[Bug binutils/18831] New: readelf "Build ID" overflow

2015-08-15 Thread hanafie.nurud...@f13-labs.net
https://sourceware.org/bugzilla/show_bug.cgi?id=18831

Bug ID: 18831
   Summary: readelf "Build ID" overflow
   Product: binutils
   Version: 2.24
Status: NEW
  Severity: normal
  Priority: P2
 Component: binutils
  Assignee: unassigned at sourceware dot org
  Reporter: hanafie.nurud...@f13-labs.net
  Target Milestone: ---

-- 
You are receiving this mail because:
You are on the CC list for the bug.

___
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils


[Bug binutils/18831] readelf "Build ID" overflow

2015-08-15 Thread hanafie.nurud...@f13-labs.net
https://sourceware.org/bugzilla/show_bug.cgi?id=18831

Nafiez changed:

           What    |Removed |Added
                 CC|        |Hanafie.Nuruddin@f13-labs.net

--- Comment #1 from Nafiez  ---
Created attachment 8525
  --> https://sourceware.org/bugzilla/attachment.cgi?id=8525&action=edit
Binary used to trigger the segmentation fault.

A possible integer overflow occurs in readelf version 2.24 (GNU Binutils for
Ubuntu). Triggered during fuzzing.

To reproduce, just run:

/usr/bin/readelf -a /home/fuzz/fuzzy/readelf/out/crashes/test



[Bug binutils/18831] readelf "Build ID" overflow

2015-08-15 Thread hanafie.nurud...@f13-labs.net
https://sourceware.org/bugzilla/show_bug.cgi?id=18831

--- Comment #2 from Nafiez  ---
Output from GDB:

Starting program: /usr/bin/readelf -a /home/fuzz/fuzzy/readelf/out/crashes/test

...snippet...

Displaying notes found at file offset 0x0188 with length 0x0024:
  Owner                 Data size   Description
  GNU                   0x          NT_GNU_BUILD_ID (unique build ID bitstring)

  Build ID:  < Integer overflow

Program received signal SIGSEGV, Segmentation fault.
[--registers---]
EAX: 0x2 
EBX: 0x80b347f --> 0xbbff6500 
ECX: 0xb7fa8898 --> 0x0 
EDX: 0x2 
ESI: 0x80d2000 
EDI: 0x8084b32 --> 0x494e5500 ('')
EBP: 0x80b347c --> 0x554e47 ('GNU')
ESP: 0xbfffed90 --> 0x1 
EIP: 0x8061ab0 (movzx  eax,BYTE PTR [esi])
EFLAGS: 0x10216 (carry PARITY ADJUST zero sign trap INTERRUPT direction overflow)
[-code-]
   0x8061aa4:   lea    ebx,[esi+eax*1]
   0x8061aa7:   je     0x806192e
   0x8061aad:   lea    esi,[esi+0x0]
=> 0x8061ab0:   movzx  eax,BYTE PTR [esi]
   0x8061ab3:   add    esi,0x1
   0x8061ab6:   mov    DWORD PTR [esp+0x4],0x80a30ba
   0x8061abe:   mov    DWORD PTR [esp],0x1
   0x8061ac5:   mov    DWORD PTR [esp+0x8],eax
[stack-]
0000| 0xbfffed90 --> 0x1
0004| 0xbfffed94 --> 0x80a30ba ("%02x")
0008| 0xbfffed98 --> 0x0
0012| 0xbfffed9c --> 0x  <--- integer overflow
0016| 0xbfffeda0 --> 0x809e480 ("NT_GNU_BUILD_ID (unique build ID bitstring)")
0020| 0xbfffeda4 --> 0x18
0024| 0xbfffeda8 --> 0x1
0028| 0xbfffedac --> 0x1
[--]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x08061ab0 in ?? ()



[Bug binutils/18831] readelf "Build ID" overflow

2015-08-15 Thread hanafie.nurud...@f13-labs.net
https://sourceware.org/bugzilla/show_bug.cgi?id=18831

--- Comment #3 from Nafiez  ---
Disassembly:

.text:08061AB0 movzx   eax, byte ptr [esi]
.text:08061AB3 add     esi, 1
.text:08061AB6 mov     [esp+8Ch+msgid], offset a02x ; "%02x"
.text:08061ABE mov     [esp+8Ch+domainname], 1
.text:08061AC5 mov     [esp+8Ch+category], eax
.text:08061AC9 call    ___printf_chk

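
The crash above is a SIGSEGV inside the `%02x` loop that prints the build-ID descriptor byte by byte: the loop trusts the note's descsz field, and the stack shows the overflowed size sitting right next to the format string. The fix a parser needs is to check namesz and descsz (after 4-byte padding, computed without wrapping) against what actually remains of the note section before touching a single byte. The following is an added example and not readelf's or binutils' code; the note byte layouts are constructed (little-endian), and the function names `walk_notes`, `rd32` and `pad4` are mine.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NT_GNU_BUILD_ID 3   /* note type the GNU toolchain uses for build IDs */

/* Little-endian 32-bit read; the sample notes below are laid out little-endian. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Note name and descriptor are padded to 4 bytes.  Rounding 0xFFFFFFFD..0xFFFFFFFF
   up in 32-bit arithmetic wraps to 0, so the padded size is computed in 64 bits. */
static uint64_t pad4(uint32_t v) {
    return ((uint64_t)v + 3) & ~(uint64_t)3;
}

/* Walk a note section held in buf[0..len).  For each NT_GNU_BUILD_ID note the
   descriptor is written to idout as lowercase hex.  Returns the number of
   well-formed notes, or -1 as soon as a namesz/descsz does not fit in what
   remains of the section.  The readelf 2.24 crash in the report is a SIGSEGV
   inside exactly this kind of byte-printing loop, run to an unchecked descsz. */
int walk_notes(const uint8_t *buf, size_t len, char *idout, size_t idcap) {
    size_t off = 0;
    int count = 0;

    if (idout && idcap) idout[0] = '\0';
    while (off < len) {
        if (len - off < 12) return -1;               /* truncated note header */
        uint32_t namesz = rd32(buf + off);
        uint32_t descsz = rd32(buf + off + 4);
        uint32_t type   = rd32(buf + off + 8);
        off += 12;

        uint64_t nsz = pad4(namesz), dsz = pad4(descsz);
        if (nsz > len - off) return -1;              /* name runs off the end */
        const char *name = (const char *)(buf + off);
        off += (size_t)nsz;
        if (dsz > len - off) return -1;              /* descriptor runs off the end */
        const uint8_t *desc = buf + off;
        off += (size_t)dsz;

        /* Only print once descsz is known to lie inside the buffer and inside idout. */
        if (type == NT_GNU_BUILD_ID && namesz >= 3 && memcmp(name, "GNU", 3) == 0
            && idout && (size_t)descsz * 2 + 1 <= idcap) {
            for (uint32_t i = 0; i < descsz; i++)
                sprintf(idout + 2 * i, "%02x", desc[i]);
        }
        count++;
    }
    return count;
}

/* Constructed sample: one well-formed build-ID note (namesz 4, descsz 4). */
static const uint8_t good_note[] = {
    4,0,0,0,  4,0,0,0,  3,0,0,0,
    'G','N','U',0,
    0xde,0xad,0xbe,0xef,
};

/* Constructed sample: descsz claims 0x100 bytes but only 4 follow. */
static const uint8_t long_desc_note[] = {
    4,0,0,0,  0x00,0x01,0,0,  3,0,0,0,
    'G','N','U',0,
    0xde,0xad,0xbe,0xef,
};

/* Constructed sample: descsz = 0xFFFFFFFF, which wraps to 0 in 32-bit padding math. */
static const uint8_t wrap_note[] = {
    4,0,0,0,  0xff,0xff,0xff,0xff,  3,0,0,0,
    'G','N','U',0,
    0xde,0xad,0xbe,0xef,
};

int main(void) {
    char id[64];
    int n = walk_notes(good_note, sizeof good_note, id, sizeof id);
    printf("good: %d note(s), build id %s\n", n, id);
    printf("long: %d\n", walk_notes(long_desc_note, sizeof long_desc_note, id, sizeof id));
    printf("wrap: %d\n", walk_notes(wrap_note, sizeof wrap_note, id, sizeof id));
    return 0;
}
```

The two malformed samples fail at different checks: the 0x100 case is caught by the remaining-length comparison, while the 0xFFFFFFFF case would pass that comparison if padding were done in 32 bits (it rounds to 0), which is why pad4 widens first.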


[Bug binutils/19379] New: "Augmentation Data:" Overflow in objdump

2015-12-19 Thread hanafie.nurud...@f13-labs.net
https://sourceware.org/bugzilla/show_bug.cgi?id=19379

Bug ID: 19379
   Summary: "Augmentation Data:" Overflow in objdump
   Product: binutils
   Version: 2.24
Status: NEW
  Severity: normal
  Priority: P2
 Component: binutils
  Assignee: unassigned at sourceware dot org
  Reporter: hanafie.nurud...@f13-labs.net
  Target Milestone: ---

Created attachment 8855
  --> https://sourceware.org/bugzilla/attachment.cgi?id=8855&action=edit
proof of concept to trigger crash

The crash triggers when using objdump to parse the binary (while reading the
"Augmentation Data:").

Code that triggers the crash:

; parsed strings (input) for "Augmentation Data:"
.text:08064227 mov     dword ptr [esp+4], offset aAugmentationDa ; "  Augmentation data:"
.text:0806422F xor     ebx, ebx
.text:08064231 mov     dword ptr [esp], 1
.text:08064238 call    ___printf_chk
.text:0806423D mov     eax, [ebp+var_20]   ; var_20 = string (input) from the binary being parsed, copied to eax
.text:08064240 test    eax, eax            ; if input is zero, jump out from here
.text:08064242 jz      short loc_806426F
.text:08064244 lea     esi, [esi+0]
;

; overflow at "Augmentation Data:"
.text:08064248 mov     eax, [ebp+var_24]
.text:0806424B movzx   eax, byte ptr [eax+ebx] ; overflow here due to a long string
.text:0806424F add     ebx, 1
.text:08064252 mov     dword ptr [esp+4], offset unk_808A20E
.text:0806425A mov     dword ptr [esp], 1
.text:08064261 mov     [esp+8], eax
.text:08064265 call    ___printf_chk
.text:0806426A cmp     [ebp+var_20], ebx
.text:0806426D ja      short loc_8064248


Crash info (from GDB)
===
[--registers---]
EAX: 0x80a459c --> 0x0 
EBX: 0x19a64 
ECX: 0xb7dde898 --> 0x0 
EDX: 0x3 
ESI: 0x809c708 ("009c")
EDI: 0x98 
EBP: 0xbfffed68 --> 0x809f82c --> 0x809e808 (".eh_frame")
ESP: 0xbfffecc0 --> 0x1 
EIP: 0x806424b (movzx  eax,BYTE PTR [eax+ebx*1])
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-code-]
   0x8064242:   je     0x806426f
   0x8064244:   lea    esi,[esi+eiz*1+0x0]
   0x8064248:   mov    eax,DWORD PTR [ebp-0x24]
=> 0x806424b:   movzx  eax,BYTE PTR [eax+ebx*1]
   0x806424f:   add    ebx,0x1
   0x8064252:   mov    DWORD PTR [esp+0x4],0x808a20e
   0x806425a:   mov    DWORD PTR [esp],0x1
   0x8064261:   mov    DWORD PTR [esp+0x8],eax
[stack-]
0000| 0xbfffecc0 --> 0x1
0004| 0xbfffecc4 --> 0x808a20e (" %02x")
0008| 0xbfffecc8 --> 0x0
0012| 0xbfffeccc --> 0x809c388 ("fea6")
0016| 0xbfffecd0 --> 0x809c708 ("009c")
0020| 0xbfffecd4 --> 0x0
0024| 0xbfffecd8 --> 0xbfffecf4 --> 0x0
0028| 0xbfffecdc --> 0x0
[--]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0806424b in ?? ()

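
The listing above is the `.eh_frame` CIE printer: `var_24` is the start of the augmentation data and `var_20` its claimed length, and the loop (`cmp [ebp+var_20], ebx` / `ja`) prints bytes until `ebx` reaches that length, so a CIE whose ULEB128 augmentation length exceeds the CIE itself walks off the section. A parser that reads the CIE header with bounds-checked LEB128 decoding and rejects an augmentation length larger than the bytes left in the entry is shown below. This is an added example, not objdump's or binutils' code; the CIE byte layouts are constructed (32-bit DWARF, little-endian), 64-bit DWARF length escapes are deliberately not handled, and the names `parse_cie_aug`, `read_uleb128` and `rd32` are mine.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Little-endian 32-bit read; the sample CIEs below are laid out little-endian. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Decode a ULEB128 from [p,end).  Returns bytes consumed, or 0 if the value
   runs past end or needs more than 64 bits.  SLEB128 fields have the same
   byte framing, so this also serves to skip them when the value is unused. */
static size_t read_uleb128(const uint8_t *p, const uint8_t *end, uint64_t *out) {
    uint64_t v = 0;
    unsigned shift = 0;
    size_t n = 0;
    while (p + n < end) {
        uint8_t b = p[n++];
        if (shift > 63) return 0;
        v |= (uint64_t)(b & 0x7f) << shift;
        shift += 7;
        if (!(b & 0x80)) { *out = v; return n; }
    }
    return 0;                                    /* continuation bit set on the last byte */
}

/* Parse the CIE that starts at buf[0].  On success returns the augmentation
   data length and sets *aug_data to its first byte (*aug_data stays NULL and 0
   is returned when the augmentation string has no 'z').  Returns -1 on any
   malformed field, in particular an augmentation length that does not fit in
   the CIE, which is the comparison the objdump 2.24 loop in the report lacks
   before it prints [var_24+ebx] up to var_20. */
long parse_cie_aug(const uint8_t *buf, size_t len, const uint8_t **aug_data) {
    *aug_data = NULL;
    if (len < 4) return -1;
    uint32_t length = rd32(buf);
    if (length == 0xffffffffu) return -1;        /* 64-bit DWARF escape: not handled here */
    if (length > len - 4) return -1;             /* entry longer than the section */
    const uint8_t *p = buf + 4, *end = buf + 4 + length;

    if (end - p < 5) return -1;
    if (rd32(p) != 0) return -1;                 /* CIE id is 0 in .eh_frame; anything else is an FDE */
    p += 4;
    uint8_t version = *p++;
    if (version != 1 && version != 3 && version != 4) return -1;

    const uint8_t *nul = memchr(p, 0, (size_t)(end - p));
    if (!nul) return -1;                         /* unterminated augmentation string */
    const char *aug = (const char *)p;
    p = nul + 1;

    if (version == 4) {                          /* address_size, segment_size */
        if (end - p < 2) return -1;
        p += 2;
    }
    uint64_t tmp; size_t n;
    if (!(n = read_uleb128(p, end, &tmp))) return -1; p += n;   /* code alignment factor */
    if (!(n = read_uleb128(p, end, &tmp))) return -1; p += n;   /* data alignment factor (SLEB128) */
    if (version == 1) { if (p >= end) return -1; p++; }         /* return address register: 1 byte */
    else { if (!(n = read_uleb128(p, end, &tmp))) return -1; p += n; }

    if (aug[0] != 'z') return 0;                 /* no augmentation data block */
    uint64_t aug_len;
    if (!(n = read_uleb128(p, end, &aug_len))) return -1;
    p += n;
    if (aug_len > (uint64_t)(end - p)) return -1; /* claimed length exceeds the CIE */
    *aug_data = p;
    return (long)aug_len;
}

/* Constructed sample: a typical x86 .eh_frame CIE, augmentation "zR" with one
   byte of augmentation data (0x1b = DW_EH_PE_pcrel|DW_EH_PE_sdata4). */
static const uint8_t good_cie[] = {
    0x14,0,0,0,        /* length = 20 */
    0,0,0,0,           /* CIE id */
    1,                 /* version */
    'z','R',0,         /* augmentation string */
    1,                 /* code alignment factor */
    0x7c,              /* data alignment factor (-4 as SLEB128) */
    8,                 /* return address register */
    1,                 /* augmentation data length */
    0x1b,              /* augmentation data */
    0x0c,4,4, 0x88,1,  /* initial instructions */
    0,0,               /* padding */
};

/* Constructed sample: same layout, but the augmentation data length is the
   ULEB128 encoding of 105060 (e4 b4 06) while only 6 bytes remain in the CIE. */
static const uint8_t bad_cie[] = {
    0x14,0,0,0,
    0,0,0,0,
    1,
    'z','R',0,
    1, 0x7c, 8,
    0xe4,0xb4,0x06,    /* augmentation data length = 105060 */
    0x1b,
    0x0c,4,4, 0x88,1,
};

int main(void) {
    const uint8_t *d;
    long n = parse_cie_aug(good_cie, sizeof good_cie, &d);
    printf("good CIE: augmentation length %ld, first byte 0x%02x\n", n, n > 0 ? (unsigned)d[0] : 0u);
    printf("bad CIE:  %ld\n", parse_cie_aug(bad_cie, sizeof bad_cie, &d));
    return 0;
}
```

The length check is deliberately made against the end of the CIE (`end`), not the end of the section: a CIE's augmentation data cannot legitimately spill into the next entry, so the tighter bound rejects more malformed input without excluding anything valid.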