https://sourceware.org/bugzilla/show_bug.cgi?id=22376
            Bug ID: 22376
           Summary: Heap overflow in coff_slurp_line_table
           Product: binutils
           Version: 2.30 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: mgcho.minic at gmail dot com
  Target Milestone: ---

Created attachment 10562
  --> https://sourceware.org/bugzilla/attachment.cgi?id=10562&action=edit
poc of the crash

Triggered by "./objdump -x $POC"

Tested on Ubuntu 16.04 (x86)

There is no check on the number of tables when processing the line table.

The GDB debugging information is as follows:

(gdb) r -x $POC

Program received signal SIGSEGV, Segmentation fault.
0x080c55f5 in bfd_getl32 (p=0x8276000) at libbfd.c:557
557       v = (unsigned long) addr[0];
(gdb) bt
#0  0x080c55f5 in bfd_getl32 (p=0x8276000) at libbfd.c:557
#1  0x081544d5 in _bfd_pei_swap_lineno_in (abfd=0x8255a08, ext1=0x8276000, in1=0xbfffeac0) at peigen.c:446
#2  0x08151562 in coff_slurp_line_table (abfd=0x8255a08, asect=0x8256b9c) at ./coffcode.h:4606
#3  0x081510e9 in coff_slurp_symbol_table (abfd=0x8255a08) at ./coffcode.h:5122
#4  0x081505c7 in coff_slurp_reloc_table (abfd=0x8255a08, asect=0x8256db8, symbols=0x0) at ./coffcode.h:5291
#5  0x0814cd2a in coff_canonicalize_reloc (abfd=0x8255a08, section=0x8256db8, relptr=0x825c300, symbols=0x0) at ./coffcode.h:5435
#6  0x080be79b in bfd_canonicalize_reloc (abfd=0x8255a08, asect=0x8256db8, location=0x825c300, symbols=0x0) at bfd.c:1090
#7  0x0804e3a6 in dump_relocs_in_section (abfd=0x8255a08, section=0x8256db8, dummy=0x0) at ./objdump.c:3400
#8  0x080ca10c in bfd_map_over_sections (abfd=0x8255a08, operation=0x804e200 <dump_relocs_in_section>, user_storage=0x0) at section.c:1395
#9  0x0804c9ee in dump_relocs (abfd=0x8255a08) at ./objdump.c:3422
#10 0x0804b9b8 in dump_bfd (abfd=0x8255a08) at ./objdump.c:3548
#11 0x0804b5d2 in display_object_bfd (abfd=0x8255a08) at ./objdump.c:3611
#12 0x0804b587 in display_any_bfd (file=0x8255a08, level=0) at ./objdump.c:3700
#13 0x0804b2b1 in display_file (filename=0xbffff2a0 "/home/min/Downloads/55_minimize", target=0x0, last_file=1) at ./objdump.c:3721
#14 0x0804ae80 in main (argc=3, argv=0xbffff094) at ./objdump.c:4023

Proposed patch:

--- a/bfd/coffcode.h
+++ b/bfd/coffcode.h
@@ -4578,6 +4578,9 @@ coff_slurp_line_table (bfd *abfd, asection *asect)
   BFD_ASSERT (asect->lineno == NULL);
+  if(asect->lineno_count > 0xffff)
+    return FALSE;
+
   amt = ((bfd_size_type) asect->lineno_count + 1) * sizeof (alent);
   lineno_cache = (alent *) bfd_alloc (abfd, amt);
   if (lineno_cache == NULL)

Credits:
This vulnerability was discovered by Mingi Cho and Taekyoung Kwon of the Information Security Lab, Yonsei University.
Please contact mgcho.mi...@gmail.com and taekyo...@yonsei.ac.kr if you need more information about the vulnerability and the lab.
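Review bot: the `0xffff` bound in the added `if(asect->lineno_count > 0xffff)` is an arbitrary cap, not a bounds check against the data the function goes on to read. The backtrace shows the fault is a read inside `_bfd_pei_swap_lineno_in` called from coffcode.h:4606, i.e. past the end of the line-number records; a `lineno_count` below 0xffff whose records still extend beyond the end of the file passes the new check and reaches the same read, while a valid object with more than 65535 line-number entries is now rejected outright. Suggest validating `asect->lineno_count` against what can actually be read: the count multiplied by the external line-number record size (with the multiplication checked for overflow) must not exceed the bytes available from the table's file offset to the end of the file, and a short read of the table should return FALSE. Minor: GNU style puts a space after `if`, matching the surrounding `if (lineno_cache == NULL)`.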
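As an added illustration of the kind of check the report calls for (this is not binutils code and not the reporter's patch): a hypothetical helper that validates a line-number count against the bytes actually available in the file, with overflow-safe arithmetic, instead of a fixed cap. It assumes the 6-byte size of an external COFF LINENO record and uses constructed file sizes and offsets.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper (not binutils code): decide whether a line-number
   table of COUNT records of ENTRY_SIZE bytes, starting at byte offset
   FILEPOS, can be read in full from a file of FILE_SIZE bytes.  Any count
   that passes has its records entirely inside the file, so a later loop
   over them cannot read past the buffer the way the crash above does.  */
static bool
lineno_table_fits (uint64_t count, size_t entry_size,
                   uint64_t filepos, uint64_t file_size)
{
  uint64_t table_bytes;

  if (entry_size == 0)
    return false;
  /* A count of zero means there is no table to read.  */
  if (count == 0)
    return true;
  /* Reject counts whose byte size would wrap around 64 bits.  */
  if (count > UINT64_MAX / entry_size)
    return false;
  table_bytes = count * entry_size;
  /* The start offset must lie inside the file, and the table after it.  */
  if (filepos > file_size)
    return false;
  return table_bytes <= file_size - filepos;
}

/* Assumed: an external COFF LINENO record is 6 bytes (l_addr + l_lnno).  */
#define SAMPLE_LINESZ 6

int
main (void)
{
  /* Constructed sample values; not taken from the attached PoC.  */
  uint64_t file_size = 4096, filepos = 1024;   /* 3072 bytes available */

  printf ("%d\n", lineno_table_fits (100, SAMPLE_LINESZ, filepos, file_size));    /* 1: 600 bytes fit */
  printf ("%d\n", lineno_table_fits (1000, SAMPLE_LINESZ, filepos, file_size));   /* 0: 6000 bytes do not */
  printf ("%d\n", lineno_table_fits (0x1000, SAMPLE_LINESZ, filepos, file_size)); /* 0: below 0xffff, still too big */
  return 0;
}
```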