From: mgcho.minic at gmail dot com
Subject: [Bug binutils/24266] New: Heap out-of-bound read in pex64_bfd_print_pdata_section
Date: Mon, 25 Feb 2019 10:45:29 +0000
https://sourceware.org/bugzilla/show_bug.cgi?id=24266
Bug ID: 24266
Summary: Heap out-of-bound read in pex64_bfd_print_pdata_section
Product: binutils
Version: 2.32
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: mgcho.minic at gmail dot com
Target Milestone: ---
Created attachment 11644 (https://sourceware.org/bugzilla/attachment.cgi?id=11644&action=edit): PoC to trigger bug
Triggered by "./objdump -x $POC"
Tested on Ubuntu 16.04 (x86)
A heap out-of-bound read occurred when processing a malformed PE file.
There is no check of the raw size of the pdata section in
pex64_bfd_print_pdata_section().
bfd/pei-x86_64.c:
    if (altent >= pdata_vma
        && (altent + PDATA_ROW_SIZE <= pdata_vma
            + pei_section_data (abfd, pdata_section)->virt_size))
ASAN output:
==196912==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf3f1758c at pc 0x0835a8bd bp 0xffee2188 sp 0xffee217c
READ of size 1 at 0xf3f1758c thread T0
    #0 0x835a8bc in bfd_getl32 /home/seclab/fuzzing-experiment/fuzzing/src/binutils-2.32/bfd/libbfd.c:695:23
    #1 0x87e1da5 in pex64_get_runtime_function /home/seclab/fuzzing-experiment/fuzzing/src/binutils-2.32/bfd/pei-x86_64.c:94:26
    #2 0x87e1da5 in pex64_bfd_print_pdata_section /home/seclab/fuzzing-experiment/fuzzing/src/binutils-2.32/bfd/pei-x86_64.c:730
    #3 0x87de95c in pex64_bfd_print_pdata /home/seclab/fuzzing-experiment/fuzzing/src/binutils-2.32/bfd/pei-x86_64.c:794:12
    #4 0x883c1cd in _bfd_pex64_print_private_bfd_data_common /home/seclab/fuzzing-experiment/fuzzing/src/binutils-2.32/bfd/pex64igen.c:2911:5
    #5 0x87fb7d2 in pe_print_private_bfd_data /home/seclab/fuzzing-experiment/fuzzing/src/binutils-2.32/bfd/./peicode.h:336:8
    #6 0x8172853 in dump_bfd_private_header /home/seclab/fuzzing-experiment/fuzzing/src/binutils-2.32/binutils/./objdump.c:3181:3
    #7 0x8172853 in dump_bfd /home/seclab/fuzzing-experiment/fuzzing/src/binutils-2.32/binutils/./objdump.c:3782
    #8 0x81711a3 in display_any_bfd /home/seclab/fuzzing-experiment/fuzzing/src/binutils-2.32/binutils/./objdump.c:3881:7
    #9 0x816f747 in display_file /home/seclab/fuzzing-experiment/fuzzing/src/binutils-2.32/binutils/./objdump.c:3994:3
    #10 0x816f747 in main /home/seclab/fuzzing-experiment/fuzzing/src/binutils-2.32/binutils/./objdump.c:4304
    #11 0xf7584636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #12 0x806c9d7 in _start (/home/seclab/fuzzing-experiment/fuzzing/program/x86/binutils-2.32/aflclang5-asan/bin/objdump+0x806c9d7)
Address 0xf3f1758c is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/seclab/fuzzing-experiment/fuzzing/src/binutils-2.32/bfd/libbfd.c:695:23 in bfd_getl32
Credits:
Mingi Cho, Seoyoung Kim, and Taekyoung Kwon of the Information Security Lab,
Yonsei University.
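To illustrate the gap the report describes, here is an added example (not binutils code and not the project's fix): a hypothetical section record, the virt_size-only row check as quoted above beside a variant that also bounds each row by the raw bytes actually loaded, run over a constructed section whose header claims 0x100 bytes but whose file data is only 24 bytes long.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* One .pdata RUNTIME_FUNCTION row: three 32-bit fields (assumed to match
   PDATA_ROW_SIZE in pei-x86_64.c). */
#define PDATA_ROW_SIZE 12

/* Hypothetical stand-in for what bfd keeps per section: virt_size comes
   from the section header, raw_size is how many bytes were actually
   read from the file into data. */
struct pdata_section {
  uint64_t vma;
  size_t virt_size;
  size_t raw_size;
  const uint8_t *data;   /* exactly raw_size bytes */
};

/* The check as quoted in the report: bounds the row by virt_size only, so a
   file whose VirtualSize exceeds SizeOfRawData passes rows with no bytes
   behind them. */
bool row_ok_virt_only(const struct pdata_section *s, uint64_t altent) {
  return altent >= s->vma
      && altent + PDATA_ROW_SIZE <= s->vma + s->virt_size;
}

/* Bounds the row by the smaller of the two sizes and works on offsets so
   the arithmetic cannot wrap. */
bool row_ok_raw_checked(const struct pdata_section *s, uint64_t altent) {
  size_t limit = s->virt_size < s->raw_size ? s->virt_size : s->raw_size;
  if (altent < s->vma) return false;
  uint64_t off = altent - s->vma;
  return off <= limit && limit - off >= PDATA_ROW_SIZE;
}

/* Number of consecutive rows from the section start that a check accepts;
   every accepted row is later read with bfd_getl32 from data. */
size_t rows_accepted(const struct pdata_section *s,
                     bool (*ok)(const struct pdata_section *, uint64_t)) {
  size_t n = 0;
  while (ok(s, s->vma + (uint64_t)n * PDATA_ROW_SIZE)) n++;
  return n;
}

/* Constructed sample: header claims 0x100 bytes in memory, the file carries
   only 24 bytes (two rows), as a malformed PE can. */
static const uint8_t sample_data[24] = {
  0x10,0x20,0x00,0x00, 0x50,0x20,0x00,0x00, 0x00,0x30,0x00,0x00,
  0x60,0x20,0x00,0x00, 0x90,0x20,0x00,0x00, 0x0c,0x30,0x00,0x00 };
const struct pdata_section sample = { 0x401000, 0x100, 24, sample_data };
```

With the sample, the virt_size-only check accepts 21 rows while only 2 are backed by loaded data; every row past the second is the out-of-bound read ASAN reports.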