https://sourceware.org/bugzilla/show_bug.cgi?id=22372
Bug ID: 22372
Summary: Integer overflow in pe_bfd_read_buildid()
Product: binutils
Version: 2.30
Status: RESOLVED
Resolution: DUPLICATE
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: mgcho.minic at gmail dot com
CC: amodra at gmail dot com
Target Milestone: ---

Created attachment 10561
--> https://sourceware.org/bugzilla/attachment.cgi?id=10561&action=edit
POC of the crash

Triggered by "./objdump -x $POC"
Tested on Ubuntu 16.04 (x86)

An integer overflow occurs when checking the size of the debug directory of a PE-format binary file.

The GDB debugging information is as follows:

(gdb) r -x $POC

Program received signal SIGSEGV, Segmentation fault.
0x080c55f5 in bfd_getl32 (p=0x8276000) at libbfd.c:557
557	  v = (unsigned long) addr[0];
(gdb) bt
#0  0x080c55f5 in bfd_getl32 (p=0x8276000) at libbfd.c:557
#1  0x08155ff6 in _bfd_pei_swap_debugdir_in (abfd=0x8255a08, ext1=0x8276000, in1=0xbfffe168) at peigen.c:1119
#2  0x0814d8e6 in pe_bfd_read_buildid (abfd=0x8255a08) at ./peicode.h:1353
#3  0x0814b813 in pe_bfd_object_p (abfd=0x8255a08) at ./peicode.h:1497
#4  0x080c323c in bfd_check_format_matches (abfd=0x8255a08, format=bfd_object, matching=0xbfffedb0) at format.c:311
#5  0x0804b5be in display_object_bfd (abfd=0x8255a08) at ./objdump.c:3609
#6  0x0804b587 in display_any_bfd (file=0x8255a08, level=0) at ./objdump.c:3700
#7  0x0804b2b1 in display_file (filename=0xbffff257 "/home/min/fuzzing/result/binutils/objdump_x_D_s_pe_1/crashes/id:000015,sig:06,src:000270,op:havoc,rep:64", target=0x0, last_file=1) at ./objdump.c:3721
#8  0x0804ae80 in main (argc=3, argv=0xbffff044) at ./objdump.c:4023

Proposed patch:

--- a/bfd/peicode.h
+++ b/bfd/peicode.h
@@ -1328,7 +1328,7 @@ pe_bfd_read_buildid (bfd *abfd)
       dataoff = addr - section->vma;
 
       /* PR 20605: Make sure that the data is really there. */
-      if (dataoff + size > section->size)
+      if (size > section->size - dataoff)
 	{
 	  _bfd_error_handler (_("%B: Error: Debug Data ends beyond end of debug directory."),
 			      abfd);

Credits:
This vulnerability was discovered by Mingi Cho and Taekyoung Kwon of the Information Security Lab, Yonsei University. Please contact mgcho.mi...@gmail.com and taekyo...@yonsei.ac.kr if you need more information about the vulnerability and the lab.

--- Comment #1 from Alan Modra <amodra at gmail dot com> ---
Already fixed

*** This bug has been marked as a duplicate of bug 22373 ***

_______________________________________________
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils
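Review bot: the rewritten condition `size > section->size - dataoff` removes the wrap in `dataoff + size`, but it is only safe if `dataoff <= section->size` is already guaranteed by code outside this hunk; with unsigned arithmetic (the same property that makes the original sum wrap), a `dataoff` larger than `section->size` makes the subtraction wrap to a huge value and the check then accepts any `size`. Making the check self-contained, as in `if (dataoff > section->size || size > section->size - dataoff)`, closes that path without relying on what the section lookup above the hunk ensures. Since the comment below reports this as already fixed under bug 22373, the committed form there should be compared with this hunk rather than this hunk applied verbatim.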
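The three forms of the bounds check side by side in unsigned 32-bit arithmetic, as an added illustration that is not code from binutils or from this report; the type and function names are stand-ins chosen here, and the section size and offsets are constructed inputs.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for bfd's unsigned offset/size fields, 32 bits
   wide to match the x86 build in the report. */
typedef uint32_t bfd_size_like;

/* Original check (the '-' line of the patch): dataoff + size can wrap
   around to a small value and the oversized data is accepted. */
bool check_original(bfd_size_like dataoff, bfd_size_like size,
                    bfd_size_like secsize)
{
    return dataoff + size > secsize;            /* true = reject */
}

/* Reporter's proposed check (the '+' line): the sum no longer wraps, but
   secsize - dataoff wraps when dataoff alone is already past the end. */
bool check_proposed(bfd_size_like dataoff, bfd_size_like size,
                    bfd_size_like secsize)
{
    return size > secsize - dataoff;
}

/* Self-contained check: reject an offset beyond the end first, then
   compare size with the remaining room, which cannot wrap. */
bool check_complete(bfd_size_like dataoff, bfd_size_like size,
                    bfd_size_like secsize)
{
    return dataoff > secsize || size > secsize - dataoff;
}

int main(void)
{
    /* Constructed inputs against a 0x1000-byte section. */
    struct { const char *name; bfd_size_like off, size; } cases[] = {
        { "in bounds",       0x100,  0x200      },
        { "size wraps sum",  0x800,  0xFFFFFF00 },
        { "offset past end", 0x2000, 0x10       },
    };
    for (size_t i = 0; i < 3; i++)
        printf("%-16s reject: original=%d proposed=%d complete=%d\n",
               cases[i].name,
               check_original(cases[i].off, cases[i].size, 0x1000),
               check_proposed(cases[i].off, cases[i].size, 0x1000),
               check_complete(cases[i].off, cases[i].size, 0x1000));
    return 0;
}
```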