[Bug binutils/19323] [FG-VD-15-113] BinUtils-2.25 Objdump Heap Overflow
From: kshah at fortinet dot com
Subject: [Bug binutils/19323] [FG-VD-15-113] BinUtils-2.25 Objdump Heap Overflow Vulnerability Notification
Date: Thu, 03 Dec 2015 19:26:12 +0000
https://sourceware.org/bugzilla/show_bug.cgi?id=19323
Kushal Shah <kshah at fortinet dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |REOPENED
Resolution|INVALID |---
--- Comment #2 from Kushal Shah <kshah at fortinet dot com> ---
Hi Alan,
I re-ran the PoC using both readelf and objdump. The "readelf" tool returns an
out-of-memory error, while "objdump" crashes with a Segmentation Fault, and
under Valgrind we can see that there is a Heap Overflow caused by Objdump.
I am attaching both the "out-of-memory" error obtained using readelf and the
gdb and valgrind output confirming the heap overflow vulnerability in objdump.
I would also like to ask whether you could share the out-of-memory error
output returned by objdump using the PoC and reproduction steps provided
previously.
Vulnerability confirmation using GDB & Valgrind:
##########----------Valgrind Output----------##########
# valgrind --tool=memcheck --leak-check=full --track-origins=yes \
    --show-reachable=yes --keep-stacktraces=alloc-and-free --num-callers=40 \
    --track-fds=yes -v binutils-gdb/binutils/objdump -s /root/Desktop/file1 /dev/null
==13429== Invalid write of size 4
==13429== at 0x82499B7: bfd_elf32_swap_phdr_in (elfcode.h:367)
==13429== by 0x824D0B4: bfd_elf32_object_p (elfcode.h:782)
==13429== by 0x81E00F6: bfd_check_format_matches.part.1 (format.c:305)
==13429== by 0x806734F: display_object_bfd (objdump.c:3418)
==13429== by 0x806734F: display_any_bfd (objdump.c:3509)
==13429== by 0x8053ECA: display_file (objdump.c:3530)
==13429== by 0x8053ECA: main (objdump.c:3813)
==13429== Address 0x420bdf0 is 0 bytes after a block of size 4,064 alloc'd
==13429== at 0x40291CC: malloc (vg_replace_malloc.c:296)
==13429== by 0x851B130: objalloc_create (objalloc.c:95)
==13429== by 0x81F049B: _bfd_new_bfd (opncls.c:73)
==13429== by 0x81F049B: bfd_fopen (opncls.c:199)
==13429== by 0x81F049B: bfd_openr (opncls.c:287)
==13429== by 0x8053E83: display_file (objdump.c:3523)
==13429== by 0x8053E83: main (objdump.c:3813)
==13429==
==13429== Invalid write of size 4
==13429== at 0x82499FF: bfd_elf32_swap_phdr_in (elfcode.h:369)
==13429== by 0x824D0B4: bfd_elf32_object_p (elfcode.h:782)
==13429== by 0x81E00F6: bfd_check_format_matches.part.1 (format.c:305)
==13429== by 0x806734F: display_object_bfd (objdump.c:3418)
==13429== by 0x806734F: display_any_bfd (objdump.c:3509)
==13429== by 0x8053ECA: display_file (objdump.c:3530)
==13429== by 0x8053ECA: main (objdump.c:3813)
==13429== Address 0x420bdf4 is 4 bytes after a block of size 4,064 alloc'd
==13429== at 0x40291CC: malloc (vg_replace_malloc.c:296)
==13429== by 0x851B130: objalloc_create (objalloc.c:95)
==13429== by 0x81F049B: _bfd_new_bfd (opncls.c:73)
==13429== by 0x81F049B: bfd_fopen (opncls.c:199)
==13429== by 0x81F049B: bfd_openr (opncls.c:287)
==13429== by 0x8053E83: display_file (objdump.c:3523)
==13429== by 0x8053E83: main (objdump.c:3813)
==13429==
==13429== Invalid write of size 4
==13429== at 0x8249A0E: bfd_elf32_swap_phdr_in (elfcode.h:370)
==13429== by 0x824D0B4: bfd_elf32_object_p (elfcode.h:782)
==13429== by 0x81E00F6: bfd_check_format_matches.part.1 (format.c:305)
==13429== by 0x806734F: display_object_bfd (objdump.c:3418)
==13429== by 0x806734F: display_any_bfd (objdump.c:3509)
==13429== by 0x8053ECA: display_file (objdump.c:3530)
==13429== by 0x8053ECA: main (objdump.c:3813)
==13429== Address 0x420bdf8 is 8 bytes after a block of size 4,064 alloc'd
==13429== at 0x40291CC: malloc (vg_replace_malloc.c:296)
==13429== by 0x851B130: objalloc_create (objalloc.c:95)
==13429== by 0x81F049B: _bfd_new_bfd (opncls.c:73)
==13429== by 0x81F049B: bfd_fopen (opncls.c:199)
==13429== by 0x81F049B: bfd_openr (opncls.c:287)
==13429== by 0x8053E83: display_file (objdump.c:3523)
==13429== by 0x8053E83: main (objdump.c:3813)
==13429==
==13429== Invalid write of size 4
==13429== at 0x8249A1A: bfd_elf32_swap_phdr_in (elfcode.h:371)
==13429== by 0x824D0B4: bfd_elf32_object_p (elfcode.h:782)
==13429== by 0x81E00F6: bfd_check_format_matches.part.1 (format.c:305)
==13429== by 0x806734F: display_object_bfd (objdump.c:3418)
==13429== by 0x806734F: display_any_bfd (objdump.c:3509)
==13429== by 0x8053ECA: display_file (objdump.c:3530)
==13429== by 0x8053ECA: main (objdump.c:3813)
==13429== Address 0x420bdfc is 12 bytes after a block of size 4,064 alloc'd
==13429== at 0x40291CC: malloc (vg_replace_malloc.c:296)
==13429== by 0x851B130: objalloc_create (objalloc.c:95)
==13429== by 0x81F049B: _bfd_new_bfd (opncls.c:73)
==13429== by 0x81F049B: bfd_fopen (opncls.c:199)
==13429== by 0x81F049B: bfd_openr (opncls.c:287)
==13429== by 0x8053E83: display_file (objdump.c:3523)
==13429== by 0x8053E83: main (objdump.c:3813)
==13429==
==13429== Invalid write of size 4
==13429== at 0x8249938: bfd_elf32_swap_phdr_in (elfcode.h:356)
==13429== by 0x824D0B4: bfd_elf32_object_p (elfcode.h:782)
==13429== by 0x81E00F6: bfd_check_format_matches.part.1 (format.c:305)
==13429== by 0x806734F: display_object_bfd (objdump.c:3418)
==13429== by 0x806734F: display_any_bfd (objdump.c:3509)
==13429== by 0x8053ECA: display_file (objdump.c:3530)
==13429== by 0x8053ECA: main (objdump.c:3813)
==13429== Address 0x420be00 is 16 bytes after a block of size 4,064 alloc'd
==13429== at 0x40291CC: malloc (vg_replace_malloc.c:296)
==13429== by 0x851B130: objalloc_create (objalloc.c:95)
==13429== by 0x81F049B: _bfd_new_bfd (opncls.c:73)
==13429== by 0x81F049B: bfd_fopen (opncls.c:199)
==13429== by 0x81F049B: bfd_openr (opncls.c:287)
==13429== by 0x8053E83: display_file (objdump.c:3523)
==13429== by 0x8053E83: main (objdump.c:3813)
==13429==
==13429== Invalid write of size 4
==13429== at 0x8249946: bfd_elf32_swap_phdr_in (elfcode.h:357)
==13429== by 0x824D0B4: bfd_elf32_object_p (elfcode.h:782)
==13429== by 0x81E00F6: bfd_check_format_matches.part.1 (format.c:305)
==13429== by 0x806734F: display_object_bfd (objdump.c:3418)
==13429== by 0x806734F: display_any_bfd (objdump.c:3509)
==13429== by 0x8053ECA: display_file (objdump.c:3530)
==13429== by 0x8053ECA: main (objdump.c:3813)
==13429== Address 0x420be04 is 20 bytes after a block of size 4,064 in arena
"client"
==13429==
valgrind: m_mallocfree.c:304 (get_bszB_as_is): Assertion 'bszB_lo == bszB_hi'
failed.
valgrind: Heap block lo/hi size mismatch: lo = 4112, hi = 6.
This is probably caused by your program erroneously writing past the
end of a heap block and corrupting heap metadata.
##########----------Valgrind Output----------##########
##########----------GDB Output----------##########
# gdb --args binutils-gdb/binutils/objdump -s /root/Desktop/file1 /dev/null
   0xb7c1d927 <__GI__IO_fread+7>     mov    0x34(%esp),%edi
   0xb7c1d92b <__GI__IO_fread+11>    imul   0x38(%esp),%edi
   0xb7c1d930 <__GI__IO_fread+16>    call   0xb7cdd14b <__x86.get_pc_thunk.bx>
   0xb7c1d935 <__GI__IO_fread+21>    add    $0x1426cb,%ebx
   0xb7c1d93b <__GI__IO_fread+27>    mov    0x3c(%esp),%esi
   0xb7c1d93f <__GI__IO_fread+31>    test   %edi,%edi
   0xb7c1d941 <__GI__IO_fread+33>    je     0xb7c1d9e0 <__GI__IO_fread+192>
   0xb7c1d947 <__GI__IO_fread+39>    mov    (%esi),%eax
   0xb7c1d949 <__GI__IO_fread+41>    and    $0x8000,%eax
   0xb7c1d94e <__GI__IO_fread+46>    jne    0xb7c1d985 <__GI__IO_fread+101>
   0xb7c1d950 <__GI__IO_fread+48>    mov    0x48(%esi),%edx
   0xb7c1d953 <__GI__IO_fread+51>    mov    %gs:0x8,%ebp
>  0xb7c1d95a <__GI__IO_fread+58>    cmp    0x8(%edx),%ebp        <-- Crash happens here.
   0xb7c1d95d <__GI__IO_fread+61>    je     0xb7c1d981 <__GI__IO_fread+97>
   0xb7c1d95f <__GI__IO_fread+63>    mov    $0x1,%ecx
   0xb7c1d964 <__GI__IO_fread+68>    cmpl   $0x0,%gs:0xc
   0xb7c1d96c <__GI__IO_fread+76>    je     0xb7c1d96f <__GI__IO_fread+79>
   0xb7c1d96e <__GI__IO_fread+78>    lock cmpxchg %ecx,(%edx)
   0xb7c1d972 <__GI__IO_fread+82>    jne    0xb7c1da23 <_L_lock_53>
   0xb7c1d978 <__GI__IO_fread+88>    mov    0x48(%esi),%eax
   0xb7c1d97b <__GI__IO_fread+91>    mov    0x48(%esi),%edx
   0xb7c1d97e <__GI__IO_fread+94>    mov    %ebp,0x8(%eax)
   0xb7c1d981 <__GI__IO_fread+97>    addl   $0x1,0x4(%edx)
   0xb7c1d985 <__GI__IO_fread+101>   mov    0x30(%esp),%eax
   0xb7c1d989 <__GI__IO_fread+105>   mov    %edi,0x8(%esp)
   0xb7c1d98d <__GI__IO_fread+109>   mov    %esi,(%esp)
   0xb7c1d990 <__GI__IO_fread+112>   mov    %eax,0x4(%esp)
   0xb7c1d994 <__GI__IO_fread+116>   call   0xb7c2a090 <__GI__IO_sgetn>
   0xb7c1d999 <__GI__IO_fread+121>   testl  $0x8000,(%esi)
(gdb) r
Starting program: /usr/bin/objdump -s /root/Desktop/file1 /dev/null
Program received signal SIGSEGV, Segmentation fault.
0xb7c1d95a in __GI__IO_fread (buf=0xbffff21c, size=1, count=32, fp=0x80a4528)
at iofread.c:41
(gdb) bt
#0  0xb7c1d95a in __GI__IO_fread (buf=0xbffff21c, size=1, count=32, fp=0x80a4528) at iofread.c:41
#1  0xb7dac6e3 in ?? () from /usr/lib/libbfd-2.25-system.so
#2  0xb7dab879 in bfd_bread () from /usr/lib/libbfd-2.25-system.so
#3  0xb7dd6ce4 in bfd_elf32_object_p () from /usr/lib/libbfd-2.25-system.so
#4  0xb7db11b7 in bfd_check_format_matches () from /usr/lib/libbfd-2.25-system.so
#5  0x0804fa60 in ?? ()
#6  0x08051e11 in ?? ()
#7  0x0804c1b6 in ?? ()
#8  0xb7bd3a63 in __libc_start_main (main=0x804ba20, argc=4, argv=0xbffff4d4, init=0x8080e20, fini=0x8080e90, rtld_fini=0xb7fedc90 <_dl_fini>, stack_end=0xbffff4cc) at libc-start.c:287
#9  0x0804c340 in ?? ()
(gdb) x $edx
0x6469676b: Cannot access memory at address 0x6469676b
(gdb) x $ebp
0xb7bb9940: 0xb7bb9940
(gdb) x $esi
0x80a4528: 0x00000000
(gdb) x $eax
0x0: Cannot access memory at address 0x0
(gdb) x $eip
0xb7c1d95a <__GI__IO_fread+58>: 0x74086a3b
(gdb)
##########----------GDB Output----------##########
"readelf" output showing the out-of-memory error:
##########----------ReadElf Output----------##########
readelf -a /root/Desktop/file1
ELF Header:
Magic: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
Class: ELF32
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
Type: DYN (Shared object file)
Machine: Intel 80386
Version: 0x1
Entry point address: 0x753
Start of program headers: 52 (bytes into file)
Start of section headers: 4364 (bytes into file)
Flags: 0x0
Size of this header: 52 (bytes)
Size of program headers: 32 (bytes)
Number of program headers: 65535 (-2147483648)
Size of section headers: 40 (bytes)
Number of section headers: 27
Section header string table index: 26
Section Headers:
  [Nr] Name              Type            Addr     Off    Size   ES Flg Lk Inf        Al
  [ 0]                   NULL            00000000 000000 000000 00      0  2147483648 0
  [ 1] .interp           PROGBITS        00000154 000154 000013 00   A  0  0          1
  [ 2] .note.ABI-tag     NOTE            00000168 000168 000020 00   A  0  0          4
  [ 3] .note.gnu.build-i NOTE            00000188 000188 000024 00   A  0  0          4
  [ 4] .gnu.hash         GNU_HASH        000001ac 0001ac 000034 04   A  5  0          4
  [ 5] .dynsym           DYNSYM          000001e0 0001e0 000130 10   A  6  1          4
  [ 6] .dynstr           STRTAB          00000310 000310 00012c 00   A  0  0          1
  [ 7] .gnu.version      VERSYM          0000043c 00043c 000026 02   A  5  0          2
  [ 8] .gnu.version_r    VERNEED         00000464 000464 000050 00   A  6  1          4
  [ 9] .rel.dyn          REL             000004b4 0004b4 000050 08   A  5  0          4
  [10] .rel.plt          REL             00000504 000504 000048 08  AI  5  12         4
  [11] .init             PROGBITS        0000054c 00054c 000023 00  AX  0  0          4
  [12] .plt              PROGBITS        00000570 000570 0000a0 04  AX  0  0          16
  [13] .text             PROGBITS        00000610 000610 000354 00  AX  0  0          16
  [14] .fini             PROGBITS        00000964 000964 000014 00  AX  0  0          4
  [15] .rodata           PROGBITS        00000978 000978 00003a 00   A  0  0          4
  [16] .eh_frame_hdr     PROGBITS        000009b4 0009b4 000034 00   A  0  0          4
  [17] .eh_frame         PROGBITS        000009e8 0009e8 0000f4 00   A  0  0          4
  [18] .init_array       INIT_ARRAY      00001ea8 000ea8 000004 00  WA  0  0          4
  [19] .fini_array       FINI_ARRAY      00001eac 000eac 000004 00  WA  0  0          4
  [20] .jcr              PROGBITS        00001eb0 000eb0 000004 00  WA  0  0          4
  [21] .dynamic          DYNAMIC         00001eb4 000eb4 000100 08  WA  6  0          4
  [22] .got              PROGBITS        00001fb4 000fb4 00004c 04  WA  0  0          4
  [23] .data             PROGBITS        00002000 001000 000008 00  WA  0  0          4
  [24] .bss              NOBITS          00002008 001008 000004 00  WA  0  0          1
  [25] .gnu_debuglink    PROGBITS        00000000 001008 000010 00      0  0          1
  [26] .shstrtab         STRTAB          00000000 001018 0000f3 00      0  0          1
Key to Flags:
W (write), A (alloc), X (execute), M (merge), S (strings)
I (info), L (link order), G (group), T (TLS), E (exclude), x (unknown)
O (extra OS processing required) o (OS specific), p (processor specific)
There are no section groups in this file.
readelf: Error: Out of memory reading 2147483648 program headers
Relocation section '.rel.dyn' at offset 0x4b4 contains 10 entries:
Offset Info Type Sym.Value Sym. Name
00001ea8 00000008 R_386_RELATIVE
00001eac 00000008 R_386_RELATIVE
00001ff4 00000008 R_386_RELATIVE
00002004 00000008 R_386_RELATIVE
00001fe4 00000106 R_386_GLOB_DAT 00000000 _ITM_deregisterTMClone
00001fe8 00000206 R_386_GLOB_DAT 00000000 stderr
00001fec 00000406 R_386_GLOB_DAT 00000000 __cxa_finalize
00001ff0 00000706 R_386_GLOB_DAT 00000000 __gmon_start__
00001ff8 00000906 R_386_GLOB_DAT 00000000 _Jv_RegisterClasses
00001ffc 00000b06 R_386_GLOB_DAT 00000000 _ITM_registerTMCloneTa
Relocation section '.rel.plt' at offset 0x504 contains 9 entries:
Offset Info Type Sym.Value Sym. Name
00001fc0 00000307 R_386_JUMP_SLOT 00000000 __stack_chk_fail
00001fc4 00000407 R_386_JUMP_SLOT 00000000 __cxa_finalize
00001fc8 00000507 R_386_JUMP_SLOT 00000000 perror
00001fcc 00000607 R_386_JUMP_SLOT 00000000 setgid
00001fd0 00000707 R_386_JUMP_SLOT 00000000 __gmon_start__
00001fd4 00000807 R_386_JUMP_SLOT 00000000 __libc_start_main
00001fd8 00000a07 R_386_JUMP_SLOT 00000000 __fprintf_chk
00001fdc 00000c07 R_386_JUMP_SLOT 00000000 strtol
00001fe0 00000d07 R_386_JUMP_SLOT 00000000 getgrnam
The decoding of unwind sections for machine type Intel 80386 is not currently supported.
Symbol table '.dynsym' contains 19 entries:
Num: Value Size Type Bind Vis Ndx Name
0: 00000000 0 NOTYPE LOCAL DEFAULT UND
1: 00000000 0 NOTYPE WEAK DEFAULT UND _ITM_deregisterTMCloneTab
2: 00000000 0 OBJECT GLOBAL DEFAULT UND stderr
3: 00000000 0 FUNC GLOBAL DEFAULT UND __stack_chk_fail
4: 00000000 0 FUNC WEAK DEFAULT UND __cxa_finalize
5: 00000000 0 FUNC GLOBAL DEFAULT UND perror
6: 00000000 0 FUNC GLOBAL DEFAULT UND setgid
7: 00000000 0 NOTYPE WEAK DEFAULT UND __gmon_start__
8: 00000000 0 FUNC GLOBAL DEFAULT UND __libc_start_main
9: 00000000 0 NOTYPE WEAK DEFAULT UND _Jv_RegisterClasses
10: 00000000 0 FUNC GLOBAL DEFAULT UND __fprintf_chk
11: 00000000 0 NOTYPE WEAK DEFAULT UND _ITM_registerTMCloneTable
12: 00000000 0 FUNC GLOBAL DEFAULT UND strtol
13: 00000000 0 FUNC GLOBAL DEFAULT UND getgrnam
14: 00002008 0 NOTYPE GLOBAL DEFAULT 23 _edata
15: 0000200c 0 NOTYPE GLOBAL DEFAULT 24 _end
16: 0000097c 4 OBJECT GLOBAL DEFAULT 15 _IO_stdin_used
17: 00002008 0 NOTYPE GLOBAL DEFAULT 24 __bss_start
18: 00000610 323 FUNC GLOBAL DEFAULT 13 main
Version symbols section '.gnu.version' contains 19 entries:
Addr: 000000000000043c Offset: 0x00043c Link: 5 (.dynsym)
readelf: Error: Out of memory reading 2147483648 program headers
readelf: Warning: Cannot interpret virtual addresses without program headers.
000:457f 464c 101 1 (*global*)
004: 0 (*local*) 0 (*local*) 0 (*local*) 0 (*local*)
008: 3 3 1 (*global*) 0 (*local*)
00c: 753 0 (*local*) 34 0 (*local*)
010:110c 0 (*local*) 0 (*local*)
Version needs section '.gnu.version_r' contains 1 entries:
Addr: 0x0000000000000464 Offset: 0x000464 Link: 6 (.dynstr)
000000: Version: 1 File: libc.so.6 Cnt: 4
0x0010: Name: GLIBC_2.3.4 Flags: none Version: 5
0x0020: Name: GLIBC_2.1.3 Flags: none Version: 4
0x0030: Name: GLIBC_2.4 Flags: none Version: 3
0x0040: Name: GLIBC_2.0 Flags: none Version: 2
Displaying notes found at file offset 0x00000168 with length 0x00000020:
Owner Data size Description
GNU 0x00000010 NT_GNU_ABI_TAG (ABI version tag)
OS: Linux, ABI: 2.6.32
Displaying notes found at file offset 0x00000188 with length 0x00000024:
Owner Data size Description
GNU 0x00000014 NT_GNU_BUILD_ID (unique build ID bitstring)
Build ID: 877dd3f1ef18a2dc8185514f69586d496a1b187e
##########----------ReadElf Output----------##########
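The readelf output above shows where the bad size comes from: e_phnum is 65535, which is the ELF PN_XNUM escape value, so the real program header count is taken from sh_info of section header 0, and that field holds 2147483648 (0x80000000). Multiplying that count by the 32-byte e_phentsize gives 2^36 bytes, which wraps to 0 in 32-bit arithmetic (and is a 64 GiB request on a 64-bit host, matching readelf's "Out of memory" error); the Valgrind trace, with bfd_elf32_swap_phdr_in writing just past the end of a small objalloc block, is consistent with a table sized from that wrapped product, although that inference is mine and not confirmed by the page. The C program below is an added example written for this page, not code from binutils: it resolves PN_XNUM the way the ELF specification describes and applies the checks a parser needs before allocating the table (64-bit product, table must fit inside the file). The ELF image in it is constructed by hand to mirror the values readelf printed (ELF32, ET_DYN, EM_386, e_phoff 52, e_phnum 0xffff, sh_info 0x80000000); its compact 124-byte layout, the function names and the error codes are this example's own.

```c
/* Added example for this page, not binutils code: resolve an ELF32 program
 * header count through the PN_XNUM escape and validate it before allocating.
 * The image below is constructed to mirror the readelf output in the bug
 * (ELF32, ET_DYN, EM_386, e_phoff = 52, e_phnum = 0xffff, sh_info = 0x80000000);
 * its 124-byte layout (one dummy phdr at 52, section header 0 at 84) is ours. */
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PN_XNUM 0xffffu   /* ELF: the real e_phnum lives in shdr[0].sh_info */

enum elf_check {
    ELF_OK = 0,
    ELF_TRUNCATED,        /* header or section header 0 lies outside the buffer */
    ELF_BAD_IDENT,        /* not a little-endian ELF32 image */
    ELF_BAD_PHENTSIZE,    /* e_phentsize is not sizeof(Elf32_Phdr) */
    ELF_PHDR_OVERFLOW,    /* phnum * phentsize does not fit in size_t */
    ELF_PHDR_OUT_OF_FILE  /* table would extend past the end of the file */
};

static const uint8_t sample_elf[124] = {
    0x7f,'E','L','F', 1,1,1,0, 0,0,0,0,0,0,0,0, /* e_ident: ELF32, LSB, SysV  */
    3,0, 3,0, 1,0,0,0,                         /* ET_DYN, EM_386, version 1  */
    0x53,0x07,0,0,                             /* e_entry = 0x753            */
    52,0,0,0, 84,0,0,0, 0,0,0,0,               /* e_phoff, e_shoff, e_flags  */
    52,0, 32,0,                                /* e_ehsize, e_phentsize      */
    0xff,0xff,                                 /* e_phnum = PN_XNUM          */
    40,0, 1,0, 0,0,                            /* e_shentsize, e_shnum, shstrndx */
    /* one zeroed program header at offset 52 */
    0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0,
    /* section header 0 at offset 84: all zero except sh_info (offset 28) */
    0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0,
    0,0,0,0x80,                                /* sh_info = 2147483648       */
    0,0,0,0, 0,0,0,0,
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The unchecked computation: 2147483648 * 32 = 2^36, which wraps to 0. */
uint32_t naive_phdr_table_size(uint32_t phnum, uint32_t phentsize)
{
    return phnum * phentsize;
}

/* Resolve e_phnum (following PN_XNUM) and validate the table geometry.
 * *phnum is stored as soon as it is known so a caller can report it on error. */
enum elf_check elf32_phdr_table(const uint8_t *img, size_t len,
                                uint32_t *phoff, uint32_t *phnum, uint32_t *phentsize)
{
    uint64_t table;

    *phoff = *phnum = *phentsize = 0;
    if (len < 52)
        return ELF_TRUNCATED;
    if (memcmp(img, "\x7f" "ELF", 4) != 0 || img[4] != 1 || img[5] != 1)
        return ELF_BAD_IDENT;                 /* ELFCLASS32 + ELFDATA2LSB only */
    *phoff = rd32(img + 28);
    *phentsize = rd16(img + 42);
    *phnum = rd16(img + 44);
    if (*phentsize != 32)
        return ELF_BAD_PHENTSIZE;
    if (*phnum == PN_XNUM) {
        uint32_t shoff = rd32(img + 32);
        uint16_t shentsize = rd16(img + 46);
        /* Section header 0 must exist and lie fully inside the buffer. */
        if (shoff == 0 || shentsize < 40 || shoff > len || len - shoff < 40)
            return ELF_TRUNCATED;
        *phnum = rd32(img + shoff + 28);      /* sh_info of section header 0 */
    }
    /* Size the table in 64 bits so a huge count cannot wrap, then require it
     * to fit inside the file: that rejects the 2^31 count before any malloc. */
    table = (uint64_t)*phnum * *phentsize;
    if (table > (uint64_t)SIZE_MAX)
        return ELF_PHDR_OVERFLOW;
    if (*phoff > len || table > (uint64_t)(len - *phoff))
        return ELF_PHDR_OUT_OF_FILE;
    return ELF_OK;
}

/* Run the check on a copy of the sample with e_phnum overwritten
 * (0xffff selects the PN_XNUM path, which yields 2147483648). */
static enum elf_check run_sample(uint16_t phnum, uint32_t *resolved)
{
    uint8_t img[sizeof sample_elf];
    uint32_t phoff, phentsize;
    memcpy(img, sample_elf, sizeof img);
    img[44] = (uint8_t)(phnum & 0xff);
    img[45] = (uint8_t)(phnum >> 8);
    return elf32_phdr_table(img, sizeof img, &phoff, resolved, &phentsize);
}
enum elf_check check_with_phnum(uint16_t phnum) { uint32_t n; return run_sample(phnum, &n); }
uint32_t resolve_with_phnum(uint16_t phnum) { uint32_t n; (void)run_sample(phnum, &n); return n; }

int main(void)
{
    printf("unchecked 32-bit size for 2147483648 phdrs: %" PRIu32 " bytes\n",
           naive_phdr_table_size(2147483648u, 32));
    printf("PN_XNUM sample: resolved phnum=%" PRIu32 ", check=%d\n",
           resolve_with_phnum(PN_XNUM), (int)check_with_phnum(PN_XNUM));
    printf("phnum=1 sample: check=%d (0 is ELF_OK)\n", (int)check_with_phnum(1));
    return 0;
}
```

On a 64-bit host the PN_XNUM sample is rejected as ELF_PHDR_OUT_OF_FILE; on a 32-bit host the 2^36-byte product exceeds SIZE_MAX and is rejected as ELF_PHDR_OVERFLOW. Either way the count is refused before the parser allocates anything, which is the property the unchecked 32-bit multiplication lacks.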