=cad4d6b91e97b6962807d33c04ed7e7797788438

commit cad4d6b91e97b6962807d33c04ed7e7797788438
Author: Alan Modra <amodra@gmail.com>
Date:   Thu Jan 20 13:58:38 2022 +1030

    PR28753, buffer overflow in read_section_stabs_debugging_info
    
            PR 28753
            * rddbg.c (read_section_stabs_debugging_info): Don't read past
            end of section when concatentating stab strings.
    
    (cherry picked from commit 085b299b71721e15f5c5c5344dc3e4e4536dadba)
Comment 3 Alan Modra 2022-02-09 11:12:09 UTC
Fixed mainline and 2.38 branch