[Bug binutils/25306] New: Null Pointer Dereference in bfd/pef.c:bfd_pef

bug-binutils

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Bug binutils/25306] New: Null Pointer Dereference in bfd/pef.c:bfd_pef_

From:	v.manhnd at vincss dot net
Subject:	[Bug binutils/25306] New: Null Pointer Dereference in bfd/pef.c:bfd_pef_parse_symbols()
Date:	Sat, 21 Dec 2019 18:01:48 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=25306

            Bug ID: 25306
           Summary: Null Pointer Dereference in
                    bfd/pef.c:bfd_pef_parse_symbols()
           Product: binutils
           Version: unspecified
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: v.manhnd at vincss dot net
  Target Milestone: ---

Created attachment 12139
  --> https://sourceware.org/bugzilla/attachment.cgi?id=12139&action=edit
The crash PoC

Hello,

There is a null pointer dereference in bfd/pef.c:bfd_pef_parse_symbols().

## Analysis
Look at the following code in bfd/pef.c:bfd_pef_parse_symbols():
----------Code------------
  if (codesec != NULL)
    {
      codelen = codesec->size;
      codebuf = bfd_malloc (codelen);
      if (bfd_seek (abfd, codesec->filepos, SEEK_SET) < 0)
        goto end;
      if (bfd_bread ((void *) codebuf, codelen, abfd) != codelen)
        goto end;
    }
---------------------------
In the code above, codebuf is allocated without checking if the return pointer
is null, which makes the writing to codebuf by bfd_bread invalid.

## Reproduce
The attachment makes objdump crashes provided objdump is built in 32-bit.
----------Log--------------
root@manh-ubuntu16:~/fuzz/fuzz_binutils# binutils-gdb-gcc-32/binutils/objdump
-x crash-objdump 

crash-objdump:     file format pef
crash-objdump
architecture: powerpc:common64, flags 0x000001ff:
HAS_RELOC, EXEC_P, HAS_LINENO, HAS_DEBUG, HAS_SYMS, HAS_LOCALS, DYNAMIC,
WP_TEXT, D_PAGED
start address 0x0000000000000630

Segmentation fault (core dumped)
---------------------------
Tested with version 39aa149769fd05fb6fade43bd41c1d7b6d63d06b of
github.com/bminor/binutils-gdb

--
Thanks & Regards,
Nguyen Duc Manh
VinCSS (a member of Vingroup)
[M] (+84) 346136886
[E] address@hidden
[W]  www.vincss.net

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Prev in Thread]

Current Thread

[Next in Thread]

[Bug binutils/25306] New: Null Pointer Dereference in bfd/pef.c:bfd_pef_parse_symbols(), v.manhnd at vincss dot net <=

Prev by Date: [Bug gas/25224] [Z80][PATCH] Add support for Zilog Z180 and eZ80 CPUs
Next by Date: [Bug binutils/25307] New: Heap-buffer-overflow in bfd/pef.c:bfd_pef_parse_function_stubs()
Previous by thread: Issue 19577 in oss-fuzz
Next by thread: [Bug binutils/25307] New: Heap-buffer-overflow in bfd/pef.c:bfd_pef_parse_function_stubs()
Index(es):
- Date
- Thread