[Bug binutils/24005] New: objdump integer overflow in load_specific_debug_section

From: yanshb at gmail dot com
Subject: [Bug binutils/24005] New: objdump integer overflow in load_specific_debug_section
Date: Wed, 19 Dec 2018 03:11:05 +0000
https://sourceware.org/bugzilla/show_bug.cgi?id=24005
Bug ID: 24005
Summary: objdump integer overflow in load_specific_debug_section
Product: binutils
Version: 2.32 (HEAD)
Status: UNCONFIRMED
Severity: critical
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: yanshb at gmail dot com
Target Milestone: ---
Created attachment 11473
--> https://sourceware.org/bugzilla/attachment.cgi?id=11473&action=edit
POC3
I use a 32-bit objdump on 64-bit Ubuntu 16.04.4 LTS.
The source code is shown as follows in objdump.c.
>2528   bfd_size_type amt;
>2543   amt = section->size + 1;
>2544   section->start = contents = malloc (amt);
>2545   section->user_data = sec;
>2546   if (amt == 0
>2547       || section->start == NULL
>2548       || !bfd_get_full_section_contents (abfd, sec, &contents))
>2549     {
>2550       free_debug_section (debug);
An integer overflow occurs when section->size is 0xFFFFFFFF at line 2543; it triggers
a heap overflow in bfd_get_full_section_contents at line 2548 and finally a crash at
line 2550.
Part of the crash output is shown as follows.
./objdump -g POC3
*** Error in `./objdump': free(): invalid next size (fast): 0x0a0d06b8 ***
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(+0x67377)[0xf7d8a377]
/lib/i386-linux-gnu/libc.so.6(+0x6d2f7)[0xf7d902f7]
/lib/i386-linux-gnu/libc.so.6(+0x6dc31)[0xf7d90c31]
./binutils/objdump[0x804f2c9]
./binutils/objdump[0x804efb9]
./binutils/objdump[0x804f463]
./binutils/objdump[0x80a69f5]
./binutils/objdump[0x804f60f]
./binutils/objdump[0x805174f]
./binutils/objdump[0x805182f]
./binutils/objdump[0x8051a7e]
./binutils/objdump[0x8051aeb]
./binutils/objdump[0x8052458]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf7)[0xf7d3b637]
./binutils/objdump[0x8049b51]
======= Memory map: ========
08048000-08246000 r-xp 00000000 08:22 438569 /e/vul/testcase/binutils/binutils-gdb/binutils/objdump
08246000-08247000 r--p 001fd000 08:22 438569 /e/vul/testcase/binutils/binutils-gdb/binutils/objdump
08247000-0824c000 rw-p 001fe000 08:22 438569 /e/vul/testcase/binutils/binutils-gdb/binutils/objdump
0824c000-08253000 rw-p 00000000 00:00 0
0a0c6000-0a0e7000 rw-p 00000000 00:00 0 [heap]
f7900000-f7921000 rw-p 00000000 00:00 0
f7921000-f7a00000 ---p 00000000 00:00 0
f7adf000-f7afb000 r-xp 00000000 08:06 3802106 /lib/i386-linux-gnu/libgcc_s.so.1
f7afb000-f7afc000 r--p 0001b000 08:06 3802106 /lib/i386-linux-gnu/libgcc_s.so.1
f7afc000-f7afd000 rw-p 0001c000 08:06 3802106 /lib/i386-linux-gnu/libgcc_s.so.1
f7b22000-f7d22000 r--p 00000000 08:06 527047 /usr/lib/locale/locale-archive
f7d22000-f7d23000 rw-p 00000000 00:00 0
f7d23000-f7ed3000 r-xp 00000000 08:06 3805752 /lib/i386-linux-gnu/libc-2.23.so
f7ed3000-f7ed5000 r--p 001af000 08:06 3805752 /lib/i386-linux-gnu/libc-2.23.so
f7ed5000-f7ed6000 rw-p 001b1000 08:06 3805752 /lib/i386-linux-gnu/libc-2.23.so
f7ed6000-f7ed9000 rw-p 00000000 00:00 0
f7ed9000-f7edc000 r-xp 00000000 08:06 3805774 /lib/i386-linux-gnu/libdl-2.23.so
f7edc000-f7edd000 r--p 00002000 08:06 3805774 /lib/i386-linux-gnu/libdl-2.23.so
f7edd000-f7ede000 rw-p 00003000 08:06 3805774 /lib/i386-linux-gnu/libdl-2.23.so
f7efa000-f7efb000 rw-p 00000000 00:00 0
f7efb000-f7f02000 r--s 00000000 08:06 676504 /usr/lib/i386-linux-gnu/gconv/gconv-modules.cache
f7f02000-f7f03000 r--p 002d4000 08:06 527047 /usr/lib/locale/locale-archive
f7f03000-f7f04000 rw-p 00000000 00:00 0
f7f04000-f7f07000 r--p 00000000 00:00 0 [vvar]
f7f07000-f7f09000 r-xp 00000000 00:00 0 [vdso]
f7f09000-f7f2c000 r-xp 00000000 08:06 3805748 /lib/i386-linux-gnu/ld-2.23.so
f7f2c000-f7f2d000 r--p 00022000 08:06 3805748 /lib/i386-linux-gnu/ld-2.23.so
f7f2d000-f7f2e000 rw-p 00023000 08:06 3805748 /lib/i386-linux-gnu/ld-2.23.so
ffd91000-ffdb2000 rw-p 00000000 00:00 0 [stack]
Aborted
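Added example, not binutils code and not part of the report: a guarded version of the "amt = section->size + 1" allocation pattern quoted above. It assumes (as the report's 32-bit build suggests) that bfd_size_type is 64 bits wide while the host size_t is 32 bits, so a 64-bit amt of 0x100000000 is silently converted to 0 at the malloc call and the later full-section read overruns the tiny buffer; bfd_size_type is modelled as uint64_t and the host width is a parameter so the case can be reproduced on any machine. The function names and the 16-byte sample file are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration (not binutils code): bfd_size_type is modelled as
   uint64_t, the width it has in a BFD64 build even on a 32-bit host, and the
   host's size_t width is passed explicitly. */

/* What malloc actually receives when a 64-bit amt passes through a size_t of
   host_bits width: the upper bits are silently dropped. */
uint64_t malloc_arg_as_seen(uint64_t amt, unsigned host_bits)
{
    if (host_bits >= 64)
        return amt;
    return amt & (((uint64_t)1 << host_bits) - 1);
}

/* Guarded replacement for "amt = size + 1": succeeds only when the addition
   cannot wrap, the result survives conversion to the host size_t, and the
   section is no larger than the file it came from.  amt may be NULL. */
bool checked_alloc_size(uint64_t section_size, uint64_t file_size,
                        unsigned host_bits, uint64_t *amt)
{
    if (section_size == UINT64_MAX)            /* size + 1 would wrap to 0 */
        return false;
    uint64_t n = section_size + 1;
    if (malloc_arg_as_seen(n, host_bits) != n) /* malloc would be handed a truncated size */
        return false;
    if (section_size > file_size)              /* header claims more bytes than exist */
        return false;
    if (amt)
        *amt = n;
    return true;
}

/* Copy a section out of an in-memory "file" into a NUL-terminated buffer,
   refusing any size the guard rejects or any range outside the file.
   Returns NULL on rejection; the caller frees the result. */
unsigned char *load_section_copy(const unsigned char *file, uint64_t file_size,
                                 uint64_t offset, uint64_t section_size,
                                 unsigned host_bits)
{
    uint64_t amt;
    if (!checked_alloc_size(section_size, file_size, host_bits, &amt))
        return NULL;
    if (offset > file_size || section_size > file_size - offset)
        return NULL;
    unsigned char *buf = malloc((size_t)amt);
    if (buf == NULL)
        return NULL;
    memcpy(buf, file + offset, (size_t)section_size);
    buf[section_size] = '\0';                  /* the +1 byte: terminator */
    return buf;
}

/* Constructed sample "file": 16 bytes standing in for an object file. */
static const unsigned char sample_file[16] = "0123456789abcdef";

/* Loads bytes 4..9 of the sample as a section on a 32-bit host and checks the
   copy; returns 1 on success, 0 otherwise. */
int demo_load_ok(void)
{
    unsigned char *sec = load_section_copy(sample_file, sizeof sample_file, 4, 6, 32);
    int ok = sec != NULL && strcmp((const char *)sec, "456789") == 0;
    free(sec);
    return ok;
}

int main(void)
{
    /* The report's case: size 0xFFFFFFFF on a host with a 32-bit size_t. */
    printf("malloc would receive %llu bytes for size 0xFFFFFFFF\n",
           (unsigned long long)malloc_arg_as_seen(0xFFFFFFFFULL + 1, 32));
    printf("guard accepts that size: %s\n",
           checked_alloc_size(0xFFFFFFFFULL, sizeof sample_file, 32, NULL) ? "yes" : "no");
    printf("sample section loaded correctly: %s\n", demo_load_ok() ? "yes" : "no");
    return 0;
}
```

The file-size comparison is the check that actually catches the attached POC on either host width: a section whose header claims 4 GiB cannot come from a file smaller than that, so the read is refused before any buffer is allocated.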