[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Bug binutils/24360] heap overflow in objdump.c caused by commit-7a6e0d
From: |
tfx_sec at hotmail dot com |
Subject: |
[Bug binutils/24360] heap overflow in objdump.c caused by commit-7a6e0d89 |
Date: |
Tue, 19 Mar 2019 07:56:03 +0000 |
https://sourceware.org/bugzilla/show_bug.cgi?id=24360
tfx <tfx_sec at hotmail dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |tfx_sec at hotmail dot com
Host| |Ubuntu 16.04 LTS
Summary|commit-7a6e0d89 cause |heap overflow in objdump.c
|PR24005 to reappear |caused by commit-7a6e0d89
Build| |clang -m32
Severity|normal |critical
--- Comment #2 from tfx <tfx_sec at hotmail dot com> ---
I use 32bit objdump which build by commit-4faa59bb.
./objdump -g poc
The part of crash output show as follow.
*** Error in `../../binutils-gdb/binutils/objdump': malloc(): memory corruption
(fast): 0x09846880 ***
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(+0x67377)[0xf7dce377]
/lib/i386-linux-gnu/libc.so.6(+0x6d2f7)[0xf7dd42f7]
/lib/i386-linux-gnu/libc.so.6(+0x6f7cc)[0xf7dd67cc]
/lib/i386-linux-gnu/libc.so.6(__libc_malloc+0xc5)[0xf7dd7fc5]
/lib/i386-linux-gnu/libc.so.6(+0x29171)[0xf7d90171]
/lib/i386-linux-gnu/libc.so.6(+0x270a2)[0xf7d8e0a2]
/lib/i386-linux-gnu/libc.so.6(+0x26a20)[0xf7d8da20]
/lib/i386-linux-gnu/libc.so.6(dcgettext+0x26)[0xf7d8c8b6]
/lib/i386-linux-gnu/libc.so.6(gettext+0x10)[0xf7d8c8f0]
../../binutils-gdb/binutils/objdump[0x804f259]
../../binutils-gdb/binutils/objdump[0x804f6fe]
../../binutils-gdb/binutils/objdump[0x80a6f34]
../../binutils-gdb/binutils/objdump[0x804f869]
../../binutils-gdb/binutils/objdump[0x8051b10]
../../binutils-gdb/binutils/objdump[0x8051bfd]
../../binutils-gdb/binutils/objdump[0x8051e6d]
../../binutils-gdb/binutils/objdump[0x8051eda]
../../binutils-gdb/binutils/objdump[0x8052847]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf7)[0xf7d7f637]
../../binutils-gdb/binutils/objdump[0x8049af1]
======= Memory map: ========
gdb output:
gef⤠bt
#0 0xf7fd7dc9 in __kernel_vsyscall ()
#1 0xf7e1dea9 in raise () from /lib/i386-linux-gnu/libc.so.6
#2 0xf7e1f407 in abort () from /lib/i386-linux-gnu/libc.so.6
#3 0xf7e5937c in ?? () from /lib/i386-linux-gnu/libc.so.6
#4 0xf7e5f2f7 in ?? () from /lib/i386-linux-gnu/libc.so.6
#5 0xf7e617cc in ?? () from /lib/i386-linux-gnu/libc.so.6
#6 0xf7e62fc5 in malloc () from /lib/i386-linux-gnu/libc.so.6
#7 0xf7e1b171 in ?? () from /lib/i386-linux-gnu/libc.so.6
#8 0xf7e190a2 in ?? () from /lib/i386-linux-gnu/libc.so.6
#9 0xf7e18a20 in ?? () from /lib/i386-linux-gnu/libc.so.6
#10 0xf7e178b6 in dcgettext () from /lib/i386-linux-gnu/libc.so.6
#11 0xf7e178f0 in gettext () from /lib/i386-linux-gnu/libc.so.6
#12 0x0804f259 in load_specific_debug_section (debug=eh_frame, sec=0x824c54c,
file=0x824aa08) at ./objdump.c:2712
#13 0x0804f6fe in dump_dwarf_section (abfd=0x824aa08, section=0x824c54c,
arg=0x0) at ./objdump.c:2888
#14 0x080a6f34 in bfd_map_over_sections (abfd=0x824aa08, operation=0x804f5fb
<dump_dwarf_section>, user_storage=0x0) at section.c:1374
#15 0x0804f869 in dump_dwarf (abfd=0x824aa08) at ./objdump.c:2963
#16 0x08051b10 in dump_bfd (abfd=0x824aa08, is_mainfile=0x1) at
./objdump.c:3903
#17 0x08051bfd in display_object_bfd (abfd=0x824aa08) at ./objdump.c:3940
#18 0x08051e6d in display_any_bfd (file=0x824aa08, level=0x0) at
./objdump.c:4030
#19 0x08051eda in display_file (filename=0xffffd046
"crashes20190319/id:000006,sig:06,src:002800+001543,op:splice,rep:16",
target=0x0, last_file=0x1) at ./objdump.c:4051
#20 0x08052847 in main (argc=0x3, argv=0xffffcde4) at ./objdump.c:4361
objdump.c --> load_specific_debug_section
>2696
section->size = bfd_get_section_size (sec);
amt = section->size + 1;
if (amt == 0)
{
section->start = NULL;
free_debug_section (debug);
printf (_("\nSection '%s' has an invalid size: %#llx.\n"),
sanitize_string (section->name),
(unsigned long long) section->size);
return FALSE;
}
section->start = contents = malloc (amt);
if (section->start == NULL
|| !bfd_get_full_section_contents (abfd, sec, &contents))
{
free_debug_section (debug);
printf (_("\nCan't get contents for section '%s'.\n"),
sanitize_string (section->name));
return FALSE;
}
if section->size == 0xFFFFFFFF
amt = 0x100000000
malloc(0) // Integer overflow
Finally it will trigger heap overflow in bfd_get_full_section_contents.
I go back to the git log and find this bug is caused by commit-7a6e0d89.
The commit cause PR24005 to reappear.
--
You are receiving this mail because:
You are on the CC list for the bug.