[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Bug binutils/22376] New: Heap overflow in coff_slurp_line_table
|
From: |
mgcho.minic at gmail dot com |
|
Subject: |
[Bug binutils/22376] New: Heap overflow in coff_slurp_line_table |
|
Date: |
Tue, 31 Oct 2017 15:06:48 +0000 |
https://sourceware.org/bugzilla/show_bug.cgi?id=22376
Bug ID: 22376
Summary: Heap overflow in coff_slurp_line_table
Product: binutils
Version: 2.30 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: mgcho.minic at gmail dot com
Target Milestone: ---
Created attachment 10562
--> https://sourceware.org/bugzilla/attachment.cgi?id=10562&action=edit
poc of the crash
Triggered by "./objdump -x $POC"
Tested on Ubuntu 16.04 (x86)
There is no check on the number of tables when processing line table.
The GDB debugging information is as follows:
(gdb) r -x $POC
Program received signal SIGSEGV, Segmentation fault.
0x080c55f5 in bfd_getl32 (p=0x8276000) at libbfd.c:557
557 v = (unsigned long) addr[0];
(gdb) bt
#0 0x080c55f5 in bfd_getl32 (p=0x8276000) at libbfd.c:557
#1 0x081544d5 in _bfd_pei_swap_lineno_in (abfd=0x8255a08, ext1=0x8276000,
in1=0xbfffeac0) at peigen.c:446
#2 0x08151562 in coff_slurp_line_table (abfd=0x8255a08, asect=0x8256b9c) at
./coffcode.h:4606
#3 0x081510e9 in coff_slurp_symbol_table (abfd=0x8255a08) at ./coffcode.h:5122
#4 0x081505c7 in coff_slurp_reloc_table (abfd=0x8255a08, asect=0x8256db8,
symbols=0x0) at ./coffcode.h:5291
#5 0x0814cd2a in coff_canonicalize_reloc (abfd=0x8255a08, section=0x8256db8,
relptr=0x825c300, symbols=0x0)
at ./coffcode.h:5435
#6 0x080be79b in bfd_canonicalize_reloc (abfd=0x8255a08, asect=0x8256db8,
location=0x825c300, symbols=0x0)
at bfd.c:1090
#7 0x0804e3a6 in dump_relocs_in_section (abfd=0x8255a08, section=0x8256db8,
dummy=0x0) at ./objdump.c:3400
#8 0x080ca10c in bfd_map_over_sections (abfd=0x8255a08, operation=0x804e200
<dump_relocs_in_section>,
user_storage=0x0) at section.c:1395
#9 0x0804c9ee in dump_relocs (abfd=0x8255a08) at ./objdump.c:3422
#10 0x0804b9b8 in dump_bfd (abfd=0x8255a08) at ./objdump.c:3548
#11 0x0804b5d2 in display_object_bfd (abfd=0x8255a08) at ./objdump.c:3611
#12 0x0804b587 in display_any_bfd (file=0x8255a08, level=0) at ./objdump.c:3700
#13 0x0804b2b1 in display_file (filename=0xbffff2a0
"/home/min/Downloads/55_minimize", target=0x0, last_file=1)
at ./objdump.c:3721
#14 0x0804ae80 in main (argc=3, argv=0xbffff094) at ./objdump.c:4023
Proposed patch:
--- a/bfd/coffcode.h
+++ b/bfd/coffcode.h
@@ -4578,6 +4578,9 @@ coff_slurp_line_table (bfd *abfd, asection *asect)
BFD_ASSERT (asect->lineno == NULL);
+ if(asect->lineno_count > 0xffff)
+ return FALSE;
+
amt = ((bfd_size_type) asect->lineno_count + 1) * sizeof (alent);
lineno_cache = (alent *) bfd_alloc (abfd, amt);
if (lineno_cache == NULL)
Credits:
This vulnerability was discovered by Mingi Cho and Taekyoung Kwon of the
Information Security Lab, Yonsei University. Please contact
address@hidden and address@hidden if you need more information
about the vulnerability and the lab.
--
You are receiving this mail because:
You are on the CC list for the bug.
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [Bug binutils/22376] New: Heap overflow in coff_slurp_line_table,
mgcho.minic at gmail dot com <=