bug-binutils

[Bug binutils/23361] New: OOM-Bug in bfd_malloc in libbfd.c


From: 92wyunchao at gmail dot com
Subject: [Bug binutils/23361] New: OOM-Bug in bfd_malloc in libbfd.c
Date: Sun, 01 Jul 2018 13:13:43 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=23361

            Bug ID: 23361
           Summary: OOM-Bug in bfd_malloc in libbfd.c
           Product: binutils
           Version: 2.30
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: 92wyunchao at gmail dot com
  Target Milestone: ---

Created attachment 11114
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11114&action=edit
poc to reproduce the crash

bfd_malloc in binutils-2.30/bfd/libbfd.c, as distributed in GNU Binutils
2.30, allows attackers to trigger excessive memory consumption (aka OOM). This
can occur during execution of nm.

To reproduce:
# CC=clang CXX=clang++ CFLAGS="-fsanitize=address -fsanitize-recover=address -ggdb" CXXFLAGS="-fsanitize=address -fsanitize-recover=address -ggdb" LDFLAGS="-fsanitize=address" ./configure
# ASAN_OPTIONS=halt_on_error=false:allow_addr2line=true ./nm-new $poc

ASan:
==90210==AddressSanitizer CHECK failed: /build/llvm-toolchain-3.8-_PD09B/llvm-toolchain-3.8-3.8/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:183 "((0 && "unable to mmap")) != (0)" (0x0, 0x0)
    #0 0x4c2a9d in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) asan_rtl.cc.o
    #1 0x4c96c3 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/home/s2e/asan/binutils-2.30/binutils/nm-new+0x4c96c3)
    #2 0x4c98b1 in __sanitizer::ReportMmapFailureAndDie(unsigned long, char const*, char const*, int, bool) (/home/s2e/asan/binutils-2.30/binutils/nm-new+0x4c98b1)
    #3 0x4d2822 in __sanitizer::MmapOrDie(unsigned long, char const*, bool) (/home/s2e/asan/binutils-2.30/binutils/nm-new+0x4d2822)
    #4 0x41f4af in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (/home/s2e/asan/binutils-2.30/binutils/nm-new+0x41f4af)
    #5 0x4b9471 in malloc (/home/s2e/asan/binutils-2.30/binutils/nm-new+0x4b9471)
    #6 0x52405c in bfd_malloc /home/s2e/asan/binutils-2.30/bfd/libbfd.c:193
    #7 0x6a5118 in _bfd_elf_parse_attributes /home/s2e/asan/binutils-2.30/bfd/elf-attrs.c:441
    #8 0x5ce586 in bfd_section_from_shdr /home/s2e/asan/binutils-2.30/bfd/elf.c:2465
    #9 0x71a003 in bfd_elf32_object_p /home/s2e/asan/binutils-2.30/bfd/./elfcode.h:805
    #10 0x51dd2c in bfd_check_format_matches /home/s2e/asan/binutils-2.30/bfd/format.c:311
    #11 0x4ec122 in display_file /home/s2e/asan/binutils-2.30/binutils/nm.c:1321
    #12 0x4eb893 in main /home/s2e/asan/binutils-2.30/binutils/nm.c:1799
    #13 0x7f154296e82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #14 0x419368 in _start (/home/s2e/asan/binutils-2.30/binutils/nm-new+0x419368)

-- 
You are receiving this mail because:
You are on the CC list for the bug.
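
Added example, not part of the original report and not binutils code: the trace above reaches bfd_malloc from _bfd_elf_parse_attributes while a section is being loaded, and this sketch shows the usual defence for that class of bug, assuming the requested size comes from an untrusted section header. The struct sec_hdr type and the section_fits and load_section helpers are hypothetical names, and the file image and headers in main are constructed sample input.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical minimal view of an untrusted section header (not the BFD struct). */
struct sec_hdr {
    uint64_t sh_offset;  /* where the section's bytes start in the file */
    uint64_t sh_size;    /* how many bytes the header claims to hold */
};

/* Returns 1 if [sh_offset, sh_offset + sh_size) lies inside the file.
   Uses a subtraction so that offset + size can never wrap around. */
int section_fits(const struct sec_hdr *h, uint64_t file_size)
{
    if (h->sh_size == 0 || h->sh_offset > file_size)
        return 0;
    return h->sh_size <= file_size - h->sh_offset;
}

/* Copies a section out of an in-memory file image. The claimed size is
   checked against the real file size before malloc, so a header that
   claims gigabytes inside a tiny file is rejected without the allocator
   ever being asked for that much memory.
   Returns a NUL-terminated heap buffer, or NULL if rejected. */
unsigned char *load_section(const unsigned char *file, uint64_t file_size,
                            const struct sec_hdr *h)
{
    if (!section_fits(h, file_size) || h->sh_size >= SIZE_MAX)
        return NULL;
    unsigned char *buf = malloc((size_t)h->sh_size + 1);
    if (buf == NULL)
        return NULL;
    memcpy(buf, file + h->sh_offset, (size_t)h->sh_size);
    buf[h->sh_size] = 0;
    return buf;
}

int main(void)
{
    unsigned char file[64];                   /* constructed 64-byte "file" */
    memset(file, 'A', sizeof file);
    struct sec_hdr ok = { 16, 8 };            /* fits inside the file */
    struct sec_hdr huge = { 16, 0xfffffff0u };/* claims ~4 GiB in 64 bytes */
    unsigned char *p = load_section(file, sizeof file, &ok);
    int rc = (p != NULL && load_section(file, sizeof file, &huge) == NULL) ? 0 : 1;
    free(p);
    return rc;
}
```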

