bug-binutils

[Bug binutils/23685] New: heap based buffer overflow vulnerability in bfd_getl32 in libbfd.c in binutils-2.31.1


From: 92wyunchao at gmail dot com
Subject: [Bug binutils/23685] New: heap based buffer overflow vulnerability in bfd_getl32 in libbfd.c in binutils-2.31.1
Date: Wed, 19 Sep 2018 13:47:13 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=23685

            Bug ID: 23685
           Summary: heap based buffer overflow vulnerability in bfd_getl32
                    in libbfd.c in binutils-2.31.1
           Product: binutils
           Version: 2.31
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: 92wyunchao at gmail dot com
  Target Milestone: ---

Created attachment 11261
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11261&action=edit
poc file to reproduce the crash

There exists a heap-based buffer overflow vulnerability in bfd_getl32 in
libbfd.c in binutils-2.31.1, which allows an attacker to cause a denial of
service through a crafted PE file. This vulnerability can be triggered by the
objdump executable.

$uname -a
Linux ubuntu 4.4.0-31-generic #50~14.04.1-Ubuntu SMP Wed Jul 13 01:06:37 UTC
2016 i686 i686 i686 GNU/Linux


$ASAN_OPTIONS=halt_on_error=false:allow_addr2line=true ./objdump --dwarf-check
-C -g -f -dwarf -x $poc

ASan:
==21442==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb37033f8 at
pc 0x840b006 bp 0xbfcc6a78 sp 0xbfcc6a70
READ of size 1 at 0xb37033f8 thread T0
    #0 0x840b005 in bfd_getl32
/home/rookie/asan/binutils-2.31.1/bfd/libbfd.c:656
    #1 0x881e876 in pe_print_edata
/home/rookie/asan/binutils-2.31.1/bfd/peigen.c:1791
    #2 0x881e876 in _bfd_pe_print_private_bfd_data_common
/home/rookie/asan/binutils-2.31.1/bfd/peigen.c:2907
    #3 0x87df6af in pe_print_private_bfd_data
/home/rookie/asan/binutils-2.31.1/bfd/./peicode.h:336
    #4 0x80e3f94 in dump_bfd_private_header
/home/rookie/asan/binutils-2.31.1/binutils/./objdump.c:2996
    #5 0x80e3f94 in dump_bfd
/home/rookie/asan/binutils-2.31.1/binutils/./objdump.c:3589
    #6 0x80e10b9 in display_object_bfd
/home/rookie/asan/binutils-2.31.1/binutils/./objdump.c:3688
    #7 0x80e10b9 in display_any_bfd
/home/rookie/asan/binutils-2.31.1/binutils/./objdump.c:3777
    #8 0x80ddea0 in display_file
/home/rookie/asan/binutils-2.31.1/binutils/./objdump.c:3798
    #9 0x80ddea0 in main
/home/rookie/asan/binutils-2.31.1/binutils/./objdump.c:4100
    #10 0xb74a3af2 (/lib/i386-linux-gnu/libc.so.6+0x19af2)
    #11 0x80d6324 in _start
(/home/rookie/asan/binutils-2.31.1/tmp/bin/objdump+0x80d6324)

0xb37033f8 is located 0 bytes to the right of 136-byte region
[0xb3703370,0xb37033f8)
allocated by thread T0 here:
    #0 0x80bef51 in malloc
(/home/rookie/asan/binutils-2.31.1/tmp/bin/objdump+0x80bef51)
    #1 0x8406e09 in bfd_malloc
/home/rookie/asan/binutils-2.31.1/bfd/libbfd.c:271
    #2 0x87df6af in pe_print_private_bfd_data
/home/rookie/asan/binutils-2.31.1/bfd/./peicode.h:336
    #3 0x80e10b9 in display_object_bfd
/home/rookie/asan/binutils-2.31.1/binutils/./objdump.c:3688
    #4 0x80e10b9 in display_any_bfd
/home/rookie/asan/binutils-2.31.1/binutils/./objdump.c:3777
    #5 0x80ddea0 in display_file
/home/rookie/asan/binutils-2.31.1/binutils/./objdump.c:3798
    #6 0x80ddea0 in main
/home/rookie/asan/binutils-2.31.1/binutils/./objdump.c:4100
    #7 0xb74a3af2 (/lib/i386-linux-gnu/libc.so.6+0x19af2)

SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/rookie/asan/binutils-2.31.1/bfd/libbfd.c:656 bfd_getl32
Shadow bytes around the buggy address:
  0x366e0620: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x366e0630: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x366e0640: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x366e0650: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x366e0660: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 00 00
=>0x366e0670: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[fa]
  0x366e0680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x366e0690: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x366e06a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x366e06b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x366e06c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==21442==ABORTING
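The trace above shows the one-byte READ in bfd_getl32 landing exactly at the end of the 136-byte heap region allocated from pe_print_private_bfd_data, so the export-table printer (pe_print_edata) walked one field past the buffer it was handed. As an added illustration, not binutils code and not the project's fix, the C below shows the accessor pattern that closes this class of bug: a little-endian 32-bit read that also receives the buffer length and refuses any read whose four bytes are not fully inside it. All function names and the 136-byte sample buffer are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Unchecked little-endian 32-bit read: the shape of the accessor that ASan
   flagged. It trusts the caller to keep `p` inside the allocation. */
static uint32_t getl32_unchecked(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Bounds-checked variant: the caller passes the buffer length and an offset,
   and the read is refused unless all four bytes lie inside the buffer.
   `off > len - 4` (after the len < 4 guard) avoids wrapping on `off + 4`. */
static bool getl32_checked(const uint8_t *buf, size_t len, size_t off,
                           uint32_t *out)
{
    if (len < 4 || off > len - 4)
        return false;
    *out = getl32_unchecked(buf + off);
    return true;
}

/* Walk a table of 32-bit fields from `start`, stopping cleanly at the end of
   the buffer instead of reading past it. Returns the number of fields read. */
static size_t count_fields(const uint8_t *buf, size_t len, size_t start)
{
    size_t n = 0;
    uint32_t v;
    for (size_t off = start; getl32_checked(buf, len, off, &v); off += 4)
        n++;
    return n;
}

/* Constructed 8-byte sample: 0x12345678 followed by four zero bytes. */
static const uint8_t SAMPLE[8] = { 0x78, 0x56, 0x34, 0x12, 0, 0, 0, 0 };

#define REGION_LEN 136  /* same size as the heap region in the ASan report */

/* Constructed 136-byte buffer with arbitrary contents. Returns 0 when every
   check behaves as intended, otherwise the number of the failing check. */
static int demo(void)
{
    uint8_t region[REGION_LEN];
    for (size_t i = 0; i < REGION_LEN; i++)
        region[i] = (uint8_t)i;

    uint32_t v;
    /* 1: in-bounds read at the last valid offset (bytes 132..135) succeeds. */
    if (!getl32_checked(region, REGION_LEN, REGION_LEN - 4, &v))
        return 1;
    /* 2: a read starting at offset 136, where the report's READ of size 1
       landed (0 bytes past the end), is rejected instead of overflowing. */
    if (getl32_checked(region, REGION_LEN, REGION_LEN, &v))
        return 2;
    /* 3: a huge offset that would wrap `off + 4` is rejected as well. */
    if (getl32_checked(region, REGION_LEN, SIZE_MAX - 1, &v))
        return 3;
    return 0;
}

int main(void)
{
    printf("demo: %s\n", demo() == 0 ? "all reads bounded" : "check failed");
    printf("fields in SAMPLE: %zu\n", count_fields(SAMPLE, sizeof SAMPLE, 0));
    return 0;
}
```

The same check applies to the caller: rather than trusting a count or offset taken from the file header, the loop that prints table entries should stop when the next 4-byte read would leave the buffer, which is exactly the condition the checked accessor enforces.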
