https://sourceware.org/bugzilla/show_bug.cgi?id=22385
Bug ID: 22385
Summary: Integer overflow in coff_get_normalized_symtab
Product: binutils
Version: 2.30 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: mgcho.minic at gmail dot com
Target Milestone: ---

Created attachment 10568
  --> https://sourceware.org/bugzilla/attachment.cgi?id=10568&action=edit
poc of the crash

Triggered by "./objdump -r $POC"

Tested on Ubuntu 16.04 (x86)

An integer overflow occurs when the number of symbols is too large.

ASAN output:

./objdump -r $POC
==30813==ERROR: AddressSanitizer: SEGV on unknown address 0xbebebebe (pc 0x08127bc6 bp 0xbfe51da8 sp 0xbfe5191c T0)
    #0 0x8127bc5 in __sanitizer::internal_strlen(char const*) (/home/min/fuzzing/program/binutils-master-asan/bin/objdump+0x8127bc5)
    #1 0x80b4121 in printf_common(void*, char const*, char*) (/home/min/fuzzing/program/binutils-master-asan/bin/objdump+0x80b4121)
    #2 0x80b45fc in __interceptor_vfprintf (/home/min/fuzzing/program/binutils-master-asan/bin/objdump+0x80b45fc)
    #3 0x80b464b in __interceptor_fprintf (/home/min/fuzzing/program/binutils-master-asan/bin/objdump+0x80b464b)
    #4 0x82b1b47 in _bfd_doprnt /home/min/fuzzing/src/binutils/binutils-gdb/bfd/bfd.c:805:8
    #5 0x82b016c in error_handler_internal /home/min/fuzzing/src/binutils/binutils-gdb/bfd/bfd.c:887:3
    #6 0x82a8e5e in _bfd_error_handler /home/min/fuzzing/src/binutils/binutils-gdb/bfd/bfd.c:909:3
    #7 0x851deae in coff_slurp_symbol_table /home/min/fuzzing/src/binutils/binutils-gdb/bfd/./coffcode.h:5085:8

The GDB debugging information is as follows:

(gdb) r -r $POC
Program received signal SIGSEGV, Segmentation fault.
0xb7e43383 in _IO_vfprintf_internal (s=0xbfffc4b8, format=<optimized out>, ap=0xbfffea9c "\306\350\"\b\214\342\365\267\200!\373\267@\353\377\277\242`ⷀ!\373\267\214\342\365\267\022") at vfprintf.c:1632
1632	vfprintf.c: No such file or directory.
(gdb) bt
#0  0xb7e43383 in _IO_vfprintf_internal (s=0xbfffc4b8, format=<optimized out>, ap=0xbfffea9c "\306\350\"\b\214\342\365\267\200!\373\267@\353\377\277\242`ⷀ!\373\267\214\342\365\267\022") at vfprintf.c:1632
#1  0xb7e43671 in buffered_vfprintf (s=s@entry=0xb7fb1cc0 <_IO_2_1_stderr_>, format=format@entry=0xbfffeb8c "%s", args=args@entry=0xbfffea98 "\001") at vfprintf.c:2320
#2  0xb7e412d1 in _IO_vfprintf_internal (s=0xb7fb1cc0 <_IO_2_1_stderr_>, format=0xbfffeb8c "%s", ap=0xbfffea98 "\001") at vfprintf.c:1293
#3  0xb7e48668 in __fprintf (stream=0xb7fb1cc0 <_IO_2_1_stderr_>, format=0xbfffeb8c "%s") at fprintf.c:32
#4  0x080c08c2 in _bfd_doprnt (stream=0xb7fb1cc0 <_IO_2_1_stderr_>, format=0x822e89e "%B: Unrecognized storage class %d for %s symbol `%s'", ap=0xbfffeca4 "\340\276%\b\001") at bfd.c:805
#5  0x080c006f in error_handler_internal (fmt=0x822e89e "%B: Unrecognized storage class %d for %s symbol `%s'", ap=0xbfffec94 "\bZ%\b") at bfd.c:887
#6  0x080be625 in _bfd_error_handler (fmt=0x822e89e "%B: Unrecognized storage class %d for %s symbol `%s'") at bfd.c:909
#7  0x08151029 in coff_slurp_symbol_table (abfd=0x8255a08) at ./coffcode.h:5085
#8  0x08166d06 in coff_get_symtab_upper_bound (abfd=0x8255a08) at coffgen.c:419
#9  0x0804c1d7 in slurp_symtab (abfd=0x8255a08) at ./objdump.c:615
#10 0x0804b82c in dump_bfd (abfd=0x8255a08) at ./objdump.c:3523
#11 0x0804b5d2 in display_object_bfd (abfd=0x8255a08) at ./objdump.c:3611
#12 0x0804b587 in display_any_bfd (file=0x8255a08, level=0) at ./objdump.c:3700
#13 0x0804b2b1 in display_file (filename=0xbffff2b7 "/tmp/poc", target=0x0, last_file=1) at ./objdump.c:3721
#14 0x0804ae80 in main (argc=3, argv=0xbffff0a4) at ./objdump.c:4023

Proposed patch: Check whether integer overflow occurs in coff_get_normalized_symtab ()

--- a/bfd/coffgen.c +++ b/bfd/coffgen.c
@@ -1790,6 +1790,8 @@ coff_get_normalized_symtab (bfd *abfd) return NULL; size = obj_raw_syment_count (abfd) * sizeof (combined_entry_type); + if (obj_raw_syment_count (abfd) > size) + return NULL; internal = (combined_entry_type *) bfd_zalloc (abfd, size); if (internal == NULL && size != 0) return NULL;

Credits:
This vulnerability was discovered by Mingi Cho and Taekyoung Kwon of the Information Security Lab, Yonsei University.
Please contact mgcho.mi...@gmail.com and taekyo...@yonsei.ac.kr if you need more information about the vulnerability and the lab.

--
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils
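Review bot: the guard added in this hunk, `if (obj_raw_syment_count (abfd) > size)`, does not reliably detect a wrapped multiplication. Since `sizeof (combined_entry_type)` is larger than one, `obj_raw_syment_count (abfd) * sizeof (combined_entry_type)` can wrap to a value that is still larger than the count (with a 32-bit size and, hypothetically, a 36-byte entry, a count of 0x08000001 yields a wrapped size of 0x20000024, which passes the check), so `bfd_zalloc (abfd, size)` is still reached with a size too small for the count. Reject the count before multiplying, e.g. `if (obj_raw_syment_count (abfd) > (bfd_size_type) -1 / sizeof (combined_entry_type)) return NULL;`, or verify the product afterwards with `if (size / sizeof (combined_entry_type) != obj_raw_syment_count (abfd)) return NULL;`. The declared type of `size` is not visible in the hunk; the cast above assumes `bfd_size_type` and should match whatever `size` actually is.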
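To make the overflow-check point concrete, here is an added C example (not binutils code) that reproduces the shape of the proposed `count > size` guard on a 32-bit size type next to the divide-before-multiply form, and shows a count that wraps yet slips past the guard; `entry_type` is a hypothetical stand-in for `combined_entry_type` whose only relevant property is a size greater than one byte.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for combined_entry_type (not binutils' definition):
   all that matters is that its size is larger than one byte. */
typedef struct { unsigned char raw[36]; } entry_type;

/* Does the exact product count * sizeof(entry_type) exceed a 32-bit size? */
int product_wraps(uint32_t count)
{
    uint64_t exact = (uint64_t) count * sizeof(entry_type);
    return exact > UINT32_MAX;
}

/* Shape of the check in the proposed patch, on a 32-bit size type so the
   wrap can be shown on any host: compare the possibly wrapped product with
   the count.  Returns 1 when the count is rejected. */
int patch_check_rejects(uint32_t count)
{
    uint32_t size = count * (uint32_t) sizeof(entry_type);  /* may wrap */
    return count > size;
}

/* Divide-before-multiply form: the largest count whose product still fits
   is UINT32_MAX / sizeof(entry_type); anything above it is rejected. */
int safe_check_rejects(uint32_t count)
{
    return count > UINT32_MAX / sizeof(entry_type);
}

/* Allocation using the safe check: NULL on overflow or allocation failure,
   byte size reported through *size_out only when the count is accepted. */
entry_type *alloc_entries(uint32_t count, uint32_t *size_out)
{
    if (safe_check_rejects(count))
        return NULL;
    *size_out = count * (uint32_t) sizeof(entry_type);
    return calloc(count, sizeof(entry_type));
}

int main(void)
{
    /* Constructed probes: a sane count, a wrapping count the patch's check
       misses, and a wrapping count it happens to catch (product wraps to 0). */
    uint32_t probes[] = { 1000u, 0x08000001u, 0x40000000u };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("count=0x%08x wraps=%d patch_rejects=%d safe_rejects=%d\n",
               probes[i], product_wraps(probes[i]),
               patch_check_rejects(probes[i]), safe_check_rejects(probes[i]));
    return 0;
}
```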