[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Bug binutils/22507] New: Heap buffer overflow on _bfd_coff_read_string_
|
From: |
mgcho.minic at gmail dot com |
|
Subject: |
[Bug binutils/22507] New: Heap buffer overflow on _bfd_coff_read_string_table |
|
Date: |
Tue, 28 Nov 2017 05:26:29 +0000 |
https://sourceware.org/bugzilla/show_bug.cgi?id=22507
Bug ID: 22507
Summary: Heap buffer overflow on _bfd_coff_read_string_table
Product: binutils
Version: 2.30 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: mgcho.minic at gmail dot com
Target Milestone: ---
Created attachment 10643
--> https://sourceware.org/bugzilla/attachment.cgi?id=10643&action=edit
poc of the crash
Triggered by "./objdump -W $POC"
Tested on Ubuntu 16.04 (x86)
Heap overflow occurred when processing malformed PE file.
The GDB debugging information is as follows:
(gdb) r -W $POC
Program received signal SIGABRT, Aborted.
0xb7fd9ce5 in __kernel_vsyscall ()
(gdb) bt
#0 0xb7fd9ce5 in __kernel_vsyscall ()
#1 0xb7e2aea9 in __GI_raise (sig=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#2 0xb7e2c407 in __GI_abort () at abort.c:89
#3 0xb7e6637c in __libc_message (do_abort=2, fmt=0xb7f5edf4 "*** Error in
`%s': %s: 0x%s ***\n")
at ../sysdeps/posix/libc_fatal.c:175
#4 0xb7e6c2f7 in malloc_printerr (action=<optimized out>, str=0xb7f5eef0
"free(): invalid next size (fast)",
ptr=<optimized out>, ar_ptr=0xb7fb1780 <main_arena>) at malloc.c:5006
#5 0xb7e6cc31 in _int_free (av=0xb7fb1780 <main_arena>, p=<optimized out>,
have_lock=0) at malloc.c:3867
#6 0x0816a700 in _bfd_coff_read_string_table (abfd=0x825ca08) at
coffgen.c:1743
#7 0x0816d3c9 in coff_get_normalized_symtab (abfd=0x825ca08) at coffgen.c:1956
#8 0x08153f38 in coff_slurp_symbol_table (abfd=0x825ca08) at ./coffcode.h:4783
#9 0x0816a2e6 in coff_get_symtab_upper_bound (abfd=0x825ca08) at coffgen.c:419
#10 0x0804c347 in slurp_symtab (abfd=0x825ca08) at ./objdump.c:615
#11 0x0804b99c in dump_bfd (abfd=0x825ca08) at ./objdump.c:3561
#12 0x0804b742 in display_object_bfd (abfd=0x825ca08) at ./objdump.c:3649
#13 0x0804b6f7 in display_any_bfd (file=0x825ca08, level=0) at ./objdump.c:3738
#14 0x0804b421 in display_file (filename=0xbffff2b0
"/home/min/Downloads/bfd_coff_read_string_table", target=0x0,
last_file=1) at ./objdump.c:3759
#15 0x0804aff0 in main (argc=3, argv=0xbffff094) at ./objdump.c:4061
ASAN output:
==7711==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb61006b1 at
pc 0x080f9f75 bp 0xbfe82888 sp 0xbfe82460
WRITE of size 4 at 0xb61006b1 thread T0
#0 0x80f9f74 in __asan_memset
(/home/min/fuzzing/program/binutils-master-patch/bin/objdump+0x80f9f74)
#1 0x85ed97d in _bfd_coff_read_string_table
/home/min/fuzzing/src/binutils/binutils-gdb/bfd/coffgen.c:1738:3
#2 0x85fdab1 in coff_get_normalized_symtab
/home/min/fuzzing/src/binutils/binutils-gdb/bfd/coffgen.c:1956:20
#3 0x8578d09 in coff_slurp_symbol_table
/home/min/fuzzing/src/binutils/binutils-gdb/bfd/./coffcode.h:4783:25
#4 0x85ec86c in coff_get_symtab_upper_bound
/home/min/fuzzing/src/binutils/binutils-gdb/bfd/coffgen.c:419:8
#5 0x81476cb in slurp_symtab
/home/min/fuzzing/src/binutils/binutils-gdb/binutils/./objdump.c:615:13
#6 0x8145950 in dump_bfd
/home/min/fuzzing/src/binutils/binutils-gdb/binutils/./objdump.c:3561:12
#7 0x81450ef in display_object_bfd
/home/min/fuzzing/src/binutils/binutils-gdb/binutils/./objdump.c:3649:7
#8 0x8144ffb in display_any_bfd
/home/min/fuzzing/src/binutils/binutils-gdb/binutils/./objdump.c:3738:5
#9 0x8144aa0 in display_file
/home/min/fuzzing/src/binutils/binutils-gdb/binutils/./objdump.c:3759:3
#10 0x814421e in main
/home/min/fuzzing/src/binutils/binutils-gdb/binutils/./objdump.c:4061:6
#11 0xb7498636 in __libc_start_main
/build/glibc-KM3i_a/glibc-2.23/csu/../csu/libc-start.c:291
#12 0x806c7c7 in _start
(/home/min/fuzzing/program/binutils-master-patch/bin/objdump+0x806c7c7)
0xb61006b1 is located 0 bytes to the right of 1-byte region
[0xb61006b0,0xb61006b1)
allocated by thread T0 here:
#0 0x8110b04 in malloc
(/home/min/fuzzing/program/binutils-master-patch/bin/objdump+0x8110b04)
#1 0x82cc0d2 in bfd_malloc
/home/min/fuzzing/src/binutils/binutils-gdb/bfd/libbfd.c:193:9
#2 0x85ed92a in _bfd_coff_read_string_table
/home/min/fuzzing/src/binutils/binutils-gdb/bfd/coffgen.c:1730:22
#3 0x85fdab1 in coff_get_normalized_symtab
/home/min/fuzzing/src/binutils/binutils-gdb/bfd/coffgen.c:1956:20
#4 0x8578d09 in coff_slurp_symbol_table
/home/min/fuzzing/src/binutils/binutils-gdb/bfd/./coffcode.h:4783:25
#5 0x85ec86c in coff_get_symtab_upper_bound
/home/min/fuzzing/src/binutils/binutils-gdb/bfd/coffgen.c:419:8
#6 0x81476cb in slurp_symtab
/home/min/fuzzing/src/binutils/binutils-gdb/binutils/./objdump.c:615:13
#7 0x8145950 in dump_bfd
/home/min/fuzzing/src/binutils/binutils-gdb/binutils/./objdump.c:3561:12
#8 0x81450ef in display_object_bfd
/home/min/fuzzing/src/binutils/binutils-gdb/binutils/./objdump.c:3649:7
#9 0x8144ffb in display_any_bfd
/home/min/fuzzing/src/binutils/binutils-gdb/binutils/./objdump.c:3738:5
#10 0x8144aa0 in display_file
/home/min/fuzzing/src/binutils/binutils-gdb/binutils/./objdump.c:3759:3
#11 0x814421e in main
/home/min/fuzzing/src/binutils/binutils-gdb/binutils/./objdump.c:4061:6
#12 0xb7498636 in __libc_start_main
/build/glibc-KM3i_a/glibc-2.23/csu/../csu/libc-start.c:291
Credits:
Mingi Cho and Taekyoung Kwon of the Information Security Lab, Yonsei
University.
--
You are receiving this mail because:
You are on the CC list for the bug.
- [Bug binutils/22507] New: Heap buffer overflow on _bfd_coff_read_string_table,
mgcho.minic at gmail dot com <=