https://sourceware.org/bugzilla/show_bug.cgi?id=21665
Bug ID: 21665
Summary: Multiple heap based buffer overflow in the objdump tool of the GNU Binutils.
Product: binutils
Version: 2.28
Status: UNCONFIRMED
Severity: critical
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: v.owl337 at gmail dot com
Target Milestone: ---

Created attachment 10217 --> https://sourceware.org/bugzilla/attachment.cgi?id=10217&action=edit

./objdump -S $POC

The first heap overflow debug information is below:

$ ./objdump -S POC1
...
Disassembly of section .init:

0000000000401ab0 <.init>:
=================================================================
==14591==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf4c00bf4 at pc 0xf72e3c75 bp 0xffa3a548 sp 0xffa3a11c
READ of size 148 at 0xf4c00bf4 thread T0
    #0 0xf72e3c74 in __asan_memcpy (/usr/lib32/libasan.so.2+0x8ac74)
    #1 0xf72e3e2f in memcpy (/usr/lib32/libasan.so.2+0x8ae2f)
    #2 0x824edca in get_build_id /home/icy/real/binutils-2.28/bfd/opncls.c:1833
    #3 0x825e675 in get_build_id /home/icy/real/binutils-2.28/bfd/opncls.c:1782
    #4 0x825e675 in get_build_id_name /home/icy/real/binutils-2.28/bfd/opncls.c:1875
    #5 0x825e675 in find_separate_debug_file /home/icy/real/binutils-2.28/bfd/opncls.c:1386
    #6 0x825e675 in bfd_follow_build_id_debuglink /home/icy/real/binutils-2.28/bfd/opncls.c:1989
    #7 0x84c132d in _bfd_dwarf2_slurp_debug_info dwarf2.c:3920
    #8 0x84c6a40 in _bfd_dwarf2_find_nearest_line dwarf2.c:4115
    #9 0x839a408 in _bfd_elf_find_nearest_line /home/icy/real/binutils-2.28/bfd/elf.c:8565
    #10 0x8073c06 in show_line objdump.c:1434
    #11 0x8073c06 in disassemble_bytes objdump.c:1728
    #12 0x8073c06 in disassemble_section objdump.c:2241
    #13 0x82641fc in bfd_map_over_sections /home/icy/real/binutils-2.28/bfd/section.c:1395
    #14 0x8068597 in disassemble_data objdump.c:2375
    #15 0x8068597 in dump_bfd objdump.c:3469
    #16 0x806b0ce in display_object_bfd objdump.c:3526
    #17 0x806b0ce in display_any_bfd objdump.c:3615
    #18 0x8056562 in display_file objdump.c:3636
    #19 0x8056562 in main objdump.c:3919
    #20 0xf70b479d in __libc_start_main (/lib32/libc.so.6+0x1879d)
    #21 0x805944b (/home/icy/real/binutils-2.28/binutils/objdump+0x805944b)

0xf4c00bf4 is located 0 bytes to the right of 36-byte region [0xf4c00bd0,0xf4c00bf4)
allocated by thread T0 here:
    #0 0xf72eff06 in malloc (/usr/lib32/libasan.so.2+0x96f06)
    #1 0x8247518 in bfd_malloc /home/icy/real/binutils-2.28/bfd/libbfd.c:184

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memcpy
Shadow bytes around the buggy address:
  0x3e980120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e980130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e980140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e980150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e980160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x3e980170: fa fa fa fa fa fa fa fa fa fa 00 00 00 00[04]fa
  0x3e980180: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x3e980190: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 04 fa
  0x3e9801a0: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 04 fa
  0x3e9801b0: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 04 fa
  0x3e9801c0: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 04 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==14591==ABORTING

Crash happened at line bfd/opncls.c:1833. The function tries to copy inote.descsz bytes from inote.descdata to build_id->data, but it did not take into account the situation where the value inote.descsz is larger than inote.descdata.

1771 static struct bfd_build_id *
1772 get_build_id (bfd *abfd)
1773 {
...
1825   build_id = bfd_alloc (abfd, sizeof (struct bfd_build_id) + inote.descsz);
1826   if (build_id == NULL)
1827     {
1828       free (contents);
1829       return NULL;
1830     }
1831
1832   build_id->size = inote.descsz;
1833   memcpy (build_id->data, inote.descdata, inote.descsz);
1834   abfd->build_id = build_id;
1835   free (contents);
1836
1837   return build_id;
1838 }
...

The second heap overflow debug information is below:

$ ./objdump -S POC2

fuzz/objdump/output/crashes/id:000008,sig:06,src:000000,op:flip1,pos:92180:     file format elf64-x86-64

Disassembly of section .init:

0000000000401ab0 <.init>:
  401ab0:	be be be be be       	mov    $0xbebebebe,%esi
  401ab5:	be be be be be       	mov    $0xbebebebe,%esi
  401aba:	be be be be be       	mov    $0xbebebebe,%esi
  401abf:	be be be be be       	mov    $0xbebebebe,%esi
  401ac4:	be be be be be       	mov    $0xbebebebe,%esi
  401ac9:	be                   	.byte 0xbe
=================================================================
==96445==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf4300b0a at pc 0x0807eefe bp 0xffad0b58 sp 0xffad0b48
READ of size 1 at 0xf4300b0a thread T0
    #0 0x807eefd in disassemble_bytes objdump.c:1692
    #1 0x807eefd in disassemble_section objdump.c:2241
    #2 0x82641fc in bfd_map_over_sections /home/icy/real/binutils-2.28/bfd/section.c:1395
    #3 0x8068597 in disassemble_data objdump.c:2375
    #4 0x8068597 in dump_bfd objdump.c:3469
    #5 0x806b0ce in display_object_bfd objdump.c:3526
    #6 0x806b0ce in display_any_bfd objdump.c:3615
    #7 0x8056562 in display_file objdump.c:3636
    #8 0x8056562 in main objdump.c:3919
    #9 0xf6fbc79d in __libc_start_main (/lib32/libc.so.6+0x1879d)
    #10 0x805944b (/home/icy/real/binutils-2.28/binutils/objdump+0x805944b)

0xf4300b0a is located 0 bytes to the right of 26-byte region [0xf4300af0,0xf4300b0a)
allocated by thread T0 here:
    #0 0xf71f7f06 in malloc (/usr/lib32/libasan.so.2+0x96f06)
    #1 0x88832a7 in xmalloc xmalloc.c:148

SUMMARY: AddressSanitizer: heap-buffer-overflow objdump.c:1692 disassemble_bytes
Shadow bytes around the buggy address:
  0x3e860110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e860120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e860130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e860140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e860150: fa fa fa fa fa fa fa fa fd fd fd fd fa fa 00 00
=>0x3e860160: 00[02]fa fa 00 00 00 04 fa fa 00 00 00 04 fa fa
  0x3e860170: fd fd fd fd fa fa 00 00 03 fa fa fa 00 00 05 fa
  0x3e860180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e860190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e8601a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e8601b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==96445==ABORTING

The array data accesses uninitialized memory at line objdump.c:1692.

1615 static void
1616 disassemble_bytes (struct disassemble_info * inf,
...
1687   aux->reloc = NULL;
1688
1689   /* If we see more than SKIP_ZEROES octets of zeroes, we just
1690      print `...'.  */
1691   for (z = addr_offset * opb; z < stop_offset * opb; z++)
1692     if (data[z] != 0)
1693       break;
1694   if (! disassemble_zeroes
...

Credits:

This vulnerability was detected by team OWL337 with our custom fuzzer collAFL. Please contact ganshui...@gmail.com and ch...@tsinghua.edu.cn if you need more information about the team, the tool or the vulnerability.

_______________________________________________
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils
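Both crashes in this report come from the same class of defect: a size taken from the input file (inote.descsz in get_build_id, stop_offset * opb in disassemble_bytes) drives a memory access without first being compared against the bytes that were actually read into the buffer. The following is an added example, not binutils code and not the reporter's, showing the two checks that a hardened version of each routine needs. It assumes the standard ELF note layout (little-endian 4-byte namesz, descsz and type fields, then the 4-byte-aligned name and descriptor; NT_GNU_BUILD_ID is 3 and the name is "GNU") and uses constructed sample notes and buffers; the struct, function and sample names are this example's own.

```c
/* Added example (not part of binutils or of bug 21665): bounds-checking
 * input-derived sizes before they are used for a memcpy or an array index. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NT_GNU_BUILD_ID 3          /* standard ELF note type for the build id */

/* Same shape as bfd's struct bfd_build_id: a length plus trailing bytes. */
struct build_id {
    size_t size;
    unsigned char data[];
};

static uint32_t rd32le(const unsigned char *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static size_t align4(size_t n) { return (n + 3) & ~(size_t)3; }

/* Parse one ELF note from a section image of sec_len bytes and return a
 * malloc'd build id, or NULL if anything about the note does not fit.
 * Every offset is validated against sec_len *before* it is dereferenced,
 * so the final memcpy can never read past the buffer. */
static struct build_id *note_get_build_id(const unsigned char *sec, size_t sec_len)
{
    if (sec_len < 12) return NULL;                       /* 3 x 4-byte header */
    uint32_t namesz = rd32le(sec);
    uint32_t descsz = rd32le(sec + 4);
    uint32_t type   = rd32le(sec + 8);
    if (type != NT_GNU_BUILD_ID) return NULL;

    size_t name_off = 12;
    if (namesz > sec_len - name_off) return NULL;        /* name must fit */
    size_t desc_off = name_off + align4(namesz);
    if (desc_off > sec_len) return NULL;                 /* padding must fit */
    if (descsz > sec_len - desc_off) return NULL;        /* the check the report's memcpy lacked */
    if (namesz != 4 || memcmp(sec + name_off, "GNU", 4) != 0) return NULL;

    struct build_id *id = malloc(sizeof *id + descsz);
    if (id == NULL) return NULL;
    id->size = descsz;
    memcpy(id->data, sec + desc_off, descsz);            /* provably in bounds */
    return id;
}

/* Count the zero octets at the start of data[addr_offset*opb, stop_offset*opb),
 * mirroring objdump's SKIP_ZEROES scan, but with the end index clamped to the
 * real allocation length so a section size larger than the bytes read cannot
 * push the loop past the end of the buffer. */
static size_t leading_zero_octets(const unsigned char *data, size_t len,
                                  size_t addr_offset, size_t stop_offset, size_t opb)
{
    size_t start = addr_offset * opb, end = stop_offset * opb, z = start;
    if (end > len) end = len;                            /* clamp to what was allocated */
    for (; z < end; z++)
        if (data[z] != 0) break;
    return z - start;
}

/* Constructed sample notes: a valid 20-byte build id, and the same note with
 * descsz set to 148 (the read size in the report) while only 20 bytes follow. */
static const unsigned char sample_good_note[36] = {
    0x04, 0, 0, 0,  0x14, 0, 0, 0,  0x03, 0, 0, 0,  'G', 'N', 'U', 0,
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20 };
static const unsigned char sample_bad_note[36] = {
    0x04, 0, 0, 0,  0x94, 0, 0, 0,  0x03, 0, 0, 0,  'G', 'N', 'U', 0,
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20 };
/* Constructed 26-byte buffers, the allocation size seen in the second trace. */
static const unsigned char sample_zero_run[26] = { 0 };
static const unsigned char sample_mixed[26]    = { 0, 0, 0, 0, 0, 0xbe };

int main(void)
{
    struct build_id *id = note_get_build_id(sample_good_note, sizeof sample_good_note);
    printf("good note: %s, size %zu\n", id ? "accepted" : "rejected", id ? id->size : 0);
    free(id);
    id = note_get_build_id(sample_bad_note, sizeof sample_bad_note);
    printf("oversized descsz: %s\n", id ? "accepted" : "rejected");
    free(id);
    /* stop_offset 30 with opb 1 on a 26-byte buffer: scan stops at 26. */
    printf("zero octets (clamped): %zu\n", leading_zero_octets(sample_zero_run, 26, 0, 30, 1));
    printf("zero octets (mixed):   %zu\n", leading_zero_octets(sample_mixed, 26, 0, 30, 1));
    return 0;
}
```

The two checks are deliberately placed before any pointer arithmetic is used: descsz is compared with the bytes remaining after the name, and the zero scan's end index is clamped to the allocation, which is exactly the information the two crashing call sites had available but did not consult.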