
[Bug binutils/24360] heap overflow in objdump.c caused by commit-7a6e0d

From: tfx_sec at hotmail dot com
Subject: [Bug binutils/24360] heap overflow in objdump.c caused by commit-7a6e0d89
Date: Tue, 19 Mar 2019 07:56:03 +0000


tfx <tfx_sec at hotmail dot com> changed:

           What    |Removed                     |Added
                 CC|                            |tfx_sec at hotmail dot com
               Host|                            |Ubuntu 16.04 LTS
            Summary|commit-7a6e0d89 cause       |heap overflow in objdump.c
                   |PR24005 to reappear         |caused by commit-7a6e0d89
              Build|                            |clang -m32
           Severity|normal                      |critical

--- Comment #2 from tfx <tfx_sec at hotmail dot com> ---
I use a 32-bit objdump which is built from commit-4faa59bb.

./objdump -g poc

Part of the crash output is shown as follows.

*** Error in `../../binutils-gdb/binutils/objdump': malloc(): memory corruption
(fast): 0x09846880 ***
======= Backtrace: =========
======= Memory map: ========

gdb output:
gef➤  bt
#0  0xf7fd7dc9 in __kernel_vsyscall ()
#1  0xf7e1dea9 in raise () from /lib/i386-linux-gnu/libc.so.6
#2  0xf7e1f407 in abort () from /lib/i386-linux-gnu/libc.so.6
#3  0xf7e5937c in ?? () from /lib/i386-linux-gnu/libc.so.6
#4  0xf7e5f2f7 in ?? () from /lib/i386-linux-gnu/libc.so.6
#5  0xf7e617cc in ?? () from /lib/i386-linux-gnu/libc.so.6
#6  0xf7e62fc5 in malloc () from /lib/i386-linux-gnu/libc.so.6
#7  0xf7e1b171 in ?? () from /lib/i386-linux-gnu/libc.so.6
#8  0xf7e190a2 in ?? () from /lib/i386-linux-gnu/libc.so.6
#9  0xf7e18a20 in ?? () from /lib/i386-linux-gnu/libc.so.6
#10 0xf7e178b6 in dcgettext () from /lib/i386-linux-gnu/libc.so.6
#11 0xf7e178f0 in gettext () from /lib/i386-linux-gnu/libc.so.6
#12 0x0804f259 in load_specific_debug_section (debug=eh_frame, sec=0x824c54c,
file=0x824aa08) at ./objdump.c:2712
#13 0x0804f6fe in dump_dwarf_section (abfd=0x824aa08, section=0x824c54c,
arg=0x0) at ./objdump.c:2888
#14 0x080a6f34 in bfd_map_over_sections (abfd=0x824aa08, operation=0x804f5fb
<dump_dwarf_section>, user_storage=0x0) at section.c:1374
#15 0x0804f869 in dump_dwarf (abfd=0x824aa08) at ./objdump.c:2963
#16 0x08051b10 in dump_bfd (abfd=0x824aa08, is_mainfile=0x1) at
#17 0x08051bfd in display_object_bfd (abfd=0x824aa08) at ./objdump.c:3940
#18 0x08051e6d in display_any_bfd (file=0x824aa08, level=0x0) at
#19 0x08051eda in display_file (filename=0xffffd046
target=0x0, last_file=0x1) at ./objdump.c:4051
#20 0x08052847 in main (argc=0x3, argv=0xffffcde4) at ./objdump.c:4361

objdump.c --> load_specific_debug_section

  section->size = bfd_get_section_size (sec);
  amt = section->size + 1;
  if (amt == 0)
    {
      section->start = NULL;
      free_debug_section (debug);
      printf (_("\nSection '%s' has an invalid size: %#llx.\n"),
              sanitize_string (section->name),
              (unsigned long long) section->size);
      return FALSE;
    }
  section->start = contents = malloc (amt);
  if (section->start == NULL
      || !bfd_get_full_section_contents (abfd, sec, &contents))
    {
      free_debug_section (debug);
      printf (_("\nCan't get contents for section '%s'.\n"),
              sanitize_string (section->name));
      return FALSE;
    }

if section->size == 0xFFFFFFFF
amt = 0x100000000 
malloc(0)  // Integer overflow

Finally it will trigger a heap overflow in bfd_get_full_section_contents.

I went back to the git log and found that this bug is caused by commit-7a6e0d89.
The commit causes PR24005 to reappear.
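The size-check failure described in the comment above, as an added model that is not part of the bug report or of binutils: amt is computed in 64-bit bfd_size_type, only the exact wrap to zero is rejected, and the value is then narrowed to the host's size_t inside malloc(). The function names, the size_t_max parameter (which emulates the 32-bit -m32 host on any machine) and the hardened variant are my own assumptions, not necessarily the upstream fix.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model: bfd_size_type is 64-bit, so amt = size + 1 does not wrap
   for a 0xFFFFFFFF section, but malloc() takes size_t, which is 32-bit on a
   clang -m32 build. size_t_max is a hypothetical parameter for the host. */
#define SIZE_T_MAX_32 UINT64_C(0xFFFFFFFF)
#define SIZE_T_MAX_64 UINT64_MAX

/* The reported logic: only amt == 0 is rejected, then amt is narrowed to
   size_t on the way into malloc(). On success *malloc_arg is what malloc
   actually receives. */
static bool vulnerable_alloc_size(uint64_t section_size, uint64_t size_t_max,
                                  uint64_t *malloc_arg)
{
    uint64_t amt = section_size + 1;
    if (amt == 0)
        return false;                 /* catches only section_size == UINT64_MAX */
    *malloc_arg = amt & size_t_max;   /* implicit truncation: 0x100000000 -> 0 */
    return true;
}

/* Hardened check (my own, not the upstream patch): refuse any amt that the
   host's size_t cannot represent, so bfd_get_full_section_contents() can
   never be asked to fill an undersized chunk. */
static bool hardened_alloc_size(uint64_t section_size, uint64_t size_t_max,
                                uint64_t *malloc_arg)
{
    uint64_t amt = section_size + 1;
    if (amt == 0 || amt > size_t_max)
        return false;
    *malloc_arg = amt;
    return true;
}

int main(void)
{
    uint64_t n;
    uint64_t poc_size = SIZE_T_MAX_32;   /* the 0xFFFFFFFF size from the report */
    if (vulnerable_alloc_size(poc_size, SIZE_T_MAX_32, &n))
        printf("vulnerable: malloc(%#llx) for a %#llx-byte section\n",
               (unsigned long long) n, (unsigned long long) poc_size);
    if (!hardened_alloc_size(poc_size, SIZE_T_MAX_32, &n))
        printf("hardened: size %#llx rejected before malloc\n",
               (unsigned long long) poc_size);
    return 0;
}
```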
