[Bug binutils/22307] New: Heap out of bounds read in _bfd_elf_parse_gnu

bug-binutils

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Bug binutils/22307] New: Heap out of bounds read in _bfd_elf_parse_gnu_

From:	mgcho.minic at gmail dot com
Subject:	[Bug binutils/22307] New: Heap out of bounds read in _bfd_elf_parse_gnu_properties()
Date:	Tue, 17 Oct 2017 06:49:42 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=22307

            Bug ID: 22307
           Summary: Heap out of bounds read in
                    _bfd_elf_parse_gnu_properties()
           Product: binutils
           Version: 2.30 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: mgcho.minic at gmail dot com
  Target Milestone: ---

Created attachment 10535
  --> https://sourceware.org/bugzilla/attachment.cgi?id=10535&action=edit
POC to trigger heap out of bounds read

Triggered by "./objdump -x $POC"
Tested on Ubuntu 16.04 (x86)


The GDB debugging information is as follows:

(gdb) r -x $POC

Program received signal SIGSEGV, Segmentation fault.
bfd_getl32 (p=0x21edd94) at libbfd.c:557
557       v = (unsigned long) addr[0];
(gdb) bt
#0  bfd_getl32 (p=0x21edd94) at libbfd.c:557
#1  0x080e6288 in _bfd_elf_parse_gnu_properties (abfd=<optimized out>,
note=<optimized out>) at elf-properties.c:98
#2  0x080bfbfc in elfobj_grok_gnu_note (abfd=<optimized out>, note=<optimized
out>) at elf.c:9815
#3  elf_parse_notes (abfd=<optimized out>, buf=<optimized out>, size=<optimized
out>, offset=<optimized out>)
    at elf.c:11028
#4  0x080bf3f8 in _bfd_elf_make_section_from_shdr (abfd=<optimized out>,
hdr=<optimized out>, name=<optimized out>, 
    shindex=<optimized out>) at elf.c:1092
#5  0x080c266f in bfd_section_from_shdr (abfd=<optimized out>,
shindex=<optimized out>) at elf.c:2421
#6  0x080bbc65 in bfd_elf32_object_p (abfd=<optimized out>) at ./elfcode.h:805
#7  0x080a6eca in bfd_check_format_matches (abfd=<optimized out>,
format=<optimized out>, matching=<optimized out>)
    at format.c:311
#8  0x0804a940 in display_object_bfd (abfd=0x81e9a08) at ./objdump.c:3609
#9  display_any_bfd (file=0x81e9a08, level=<optimized out>) at ./objdump.c:3700
#10 0x0804a4ea in display_file (filename=0xbffff305
"/tmp/objdump/libbfd_getl_crash", target=<optimized out>, 
    last_file=<optimized out>) at ./objdump.c:3721
#11 main (argc=<optimized out>, argv=<optimized out>) at ./objdump.c:4023


Credits:

This vulnerability was discovered by Mingi Cho and Taekyoung Kwon of the
Information Security Lab, Yonsei University. Please contact
address@hidden and address@hidden if you need more information
about the vulnerability and the lab.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Prev in Thread]

Current Thread

[Next in Thread]

[Bug binutils/22307] New: Heap out of bounds read in _bfd_elf_parse_gnu_properties(), mgcho.minic at gmail dot com <=
- [Bug binutils/22307] Heap out of bounds read in _bfd_elf_parse_gnu_properties(), amodra at gmail dot com, 2017/10/17
- [Bug binutils/22307] Heap out of bounds read in _bfd_elf_parse_gnu_properties(), cvs-commit at gcc dot gnu.org, 2017/10/17
- [Bug binutils/22307] Heap out of bounds read in _bfd_elf_parse_gnu_properties(), amodra at gmail dot com, 2017/10/17

Prev by Date: [Bug binutils/22306] Invalid free() in slurp_symtab() [Heap corruption]
Next by Date: [Bug binutils/22307] Heap out of bounds read in _bfd_elf_parse_gnu_properties()
Previous by thread: [Bug binutils/22306] New: Invalid free() in slurp_symtab() [Heap corruption]
Next by thread: [Bug binutils/22307] Heap out of bounds read in _bfd_elf_parse_gnu_properties()
Index(es):
- Date
- Thread