https://sourceware.org/bugzilla/show_bug.cgi?id=24793

Bug ID: 24793
Summary: A memory leak of objdump in Binutils 2.32
Product: binutils
Version: 2.32
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: 15664243668 at 163 dot com
Target Milestone: ---

Created attachment 11899 --> https://sourceware.org/bugzilla/attachment.cgi?id=11899&action=edit
POC

Hi,

A memory leak was discovered in slurp_symtab in objdump.c, as distributed in binutils v2.32. A crafted ELF input can cause a crash when executed by objdump in binutils v2.32, and I have confirmed it with AddressSanitizer too.

Here are the POC files. Please use "objdump -d $POC" to reproduce the error.

In addition, I compiled binutils 2.32 as the 64-bit LSB version with ASAN. The binutils runs on an x86-64 Ubuntu 16.04 server.

ASAN dumps the backtrace as follows:

Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
/home/yuetai/experiment/binutils-2.32_with_asan/binutils-2.32/binutils/objdump: warning: /home/zeroyu/CVE/output/objdump_learnAFL_1/crashes/id:000054,sig:06,src:002627,op:havoc,rep:8 has a corrupt section with a size (f0000000) larger than the file size
/home/yuetai/experiment/binutils-2.32_with_asan/binutils-2.32/binutils/objdump: warning: /home/zeroyu/CVE/output/objdump_learnAFL_1/crashes/id:000054,sig:06,src:002627,op:havoc,rep:8 has a corrupt section with a size (21000040) larger than the file size
/home/yuetai/experiment/binutils-2.32_with_asan/binutils-2.32/binutils/objdump: /home/zeroyu/CVE/output/objdump_learnAFL_1/crashes/id:000054,sig:06,src:002627,op:havoc,rep:8: warning: multiple symbol tables detected - ignoring the table in section 15
/home/yuetai/experiment/binutils-2.32_with_asan/binutils-2.32/binutils/objdump: warning: /home/zeroyu/CVE/output/objdump_learnAFL_1/crashes/id:000054,sig:06,src:002627,op:havoc,rep:8 has a corrupt section with a size (f0000000) larger than the file size
/home/yuetai/experiment/binutils-2.32_with_asan/binutils-2.32/binutils/objdump: warning: /home/zeroyu/CVE/output/objdump_learnAFL_1/crashes/id:000054,sig:06,src:002627,op:havoc,rep:8 has a corrupt section with a size (21000040) larger than the file size
/home/yuetai/experiment/binutils-2.32_with_asan/binutils-2.32/binutils/objdump: /home/zeroyu/CVE/output/objdump_learnAFL_1/crashes/id:000054,sig:06,src:002627,op:havoc,rep:8: warning: multiple symbol tables detected - ignoring the table in section 15
/home/yuetai/experiment/binutils-2.32_with_asan/binutils-2.32/binutils/objdump: warning: /home/zeroyu/CVE/output/objdump_learnAFL_1/crashes/id:000054,sig:06,src:002627,op:havoc,rep:8 has a corrupt section with a size (f0000000) larger than the file size
/home/yuetai/experiment/binutils-2.32_with_asan/binutils-2.32/binutils/objdump: warning: /home/zeroyu/CVE/output/objdump_learnAFL_1/crashes/id:000054,sig:06,src:002627,op:havoc,rep:8 has a corrupt section with a size (21000040) larger than the file size
/home/yuetai/experiment/binutils-2.32_with_asan/binutils-2.32/binutils/objdump: /home/zeroyu/CVE/output/objdump_learnAFL_1/crashes/id:000054,sig:06,src:002627,op:havoc,rep:8: warning: multiple symbol tables detected - ignoring the table in section 15
/home/zeroyu/CVE/output/objdump_learnAFL_1/crashes/id:000054,sig:06,src:002627,op:havoc,rep:8: file format elf32-iamcu
/home/yuetai/experiment/binutils-2.32_with_asan/binutils-2.32/binutils/objdump: /home/zeroyu/CVE/output/objdump_learnAFL_1/crashes/id:000054,sig:06,src:002627,op:havoc,rep:8: file truncated

=================================================================
==5097==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 2013265920 byte(s) in 1 object(s) allocated from:
    #0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x712833 in xmalloc xmalloc.c:147
    #2 0x404ed6 in slurp_symtab objdump.c:697
    #3 0x41506a in dump_bfd objdump.c:3793
    #4 0x4155ae in display_object_bfd objdump.c:3883
    #5 0x4159bb in display_any_bfd objdump.c:3973
    #6 0x415a30 in display_file objdump.c:3994
    #7 0x416ac1 in main objdump.c:4304
    #8 0x7ffff68bc82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: 2013265920 byte(s) leaked in 1 allocation(s).
[Inferior 1 (process 5097) exited with code 027]
[Thread debugging using libthread_db enabled]

-- 
_______________________________________________
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils
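As an added example following the report (not binutils code and not the reporter's), a defensive pattern for the two failure modes the log shows: a section header that claims more bytes than the file holds ("corrupt section with a size ... larger than the file size"), and a buffer that must be released when a later check rejects the input ("file truncated" followed by a leaked xmalloc). The ELF32 section-header struct, the function names and the sample headers are constructed assumptions.

```c
/* Added example, not binutils code: bounds-check an ELF32 section header before
 * allocating, then free on every later failure path. Assumes host-endian ELF32 Shdr. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
typedef struct {
    uint32_t name, type, flags, addr, offset, size, link, info, addralign, entsize;
} Shdr32;
/* Copy a section out of the file image; allocates nothing and returns NULL when the
 * header claims more bytes than the file holds. Caller frees the result. */
unsigned char *slurp_section(const unsigned char *file, size_t file_size,
                             const Shdr32 *sh, size_t *out_len) {
    *out_len = 0;
    if ((uint64_t)sh->offset + sh->size > file_size) return NULL; /* 64-bit sum: no wraparound */
    unsigned char *buf = malloc(sh->size ? sh->size : 1);
    if (!buf) return NULL;
    memcpy(buf, file + sh->offset, sh->size);
    *out_len = sh->size;
    return buf;
}
/* Symbol-table loader: a check that fails after allocation must free the buffer,
 * otherwise every rejected input leaks it (the LeakSanitizer report above). */
unsigned char *load_symtab(const unsigned char *file, size_t file_size,
                           const Shdr32 *sh, size_t *nsyms) {
    size_t len;
    unsigned char *buf = slurp_section(file, file_size, sh, &len);
    *nsyms = 0;
    if (!buf) return NULL;
    if (sh->entsize == 0 || len % sh->entsize != 0) {
        free(buf);                         /* release on the early-return path */
        return NULL;
    }
    *nsyms = len / sh->entsize;
    return buf;
}
/* Constructed 256-byte "file" and three headers (valid, oversized, misaligned);
 * returns how many were handled correctly (expected: 3). */
int demo_checks(void) {
    static unsigned char file[256];
    Shdr32 good = { .offset = 0x40, .size = 32, .entsize = 16 };
    Shdr32 huge = { .offset = 0x40, .size = 0xf0000000u, .entsize = 16 };
    Shdr32 odd  = { .offset = 0x40, .size = 24, .entsize = 16 };
    size_t n; int ok = 0;
    unsigned char *s = load_symtab(file, sizeof file, &good, &n);
    ok += (s != NULL && n == 2); free(s);
    ok += (load_symtab(file, sizeof file, &huge, &n) == NULL && n == 0);
    ok += (load_symtab(file, sizeof file, &odd, &n) == NULL && n == 0);
    return ok;
}
```

The oversized header mirrors the f0000000 size in the warnings: with the pre-allocation check it is rejected without any malloc, so there is nothing left to leak when parsing later fails.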