bug-binutils
From: nguyenmanhdung1710 at gmail dot com
Subject: [Bug binutils/25823] New: Use after free in bfd_hash_lookup(), as demonstrated by nm-new
Date: Wed, 15 Apr 2020 05:27:33 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=25823

            Bug ID: 25823
           Summary: Use after free in bfd_hash_lookup(), as demonstrated
                    by nm-new
           Product: binutils
           Version: 2.35 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: nguyenmanhdung1710 at gmail dot com
  Target Milestone: ---

Created attachment 12458
  --> https://sourceware.org/bugzilla/attachment.cgi?id=12458&action=edit
PoC for a UAF in nm-new

Hi,

A use-after-free was discovered in nm-new (the latest commit, c98a454) in
bfd_hash_lookup() that can cause a denial of service via a crafted file.

To reproduce: nm-new -C PoC

ASAN says:
READ of size 19 at 0x7f865818780e thread T0
    #0 0x7f86570dd2c4  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x472c4)
    #1 0x429e27 in bfd_hash_lookup ../../bfd/hash.c:475
    #2 0x4339e7 in bfd_get_section_by_name ../../bfd/section.c:899
    #3 0x5a0076 in _bfd_pei_swap_sym_in /home/dungnguyen/fuzz/binutils-gdb/obj-asan/bfd/peXXigen.c:170
    #4 0x5dbef1 in coff_get_normalized_symtab ../../bfd/coffgen.c:1816
    #5 0x59c981 in coff_slurp_symbol_table ../../bfd/coffcode.h:4531
    #6 0x5d2898 in coff_get_symtab_upper_bound ../../bfd/coffgen.c:411
    #7 0x43609c in _bfd_generic_read_minisymbols ../../bfd/syms.c:802
    #8 0x4072f1 in display_rel_file ../../binutils/nm.c:1126
    #9 0x4081c5 in display_file ../../binutils/nm.c:1393
    #10 0x409c6a in main ../../binutils/nm.c:1874
    #11 0x7f8656ae882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #12 0x402ce8 in _start (/home/dungnguyen/PoCs/readelf_f717994/nm+0x402ce8)

0x7f865818780e is located 14 bytes inside of 235653-byte region [0x7f8658187800,0x7f86581c1085)
freed by thread T0 here:
    #0 0x7f865712e32a in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9832a)
    #1 0x5db9ba in _bfd_coff_free_symbols ../../bfd/coffgen.c:1756
    #2 0x5d1ef4 in coff_real_object_p ../../bfd/coffgen.c:302
    #3 0x592c2c in pe_bfd_object_p ../../bfd/peicode.h:1504
    #4 0x428442 in bfd_check_format_matches ../../bfd/format.c:343
    #5 0x408168 in display_file ../../binutils/nm.c:1389
    #6 0x409c6a in main ../../binutils/nm.c:1874
    #7 0x7f8656ae882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

previously allocated by thread T0 here:
    #0 0x7f865712e662 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98662)
    #1 0x42be64 in bfd_malloc ../../bfd/libbfd.c:275
    #2 0x5db59b in _bfd_coff_read_string_table ../../bfd/coffgen.c:1714
    #3 0x5d2cb7 in _bfd_coff_internal_syment_name ../../bfd/coffgen.c:464
    #4 0x5a0014 in _bfd_pei_swap_sym_in /home/dungnguyen/fuzz/binutils-gdb/obj-asan/bfd/peXXigen.c:161
    #5 0x59327b in handle_COMDAT ../../bfd/coffcode.h:925
    #6 0x59406c in styp_to_sec_flags ../../bfd/coffcode.h:1306
    #7 0x5d0c9a in make_a_section_from_file ../../bfd/coffgen.c:130
    #8 0x5d1ec8 in coff_real_object_p ../../bfd/coffgen.c:297
    #9 0x592c2c in pe_bfd_object_p ../../bfd/peicode.h:1504
    #10 0x428442 in bfd_check_format_matches ../../bfd/format.c:343
    #11 0x408168 in display_file ../../binutils/nm.c:1389
    #12 0x409c6a in main ../../binutils/nm.c:1874
    #13 0x7f8656ae882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

Thanks,
Manh Dung
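
Added example (not code from binutils or from the reporter): a small C model of the lifetime bug the three stacks in the report describe. The allocation stack shows the COFF string table being read and cached while sections are still being created (handle_COMDAT -> _bfd_pei_swap_sym_in -> _bfd_coff_internal_syment_name -> _bfd_coff_read_string_table); the free stack shows coff_real_object_p releasing it through _bfd_coff_free_symbols; the use stack shows a later bfd_get_section_by_name() handing bfd_hash_lookup() a name 14 bytes into the freed region, which, given the 4-byte size field at the start of a COFF string table, is inside the names area. The model assumes the stale pointer is a section name that still points into the cached table after the free; that is consistent with the offsets in the report but is an assumption, and every struct and function name below is a stand-in, not BFD's. It shows two disciplines that together close this class of bug: the cached table pointer is cleared on free so no reader can follow it, and long-lived records take their own copy of a name instead of pointing into a transient buffer. The string table image is constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for BFD's asection and per-object COFF data. */
struct section { const char *name; char *owned; };   /* owned: heap copy of name, or NULL */
struct obj {
    char *strtab; size_t strtab_len;   /* cached COFF string table, freed before the sections */
    struct section secs[4]; int nsecs;
};

/* Constructed COFF-style string table: 4-byte little-endian total size (which counts
   itself) followed by NUL-terminated names; offsets count from the size field. */
static const unsigned char FILE_IMAGE[] = {
    0x1e, 0x00, 0x00, 0x00,                                  /* size = 30 */
    '.', 't', 'e', 'x', 't', '$', 'm', 'n', '\0',            /* offset 4  */
    '.', 'r', 'd', 'a', 't', 'a', '$', 'z', 'z', 'z', '\0',  /* offset 13 */
    '.', 'd', 'a', 't', 'a', '\0',                           /* offset 24 */
};

/* Like _bfd_coff_read_string_table: validate the size field, cache a heap copy. */
static int read_string_table(struct obj *o, const unsigned char *img, size_t len)
{
    if (len < 4) return -1;
    uint32_t size = (uint32_t)img[0] | (uint32_t)img[1] << 8 | (uint32_t)img[2] << 16 | (uint32_t)img[3] << 24;
    if (size < 4 || size > len) return -1;       /* table claims bytes the file does not have */
    if (!(o->strtab = malloc(size))) return -1;
    memcpy(o->strtab, img, size);
    o->strtab_len = size;
    return 0;
}

/* Name at an offset, or NULL if the table is gone, the offset is out of range,
   or the string is not NUL-terminated inside the table. */
static const char *strtab_name(const struct obj *o, uint32_t off)
{
    if (!o->strtab || off < 4 || off >= o->strtab_len) return NULL;
    return memchr(o->strtab + off, '\0', o->strtab_len - off) ? o->strtab + off : NULL;
}

/* copy_name == 0: the section keeps a raw pointer into strtab (the bug).
   copy_name != 0: it gets its own copy that outlives free_symbols() (the fix). */
static int add_section(struct obj *o, uint32_t name_off, int copy_name)
{
    const char *n = strtab_name(o, name_off);
    if (!n || o->nsecs >= 4) return -1;
    struct section *s = &o->secs[o->nsecs];
    s->owned = NULL;
    if (copy_name) {
        size_t len = strlen(n) + 1;
        if (!(s->owned = malloc(len))) return -1;
        memcpy(s->owned, n, len);
    }
    s->name = copy_name ? s->owned : n;
    o->nsecs++;
    return 0;
}

/* Like _bfd_coff_free_symbols: the table goes away, the section records stay.
   Clearing the pointer is what keeps a later strtab_name() from following it. */
static void free_symbols(struct obj *o) { free(o->strtab); o->strtab = NULL; o->strtab_len = 0; }

/* Does any section still name itself through the freed table? This is the invariant the
   report shows violated; checking it lets the demo stop short of the actual use-after-free. */
static int has_dangling_name(const struct obj *o)
{
    if (o->strtab) return 0;
    for (int i = 0; i < o->nsecs; i++) if (!o->secs[i].owned) return 1;
    return 0;
}

/* Like bfd_get_section_by_name: the strcmp() on each name is the read ASan flagged. */
static struct section *get_section_by_name(struct obj *o, const char *want)
{
    for (int i = 0; i < o->nsecs; i++)
        if (strcmp(o->secs[i].name, want) == 0) return &o->secs[i];
    return NULL;
}

/* The report's sequence: sections built from the table, table freed, lookup by name.
   Returns 1 if ".rdata$zzz" was found safely, 0 if the lookup was skipped because a
   name dangles, -1 if the table was malformed. */
static int demo(int copy_names)
{
    struct obj o = {0};
    int result = -1;
    if (read_string_table(&o, FILE_IMAGE, sizeof FILE_IMAGE) == 0
        && add_section(&o, 4, copy_names) == 0 && add_section(&o, 13, copy_names) == 0) {
        free_symbols(&o);
        result = has_dangling_name(&o) ? 0 : get_section_by_name(&o, ".rdata$zzz") != NULL;
    }
    free_symbols(&o);
    for (int i = 0; i < o.nsecs; i++) free(o.secs[i].owned);
    return result;
}

int main(void)
{
    printf("raw pointer into strtab: %s\n", demo(0) == 1 ? "lookup ok" : "name dangles, lookup skipped");
    printf("owned copy of the name:  %s\n", demo(1) == 1 ? "lookup ok" : "lookup failed");
    return 0;
}
```

Build with cc -std=c11 -Wall and run. To see the shape of the report above reproduced on the model, remove the has_dangling_name() guard in demo() and build with -fsanitize=address: ASan then reports a heap-use-after-free with the read in get_section_by_name, the free in free_symbols and the allocation in read_string_table, the same three-stack layout as the nm-new report.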
