https://sourceware.org/bugzilla/show_bug.cgi?id=25306
Bug ID: 25306
Summary: Null Pointer Dereference in bfd/pef.c:bfd_pef_parse_symbols()
Product: binutils
Version: unspecified
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: v.manhnd at vincss dot net
Target Milestone: ---

Created attachment 12139
--> https://sourceware.org/bugzilla/attachment.cgi?id=12139&action=edit
The crash PoC

Hello,

There is a null pointer dereference in bfd/pef.c:bfd_pef_parse_symbols().

## Analysis

Look at the following code in bfd/pef.c:bfd_pef_parse_symbols():

----------Code------------
  if (codesec != NULL)
    {
      codelen = codesec->size;
      codebuf = bfd_malloc (codelen);
      if (bfd_seek (abfd, codesec->filepos, SEEK_SET) < 0)
        goto end;
      if (bfd_bread ((void *) codebuf, codelen, abfd) != codelen)
        goto end;
    }
--------------------------

In the code above, codebuf is allocated without checking if the returned pointer is null, which makes the write to codebuf by bfd_bread invalid.

## Reproduce

The attachment makes objdump crash, provided objdump is built for 32-bit.

----------Log--------------
root@manh-ubuntu16:~/fuzz/fuzz_binutils# binutils-gdb-gcc-32/binutils/objdump -x crash-objdump

crash-objdump:     file format pef
crash-objdump
architecture: powerpc:common64, flags 0x000001ff:
HAS_RELOC, EXEC_P, HAS_LINENO, HAS_DEBUG, HAS_SYMS, HAS_LOCALS, DYNAMIC, WP_TEXT, D_PAGED
start address 0x0000000000000630
Segmentation fault (core dumped)
---------------------------

Tested with version 39aa149769fd05fb6fade43bd41c1d7b6d63d06b of github.com/bminor/binutils-gdb

--
Thanks & Regards,
Nguyen Duc Manh
VinCSS (a member of Vingroup)
[M] (+84) 346136886
[E] v.man...@vincss.net
[W] www.vincss.net
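The pattern in the report (allocate a buffer whose size comes straight from the file, then read into it without looking at the allocation result) is easy to reproduce outside of BFD. The following is an added example written for this page, not binutils code: a stand-in section reader over an in-memory "file", with a `limited_malloc()` hook that fails deterministically to play the role of `bfd_malloc(codesec->size)` failing for a huge size in a 32-bit build. `mem_file`, `section_hdr`, `mem_bread()`, the `sample_file` bytes and the two reader functions are all constructed for the demo; nothing here is real PEF parsing.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not binutils code: a stand-in for the section read in
 * bfd_pef_parse_symbols(). The "file" is an in-memory byte buffer; the
 * section header (filepos, size) is the untrusted input parsed from it. */

typedef struct { const uint8_t *data; size_t len; } mem_file;
typedef struct { uint32_t filepos; uint32_t size; } section_hdr;

/* Allocation hook so the demo can make malloc fail deterministically,
 * as bfd_malloc(codesec->size) does in a 32-bit build when the claimed
 * size is close to 4 GiB. Default: no limit. */
static size_t alloc_limit = SIZE_MAX;
static void *limited_malloc(size_t n) { return n > alloc_limit ? NULL : malloc(n); }

/* Stand-in for bfd_bread(): copy n bytes at offset off into buf.
 * Like the real function it trusts buf; a NULL buf is a NULL write. */
static size_t mem_bread(uint8_t *buf, size_t n, const mem_file *f, size_t off) {
    if (off > f->len || n > f->len - off) return 0;
    memcpy(buf, f->data + off, n);
    return n;
}

/* Shape of the reported code: allocate, then read into the buffer without
 * checking the allocation. If limited_malloc() returns NULL, mem_bread()
 * writes through the NULL pointer and the process crashes. Shown for
 * contrast; only call it when the allocation is known to succeed. */
static int read_section_unchecked(const mem_file *f, const section_hdr *h, uint8_t **out) {
    uint8_t *buf = limited_malloc(h->size);                 /* no NULL check */
    if (mem_bread(buf, h->size, f, h->filepos) != h->size) { free(buf); return -1; }
    *out = buf;
    return 0;
}

/* Hardened form: bound the claimed size by what the file can hold, treat a
 * zero size explicitly, and check the allocation before touching it. */
static int read_section_checked(const mem_file *f, const section_hdr *h, uint8_t **out) {
    *out = NULL;
    if (h->filepos > f->len || h->size > f->len - h->filepos)
        return -1;   /* section cannot lie inside the file: refuse before allocating */
    if (h->size == 0)
        return 0;    /* nothing to read; sidestep malloc(0) ambiguity */
    uint8_t *buf = limited_malloc(h->size);
    if (buf == NULL)
        return -2;   /* allocation failed: report it instead of dereferencing NULL */
    if (mem_bread(buf, h->size, f, h->filepos) != h->size) { free(buf); return -1; }
    *out = buf;
    return 0;
}

/* Constructed 32-byte "file" for the demo (not a real PEF image). */
static const uint8_t sample_file[32] = {
    'P','E','F',0, 0,0,0,8,  'c','o','d','e','s','e','c','!',
    1,2,3,4,5,6,7,8, 9,10,11,12,13,14,15,16 };

/* Demo 1: a sane header (16 bytes at offset 8) works with both readers -> 0 */
static int demo_benign(void) {
    mem_file f = { sample_file, sizeof sample_file };
    section_hdr h = { 8, 16 };
    uint8_t *a = NULL, *b = NULL;
    int ok = read_section_unchecked(&f, &h, &a) == 0 && memcmp(a, "codesec!", 8) == 0
          && read_section_checked(&f, &h, &b) == 0 && memcmp(b, "codesec!", 8) == 0;
    free(a); free(b);
    return ok ? 0 : 1;
}

/* Demo 2: a PoC-style header claiming a ~4 GiB section is rejected (-1)
 * by the bounds check before any allocation is attempted. */
static int demo_oversized(void) {
    mem_file f = { sample_file, sizeof sample_file };
    section_hdr h = { 8, 0xFFFFFFF0u };
    uint8_t *buf = NULL;
    return read_section_checked(&f, &h, &buf);
}

/* Demo 3: the size fits the file but the allocator fails -> -2, no crash. */
static int demo_alloc_failure(void) {
    mem_file f = { sample_file, sizeof sample_file };
    section_hdr h = { 8, 16 };
    uint8_t *buf = NULL;
    alloc_limit = 8;
    int rc = read_section_checked(&f, &h, &buf);
    alloc_limit = SIZE_MAX;
    return rc;
}

int main(void) {
    printf("benign=%d oversized=%d alloc_failure=%d\n",
           demo_benign(), demo_oversized(), demo_alloc_failure());
    return 0;
}
```

The bounds check in `read_section_checked()` is the more valuable of the two fixes: a section size that exceeds the file cannot be read anyway, so rejecting it up front keeps a crafted header from driving the allocator at all, while the NULL check covers the remaining case of a plausible size that the process still cannot satisfy.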