https://sourceware.org/bugzilla/show_bug.cgi?id=22307
Bug ID: 22307
Summary: Heap out of bounds read in _bfd_elf_parse_gnu_properties()
Product: binutils
Version: 2.30 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: mgcho.minic at gmail dot com
Target Milestone: ---

Created attachment 10535
--> https://sourceware.org/bugzilla/attachment.cgi?id=10535&action=edit
POC to trigger heap out of bounds read

Triggered by "./objdump -x $POC"
Tested on Ubuntu 16.04 (x86)

The GDB debugging information is as follows:

(gdb) r -x $POC
Program received signal SIGSEGV, Segmentation fault.
bfd_getl32 (p=0x21edd94) at libbfd.c:557
557       v = (unsigned long) addr[0];
(gdb) bt
#0  bfd_getl32 (p=0x21edd94) at libbfd.c:557
#1  0x080e6288 in _bfd_elf_parse_gnu_properties (abfd=<optimized out>, note=<optimized out>) at elf-properties.c:98
#2  0x080bfbfc in elfobj_grok_gnu_note (abfd=<optimized out>, note=<optimized out>) at elf.c:9815
#3  elf_parse_notes (abfd=<optimized out>, buf=<optimized out>, size=<optimized out>, offset=<optimized out>) at elf.c:11028
#4  0x080bf3f8 in _bfd_elf_make_section_from_shdr (abfd=<optimized out>, hdr=<optimized out>, name=<optimized out>, shindex=<optimized out>) at elf.c:1092
#5  0x080c266f in bfd_section_from_shdr (abfd=<optimized out>, shindex=<optimized out>) at elf.c:2421
#6  0x080bbc65 in bfd_elf32_object_p (abfd=<optimized out>) at ./elfcode.h:805
#7  0x080a6eca in bfd_check_format_matches (abfd=<optimized out>, format=<optimized out>, matching=<optimized out>) at format.c:311
#8  0x0804a940 in display_object_bfd (abfd=0x81e9a08) at ./objdump.c:3609
#9  display_any_bfd (file=0x81e9a08, level=<optimized out>) at ./objdump.c:3700
#10 0x0804a4ea in display_file (filename=0xbffff305 "/tmp/objdump/libbfd_getl_crash", target=<optimized out>, last_file=<optimized out>) at ./objdump.c:3721
#11 main (argc=<optimized out>, argv=<optimized out>) at ./objdump.c:4023

Credits:
This vulnerability was discovered by Mingi Cho and Taekyoung Kwon of the Information Security Lab, Yonsei University. Please contact mgcho.mi...@gmail.com and taekyo...@yonsei.ac.kr if you need more information about the vulnerability and the lab.

_______________________________________________
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils
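An added illustration, not part of the report or of binutils: the backtrace shows a 32-bit read (bfd_getl32) running off the end of the GNU property note data, and the report does not say which length check is missing. This constructed C parser for NT_GNU_PROPERTY_TYPE_0 descriptors (entry layout and 4/8-byte alignment as given by the gABI, assumed here) shows the checks that keep such a walk inside its buffer; the sample inputs are constructed, not taken from the PoC attachment.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Little-endian 32-bit read, the job bfd_getl32 does in the backtrace. */
static uint32_t getl32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walk an NT_GNU_PROPERTY_TYPE_0 descriptor: entries of
   { u32 pr_type; u32 pr_datasz; u8 pr_data[pr_datasz]; }, each padded to
   `align` bytes (4 on ELF32, 8 on ELF64).  Every read is checked against the
   bytes still in the buffer, so a truncated or oversized entry returns -1
   instead of reading past the end of the allocation.  Returns the entry count. */
static int parse_gnu_properties(const unsigned char *buf, size_t size, size_t align)
{
    size_t off = 0;
    int count = 0;

    if (size == 0)
        return -1;                      /* an empty descriptor is malformed */
    while (off < size) {
        if (size - off < 8)             /* no room for pr_type + pr_datasz */
            return -1;
        uint32_t datasz = getl32(buf + off + 4);  /* pr_type at buf+off unused here */
        off += 8;
        if (datasz > size - off)        /* pr_data would overrun the buffer */
            return -1;
        off += datasz;
        off = (off + align - 1) & ~(align - 1);   /* advance to the next aligned entry */
        if (off > size)                 /* the entry's padding is missing */
            return -1;
        count++;
    }
    return count;
}

/* Constructed inputs (not taken from the PoC attachment): one well-formed
   entry, one descriptor cut off after 6 bytes, one with pr_datasz = 0x100. */
static const unsigned char good[]      = { 2,0,0,0xc0, 4,0,0,0, 1,0,0,0 };
static const unsigned char truncated[] = { 2,0,0,0xc0, 4,0 };
static const unsigned char oversized[] = { 2,0,0,0xc0, 0,1,0,0 };

int demo_good(void)      { return parse_gnu_properties(good, sizeof good, 4); }
int demo_truncated(void) { return parse_gnu_properties(truncated, sizeof truncated, 4); }
int demo_oversized(void) { return parse_gnu_properties(oversized, sizeof oversized, 4); }

int main(void) { printf("%d %d %d\n", demo_good(), demo_truncated(), demo_oversized()); return 0; }
```

Passing align 8 to the same 12-byte well-formed input is also rejected, since an ELF64 entry would need 4 more bytes of padding than the buffer holds.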