From: 92wyunchao at gmail dot com
Subject: [Bug binutils/23685] New: heap based buffer overflow vulnerability in bfd_getl32 in libbfd.c in binutils-2.31.1
Date: Wed, 19 Sep 2018 13:47:13 +0000
https://sourceware.org/bugzilla/show_bug.cgi?id=23685
Bug ID: 23685
Summary: heap based buffer overflow vulnerability in bfd_getl32 in libbfd.c in binutils-2.31.1
Product: binutils
Version: 2.31
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: 92wyunchao at gmail dot com
Target Milestone: ---
Created attachment 11261
--> https://sourceware.org/bugzilla/attachment.cgi?id=11261&action=edit
poc file to reproduce the crash
There exists a heap-based buffer overflow vulnerability in bfd_getl32 in
libbfd.c in binutils-2.31.1, which allows an attacker to cause a denial of
service through a crafted PE file. This vulnerability can be triggered by the
executable objdump.
$uname -a
Linux ubuntu 4.4.0-31-generic #50~14.04.1-Ubuntu SMP Wed Jul 13 01:06:37 UTC
2016 i686 i686 i686 GNU/Linux
$ASAN_OPTIONS=halt_on_error=false:allow_addr2line=true ./objdump --dwarf-check
-C -g -f -dwarf -x $poc
ASan:
==21442==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb37033f8 at
pc 0x840b006 bp 0xbfcc6a78 sp 0xbfcc6a70
READ of size 1 at 0xb37033f8 thread T0
#0 0x840b005 in bfd_getl32
/home/rookie/asan/binutils-2.31.1/bfd/libbfd.c:656
#1 0x881e876 in pe_print_edata
/home/rookie/asan/binutils-2.31.1/bfd/peigen.c:1791
#2 0x881e876 in _bfd_pe_print_private_bfd_data_common
/home/rookie/asan/binutils-2.31.1/bfd/peigen.c:2907
#3 0x87df6af in pe_print_private_bfd_data
/home/rookie/asan/binutils-2.31.1/bfd/./peicode.h:336
#4 0x80e3f94 in dump_bfd_private_header
/home/rookie/asan/binutils-2.31.1/binutils/./objdump.c:2996
#5 0x80e3f94 in dump_bfd
/home/rookie/asan/binutils-2.31.1/binutils/./objdump.c:3589
#6 0x80e10b9 in display_object_bfd
/home/rookie/asan/binutils-2.31.1/binutils/./objdump.c:3688
#7 0x80e10b9 in display_any_bfd
/home/rookie/asan/binutils-2.31.1/binutils/./objdump.c:3777
#8 0x80ddea0 in display_file
/home/rookie/asan/binutils-2.31.1/binutils/./objdump.c:3798
#9 0x80ddea0 in main
/home/rookie/asan/binutils-2.31.1/binutils/./objdump.c:4100
#10 0xb74a3af2 (/lib/i386-linux-gnu/libc.so.6+0x19af2)
#11 0x80d6324 in _start
(/home/rookie/asan/binutils-2.31.1/tmp/bin/objdump+0x80d6324)
0xb37033f8 is located 0 bytes to the right of 136-byte region
[0xb3703370,0xb37033f8)
allocated by thread T0 here:
#0 0x80bef51 in malloc
(/home/rookie/asan/binutils-2.31.1/tmp/bin/objdump+0x80bef51)
#1 0x8406e09 in bfd_malloc
/home/rookie/asan/binutils-2.31.1/bfd/libbfd.c:271
#2 0x87df6af in pe_print_private_bfd_data
/home/rookie/asan/binutils-2.31.1/bfd/./peicode.h:336
#3 0x80e10b9 in display_object_bfd
/home/rookie/asan/binutils-2.31.1/binutils/./objdump.c:3688
#4 0x80e10b9 in display_any_bfd
/home/rookie/asan/binutils-2.31.1/binutils/./objdump.c:3777
#5 0x80ddea0 in display_file
/home/rookie/asan/binutils-2.31.1/binutils/./objdump.c:3798
#6 0x80ddea0 in main
/home/rookie/asan/binutils-2.31.1/binutils/./objdump.c:4100
#7 0xb74a3af2 (/lib/i386-linux-gnu/libc.so.6+0x19af2)
SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/rookie/asan/binutils-2.31.1/bfd/libbfd.c:656 bfd_getl32
Shadow bytes around the buggy address:
0x366e0620: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x366e0630: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x366e0640: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x366e0650: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x366e0660: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 00 00
=>0x366e0670: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[fa]
0x366e0680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x366e0690: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x366e06a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x366e06b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x366e06c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==21442==ABORTING
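Added example, not binutils code and not the upstream fix for this bug: a bounds-checked walk of the PE export address table that pe_print_edata parses, built around a length-checked replacement for bfd_getl32, so a table whose claimed size runs past the section buffer stops at the boundary instead of reading beyond it as in the report above. The 40-byte export directory layout (NumberOfFunctions at offset 20, AddressOfFunctions at offset 28) follows the PE format; the adj base RVA and the 136-byte sample buffer are constructed values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Same byte order as bfd_getl32, but refuses any read that would touch bytes
   past bufsize; the comparison is arranged so off + 4 cannot wrap. */
static bool safe_getl32(const uint8_t *buf, size_t bufsize, uint64_t off,
                        uint32_t *out)
{
    if (off > bufsize || bufsize - off < 4)
        return false;
    *out = (uint32_t)buf[off] | ((uint32_t)buf[off + 1] << 8)
         | ((uint32_t)buf[off + 2] << 16) | ((uint32_t)buf[off + 3] << 24);
    return true;
}

/* Walks the Export Address Table: a 40-byte export directory at data[0], then
   NumberOfFunctions 4-byte RVAs at AddressOfFunctions - adj, where adj is the
   RVA of data[0]. Returns -1 if the directory does not fit, otherwise how many
   entries lie inside the buffer; an entry past the end is never read. */
long count_export_entries(const uint8_t *data, size_t datasize, uint32_t adj)
{
    uint32_t num_functions, eat_addr, rva;
    if (datasize < 40 ||
        !safe_getl32(data, datasize, 20, &num_functions) ||  /* NumberOfFunctions */
        !safe_getl32(data, datasize, 28, &eat_addr))         /* AddressOfFunctions */
        return -1;
    if (eat_addr < adj)                  /* table would start before the section */
        return -1;
    long valid = 0;
    for (uint64_t i = 0; i < num_functions; i++) {
        uint64_t off = (uint64_t)(eat_addr - adj) + i * 4;   /* 64-bit: no wrap */
        if (!safe_getl32(data, datasize, off, &rva))
            break;                       /* hit the buffer boundary: stop */
        valid++;
    }
    return valid;
}

/* Constructed sample: a 136-byte section (the region size in the report) whose
   directory claims 30 functions starting right after the 40-byte header, so
   only (136 - 40) / 4 = 24 entries fit; an unchecked loop reads past the end. */
long demo_truncated_table(void)
{
    uint8_t data[136] = {0};
    data[20] = 30;                                   /* NumberOfFunctions = 30 */
    data[28] = 0x28; data[29] = 0x30;                /* AddressOfFunctions = 0x3028 */
    return count_export_entries(data, sizeof data, 0x3000);  /* adj = 0x3000 -> 24 */
}
```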