[Bug binutils/22386] New: Integer overflow in print_debug

bug-binutils

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Bug binutils/22386] New: Integer overflow in print_debug_frame ()

From:	mgcho.minic at gmail dot com
Subject:	[Bug binutils/22386] New: Integer overflow in print_debug_frame ()
Date:	Thu, 02 Nov 2017 12:43:51 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=22386

            Bug ID: 22386
           Summary: Integer overflow in print_debug_frame ()
           Product: binutils
           Version: 2.30 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: mgcho.minic at gmail dot com
  Target Milestone: ---

Created attachment 10569
  --> https://sourceware.org/bugzilla/attachment.cgi?id=10569&action=edit
POC file

Triggered by "./readelf -w $POC"
Tested on Ubuntu 16.04 (x86)

An integer overflow is occurred when processing corrupted elf file.


ASAN output:

./readelf -w $POC

==14407==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb4803295 at
pc 0x081f11ad bp 0xbff83328 sp 0xbff8331c
READ of size 1 at 0xb4803295 thread T0
    #0 0x81f11ac in display_debug_frames
/home/min/fuzzing/src/binutils/binutils-gdb/binutils/dwarf.c:7433:20
    #1 0x81c4355 in display_debug_section
/home/min/fuzzing/src/binutils/binutils-gdb/binutils/readelf.c:13399:16
    #2 0x8172193 in process_section_contents
/home/min/fuzzing/src/binutils/binutils-gdb/binutils/readelf.c:13485:10
    #3 0x81486c0 in process_object
/home/min/fuzzing/src/binutils/binutils-gdb/binutils/readelf.c:18173:9
    #4 0x8137e9a in process_file
/home/min/fuzzing/src/binutils/binutils-gdb/binutils/readelf.c:18565:13
    #5 0x81367a1 in main
/home/min/fuzzing/src/binutils/binutils-gdb/binutils/readelf.c:18637:11
    #6 0xb7507636 in __libc_start_main
/build/glibc-KM3i_a/glibc-2.23/csu/../csu/libc-start.c:291
    #7 0x805fda7 in _start
(/home/min/fuzzing/program/binutils-master-asan/bin/readelf+0x805fda7)

0xb4803295 is located 0 bytes to the right of 341-byte region
[0xb4803140,0xb4803295)
allocated by thread T0 here:
    #0 0x81040e4 in __interceptor_malloc
(/home/min/fuzzing/program/binutils-master-asan/bin/readelf+0x81040e4)
    #1 0x81384ba in get_data
/home/min/fuzzing/src/binutils/binutils-gdb/binutils/readelf.c:415:9
    #2 0x81347f4 in load_specific_debug_section
/home/min/fuzzing/src/binutils/binutils-gdb/binutils/readelf.c:13200:38
    #3 0x81c42c4 in display_debug_section
/home/min/fuzzing/src/binutils/binutils-gdb/binutils/readelf.c:13392:6
    #4 0x8172193 in process_section_contents
/home/min/fuzzing/src/binutils/binutils-gdb/binutils/readelf.c:13485:10
    #5 0x81486c0 in process_object
/home/min/fuzzing/src/binutils/binutils-gdb/binutils/readelf.c:18173:9
    #6 0x8137e9a in process_file
/home/min/fuzzing/src/binutils/binutils-gdb/binutils/readelf.c:18565:13
    #7 0x81367a1 in main
/home/min/fuzzing/src/binutils/binutils-gdb/binutils/readelf.c:18637:11
    #8 0xb7507636 in __libc_start_main
/build/glibc-KM3i_a/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/min/fuzzing/src/binutils/binutils-gdb/binutils/dwarf.c:7433:20 in
display_debug_frames
Shadow bytes around the buggy address:
  0x36900600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36900610: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36900620: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x36900630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x36900640: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x36900650: 00 00[05]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36900660: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x36900670: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x36900680: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
  0x36900690: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x369006a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==14407==ABORTING


The GDB debugging information is as follows:

(gdb) r -w $POC

(gdb) bt
Breakpoint 4, display_debug_frames (section=0x8366c84 <debug_displays+420>,
file=0xb5003d80) at dwarf.c:7432
7432                  for (i = 0; i < augmentation_data_len; ++i)
(gdb) bt
#0  display_debug_frames (section=0x8366c84 <debug_displays+420>,
file=0xb5003d80) at dwarf.c:7432
#1  0x081c4356 in display_debug_section (shndx=18, section=0xb4602d90,
file=0xb5003d80) at readelf.c:13399
#2  0x08172194 in process_section_contents (file=0xb5003d80) at readelf.c:13485
#3  0x081486c1 in process_object (file_name=0xbffff284
"/home/min/Downloads/test", file=0xb5003d80)
    at readelf.c:18173
#4  0x08137e9b in process_file (file_name=0xbffff284
"/home/min/Downloads/test") at readelf.c:18565
#5  0x081367a2 in main (argc=3, argv=0xbffff064) at readelf.c:18637
(gdb) p start
$18 = (unsigned char *) 0x27e6046a ""
(gdb) p end
$19 = (unsigned char *) 0xb5003994 ""
(gdb) p augmentation_data_len 
$20 = 1927662487


Proposed patch:

Check if variable start is overflowed.

--- a/home/min/fuzzing/src/binutils/binutils-gdb/binutils/dwarf.c
+++ b/home/min/Downloads/dwarf.c
@@ -7401,7 +7401,7 @@ display_debug_frames (struct dwarf_section *section,
              augmentation_data = start;
              start += augmentation_data_len;
              /* PR 17512: file: 722-8446-0.004.  */
-             if (start >= end || ((signed long) augmentation_data_len) < 0)
+             if (start >= end || ((signed long) augmentation_data_len) < 0 ||
augmentation_data > start)
                {
                  warn (_("Corrupt augmentation data length: %lx\n"),
                        augmentation_data_len);


Credits:

This vulnerability was discovered by Mingi Cho and Taekyoung Kwon of the
Information Security Lab, Yonsei University. Please contact
address@hidden and address@hidden if you need more information
about the vulnerability and the lab.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Prev in Thread]

Current Thread

[Next in Thread]

[Bug binutils/22386] New: Integer overflow in print_debug_frame (), mgcho.minic at gmail dot com <=
- [Bug binutils/22386] Integer overflow in print_debug_frame (), cvs-commit at gcc dot gnu.org, 2017/11/03
- [Bug binutils/22386] Integer overflow in print_debug_frame (), nickc at redhat dot com, 2017/11/03

Prev by Date: [Bug binutils/22385] New: Integer overflow in coff_get_normalized_symtab
Next by Date: [Bug binutils/22384] heap buffer overflow in print_gnu_property_note
Previous by thread: [Bug binutils/22385] New: Integer overflow in coff_get_normalized_symtab
Next by thread: [Bug binutils/22386] Integer overflow in print_debug_frame ()
Index(es):
- Date
- Thread