https://sourceware.org/bugzilla/show_bug.cgi?id=21663
Bug ID: 21663
Summary: There is an integer overflow in the objdump tool of the GNU Binutils.
Product: binutils
Version: 2.28
Status: UNCONFIRMED
Severity: critical
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: v.owl337 at gmail dot com
Target Milestone: ---

Created attachment 10215
  --> https://sourceware.org/bugzilla/attachment.cgi?id=10215&action=edit
./objdump -S POC1

The ASan debugging information is as follows:

$ ./objdump -S POC1
...
ASAN:SIGSEGV
=================================================================
==51582==ERROR: AddressSanitizer: SEGV on unknown address 0x255a0782 (pc 0x082abe10 bp 0xf3f01eb4 sp 0xffe74620 T0)
    #0 0x82abe0f in elf_x86_64_get_plt_sym_val /home/icy/real/binutils-2.28/bfd/elf64-x86-64.c:6669
    #1 0x82f36fa in _bfd_elf_ifunc_get_synthetic_symtab /home/icy/real/binutils-2.28/bfd/elf-ifunc.c:425
    #2 0x82aacd9 in elf_x86_64_get_synthetic_symtab /home/icy/real/binutils-2.28/bfd/elf64-x86-64.c:6700
    #3 0x8069013 in dump_bfd objdump.c:3448
    #4 0x806b0ce in display_object_bfd objdump.c:3526
    #5 0x806b0ce in display_any_bfd objdump.c:3615
    #6 0x8056562 in display_file objdump.c:3636
    #7 0x8056562 in main objdump.c:3919
    #8 0xf703679d in __libc_start_main (/lib32/libc.so.6+0x1879d)
    #9 0x805944b (/home/icy/real/binutils-2.28/binutils/objdump+0x805944b)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/icy/real/binutils-2.28/bfd/elf64-x86-64.c:6669 elf_x86_64_get_plt_sym_val
==51582==ABORTING

This is an integer overflow at line elf64-x86-64.c:6655 in function elf_x86_64_get_plt_sym_val(). With the exact input we provided, line elf64-x86-64.c:6655 will run multiple times, but in the 90th iteration the value of reloc_index is calculated as 3338665986, which exceeds the maximum range of long.

6586 static bfd_vma *
6587 elf_x86_64_get_plt_sym_val (bfd *abfd, asymbol **dynsyms, asection *plt,
6588                             asection *relplt)
6589 {
...
6651       if (p->howto->type != R_X86_64_JUMP_SLOT
6652           && p->howto->type != R_X86_64_IRELATIVE)
6653         continue;
6654
6655       reloc_index = H_GET_32 (abfd, (plt_contents + plt_offset
6656                                      + bed->plt_reloc_offset));
6657       if (reloc_index < count)
6658         {
6659           if (plt_bnd)
6660             {
...

Credits:
This vulnerability was detected by team OWL337 with our custom fuzzer collAFL. Please contact ganshui...@gmail.com and ch...@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.

_______________________________________________
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils
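The following is an added, stand-alone C example written for this page; it is not binutils code and not part of the report above. It models the check at elf64-x86-64.c:6655-6657 to show why an index read from the file can pass `reloc_index < count`. The reporter's host is 32-bit (the trace loads /lib32/libc.so.6), where `long` is 32 bits, so the example uses `int32_t` to stand in for that `long` regardless of the build host; that a 32-bit `long` is what makes the value wrap negative is the editor's reading of the report, not something the report states. The sample PLT-entry bytes encode the value 3338665986 (0xC7000002) named in the report and are constructed here, not copied from the POC1 attachment. `count` and the element size are made-up parameters.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample input: the four bytes of a fake PLT entry at
   plt_offset + plt_reloc_offset, little-endian, holding 0xC7000002
   (3338665986), the reloc_index value the report says was read in the
   90th iteration.  Not taken from the POC file. */
static const uint8_t poc_entry[4]  = { 0x02, 0x00, 0x00, 0xC7 };
/* A benign index (5) for comparison. */
static const uint8_t sane_entry[4] = { 0x05, 0x00, 0x00, 0x00 };

/* Little-endian 32-bit read, the operation H_GET_32 performs for this
   target.  Always returns an unsigned value. */
static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0]
         | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16)
         | ((uint32_t)p[3] << 24);
}

/* Mirrors the 2.28 pattern: the field is stored in a signed 32-bit
   variable (int32_t models `long` on the reporter's 32-bit host) and
   then compared with `<`.  Converting 0xC7000002 to int32_t yields
   -956301310 on two's-complement compilers (implementation-defined in
   ISO C), and a negative index is always "less than" a positive count. */
int index_accepted_signed(const uint8_t *entry, int32_t count)
{
    int32_t reloc_index = (int32_t)read_le32(entry);
    return reloc_index < count;
}

/* Hardened form: keep the field in an unsigned type as wide as the read
   and compare against an unsigned bound, so 0xC7000002 is rejected by the
   same `<` test instead of slipping through as a negative number. */
int index_accepted_unsigned(const uint8_t *entry, uint32_t count)
{
    uint32_t reloc_index = read_le32(entry);
    return reloc_index < count;
}

/* Byte displacement that plt_sym_val[reloc_index] would apply if the
   signed (wrapped) index were used with the given element size; the
   negative result is why the store lands far outside the array. */
long long offset_bytes_signed(const uint8_t *entry, size_t elem_size)
{
    int32_t reloc_index = (int32_t)read_le32(entry);
    return (long long)reloc_index * (long long)elem_size;
}

int main(void)
{
    const int32_t count = 100;   /* hypothetical number of PLT relocations */

    printf("poc  index: signed check %s, unsigned check %s\n",
           index_accepted_signed(poc_entry, count) ? "accepts" : "rejects",
           index_accepted_unsigned(poc_entry, (uint32_t)count) ? "accepts" : "rejects");
    printf("sane index: signed check %s, unsigned check %s\n",
           index_accepted_signed(sane_entry, count) ? "accepts" : "rejects",
           index_accepted_unsigned(sane_entry, (uint32_t)count) ? "accepts" : "rejects");
    printf("byte offset the wrapped index would apply (8-byte elements): %lld\n",
           offset_bytes_signed(poc_entry, 8));
    return 0;
}
```

The point of the two checks side by side: the bound test itself is not wrong, the type it is performed in is. Once the 32-bit field has been narrowed into a signed variable of the same width, no `<` comparison can catch the high-bit values, so the fix belongs at the load (keep the value unsigned, or widen it before comparing), not at the comparison.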