[Bug binutils/22385] New: Integer overflow in coff_get_normalized_symtab


From: mgcho.minic at gmail dot com
Subject: [Bug binutils/22385] New: Integer overflow in coff_get_normalized_symtab
Date: Thu, 02 Nov 2017 06:00:49 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=22385

            Bug ID: 22385
           Summary: Integer overflow in coff_get_normalized_symtab
           Product: binutils
           Version: 2.30 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: mgcho.minic at gmail dot com
  Target Milestone: ---

Created attachment 10568
  --> https://sourceware.org/bugzilla/attachment.cgi?id=10568&action=edit
poc of the crash

Triggered by "./objdump -r $POC"
Tested on Ubuntu 16.04 (x86)

An integer overflow occurs when the number of symbols is too large.


ASAN output:

./objdump -r $POC

==30813==ERROR: AddressSanitizer: SEGV on unknown address 0xbebebebe (pc
0x08127bc6 bp 0xbfe51da8 sp 0xbfe5191c T0)
    #0 0x8127bc5 in __sanitizer::internal_strlen(char const*)
(/home/min/fuzzing/program/binutils-master-asan/bin/objdump+0x8127bc5)
    #1 0x80b4121 in printf_common(void*, char const*, char*)
(/home/min/fuzzing/program/binutils-master-asan/bin/objdump+0x80b4121)
    #2 0x80b45fc in __interceptor_vfprintf
(/home/min/fuzzing/program/binutils-master-asan/bin/objdump+0x80b45fc)
    #3 0x80b464b in __interceptor_fprintf
(/home/min/fuzzing/program/binutils-master-asan/bin/objdump+0x80b464b)
    #4 0x82b1b47 in _bfd_doprnt
/home/min/fuzzing/src/binutils/binutils-gdb/bfd/bfd.c:805:8
    #5 0x82b016c in error_handler_internal
/home/min/fuzzing/src/binutils/binutils-gdb/bfd/bfd.c:887:3
    #6 0x82a8e5e in _bfd_error_handler
/home/min/fuzzing/src/binutils/binutils-gdb/bfd/bfd.c:909:3
    #7 0x851deae in coff_slurp_symbol_table
/home/min/fuzzing/src/binutils/binutils-gdb/bfd/./coffcode.h:5085:8


The GDB debugging information is as follows:

(gdb) r -r $POC

Program received signal SIGSEGV, Segmentation fault.
0xb7e43383 in _IO_vfprintf_internal (s=0xbfffc4b8, format=<optimized out>, 
    ap=0xbfffea9c
"\306\350\"address@hidden")
    at vfprintf.c:1632
1632  vfprintf.c: No such file or directory.
(gdb) bt
#0  0xb7e43383 in _IO_vfprintf_internal (s=0xbfffc4b8, format=<optimized out>, 
    ap=0xbfffea9c
"\306\350\"address@hidden")
    at vfprintf.c:1632
#1  0xb7e43671 in buffered_vfprintf (address@hidden <_IO_2_1_stderr_>,
address@hidden "%s", 
    address@hidden "\001") at vfprintf.c:2320
#2  0xb7e412d1 in _IO_vfprintf_internal (s=0xb7fb1cc0 <_IO_2_1_stderr_>,
format=0xbfffeb8c "%s", 
    ap=0xbfffea98 "\001") at vfprintf.c:1293
#3  0xb7e48668 in __fprintf (stream=0xb7fb1cc0 <_IO_2_1_stderr_>,
format=0xbfffeb8c "%s") at fprintf.c:32
#4  0x080c08c2 in _bfd_doprnt (stream=0xb7fb1cc0 <_IO_2_1_stderr_>, 
    format=0x822e89e "%B: Unrecognized storage class %d for %s symbol `%s'",
ap=0xbfffeca4 "\340\276%\b\001")
    at bfd.c:805
#5  0x080c006f in error_handler_internal (fmt=0x822e89e "%B: Unrecognized
storage class %d for %s symbol `%s'", 
    ap=0xbfffec94 "\bZ%\b") at bfd.c:887
#6  0x080be625 in _bfd_error_handler (fmt=0x822e89e "%B: Unrecognized storage
class %d for %s symbol `%s'")
    at bfd.c:909
#7  0x08151029 in coff_slurp_symbol_table (abfd=0x8255a08) at ./coffcode.h:5085
#8  0x08166d06 in coff_get_symtab_upper_bound (abfd=0x8255a08) at coffgen.c:419
#9  0x0804c1d7 in slurp_symtab (abfd=0x8255a08) at ./objdump.c:615
#10 0x0804b82c in dump_bfd (abfd=0x8255a08) at ./objdump.c:3523
#11 0x0804b5d2 in display_object_bfd (abfd=0x8255a08) at ./objdump.c:3611
#12 0x0804b587 in display_any_bfd (file=0x8255a08, level=0) at ./objdump.c:3700
#13 0x0804b2b1 in display_file (filename=0xbffff2b7 "/tmp/poc", target=0x0,
last_file=1) at ./objdump.c:3721
#14 0x0804ae80 in main (argc=3, argv=0xbffff0a4) at ./objdump.c:4023


Proposed patch:

Check whether integer overflow occurs in coff_get_normalized_symtab ()

--- a/bfd/coffgen.c
+++ b/bfd/coffgen.c
@@ -1790,6 +1790,8 @@ coff_get_normalized_symtab (bfd *abfd)
     return NULL;

   size = obj_raw_syment_count (abfd) * sizeof (combined_entry_type);
+  if (obj_raw_syment_count (abfd) > size)
+    return NULL;
   internal = (combined_entry_type *) bfd_zalloc (abfd, size);
   if (internal == NULL && size != 0)
     return NULL;
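Review bot: the added `if (obj_raw_syment_count (abfd) > size)` runs after the multiplication and only detects an overflow when the wrapped product happens to come out smaller than the count; because sizeof (combined_entry_type) is well above one byte, a wrapped `size` can still be larger than the count, pass this check, and reach `bfd_zalloc (abfd, size)` undersized. Reject before multiplying instead, e.g. `if (obj_raw_syment_count (abfd) > (bfd_size_type) -1 / sizeof (combined_entry_type)) return NULL;` placed ahead of the `size = ...` line, or verify afterwards that `size / sizeof (combined_entry_type) == obj_raw_syment_count (abfd)`; a one-line comment stating that the check guards the multiplication would also help future readers.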


Credits:

This vulnerability was discovered by Mingi Cho and Taekyoung Kwon of the
Information Security Lab, Yonsei University. Please contact
address@hidden and address@hidden if you need more information
about the vulnerability and the lab.
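The arithmetic behind the report, as an added example that is not code from the report or from binutils: it models the size computation with a 32-bit size type (the report was produced on an x86 build) and a hypothetical element size standing in for sizeof (combined_entry_type), and shows that the proposed `count > size` comparison catches some wrapped products but not all, while a pre-multiplication bound rejects every overflowing count.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical element size standing in for sizeof (combined_entry_type);
   the real value depends on the BFD build and is not stated in the report. */
#define ELEM_SIZE 24u

/* Product of count and ELEM_SIZE reduced modulo 2^32, i.e. what a 32-bit
   size type stores after the multiplication wraps. */
static uint32_t wrapped_size(uint32_t count)
{
    return (uint32_t) ((uint64_t) count * ELEM_SIZE);
}

/* The check from the proposed patch: multiply first, then compare the
   (possibly wrapped) size against the count. */
bool proposed_check_rejects(uint32_t count)
{
    uint32_t size = wrapped_size(count);
    return count > size;
}

/* True exactly when count * ELEM_SIZE does not fit in 32 bits. */
bool truly_overflows(uint32_t count)
{
    return (uint64_t) count * ELEM_SIZE > UINT32_MAX;
}

/* Overflow-safe computation: bound the count before multiplying.
   Returns the size, or -1 when the product would not fit. */
int64_t safe_symtab_size(uint32_t count)
{
    if (count > UINT32_MAX / ELEM_SIZE)
        return -1;
    return (int64_t) count * ELEM_SIZE;
}

int main(void)
{
    /* Constructed probe counts: small, mid-range overflowing, maximal. */
    const uint32_t probes[] = { 1000u, 0x10000000u, 0xFFFFFFFFu };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        uint32_t c = probes[i];
        printf("count=%10u wrapped=%10u overflow=%d proposed_rejects=%d safe=%lld\n",
               c, wrapped_size(c), truly_overflows(c),
               proposed_check_rejects(c), (long long) safe_symtab_size(c));
    }
    return 0;
}
```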
