[Bug binutils/23994] New: Heap overflow in libbfd caused by integer overflow
https://sourceware.org/bugzilla/show_bug.cgi?id=23994

Bug ID: 23994
Summary: Heap overflow in libbfd caused by integer overflow
Product: binutils
Version: 2.31
Status: UNCONFIRMED
Severity: critical
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: yanshb at gmail dot com
Target Milestone: ---

Created attachment 11464
--> https://sourceware.org/bugzilla/attachment.cgi?id=11464&action=edit
Heap overflow in libbfd caused by integer overflow.

Hi there,

A heap overflow issue was discovered in bfd, caused by an integer overflow, as distributed in GNU Binutils 2.31. It also exists in the latest version, Binutils 2.32, commit 76d2760bc38ada83f81087f16eb151ccc0176574. This issue may have existed for a long time.

The source code is shown as follows. Take Binutils 2.31 "objdump -d poc1" as the example: in the disassemble_data function in objdump.c, line 2463 is a heap allocation, but 'relsize' may be too small because of an integer overflow. Line 8271 in the _bfd_elf_canonicalize_dynamic_reloc function in elf.c will then cause a heap overflow.

objdump.c
>2456     long relsize = bfd_get_dynamic_reloc_upper_bound (abfd);   // relsize = 4
>2463     aux.dynrelbuf = (arelent **) xmalloc (relsize);
>2464     aux.dynrelcount = bfd_canonicalize_dynamic_reloc (abfd,
>2465                                                         aux.dynrelbuf,
>2466                                                         dynsyms);   // heap overflow

elf.c
>8210 _bfd_elf_get_dynamic_reloc_upper_bound (bfd *abfd)
>8211 {
>8212   long ret;
...
>8226   ret += ((s->size / elf_section_data (s)->this_hdr.sh_entsize)
>8227           * sizeof (arelent *));   // integer overflow
>8229   return ret;
>8230 }

>8241 _bfd_elf_canonicalize_dynamic_reloc (bfd *abfd,
>8242                                      arelent **storage,   // objdump.c:2463 alloc
>8243                                      asymbol **syms)
>8244 {
...
>8268       count = s->size / elf_section_data (s)->this_hdr.sh_entsize;
>8269       p = s->relocation;
>8270       for (i = 0; i < count; i++)
>8271         *storage++ = p++;   // heap overflow
...
}

The crash output is shown as follows.
$ ../binutils-gdb/binutils/objdump --version
GNU objdump (GNU Binutils) 2.31.51.20181216
$ ../binutils-gdb/binutils/objdump -d poc2
../binutils-gdb/binutils/objdump: warning: poc2 has a corrupt section with a size (fbff80) larger than the file size

poc2:     file format elf64-x86-64

*** Error in `../binutils-gdb/binutils/objdump': malloc(): memory corruption: 0x08997948 ***
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(+0x67377)[0xf7d60377]
/lib/i386-linux-gnu/libc.so.6(+0x6d2f7)[0xf7d662f7]
/lib/i386-linux-gnu/libc.so.6(+0x6f3f2)[0xf7d683f2]
/lib/i386-linux-gnu/libc.so.6(__libc_malloc+0xc5)[0xf7d69fc5]
/lib/i386-linux-gnu/libc.so.6(+0x29171)[0xf7d22171]
/lib/i386-linux-gnu/libc.so.6(+0x270a2)[0xf7d200a2]
/lib/i386-linux-gnu/libc.so.6(+0x26a20)[0xf7d1fa20]
/lib/i386-linux-gnu/libc.so.6(dcgettext+0x26)[0xf7d1e8b6]
/lib/i386-linux-gnu/libc.so.6(dgettext+0x12)[0xf7d1e8d2]
../binutils-gdb/binutils/objdump[0x809b1aa]
../binutils-gdb/binutils/objdump[0x8088100]
../binutils-gdb/binutils/objdump[0x80882ad]
../binutils-gdb/binutils/objdump[0x804edfd]
../binutils-gdb/binutils/objdump[0x80516a0]
../binutils-gdb/binutils/objdump[0x805182f]
../binutils-gdb/binutils/objdump[0x8051a7e]
../binutils-gdb/binutils/objdump[0x8051aeb]
../binutils-gdb/binutils/objdump[0x8052458]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf7)[0xf7d11637]
../binutils-gdb/binutils/objdump[0x8049b51]
======= Memory map: ========
08048000-08246000 r-xp 08:22 433952 ../testcase/binutils/binutils-gdb/binutils/objdump
08246000-08247000 r--p 001fd000 08:22 433952 ../testcase/binutils/binutils-gdb/binutils/objdump
08247000-0824c000 rw-p 001fe000 08:22 433952 ../testcase/binutils/binutils-gdb/binutils/objdump
0824c000-08253000 rw-p 00:00 0
0898f000-089b rw-p 00:00 0 [heap]
f790-f7921000 rw-p 00:00 0
f7921000-f7a0 ---p 00:00 0
f7ab5000-f7ad1000 r-xp 08:06 3802106 /lib/i386-linux-gnu/libgcc_s.so.1
f7ad1000-f7ad2000 r--p 0001b000 08:06 3802106 /lib/i386-linux-gnu/libgcc_s.so.1
f7ad2000-f7ad3000 rw-p 0001c000 08:06 3802106 /lib/i386-linux-gnu/libgcc_s.so.1
f7af8000-f7cf8000 r--p 08:06 527047 /usr/lib/locale/locale-archive
f7cf8000-f7cf9000 rw-p 00:00 0
f7cf9000-f7ea9000 r-xp 08:06 3805752 /lib/i386-linux-gnu/libc-2.23.so
f7ea9000-f7eab000 r--p 001af000 08:06 380
[Bug binutils/23994] Heap overflow in libbfd caused by integer overflow
https://sourceware.org/bugzilla/show_bug.cgi?id=23994

ShengBo Yan changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |yanshb at gmail dot com
            Version|2.31                        |2.32 (HEAD)

--
You are receiving this mail because:
You are on the CC list for the bug.
___
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils
[Bug binutils/23994] Heap overflow in libbfd caused by integer overflow
https://sourceware.org/bugzilla/show_bug.cgi?id=23994

--- Comment #1 from ShengBo Yan ---
I use a 32-bit objdump on 64-bit Ubuntu 16.04.4 LTS.
[Bug binutils/24005] objdump integer overflow in load_specific_debug_section
https://sourceware.org/bugzilla/show_bug.cgi?id=24005

--- Comment #1 from ShengBo Yan ---
Created attachment 11474
--> https://sourceware.org/bugzilla/attachment.cgi?id=11474&action=edit
patch
[Bug binutils/24005] New: objdump integer overflow in load_specific_debug_section
https://sourceware.org/bugzilla/show_bug.cgi?id=24005

Bug ID: 24005
Summary: objdump integer overflow in load_specific_debug_section
Product: binutils
Version: 2.32 (HEAD)
Status: UNCONFIRMED
Severity: critical
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: yanshb at gmail dot com
Target Milestone: ---

Created attachment 11473
--> https://sourceware.org/bugzilla/attachment.cgi?id=11473&action=edit
POC3

I use a 32-bit objdump on 64-bit Ubuntu 16.04.4 LTS.

The source code is shown as follows, in objdump.c.

>2528   bfd_size_type amt;
>2543   amt = section->size + 1;
>2544   section->start = contents = malloc (amt);
>2545   section->user_data = sec;
>2546   if (amt == 0
>2547       || section->start == NULL
>2548       || !bfd_get_full_section_contents (abfd, sec, &contents))
>2549     {
>2550       free_debug_section (debug);

There is an integer overflow when section->size is 0x in line 2543; it will trigger a heap overflow in bfd_get_full_section_contents in line 2548, and finally a crash in line 2550.

Part of the crash output is shown as follows.
./objdump -g POC3
*** Error in `./objdump': free(): invalid next size (fast): 0x0a0d06b8 ***
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(+0x67377)[0xf7d8a377]
/lib/i386-linux-gnu/libc.so.6(+0x6d2f7)[0xf7d902f7]
/lib/i386-linux-gnu/libc.so.6(+0x6dc31)[0xf7d90c31]
./binutils/objdump[0x804f2c9]
./binutils/objdump[0x804efb9]
./binutils/objdump[0x804f463]
./binutils/objdump[0x80a69f5]
./binutils/objdump[0x804f60f]
./binutils/objdump[0x805174f]
./binutils/objdump[0x805182f]
./binutils/objdump[0x8051a7e]
./binutils/objdump[0x8051aeb]
./binutils/objdump[0x8052458]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf7)[0xf7d3b637]
./binutils/objdump[0x8049b51]
======= Memory map: ========
08048000-08246000 r-xp 08:22 438569 /e/vul/testcase/binutils/binutils-gdb/binutils/objdump
08246000-08247000 r--p 001fd000 08:22 438569 /e/vul/testcase/binutils/binutils-gdb/binutils/objdump
08247000-0824c000 rw-p 001fe000 08:22 438569 /e/vul/testcase/binutils/binutils-gdb/binutils/objdump
0824c000-08253000 rw-p 00:00 0
0a0c6000-0a0e7000 rw-p 00:00 0 [heap]
f790-f7921000 rw-p 00:00 0
f7921000-f7a0 ---p 00:00 0
f7adf000-f7afb000 r-xp 08:06 3802106 /lib/i386-linux-gnu/libgcc_s.so.1
f7afb000-f7afc000 r--p 0001b000 08:06 3802106 /lib/i386-linux-gnu/libgcc_s.so.1
f7afc000-f7afd000 rw-p 0001c000 08:06 3802106 /lib/i386-linux-gnu/libgcc_s.so.1
f7b22000-f7d22000 r--p 08:06 527047 /usr/lib/locale/locale-archive
f7d22000-f7d23000 rw-p 00:00 0
f7d23000-f7ed3000 r-xp 08:06 3805752 /lib/i386-linux-gnu/libc-2.23.so
f7ed3000-f7ed5000 r--p 001af000 08:06 3805752 /lib/i386-linux-gnu/libc-2.23.so
f7ed5000-f7ed6000 rw-p 001b1000 08:06 3805752 /lib/i386-linux-gnu/libc-2.23.so
f7ed6000-f7ed9000 rw-p 00:00 0
f7ed9000-f7edc000 r-xp 08:06 3805774 /lib/i386-linux-gnu/libdl-2.23.so
f7edc000-f7edd000 r--p 2000 08:06 3805774 /lib/i386-linux-gnu/libdl-2.23.so
f7edd000-f7ede000 rw-p 3000 08:06 3805774 /lib/i386-linux-gnu/libdl-2.23.so
f7efa000-f7efb000 rw-p 00:00 0
f7efb000-f7f02000 r--s 08:06 676504 /usr/lib/i386-linux-gnu/gconv/gconv-modules.cache
f7f02000-f7f03000 r--p 002d4000 08:06 527047 /usr/lib/locale/locale-archive
f7f03000-f7f04000 rw-p 00:00 0
f7f04000-f7f07000 r--p 00:00 0 [vvar]
f7f07000-f7f09000 r-xp 00:00 0 [vdso]
f7f09000-f7f2c000 r-xp 08:06 3805748 /lib/i386-linux-gnu/ld-2.23.so
f7f2c000-f7f2d000 r--p 00022000 08:06 3805748 /lib/i386-linux-gnu/ld-2.23.so
f7f2d000-f7f2e000 rw-p 00023000 08:06 3805748 /lib/i386-linux-gnu/ld-2.23.so
ffd91000-ffdb2000 rw-p 00:00 0 [stack]
Aborted
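The allocation pattern this report quotes (`amt = section->size + 1; malloc (amt)`, guarded only by `amt == 0`) is modelled below as an added example. It is not binutils code and not the patch attached to the bug. It assumes that bfd_size_type is 64 bits wide while the host malloc takes a 32-bit size_t, as on a 32-bit objdump built for 64-bit ELF; the host size is modelled as uint32_t so the narrowing is visible on any machine that compiles it. The sample 16-byte "file", the file-size limit, and the names section_alloc_ok and load_section_checked are this example's own constructions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption: 64-bit BFD sizes, 32-bit host size_t (modelled explicitly). */
typedef uint64_t bfd_size_type;
typedef uint32_t host_size_t;

/* Constructed sample "file": 15 bytes plus NUL; bytes 9..12 spell "sect". */
static const unsigned char sample_file[16] = "ELF-file-sectxx";

/* What malloc is really asked for once the 64-bit amt is narrowed. */
static host_size_t bytes_malloc_receives(bfd_size_type section_size)
{
    bfd_size_type amt = section_size + 1;
    return (host_size_t)amt;
}

/* Before: the quoted guard `amt == 0` fires only when the 64-bit sum wraps
   all the way to zero.  Returns 1 when that guard passes yet the buffer is
   smaller than the section_size bytes that will be copied into it. */
static int naive_load_overflows(bfd_size_type section_size)
{
    bfd_size_type amt = section_size + 1;
    if (amt == 0)
        return 0;                    /* the one case the old check catches */
    return (bfd_size_type)bytes_malloc_receives(section_size) < section_size;
}

/* After: accept an allocation size only if it does not wrap in
   bfd_size_type, fits the host size_t, and the section is not larger than
   the file it claims to come from.  objdump already warns about that last
   condition; treating it as a hard limit is this example's design choice. */
static int section_alloc_ok(bfd_size_type section_size, bfd_size_type file_size)
{
    if (section_size > file_size)
        return 0;
    if (section_size == UINT64_MAX)
        return 0;                    /* size + 1 would wrap to 0 */
    bfd_size_type amt = section_size + 1;
    if (amt > UINT32_MAX)
        return 0;                    /* malloc would receive a truncated count */
    return 1;
}

/* Hardened loader over an in-memory file: copies the section and
   NUL-terminates it (the job the +1 is there for).  Returns NULL without
   touching the heap when the sizes are rejected. */
static unsigned char *load_section_checked(const unsigned char *file, bfd_size_type file_size,
                                           bfd_size_type sec_off, bfd_size_type sec_size)
{
    if (!section_alloc_ok(sec_size, file_size) || sec_off > file_size - sec_size)
        return NULL;
    host_size_t amt = (host_size_t)(sec_size + 1);   /* proven to fit above */
    unsigned char *buf = malloc(amt);
    if (buf == NULL)
        return NULL;
    memcpy(buf, file + sec_off, (size_t)sec_size);
    buf[sec_size] = '\0';
    return buf;
}

/* Convenience wrapper: 1 if the load succeeds, 0 if it is rejected. */
static int load_section_ok(const unsigned char *file, bfd_size_type file_size,
                           bfd_size_type sec_off, bfd_size_type sec_size)
{
    unsigned char *buf = load_section_checked(file, file_size, sec_off, sec_size);
    if (buf == NULL)
        return 0;
    free(buf);
    return 1;
}

int main(void)
{
    printf("size 0xffffffff: malloc receives %u bytes, naive guard misses overflow = %d\n",
           (unsigned)bytes_malloc_receives(0xffffffffull),
           naive_load_overflows(0xffffffffull));
    printf("size 4 at offset 9 in a 16-byte file: load %s\n",
           load_section_ok(sample_file, sizeof sample_file, 9, 4) ? "ok" : "rejected");
    printf("size 0xffffffff in the same file: load %s\n",
           load_section_ok(sample_file, sizeof sample_file, 9, 0xffffffffull) ? "ok" : "rejected");
    return 0;
}
```

The point of the model is that the check has to be made on the value malloc will actually see, not on the wider type the arithmetic was done in; a section size that is implausible for the file is cheaper to reject before any allocation than to detect afterwards in the allocator's consistency checks, which is where the `free(): invalid next size` abort above comes from.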
[Bug binutils/24005] objdump integer overflow in load_specific_debug_section
https://sourceware.org/bugzilla/show_bug.cgi?id=24005

ShengBo Yan changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |yanshb at gmail dot com
[Bug binutils/23994] Heap overflow in libbfd caused by integer overflow
https://sourceware.org/bugzilla/show_bug.cgi?id=23994

abo changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|yanshb at gmail dot com     |
[Bug binutils/24039] New: integer overflow in libiberty, heap overflow will be triggered
https://sourceware.org/bugzilla/show_bug.cgi?id=24039

Bug ID: 24039
Summary: integer overflow in libiberty, heap overflow will be triggered
Product: binutils
Version: 2.32 (HEAD)
Status: UNCONFIRMED
Severity: critical
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: yanshb at gmail dot com
Target Milestone: ---

Created attachment 11495
--> https://sourceware.org/bugzilla/attachment.cgi?id=11495&action=edit
nm -C POC

I use a 32-bit binutils on 64-bit Ubuntu 16.04.4 LTS.

The trigger command is ./nm -C POC

The source code is shown as follows, in cplus-dem.c.

>2246   work->tmpl_argvec = XNEWVEC (char *, r);   // sizeof (char *) * r
>2247   work->ntmpl_args = r;
>2248   for (i = 0; i < r; i++)
>2249     work->tmpl_argvec[i] = 0;

There is an integer overflow when r > 0x4000 in line 2246, which will trigger a heap overflow in line 2249. There are several similar problems in libiberty.

Part of the crash output is shown as follows.

=================================================================
==17964==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf44fea80 at pc 0x08837adf bp 0xffaceb68 sp 0xffaceb60
WRITE of size 4 at 0xf44fea80 thread T0
    #0 0x8837ade (./nm-new+0x8837ade)
    #1 0x881916b (./nm-new+0x881916b)
    #2 0x880ad63 (./nm-new+0x880ad63)
    #3 0x88029fe (./nm-new+0x88029fe)
    #4 0x8185166 (./nm-new+0x8185166)
    #5 0x81472ea (./nm-new+0x81472ea)
    #6 0x815268b (./nm-new+0x815268b)
    #7 0x814d966 (./nm-new+0x814d966)
    #8 0x8146040 (./nm-new+0x8146040)
    #9 0x81441aa (./nm-new+0x81441aa)
    #10 0xf7c8e636 (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #11 0x8069dfc (./nm-new+0x8069dfc)

0xf44fea80 is located 0 bytes to the right of 251581056-byte region [0xe5511800,0xf44fea80)
allocated by thread T0 here:
    #0 0x8115823 (./nm-new+0x8115823)
    #1 0x89e6bd9 (./nm-new+0x89e6bd9)
    #2 0x881916b (./nm-new+0x881916b)
    #3 0x880ad63 (./nm-new+0x880ad63)
    #4 0x88029fe (./nm-new+0x88029fe)
    #5 0x8185166 (./nm-new+0x8185166)

SUMMARY: AddressSanitizer: heap-buffer-overflow (./nm-new+0x8837ade)
Shadow bytes around the buggy address:
  0x3e89fd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e89fd10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e89fd20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e89fd30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e89fd40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x3e89fd50:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e89fd60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e89fd70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e89fd80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e89fd90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e89fda0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==17964==ABORTING
Aborted
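Bug 23994 (the dynamic reloc upper bound in elf.c) and this bug 24039 (XNEWVEC in cplus-dem.c) are the same arithmetic defect: an element count multiplied by sizeof a pointer, computed or stored in a 32-bit `long`/`size_t` on an ILP32 host, so a count of 2^30 or more silently yields a tiny byte count that xmalloc happily honours. The added example below, which is not binutils code and not the project's fix, models both sites side by side with their overflow-checked counterparts. It assumes 64-bit BFD section sizes and a 32-bit host word (modelled as uint32_t so the wrap is well defined and reproducible on a 64-bit build machine); struct sec, PTR_SIZE and the two constructed sections are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumptions: 64-bit BFD sizes, 32-bit host long/size_t, 4-byte pointers. */
typedef uint64_t bfd_size_type;
typedef uint32_t host_word;          /* stands in for long and size_t on ILP32 */
#define PTR_SIZE 4u                  /* sizeof (arelent *) == sizeof (char *) */

/* Minimal stand-in for the reloc sections the upper bound is summed over. */
struct sec { bfd_size_type size; bfd_size_type sh_entsize; };

/* Constructed: one section of Elf64_Rela-sized (24-byte) entries chosen so
   that count * PTR_SIZE is exactly 2^32, and one ordinary 10-entry section. */
static const struct sec overflow_sec[1] = { { 24ull << 30, 24 } };
static const struct sec sane_sec[1]     = { { 240, 24 } };

/* Before: mirrors _bfd_elf_get_dynamic_reloc_upper_bound as quoted in bug
   23994.  The 64-bit product is narrowed into the 32-bit accumulator. */
static host_word reloc_bound_naive(const struct sec *s, int n)
{
    host_word ret = PTR_SIZE;        /* room for the terminating NULL */
    for (int i = 0; i < n; i++)      /* sh_entsize assumed non-zero here */
        ret += (host_word)((s[i].size / s[i].sh_entsize) * PTR_SIZE);
    return ret;
}

/* Number of pointers the canonicalize loop (`*storage++ = p++`) stores,
   i.e. what the buffer really has to hold. */
static bfd_size_type reloc_count(const struct sec *s, int n)
{
    bfd_size_type count = 0;
    for (int i = 0; i < n; i++)
        count += s[i].size / s[i].sh_entsize;
    return count;
}

/* After: refuse any bound that does not fit a positive 32-bit long, and any
   section with a zero entry size.  Returns the byte count, or -1. */
static int64_t reloc_bound_checked(const struct sec *s, int n)
{
    uint64_t ret = PTR_SIZE;
    for (int i = 0; i < n; i++) {
        if (s[i].sh_entsize == 0)
            return -1;               /* corrupt section header */
        uint64_t count = s[i].size / s[i].sh_entsize;
        if (count > ((uint64_t)INT32_MAX - ret) / PTR_SIZE)
            return -1;               /* count * PTR_SIZE would not fit */
        ret += count * PTR_SIZE;
    }
    return (int64_t)ret;
}

/* Before: XNEWVEC (char *, r) is xmalloc (sizeof (char *) * r), so on ILP32
   the byte count is r * 4 computed in 32 bits (bug 24039). */
static host_word xnewvec_bytes_naive(host_word r)
{
    return r * PTR_SIZE;
}

/* After: the same product with an overflow guard; returns -1 on overflow. */
static int64_t xnewvec_bytes_checked(host_word r)
{
    if (r > UINT32_MAX / PTR_SIZE)
        return -1;
    return (int64_t)r * PTR_SIZE;
}

int main(void)
{
    printf("reloc bound, naive  : %u bytes for %llu relocs\n",
           (unsigned)reloc_bound_naive(overflow_sec, 1),
           (unsigned long long)reloc_count(overflow_sec, 1));
    printf("reloc bound, checked: %lld\n",
           (long long)reloc_bound_checked(overflow_sec, 1));
    printf("XNEWVEC r=0x40000001, naive  : %u bytes\n",
           (unsigned)xnewvec_bytes_naive(0x40000001u));
    printf("XNEWVEC r=0x40000001, checked: %lld\n",
           (long long)xnewvec_bytes_checked(0x40000001u));
    return 0;
}
```

With the constructed section the naive bound comes out as 4, the same `relsize = 4` the first report annotates: the pointer-sized slot for the terminating NULL survives and the 2^30 real entries contribute nothing. The checked versions keep the multiplication in a wider type and compare against the destination's limit before narrowing, which is the property any size computation feeding an allocator needs regardless of where it lives.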