[Bug binutils/24644] New: OOM-Bug in _bfd_archive_64_bit_slurp_armap in bfd/archive64.c

2019-06-06 Thread alex at forallsecure dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24644

Bug ID: 24644
   Summary: OOM-Bug in _bfd_archive_64_bit_slurp_armap in bfd/archive64.c
   Product: binutils
   Version: 2.33 (HEAD)
Status: UNCONFIRMED
  Severity: normal
  Priority: P2
 Component: binutils
  Assignee: unassigned at sourceware dot org
  Reporter: alex at forallsecure dot com
  Target Milestone: ---

Created attachment 11819
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11819&action=edit
Input to reproduce

_bfd_archive_64_bit_slurp_armap reads nsymz from the archive, which is user
controlled. It then attempts to allocate an amount derived from nsymz, which
allows attackers to trigger excessive memory consumption. I'm attaching a
minimized input that triggers that issue. You can observe the behavior with
`ltrace ./objdump -x ./input 2>&1 | grep malloc` or by compiling objdump with
ASAN which produces the following stacktrace:

==39959==ERROR: AddressSanitizer: requested allocation size 0xa0a0a0a0a0a0a18
(0xa0a0a0a0a0a1a18 after adjustments for alignment, red zones etc.) exceeds
maximum supported size of 0x100 (thread T0)
#0 0x49665d in __interceptor_malloc
/b/swarming/w/ir/k/src/third_party/llvm/compiler-rt/lib/asan/asan_malloc_linux.cc:145:3
#1 0x1148578 in _objalloc_alloc
/fas/apr/binutils-gdb/build-libfuzzer/libiberty/../../libiberty/objalloc.c:143:22
#2 0x7f91d9 in bfd_alloc
/fas/apr/binutils-gdb/build-libfuzzer/bfd/../../bfd/opncls.c:949:9
#3 0x7f8381 in bfd_zalloc
/fas/apr/binutils-gdb/build-libfuzzer/bfd/../../bfd/opncls.c:998:9
#4 0x10c1636 in _bfd_archive_64_bit_slurp_armap
/fas/apr/binutils-gdb/build-libfuzzer/bfd/../../bfd/archive64.c:98:39
#5 0x7d90c6 in bfd_slurp_armap
/fas/apr/binutils-gdb/build-libfuzzer/bfd/../../bfd/archive.c:1149:14
#6 0x7d8a84 in bfd_generic_archive_p
/fas/apr/binutils-gdb/build-libfuzzer/bfd/../../bfd/archive.c:875:8
#7 0x7f0da6 in bfd_check_format_matches
/fas/apr/binutils-gdb/build-libfuzzer/bfd/../../bfd/format.c:315:14

- binutils version: commit 12efd68d159444ad8dfe24e49965a228ba980b86 (Wed Jun 5 2019)
- OS: Ubuntu 18.04.2, running in a docker container on Mac OS
- Linux 4.9.125-linuxkit
- clang version 9.0.0


Found using ForAllSecure's Mayhem.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
___
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils


[Bug binutils/24644] OOM-Bug in _bfd_archive_64_bit_slurp_armap in bfd/archive64.c

2019-06-07 Thread alex at forallsecure dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24644

--- Comment #2 from Alex Rebert ---
Oops. Sorry about that. I saw
https://sourceware.org/bugzilla/show_bug.cgi?id=23361 and thought you were
interested in those.

FWIW, there are a few overflows in there, and the overflow checks don't catch
them all. I haven't been able to make it crash yet, but I have an input that
leads to calling bfd_bread on a small buffer with a very large size. Happy to
upload it if you're interested in it.

Details: When parsed_size=-1 and nsymz=2, the function allocates an 8-byte
symdefs array, while stringsize is 18446744073709551591. Since bfd_bread calls
cache_bread, which takes a signed size which ends up being negative, no
overflow happens.

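A worked example of the size arithmetic discussed in this thread, added here as an illustration and not part of the bug report or of BFD's own code. It models the 64-bit symbol index as the thread describes it (an 8-byte big-endian nsymz, then 8-byte offsets, then the string table): the naive path reproduces the wrapped stringsize from comment #2 for parsed_size = -1 and nsymz = 2, and the checked path bounds both attacker-controlled values (parsed_size against the real file size, nsymz against the member size, dividing rather than multiplying) before anything is allocated or read. The layout constants, the bytes_left parameter, and all function names are this example's assumptions.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed model of the 64-bit armap member: 8-byte big-endian nsymz, nsymz
 * 8-byte big-endian offsets, then a string table filling the member.  Field
 * names follow the thread; nothing here is copied from bfd/archive64.c. */
#define SYM64_COUNT_BYTES  8
#define SYM64_OFFSET_BYTES 8

struct armap_sizes {
  uint64_t nsymz;      /* symbol count read from the member body */
  uint64_t ptrsize;    /* bytes of offset table: 8 * nsymz */
  uint64_t stringsize; /* bytes of string table: parsed_size - 8 - ptrsize */
};

static uint64_t get_be64(const unsigned char *p) {
  uint64_t v = 0;
  for (int i = 0; i < 8; i++)
    v = (v << 8) | p[i];
  return v;
}

/* Unchecked arithmetic: every operation wraps modulo 2^64, which is how
 * parsed_size = -1 and nsymz = 2 give the stringsize quoted in comment #2.
 * Handing these sizes to an allocator or a read is the bug. */
struct armap_sizes armap_sizes_naive(const unsigned char *member,
                                     uint64_t parsed_size) {
  struct armap_sizes s;
  s.nsymz = get_be64(member);
  s.ptrsize = SYM64_OFFSET_BYTES * s.nsymz;
  s.stringsize = parsed_size - SYM64_COUNT_BYTES - s.ptrsize;
  return s;
}

/* Checked version.  parsed_size (ar member header) and nsymz (member body)
 * are both attacker controlled.  bytes_left is how many bytes the file really
 * has from the member body to EOF; a negative or oversized ar_size field can
 * never satisfy it. */
bool armap_sizes_checked(const unsigned char *member, uint64_t parsed_size,
                         uint64_t bytes_left, struct armap_sizes *out) {
  if (parsed_size > bytes_left)        /* member larger than the file */
    return false;
  if (parsed_size < SYM64_COUNT_BYTES) /* no room for the count field */
    return false;
  uint64_t nsymz = get_be64(member);
  uint64_t body = parsed_size - SYM64_COUNT_BYTES;
  /* Dividing instead of multiplying means 8 * nsymz can never wrap. */
  if (nsymz > body / SYM64_OFFSET_BYTES)
    return false;
  out->nsymz = nsymz;
  out->ptrsize = nsymz * SYM64_OFFSET_BYTES; /* fits: checked above */
  out->stringsize = body - out->ptrsize;     /* cannot underflow */
  return true;
}

/* Constructed member body: big-endian nsymz followed by payload_len zero bytes
 * standing in for offsets and strings.  Returns the honest parsed_size. */
size_t build_member(unsigned char *buf, size_t cap, uint64_t nsymz,
                    size_t payload_len) {
  memset(buf, 0, cap);
  for (int i = 0; i < SYM64_COUNT_BYTES; i++)
    buf[i] = (unsigned char)(nsymz >> (8 * (7 - i)));
  return SYM64_COUNT_BYTES + payload_len;
}

/* Comment #2's case (nsymz = 2, parsed_size = (bfd_size_type)-1) through the
 * unchecked arithmetic: returns the wrapped stringsize. */
uint64_t comment2_naive_stringsize(void) {
  unsigned char m[64];
  build_member(m, sizeof m, 2, 23);
  return armap_sizes_naive(m, UINT64_MAX).stringsize;
}

/* The same case through the checked path; false means it was rejected. */
bool comment2_checked_accepts(void) {
  unsigned char m[64];
  size_t len = build_member(m, sizeof m, 2, 23);
  struct armap_sizes s;
  return armap_sizes_checked(m, UINT64_MAX, len, &s);
}

int main(void) {
  unsigned char m[64];
  size_t len = build_member(m, sizeof m, 2, 23);
  struct armap_sizes s = armap_sizes_naive(m, UINT64_MAX);
  printf("naive:   nsymz=%" PRIu64 " ptrsize=%" PRIu64 " stringsize=%" PRIu64 "\n",
         s.nsymz, s.ptrsize, s.stringsize);
  printf("checked: %s\n",
         armap_sizes_checked(m, UINT64_MAX, len, &s) ? "accepted" : "rejected");
  /* nsymz chosen so 8 * nsymz wraps to 8: a check on ptrsize alone passes */
  build_member(m, sizeof m, 0x2000000000000001ULL, 23);
  s = armap_sizes_naive(m, len);
  printf("naive:   nsymz=%#" PRIx64 " ptrsize=%" PRIu64 "\n", s.nsymz, s.ptrsize);
  printf("checked: %s\n",
         armap_sizes_checked(m, len, len, &s) ? "accepted" : "rejected");
  return 0;
}
```

The second case in main shows why a check on the derived products alone is not enough: with nsymz = 0x2000000000000001, 8 * nsymz wraps back to 8, so a test such as "ptrsize < nsymz" still fires, but a test that only compares ptrsize to the member size would not. Bounding nsymz against the member size before multiplying, and the member size against the file, leaves no wrapped value for a later allocation or bfd_bread to consume.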