[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Bug binutils/22306] New: Invalid free() in slurp_symtab() [Heap corrupt
From: |
mgcho.minic at gmail dot com |
Subject: |
[Bug binutils/22306] New: Invalid free() in slurp_symtab() [Heap corruption] |
Date: |
Tue, 17 Oct 2017 02:55:29 +0000 |
https://sourceware.org/bugzilla/show_bug.cgi?id=22306
Bug ID: 22306
Summary: Invalid free() in slurp_symtab() [Heap corruption]
Product: binutils
Version: 2.30 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: mgcho.minic at gmail dot com
Target Milestone: ---
Created attachment 10533
--> https://sourceware.org/bugzilla/attachment.cgi?id=10533&action=edit
poc for heap corruption
Triggered by "./objdump -x $POC"
The GDB debugging information is as follows:
(gdb) r -x $POC
(gdb) bt
#0 0xb7fd9ce5 in __kernel_vsyscall ()
#1 0xb7e2bea9 in __GI_raise (sig=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#2 0xb7e2d407 in __GI_abort () at abort.c:89
#3 0xb7e6737c in __libc_message (do_abort=2, fmt=0xb7f5fdf4 "*** Error in
`%s': %s: 0x%s ***\n")
at ../sysdeps/posix/libc_fatal.c:175
#4 0xb7e6d2f7 in malloc_printerr (action=<optimized out>,
str=0xb7f5fef0 "free(): invalid next size (fast)", ptr=<optimized out>,
ar_ptr=0xb7fb2780 <main_arena>) at malloc.c:5006
#5 0xb7e6dc31 in _int_free (av=0xb7fb2780 <main_arena>, p=<optimized out>,
have_lock=0)
at malloc.c:3867
#6 0x080f3f55 in aout_get_external_symbols (abfd=0x81e9a08) at ./aoutx.h:1370
#7 0x080f3d15 in aout_32_slurp_symbol_table (abfd=0x81e9a08) at ./aoutx.h:1757
#8 0x080f4e30 in aout_32_get_symtab_upper_bound (abfd=0x81e9a08) at
./aoutx.h:2522
#9 0x0804aea7 in slurp_symtab (abfd=0x81e9a08) at ./objdump.c:615
#10 dump_bfd (abfd=0x81e9a08) at ./objdump.c:3523
#11 0x0804aa6e in display_object_bfd (abfd=0x81e9a08) at ./objdump.c:3611
#12 display_any_bfd (file=0x81e9a08, level=<optimized out>) at ./objdump.c:3700
#13 0x0804a4ea in display_file (filename=0xbffff30f "/tmp/heap-corruption",
target=<optimized out>, last_file=<optimized out>) at ./objdump.c:3721
#14 main (argc=<optimized out>, argv=<optimized out>) at ./objdump.c:4023
Credits:
This vulnerability was discovered by Mingi Cho and Taekyoung Kwon of the
Information Security Lab, Yonsei University. Please contact
address@hidden and address@hidden if you need more information
about the vulnerability and the lab.
--
You are receiving this mail because:
You are on the CC list for the bug.
- [Bug binutils/22306] New: Invalid free() in slurp_symtab() [Heap corruption],
mgcho.minic at gmail dot com <=