bug-binutils
From: yanshb at gmail dot com
Subject: [Bug binutils/24005] New: objdump integer overflow in load_specific_debug_section
Date: Wed, 19 Dec 2018 03:11:05 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=24005

            Bug ID: 24005
           Summary: objdump integer overflow in
                    load_specific_debug_section
           Product: binutils
           Version: 2.32 (HEAD)
            Status: UNCONFIRMED
          Severity: critical
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: yanshb at gmail dot com
  Target Milestone: ---

Created attachment 11473
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11473&action=edit
POC3

I use a 32-bit objdump on 64-bit Ubuntu 16.04.4 LTS.

The source code is shown as follows, from objdump.c.
>2528  bfd_size_type amt;

>2543  amt = section->size + 1;
>2544  section->start = contents = malloc (amt);
>2545  section->user_data = sec;
>2546  if (amt == 0
>2547      || section->start == NULL
>2548      || !bfd_get_full_section_contents (abfd, sec, &contents))
>2549    {
>2550      free_debug_section (debug);

An integer overflow occurs at line 2543 when section->size is 0xFFFFFFFF; it
triggers a heap overflow in bfd_get_full_section_contents at line 2548 and
finally crashes at line 2550.

Part of the crash output is shown below.

./objdump -g POC3

*** Error in `./objdump': free(): invalid next size (fast): 0x0a0d06b8 ***
Aborted
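The wrap described in the report, with a hardened size computation beside it, as an added C example that is neither part of the report nor binutils code; bfd_size_type is modelled as a 32-bit unsigned type, and the file-size bound is an illustration rather than the upstream fix:

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for bfd_size_type on a 32-bit BFD build (assumed for this example). */
typedef uint32_t size_type32;

/* Unchecked form quoted from objdump.c line 2543: a claimed size of
   0xFFFFFFFF wraps to 0, leaving only the later "amt == 0" test as a guard. */
size_type32 unchecked_amt(size_type32 size) { return size + 1; }

/* Hardened form (illustrative, not the upstream patch): refuse the section
   before the addition can wrap, and refuse any size larger than the container
   file, since no section holds more bytes than the file it lives in.
   Returns 0 on rejection; a valid amount is always at least 1. */
size_type32 checked_amt(size_type32 size, size_type32 file_size)
{
    if (size == UINT32_MAX)    /* size + 1 would wrap to 0 */
        return 0;
    if (size > file_size)      /* claimed size exceeds the file */
        return 0;
    return size + 1;
}

/* Loader modelled on load_specific_debug_section: copies the section into a
   NUL-terminated buffer of size+1 bytes, or returns NULL if it is implausible. */
unsigned char *load_section(const unsigned char *file, size_type32 file_size,
                            size_type32 sec_off, size_type32 sec_size)
{
    size_type32 amt = checked_amt(sec_size, file_size);
    /* sec_size <= file_size here, so the subtraction cannot underflow. */
    if (amt == 0 || sec_off > file_size - sec_size)
        return NULL;
    unsigned char *buf = malloc(amt);
    if (buf == NULL)
        return NULL;
    memcpy(buf, file + sec_off, sec_size);
    buf[sec_size] = 0;
    return buf;
}

/* Load a section of a NUL-terminated sample "file" and compare it with the
   expected bytes: 1 on match, 0 if the section was rejected or differs. */
int load_matches(const char *file, size_type32 off, size_type32 sz, const char *expect)
{
    unsigned char *buf = load_section((const unsigned char *)file, (size_type32)strlen(file), off, sz);
    int ok = buf != NULL && strcmp((const char *)buf, expect) == 0;
    free(buf);
    return ok;
}
```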
