[Bug binutils/22385] New: Integer overflow in coff_get_normalized_symtab
From: mgcho.minic at gmail dot com
Subject: [Bug binutils/22385] New: Integer overflow in coff_get_normalized_symtab
Date: Thu, 02 Nov 2017 06:00:49 +0000
https://sourceware.org/bugzilla/show_bug.cgi?id=22385
Bug ID: 22385
Summary: Integer overflow in coff_get_normalized_symtab
Product: binutils
Version: 2.30 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: mgcho.minic at gmail dot com
Target Milestone: ---
Created attachment 10568
--> https://sourceware.org/bugzilla/attachment.cgi?id=10568&action=edit
poc of the crash
Triggered by "./objdump -r $POC"
Tested on Ubuntu 16.04 (x86)
An integer overflow occurs when the number of symbols is too large.
ASAN output:
./objdump -r $POC
==30813==ERROR: AddressSanitizer: SEGV on unknown address 0xbebebebe (pc
0x08127bc6 bp 0xbfe51da8 sp 0xbfe5191c T0)
#0 0x8127bc5 in __sanitizer::internal_strlen(char const*)
(/home/min/fuzzing/program/binutils-master-asan/bin/objdump+0x8127bc5)
#1 0x80b4121 in printf_common(void*, char const*, char*)
(/home/min/fuzzing/program/binutils-master-asan/bin/objdump+0x80b4121)
#2 0x80b45fc in __interceptor_vfprintf
(/home/min/fuzzing/program/binutils-master-asan/bin/objdump+0x80b45fc)
#3 0x80b464b in __interceptor_fprintf
(/home/min/fuzzing/program/binutils-master-asan/bin/objdump+0x80b464b)
#4 0x82b1b47 in _bfd_doprnt
/home/min/fuzzing/src/binutils/binutils-gdb/bfd/bfd.c:805:8
#5 0x82b016c in error_handler_internal
/home/min/fuzzing/src/binutils/binutils-gdb/bfd/bfd.c:887:3
#6 0x82a8e5e in _bfd_error_handler
/home/min/fuzzing/src/binutils/binutils-gdb/bfd/bfd.c:909:3
#7 0x851deae in coff_slurp_symbol_table
/home/min/fuzzing/src/binutils/binutils-gdb/bfd/./coffcode.h:5085:8
The GDB debugging information is as follows:
(gdb) r -r $POC
Program received signal SIGSEGV, Segmentation fault.
0xb7e43383 in _IO_vfprintf_internal (s=0xbfffc4b8, format=<optimized out>,
ap=0xbfffea9c
"\306\350\"address@hidden")
at vfprintf.c:1632
1632 vfprintf.c: No such file or directory.
(gdb) bt
#0 0xb7e43383 in _IO_vfprintf_internal (s=0xbfffc4b8, format=<optimized out>,
ap=0xbfffea9c
"\306\350\"address@hidden")
at vfprintf.c:1632
#1 0xb7e43671 in buffered_vfprintf (address@hidden <_IO_2_1_stderr_>,
address@hidden "%s",
address@hidden "\001") at vfprintf.c:2320
#2 0xb7e412d1 in _IO_vfprintf_internal (s=0xb7fb1cc0 <_IO_2_1_stderr_>,
format=0xbfffeb8c "%s",
ap=0xbfffea98 "\001") at vfprintf.c:1293
#3 0xb7e48668 in __fprintf (stream=0xb7fb1cc0 <_IO_2_1_stderr_>,
format=0xbfffeb8c "%s") at fprintf.c:32
#4 0x080c08c2 in _bfd_doprnt (stream=0xb7fb1cc0 <_IO_2_1_stderr_>,
format=0x822e89e "%B: Unrecognized storage class %d for %s symbol `%s'",
ap=0xbfffeca4 "\340\276%\b\001")
at bfd.c:805
#5 0x080c006f in error_handler_internal (fmt=0x822e89e "%B: Unrecognized
storage class %d for %s symbol `%s'",
ap=0xbfffec94 "\bZ%\b") at bfd.c:887
#6 0x080be625 in _bfd_error_handler (fmt=0x822e89e "%B: Unrecognized storage
class %d for %s symbol `%s'")
at bfd.c:909
#7 0x08151029 in coff_slurp_symbol_table (abfd=0x8255a08) at ./coffcode.h:5085
#8 0x08166d06 in coff_get_symtab_upper_bound (abfd=0x8255a08) at coffgen.c:419
#9 0x0804c1d7 in slurp_symtab (abfd=0x8255a08) at ./objdump.c:615
#10 0x0804b82c in dump_bfd (abfd=0x8255a08) at ./objdump.c:3523
#11 0x0804b5d2 in display_object_bfd (abfd=0x8255a08) at ./objdump.c:3611
#12 0x0804b587 in display_any_bfd (file=0x8255a08, level=0) at ./objdump.c:3700
#13 0x0804b2b1 in display_file (filename=0xbffff2b7 "/tmp/poc", target=0x0,
last_file=1) at ./objdump.c:3721
#14 0x0804ae80 in main (argc=3, argv=0xbffff0a4) at ./objdump.c:4023
Proposed patch:
Check whether integer overflow occurs in coff_get_normalized_symtab ()
--- a/bfd/coffgen.c
+++ b/bfd/coffgen.c
@@ -1790,6 +1790,8 @@ coff_get_normalized_symtab (bfd *abfd)
return NULL;
size = obj_raw_syment_count (abfd) * sizeof (combined_entry_type);
+ if (obj_raw_syment_count (abfd) > size)
+ return NULL;
internal = (combined_entry_type *) bfd_zalloc (abfd, size);
if (internal == NULL && size != 0)
return NULL;
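Review bot: The added check `if (obj_raw_syment_count (abfd) > size)` runs after the multiplication has already wrapped and does not reject every overflowed size: a wrapped product can still be larger than the count (with an illustrative 24-byte entry size on a 32-bit host, a count of 0x10000000 yields size 0x80000000, which passes the test yet is far smaller than the space the entries need, so the undersized buffer the report blames for the coff_slurp_symbol_table crash can still be allocated). Test the count against the bound before multiplying instead, e.g. `if (obj_raw_syment_count (abfd) > (size_t) -1 / sizeof (combined_entry_type)) return NULL;` placed ahead of the `size = ...` line, and add a one-line comment saying the check guards the size computation against wrap-around so the intent survives later edits.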
Credits:
This vulnerability was discovered by Mingi Cho and Taekyoung Kwon of the
Information Security Lab, Yonsei University. Please contact
address@hidden and address@hidden if you need more information
about the vulnerability and the lab.
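Added example (not part of the bug report and not binutils code) showing the wrap-around in the size computation the report describes, and why a check applied after the multiplication behaves differently from one applied before it. The 32-bit x86 case is simulated with uint32_t on any host; the 24-byte entry size and the sample symbol counts are constructed values, not taken from binutils.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simulated 32-bit size_t: the report was on 32-bit x86, where
   count * sizeof (entry) wraps modulo 2^32.  The 24-byte entry size is
   a constructed stand-in; sizeof (combined_entry_type) is not given in
   the report. */
typedef uint32_t size32_t;
#define ENTRY_SIZE 24u

/* Allocation size the way the unpatched code computes it: the product
   silently wraps when the exact value does not fit in 32 bits. */
size32_t wrapped_size(size32_t count)
{
    return count * ENTRY_SIZE;
}

/* Ground truth for the two checks below: does the exact product fit? */
bool product_fits(size32_t count)
{
    return (uint64_t)count * ENTRY_SIZE <= UINT32_MAX;
}

/* The proposed patch's test, applied after the multiplication:
   accept unless the count exceeds the (possibly wrapped) size. */
bool patch_check_accepts(size32_t count)
{
    return !(count > wrapped_size(count));
}

/* Overflow check done before multiplying, using a division bound that
   is valid in plain C for any unsigned width.  Returns false when the
   product would not fit, so a wrapped size is never handed to the
   allocator. */
bool safe_check_accepts(size32_t count)
{
    return count <= UINT32_MAX / ENTRY_SIZE;
}

int main(void)
{
    /* Constructed symbol counts: a normal one, one whose wrapped
       product is still larger than the count (slips past the patch's
       check), and one whose wrapped product is tiny (caught by it). */
    const size32_t counts[] = { 1000u, 0x10000000u, 0xAAAAAAABu };
    for (size_t i = 0; i < sizeof counts / sizeof counts[0]; i++) {
        size32_t c = counts[i];
        printf("count=0x%08" PRIx32 " wrapped_size=0x%08" PRIx32
               " fits=%d patch_accepts=%d safe_accepts=%d\n",
               c, wrapped_size(c), (int)product_fits(c),
               (int)patch_check_accepts(c), (int)safe_check_accepts(c));
    }
    return 0;
}
```

Running it prints one line per count; the middle count is the instructive one, since the wrapped size 0x80000000 exceeds the count and is accepted by the after-the-fact check while the exact product does not fit. The same division bound works unchanged with the real `size_t` and `sizeof (combined_entry_type)` on either a 32-bit or a 64-bit host.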