[Bug binutils/23994] New: Heap overflow in libbfd caused by integer over

bug-binutils

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Bug binutils/23994] New: Heap overflow in libbfd caused by integer over

From:	yanshb at gmail dot com
Subject:	[Bug binutils/23994] New: Heap overflow in libbfd caused by integer overflow
Date:	Sun, 16 Dec 2018 08:56:23 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=23994

            Bug ID: 23994
           Summary: Heap overflow in libbfd caused by integer overflow
           Product: binutils
           Version: 2.31
            Status: UNCONFIRMED
          Severity: critical
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: yanshb at gmail dot com
  Target Milestone: ---

Created attachment 11464
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11464&action=edit
Heap overflow in libbfd caused by integer overflow.

Hi there,

A Heap overflow issue was discovered in bfd caused by integer overflow, as
distributed in GNU Binutils 2.31. It also exists with the latest version in
Binutils 2.32 commit 76d2760bc38ada83f81087f16eb151ccc0176574. This issue may
exist for a long time.

The source Code show as follow. Exec Binutils 2.31 "objdump -d poc1" as
example：

In disassemble_data function in objdump.c, line 2463 is a heap allocation. But
'relsize' maybe too small caused by integer overflow . Line 8271 in
_bfd_elf_canonicalize_dynamic_reloc function in elf.c will cause heap overflow.


objdump.c 
>2456  long relsize = bfd_get_dynamic_reloc_upper_bound (abfd); //relsize = 4

>2463    aux.dynrelbuf = (arelent **) xmalloc (relsize);
>2464    aux.dynrelcount = bfd_canonicalize_dynamic_reloc (abfd,  
>2465                                               aux.dynrelbuf,
>2466                                               dynsyms);   //heap overflow

elf.c
>8210  _bfd_elf_get_dynamic_reloc_upper_bound (bfd *abfd)
>8211  {
>8212    long ret; 
  ...

>8226    ret += ((s->size / elf_section_data (s)->this_hdr.sh_entsize) 
>8227      * sizeof(arelent *));   //integer overflow  


>8229    return ret; 
>8230  }

>8241  _bfd_elf_canonicalize_dynamic_reloc (bfd *abfd,
>8242                                arelent **storage, //objdump.c:2463 alloc
>8243                                asymbol **syms)
>8244  {
          ...

>8268     count = s->size / elf_section_data (s)->this_hdr.sh_entsize;
>8269     p = s->relocation;
>8270     for (i = 0; i < count; i++)
>8271       *storage++ = p++;             //heap overflow

          ...
}


The crash output show as follow.

$ ../binutils-gdb/binutils/objdump --version
GNU objdump (GNU Binutils) 2.31.51.20181216


$ ../binutils-gdb/binutils/objdump -d poc2 
../binutils-gdb/binutils/objdump: warning: poc2 has a corrupt section with a
size (fbffffff80) larger than the file size

poc2:     file format elf64-x86-64

*** Error in `../binutils-gdb/binutils/objdump': malloc(): memory corruption:
0x08997948 ***
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(+0x67377)[0xf7d60377]
/lib/i386-linux-gnu/libc.so.6(+0x6d2f7)[0xf7d662f7]
/lib/i386-linux-gnu/libc.so.6(+0x6f3f2)[0xf7d683f2]
/lib/i386-linux-gnu/libc.so.6(__libc_malloc+0xc5)[0xf7d69fc5]
/lib/i386-linux-gnu/libc.so.6(+0x29171)[0xf7d22171]
/lib/i386-linux-gnu/libc.so.6(+0x270a2)[0xf7d200a2]
/lib/i386-linux-gnu/libc.so.6(+0x26a20)[0xf7d1fa20]
/lib/i386-linux-gnu/libc.so.6(dcgettext+0x26)[0xf7d1e8b6]
/lib/i386-linux-gnu/libc.so.6(dgettext+0x12)[0xf7d1e8d2]
../binutils-gdb/binutils/objdump[0x809b1aa]
../binutils-gdb/binutils/objdump[0x8088100]
../binutils-gdb/binutils/objdump[0x80882ad]
../binutils-gdb/binutils/objdump[0x804edfd]
../binutils-gdb/binutils/objdump[0x80516a0]
../binutils-gdb/binutils/objdump[0x805182f]
../binutils-gdb/binutils/objdump[0x8051a7e]
../binutils-gdb/binutils/objdump[0x8051aeb]
../binutils-gdb/binutils/objdump[0x8052458]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf7)[0xf7d11637]
../binutils-gdb/binutils/objdump[0x8049b51]
======= Memory map: ========
08048000-08246000 r-xp 00000000 08:22 433952                            
../testcase/binutils/binutils-gdb/binutils/objdump
08246000-08247000 r--p 001fd000 08:22 433952                            
../testcase/binutils/binutils-gdb/binutils/objdump
08247000-0824c000 rw-p 001fe000 08:22 433952                            
../testcase/binutils/binutils-gdb/binutils/objdump
0824c000-08253000 rw-p 00000000 00:00 0 
0898f000-089b0000 rw-p 00000000 00:00 0                                  [heap]
f7900000-f7921000 rw-p 00000000 00:00 0 
f7921000-f7a00000 ---p 00000000 00:00 0 
f7ab5000-f7ad1000 r-xp 00000000 08:06 3802106                           
/lib/i386-linux-gnu/libgcc_s.so.1
f7ad1000-f7ad2000 r--p 0001b000 08:06 3802106                           
/lib/i386-linux-gnu/libgcc_s.so.1
f7ad2000-f7ad3000 rw-p 0001c000 08:06 3802106                           
/lib/i386-linux-gnu/libgcc_s.so.1
f7af8000-f7cf8000 r--p 00000000 08:06 527047                            
/usr/lib/locale/locale-archive
f7cf8000-f7cf9000 rw-p 00000000 00:00 0 
f7cf9000-f7ea9000 r-xp 00000000 08:06 3805752                           
/lib/i386-linux-gnu/libc-2.23.so
f7ea9000-f7eab000 r--p 001af000 08:06 3805752                           
/lib/i386-linux-gnu/libc-2.23.so
f7eab000-f7eac000 rw-p 001b1000 08:06 3805752                           
/lib/i386-linux-gnu/libc-2.23.so
f7eac000-f7eaf000 rw-p 00000000 00:00 0 
f7eaf000-f7eb2000 r-xp 00000000 08:06 3805774                           
/lib/i386-linux-gnu/libdl-2.23.so
f7eb2000-f7eb3000 r--p 00002000 08:06 3805774                           
/lib/i386-linux-gnu/libdl-2.23.so
f7eb3000-f7eb4000 rw-p 00003000 08:06 3805774                           
/lib/i386-linux-gnu/libdl-2.23.so
f7ed0000-f7ed1000 rw-p 00000000 00:00 0 
f7ed1000-f7ed8000 r--s 00000000 08:06 676504                            
/usr/lib/i386-linux-gnu/gconv/gconv-modules.cache
f7ed8000-f7ed9000 r--p 002d4000 08:06 527047                            
/usr/lib/locale/locale-archive
f7ed9000-f7eda000 rw-p 00000000 00:00 0 
f7eda000-f7edd000 r--p 00000000 00:00 0                                  [vvar]
f7edd000-f7edf000 r-xp 00000000 00:00 0                                  [vdso]
f7edf000-f7f02000 r-xp 00000000 08:06 3805748                           
/lib/i386-linux-gnu/ld-2.23.so
f7f02000-f7f03000 r--p 00022000 08:06 3805748                           
/lib/i386-linux-gnu/ld-2.23.so
f7f03000-f7f04000 rw-p 00023000 08:06 3805748                           
/lib/i386-linux-gnu/ld-2.23.so
ffd42000-ffd63000 rw-p 00000000 00:00 0                                 
[stack]
Aborted

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Prev in Thread]

Current Thread

[Next in Thread]

[Bug binutils/23994] New: Heap overflow in libbfd caused by integer overflow, yanshb at gmail dot com <=
- [Bug binutils/23994] Heap overflow in libbfd caused by integer overflow, yanshb at gmail dot com, 2018/12/16
- [Bug binutils/23994] Heap overflow in libbfd caused by integer overflow, yanshb at gmail dot com, 2018/12/16
- [Bug binutils/23994] Heap overflow in libbfd caused by integer overflow, amodra at gmail dot com, 2018/12/16
- [Bug binutils/23994] Heap overflow in libbfd caused by integer overflow, cvs-commit at gcc dot gnu.org, 2018/12/16
- [Bug binutils/23994] Heap overflow in libbfd caused by integer overflow, amodra at gmail dot com, 2018/12/16
- [Bug binutils/23994] Heap overflow in libbfd caused by integer overflow, yanshb at gmail dot com, 2018/12/20

Prev by Date: [Bug ld/23980] powerpc64 ld segfault when linking libc on FreeBSD
Next by Date: [Bug binutils/23994] Heap overflow in libbfd caused by integer overflow
Previous by thread: [Bug ld/23900] Can't detect GNU program property generated by older linkers
Next by thread: [Bug binutils/23994] Heap overflow in libbfd caused by integer overflow
Index(es):
- Date
- Thread