
[Bug binutils/24644] New: OOM-Bug in _bfd_archive_64_bit_slurp_armap in

From: alex at forallsecure dot com
Subject: [Bug binutils/24644] New: OOM-Bug in _bfd_archive_64_bit_slurp_armap in bfd/archive64.c
Date: Fri, 07 Jun 2019 04:14:18 +0000


            Bug ID: 24644
           Summary: OOM-Bug in _bfd_archive_64_bit_slurp_armap in
           Product: binutils
           Version: 2.33 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: alex at forallsecure dot com
  Target Milestone: ---

Created attachment 11819
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11819&action=edit
Input to reproduce

_bfd_archive_64_bit_slurp_armap reads nsymz from the archive, which is user
controlled. It then attempts to allocate an amount derived from nsymz, which
allows attackers to trigger excessive memory consumption. I'm attaching a
minimized input that triggers that issue. You can observe the behavior with
`ltrace ./objdump -x ./input 2>&1 | grep malloc` or by compiling objdump with
ASAN which produces the following stacktrace:

==39959==ERROR: AddressSanitizer: requested allocation size 0xa0a0a0a0a0a0a18
(0xa0a0a0a0a0a1a18 after adjustments for alignment, red zones etc.) exceeds
maximum supported size of 0x10000000000 (thread T0)
    #0 0x49665d in __interceptor_malloc
    #1 0x1148578 in _objalloc_alloc
    #2 0x7f91d9 in bfd_alloc
    #3 0x7f8381 in bfd_zalloc
    #4 0x10c1636 in _bfd_archive_64_bit_slurp_armap
    #5 0x7d90c6 in bfd_slurp_armap
    #6 0x7d8a84 in bfd_generic_archive_p
    #7 0x7f0da6 in bfd_check_format_matches

- binutils version: commit 12efd68d159444ad8dfe24e49965a228ba980b86 (Wed Jun 5
- OS: Ubuntu 18.04.2, running in a docker container on Mac OS
- Linux 4.9.125-linuxkit
- clang version 9.0.0

Found using ForAllSecure's Mayhem.
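An added example, not binutils code and not the upstream fix for this report: a checked reader for the SYM64 armap header that refuses any symbol count the member cannot physically contain, so the oversized allocation ASAN flagged above is never requested. The 8-byte big-endian count and offset layout and the nine-bytes-per-symbol lower bound are assumptions made for the example; both sample members are constructed here, not taken from the attachment.

```c
/* Added example, not binutils code: bound a SYM64 armap's symbol count by the
   member's own size before allocating anything derived from it. */
#include <stdint.h>
#include <stdlib.h>
/* The 64-bit armap stores its count and offsets as big-endian 64-bit words. */
static uint64_t get_be64(const unsigned char *p)
{
    uint64_t v = 0;
    for (int i = 0; i < 8; i++)
        v = (v << 8) | p[i];
    return v;
}
/* A member of parsed_size bytes holds an 8-byte count, nsymz 8-byte offsets and
   at least a NUL per symbol, so 8 + nsymz*9 <= size; dividing avoids overflow. */
int armap64_count_is_sane(uint64_t nsymz, uint64_t parsed_size)
{
    return parsed_size >= 8 && nsymz <= (parsed_size - 8) / 9;
}
/* Read the count and offsets; the allocation happens only after validation. */
uint64_t *slurp_armap64_checked(const unsigned char *member, uint64_t parsed_size,
                                uint64_t *out_nsymz)
{
    if (parsed_size < 8) return NULL;
    uint64_t nsymz = get_be64(member);
    if (!armap64_count_is_sane(nsymz, parsed_size))
        return NULL;                     /* corrupt or hostile: allocate nothing */
    uint64_t *offsets = malloc((size_t)nsymz * sizeof *offsets); /* bounded now */
    if (offsets == NULL) return NULL;
    for (uint64_t i = 0; i < nsymz; i++)
        offsets[i] = get_be64(member + 8 + i * 8);
    *out_nsymz = nsymz;
    return offsets;
}
/* Constructed input: an absurd count in a 16-byte member must be rejected. */
int demo_hostile_rejected(void)
{
    unsigned char member[16] = { 0x0a, 0x0a, 0x0a, 0x0a, 0x0a, 0x0a, 0x0a, 0x0a };
    uint64_t n = 0;
    return slurp_armap64_checked(member, sizeof member, &n) == NULL;
}
/* Constructed input: two symbols at offsets 8 and 120, names "a" and "b". */
uint64_t demo_benign_count(void)
{
    unsigned char member[28] = { 0,0,0,0,0,0,0,2, 0,0,0,0,0,0,0,8,
                                 0,0,0,0,0,0,0,120, 'a',0,'b',0 };
    uint64_t n = 0, second = 0;
    uint64_t *offs = slurp_armap64_checked(member, sizeof member, &n);
    if (offs) { second = offs[1]; free(offs); }
    return (n == 2 && second == 120) ? n : 0;
}
```

The same size-derived bound applies to any count read from a file before it is multiplied into an allocation size; checking with a division rather than a multiplication is what keeps the comparison itself from overflowing.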
