bug-binutils

[Bug binutils/22443] New: Global buffer overflow in _bfd_elf_get_symbol_version_string


From: mgcho.minic at gmail dot com
Subject: [Bug binutils/22443] New: Global buffer overflow in _bfd_elf_get_symbol_version_string
Date: Wed, 15 Nov 2017 16:09:40 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=22443

            Bug ID: 22443
           Summary: Global buffer overflow in
                    _bfd_elf_get_symbol_version_string
           Product: binutils
           Version: 2.30 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: mgcho.minic at gmail dot com
  Target Milestone: ---

Created attachment 10591
  --> https://sourceware.org/bugzilla/attachment.cgi?id=10591&action=edit
poc file

Triggered by "./objdump -x $POC"
Tested on Ubuntu 16.04 (x86)

A global buffer overflow occurs when processing a corrupted ELF file.


Configuration information:

CC=clang CXX=clang++ \
CFLAGS="-g -O0 -fno-omit-frame-pointer -fsanitize=address -fno-sanitize-recover=all" \
CXXFLAGS="-g -O0 -fno-omit-frame-pointer -fsanitize=address -fno-sanitize-recover=all" \
./configure


ASAN output:

==14558==ERROR: AddressSanitizer: global-buffer-overflow on address 0x08626220 at pc 0x082dd706 bp 0xbfeb88a8 sp 0xbfeb889c
READ of size 2 at 0x08626220 thread T0
    #0 0x82dd705 in _bfd_elf_get_symbol_version_string /home/min/fuzzing/src/binutils/binutils-gdb/bfd/elf.c:1838:59
    #1 0x8149baf in objdump_print_symname /home/min/fuzzing/src/binutils/binutils-gdb/binutils/./objdump.c:892:22
    #2 0x814f52f in disassemble_bytes /home/min/fuzzing/src/binutils/binutils-gdb/binutils/./objdump.c:2050:7
    #3 0x814f52f in disassemble_section /home/min/fuzzing/src/binutils/binutils-gdb/binutils/./objdump.c:2319
    #4 0x8279497 in bfd_map_over_sections /home/min/fuzzing/src/binutils/binutils-gdb/bfd/section.c:1395:5
    #5 0x8144976 in disassemble_data /home/min/fuzzing/src/binutils/binutils-gdb/binutils/./objdump.c:2455:3
    #6 0x8144976 in dump_bfd /home/min/fuzzing/src/binutils/binutils-gdb/binutils/./objdump.c:3554
    #7 0x8142d75 in display_object_bfd /home/min/fuzzing/src/binutils/binutils-gdb/binutils/./objdump.c:3611:7
    #8 0x8142d75 in display_any_bfd /home/min/fuzzing/src/binutils/binutils-gdb/binutils/./objdump.c:3700
    #9 0x8141fe4 in display_file /home/min/fuzzing/src/binutils/binutils-gdb/binutils/./objdump.c:3721:3
    #10 0x8141fe4 in main /home/min/fuzzing/src/binutils/binutils-gdb/binutils/./objdump.c:4023
    #11 0xb7494636 in __libc_start_main /build/glibc-KM3i_a/glibc-2.23/csu/../csu/libc-start.c:291
    #12 0x806c687 in _start (/home/min/fuzzing/program/binutils-master-patch/bin/objdump+0x806c687)

0x08626220 is located 32 bytes to the left of global variable '<string literal>' defined in 'section.c:771:3' (0x8626240) of size 6
  '<string literal>' is ascii string '*UND*'
0x08626220 is located 0 bytes to the right of global variable 'global_syms' defined in 'section.c:758:22' (0x86261c0) of size 96
SUMMARY: AddressSanitizer: global-buffer-overflow /home/min/fuzzing/src/binutils/binutils-gdb/bfd/elf.c:1838:59 in _bfd_elf_get_symbol_version_string


Credits:

Mingi Cho and Taekyoung Kwon of the Information Security Lab, Yonsei
University.
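
A triage helper for the report format quoted above, added here as an example and not part of the bug report or of binutils: it parses an AddressSanitizer report into bug kind, faulting access, backtrace and the globals adjacent to the faulting address, then derives a stable bucket key from the top symbolised frame so that repeated fuzzer crashes differing only in PID or addresses can be deduplicated. The sample input is the ASAN output from this report with its line wraps repaired and frames #4 to #10 elided; the function and regex names are this example's own.

```python
"""Triage helper for AddressSanitizer reports such as the one in this bug.

Added example, not code from the bug report or from binutils.  It parses
the report into bug kind, faulting access, backtrace and adjacent globals,
then derives a stable bucket key so repeated fuzzer crashes that differ
only in PID or addresses can be deduplicated.
"""
import re

# One regex per report line type we care about.  Frame lines may carry
# file:line:col, file:line, or a bare (module+offset), so line/col are optional.
ERROR_RE = re.compile(
    r"==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address "
    r"(?P<addr>0x[0-9a-fA-F]+) at pc (?P<pc>0x[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-fA-F]+)")
FRAME_RE = re.compile(
    r"^#(?P<n>\d+) (?P<pc>0x[0-9a-fA-F]+) in (?P<func>\S+) "
    r"(?P<loc>\S+?)(?::(?P<line>\d+))?(?::(?P<col>\d+))?$")
GLOBAL_RE = re.compile(
    r"is located (?P<dist>\d+) bytes to the (?P<side>left|right) of global variable "
    r"'(?P<name>[^']+)' defined in '(?P<where>[^']+)' \((?P<addr>0x[0-9a-fA-F]+)\) "
    r"of size (?P<size>\d+)")


def parse_asan_report(text):
    """Return a dict describing the first ASAN error found in `text`."""
    report = {"kind": None, "pid": None, "fault_addr": None, "pc": None,
              "access": None, "size": None, "frames": [], "globals": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = ERROR_RE.search(line)
        if m and report["kind"] is None:
            report.update(kind=m["kind"], pid=int(m["pid"]),
                          fault_addr=int(m["addr"], 16), pc=int(m["pc"], 16))
            continue
        m = ACCESS_RE.match(line)
        if m:
            report["access"], report["size"] = m["op"], int(m["size"])
            continue
        m = FRAME_RE.match(line)
        if m:
            report["frames"].append({"n": int(m["n"]), "func": m["func"], "file": m["loc"],
                                     "line": int(m["line"]) if m["line"] else None})
            continue
        m = GLOBAL_RE.search(line)
        if m:
            report["globals"].append({"name": m["name"], "where": m["where"],
                                      "addr": int(m["addr"], 16), "size": int(m["size"]),
                                      "dist": int(m["dist"]), "side": m["side"]})
    return report


def crash_bucket(report, depth=1):
    """Stable key for deduplication: bug kind plus the top `depth` symbolised
    frames as func@basename:line.  Addresses and PIDs change between runs
    (ASLR, sanitizer layout) and deliberately take no part in the key."""
    frames = [f for f in report["frames"] if f["line"] is not None][:depth]
    parts = [report["kind"]] + [
        f"{f['func']}@{f['file'].rsplit('/', 1)[-1]}:{f['line']}" for f in frames]
    return "|".join(parts)


def overrun_target(report):
    """Identify the global the faulting access ran past: the one whose end the
    address lies closest to the right of.  Returns (name, bytes past its end),
    cross-checked against the address arithmetic in the report."""
    right = [g for g in report["globals"] if g["side"] == "right"]
    if not right:
        return None
    g = min(right, key=lambda g: g["dist"])
    past_end = report["fault_addr"] - (g["addr"] + g["size"])
    assert past_end == g["dist"], "report distance disagrees with address arithmetic"
    return g["name"], past_end


# Sample input: the report quoted in the bug above, with extraction line
# wraps repaired and frames #4-#10 elided for brevity.
SAMPLE_REPORT = """\
==14558==ERROR: AddressSanitizer: global-buffer-overflow on address 0x08626220 at pc 0x082dd706 bp 0xbfeb88a8 sp 0xbfeb889c
READ of size 2 at 0x08626220 thread T0
    #0 0x82dd705 in _bfd_elf_get_symbol_version_string /home/min/fuzzing/src/binutils/binutils-gdb/bfd/elf.c:1838:59
    #1 0x8149baf in objdump_print_symname /home/min/fuzzing/src/binutils/binutils-gdb/binutils/./objdump.c:892:22
    #2 0x814f52f in disassemble_bytes /home/min/fuzzing/src/binutils/binutils-gdb/binutils/./objdump.c:2050:7
    #3 0x814f52f in disassemble_section /home/min/fuzzing/src/binutils/binutils-gdb/binutils/./objdump.c:2319
    #11 0xb7494636 in __libc_start_main /build/glibc-KM3i_a/glibc-2.23/csu/../csu/libc-start.c:291
    #12 0x806c687 in _start (/home/min/fuzzing/program/binutils-master-patch/bin/objdump+0x806c687)

0x08626220 is located 32 bytes to the left of global variable '<string literal>' defined in 'section.c:771:3' (0x8626240) of size 6
  '<string literal>' is ascii string '*UND*'
0x08626220 is located 0 bytes to the right of global variable 'global_syms' defined in 'section.c:758:22' (0x86261c0) of size 96
SUMMARY: AddressSanitizer: global-buffer-overflow /home/min/fuzzing/src/binutils/binutils-gdb/bfd/elf.c:1838:59 in _bfd_elf_get_symbol_version_string
"""

if __name__ == "__main__":
    rep = parse_asan_report(SAMPLE_REPORT)
    print(crash_bucket(rep, depth=2))
    print(overrun_target(rep))
```

On this report the key is `global-buffer-overflow|_bfd_elf_get_symbol_version_string@elf.c:1838`, and `overrun_target` confirms from the two "is located" lines that the 2-byte read starts exactly at the end of the 96-byte `global_syms` array. Bucketing on function plus file:line rather than on the raw addresses is what lets a fuzzing campaign tell one root cause from many crash files.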
