Bug 29924 - Huge memory allocation in objdump
Summary: Huge memory allocation in objdump
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils (show other bugs)
Version: 2.39
: P2 normal
Target Milestone: ---
Assignee: Nick Clifton
Depends on:
Reported: 2022-12-21 08:05 UTC by 邓朋
Modified: 2022-12-21 11:54 UTC (History)

See Also:
Last reconfirmed: 2022-12-21 00:00:00

PoC to replay the vulnerability (10.12 KB, application/x-object)
2022-12-21 08:05 UTC, 邓朋

Description 邓朋 2022-12-21 08:05:54 UTC
Created attachment 14533
PoC to replay the vulnerability

There is a huge memory allocation vulnerability in objdump, which can be triggered by a crafted ELF file.

git clone git://sourceware.org/git/binutils-gdb.git
CC="clang -fsanitize=address" CXX="clang++ -fsanitize=address" ./configure --disable-shared && make -j$(nproc)
./binutils/objdump -S poc

==23722==ERROR: AddressSanitizer: allocator is out of memory trying to allocate 0x3000000001 bytes
    #0 0x4942ed in malloc (/binutils-gdb/binutils/objdump+0x4942ed)
    #1 0x8410c8 in xmalloc /binutils-gdb/libiberty/./xmalloc.c:149:12
    #2 0x4dbb9d in load_separate_debug_files /binutils-gdb/binutils/./dwarf.c:11965:7
    #3 0x4c6e60 in display_object_bfd /binutils-gdb/binutils/./objdump.c
    #4 0x4c6e60 in display_any_bfd /binutils-gdb/binutils/./objdump.c:5823:5
    #5 0x4c5604 in display_file /binutils-gdb/binutils/./objdump.c:5844:3
    #6 0x4c5604 in main /binutils-gdb/binutils/./objdump.c:6252:6
    #7 0x7f08291dec86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310

==23722==HINT: if you don't care about these errors you may set allocator_may_return_null=1
SUMMARY: AddressSanitizer: out-of-memory (/binutils-gdb/binutils/objdump+0x4942ed) in malloc

Ubuntu 18.04
clang 10.0.0
Comment 1 Sourceware Commits 2022-12-21 11:52:02 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:


commit 75393a2d54bcc40053e5262a3de9d70c5ebfbbfd
Author: Nick Clifton <nickc@redhat.com>
Date:   Wed Dec 21 11:51:23 2022 +0000

    Fix an attempt to allocate an unreasonably large amount of memory when parsing a corrupt ELF file.
            PR  29924
            * objdump.c (load_specific_debug_section): Check for excessively
            large sections.
Comment 2 Nick Clifton 2022-12-21 11:54:12 UTC
Thanks for reporting this problem.  I have checked in a small patch to add a check for an excessively large DWARF information section.
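The following is an added example, not binutils code and not the patch from commit 75393a2d: it shows the class of check the fix describes, a bounds test of a section header's sh_offset/sh_size against the file size before any allocation, applied to a constructed ELF64 image whose section header claims the 0x3000000001-byte size from the ASan report. The struct mirrors, function names (section_fits_in_file, first_bad_section, load_section_checked, build_image) and the constructed image are this example's own, and it assumes a little-endian host so the headers can be copied as raw structs.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Local mirrors of Elf64_Ehdr / Elf64_Shdr (same field order and widths as
   <elf.h>), so the example builds without glibc headers. Example-only types. */
typedef struct {
    unsigned char e_ident[16];
    uint16_t e_type, e_machine;
    uint32_t e_version;
    uint64_t e_entry, e_phoff, e_shoff;
    uint32_t e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} ehdr64_t;

typedef struct {
    uint32_t sh_name, sh_type;
    uint64_t sh_flags, sh_addr, sh_offset, sh_size;
    uint32_t sh_link, sh_info;
    uint64_t sh_addralign, sh_entsize;
} shdr64_t;

enum { SHT_PROGBITS_ = 1, SHT_NOBITS_ = 8 };

/* A section fits if [sh_offset, sh_offset + sh_size) lies inside the file.
   Written overflow-safe: a size like 0x3000000001 would wrap a naive
   "offset + size <= file_size" comparison on a 32-bit size_t. */
int section_fits_in_file(const shdr64_t *sh, uint64_t file_size)
{
    if (sh->sh_type == SHT_NOBITS_)
        return 1;                          /* occupies no bytes in the file */
    if (sh->sh_size > file_size)
        return 0;
    return sh->sh_offset <= file_size - sh->sh_size;
}

/* Walk the section header table of an in-memory ELF64 image.
   Returns -1 if every section fits, the index of the first section that does
   not, or -2 if the ELF header or the table itself is malformed. */
int first_bad_section(const uint8_t *image, uint64_t image_size)
{
    ehdr64_t eh;
    if (image_size < sizeof eh) return -2;
    memcpy(&eh, image, sizeof eh);
    if (memcmp(eh.e_ident, "\177ELF", 4) != 0 || eh.e_ident[4] != 2) return -2;
    if (eh.e_shentsize != sizeof(shdr64_t)) return -2;
    uint64_t table_bytes = (uint64_t) eh.e_shnum * sizeof(shdr64_t);
    if (eh.e_shoff > image_size || table_bytes > image_size - eh.e_shoff) return -2;
    for (uint16_t i = 0; i < eh.e_shnum; i++) {
        shdr64_t sh;
        memcpy(&sh, image + eh.e_shoff + (uint64_t) i * sizeof sh, sizeof sh);
        if (!section_fits_in_file(&sh, image_size)) return (int) i;
    }
    return -1;
}

/* The allocation the unchecked code did blindly, now gated on the check.
   Returns a malloc'd copy of the section bytes, or NULL if the header is bogus. */
uint8_t *load_section_checked(const uint8_t *image, uint64_t image_size,
                              const shdr64_t *sh, uint64_t *out_len)
{
    if (sh->sh_type == SHT_NOBITS_ || !section_fits_in_file(sh, image_size))
        return NULL;
    uint8_t *buf = malloc(sh->sh_size ? (size_t) sh->sh_size : 1);
    if (!buf) return NULL;
    memcpy(buf, image + sh->sh_offset, (size_t) sh->sh_size);
    *out_len = sh->sh_size;
    return buf;
}

/* Constructed test image (not the reporter's PoC): 64-byte header, two section
   headers, 16 bytes of section data. bogus_size != 0 poisons section 1's sh_size. */
#define IMG_SIZE (sizeof(ehdr64_t) + 2 * sizeof(shdr64_t) + 16)
size_t build_image(uint8_t *out, uint64_t bogus_size)
{
    ehdr64_t eh; shdr64_t sh[2];
    memset(&eh, 0, sizeof eh); memset(sh, 0, sizeof sh);
    memcpy(eh.e_ident, "\177ELF", 4);
    eh.e_ident[4] = 2;                     /* ELFCLASS64 */
    eh.e_ident[5] = 1;                     /* ELFDATA2LSB */
    eh.e_shoff = sizeof eh; eh.e_ehsize = sizeof eh;
    eh.e_shentsize = sizeof(shdr64_t); eh.e_shnum = 2;
    sh[1].sh_type = SHT_PROGBITS_;         /* stands in for .debug_info */
    sh[1].sh_offset = sizeof eh + sizeof sh;
    sh[1].sh_size = bogus_size ? bogus_size : 16;
    memcpy(out, &eh, sizeof eh);
    memcpy(out + sizeof eh, sh, sizeof sh);
    memset(out + sizeof eh + sizeof sh, 0xAB, 16);
    return IMG_SIZE;
}

int main(void)
{
    uint8_t img[IMG_SIZE];
    size_t n = build_image(img, 0);
    printf("well-formed image: first bad section = %d\n", first_bad_section(img, n));
    n = build_image(img, 0x3000000001ULL);  /* the size from the ASan report */
    printf("corrupt image:     first bad section = %d\n", first_bad_section(img, n));
    return 0;
}
```

The check is deliberately done on the header fields alone, before any malloc, so a corrupt file is rejected at the cost of reading the section table rather than after an attempted multi-gigabyte allocation; the same test also catches sh_offset values that would wrap past the end of the file.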