[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Bug binutils/24644] New: OOM-Bug in _bfd_archive_64_bit_slurp_armap in
From: |
alex at forallsecure dot com |
Subject: |
[Bug binutils/24644] New: OOM-Bug in _bfd_archive_64_bit_slurp_armap in bfd/archive64.c |
Date: |
Fri, 07 Jun 2019 04:14:18 +0000 |
https://sourceware.org/bugzilla/show_bug.cgi?id=24644
Bug ID: 24644
Summary: OOM-Bug in _bfd_archive_64_bit_slurp_armap in
bfd/archive64.c
Product: binutils
Version: 2.33 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: alex at forallsecure dot com
Target Milestone: ---
Created attachment 11819
--> https://sourceware.org/bugzilla/attachment.cgi?id=11819&action=edit
Input to reproduce
_bfd_archive_64_bit_slurp_armap reads nsymz from the archive, which is user
controller. It then attempts to allocate an amount derived from nsymz, which
allows attackers to trigger excessive memory consumption. I'm attaching a
minimized input that triggers that issue. You can observe the behavior with
`ltrace ./objdump -x ./input 2>&1 | grep malloc` or by compiling objdump with
ASAN which produces the following stacktrace:
==39959==ERROR: AddressSanitizer: requested allocation size 0xa0a0a0a0a0a0a18
(0xa0a0a0a0a0a1a18 after adjustments for alignment, red zones etc.) exceeds
maximum supported size of 0x10000000000 (thread T0)
#0 0x49665d in __interceptor_malloc
/b/swarming/w/ir/k/src/third_party/llvm/compiler-rt/lib/asan/asan_malloc_linux.cc:145:3
#1 0x1148578 in _objalloc_alloc
/fas/apr/binutils-gdb/build-libfuzzer/libiberty/../../libiberty/objalloc.c:143:22
#2 0x7f91d9 in bfd_alloc
/fas/apr/binutils-gdb/build-libfuzzer/bfd/../../bfd/opncls.c:949:9
#3 0x7f8381 in bfd_zalloc
/fas/apr/binutils-gdb/build-libfuzzer/bfd/../../bfd/opncls.c:998:9
#4 0x10c1636 in _bfd_archive_64_bit_slurp_armap
/fas/apr/binutils-gdb/build-libfuzzer/bfd/../../bfd/archive64.c:98:39
#5 0x7d90c6 in bfd_slurp_armap
/fas/apr/binutils-gdb/build-libfuzzer/bfd/../../bfd/archive.c:1149:14
#6 0x7d8a84 in bfd_generic_archive_p
/fas/apr/binutils-gdb/build-libfuzzer/bfd/../../bfd/archive.c:875:8
#7 0x7f0da6 in bfd_check_format_matches
/fas/apr/binutils-gdb/build-libfuzzer/bfd/../../bfd/format.c:315:14
- binutils version: commit 12efd68d159444ad8dfe24e49965a228ba980b86 (Wed Jun 5
2019)
- OS: Ubuntu 18.04.2, running in a docker container on Mac OS
- Linux 4.9.125-linuxkit
- clang version 9.0.0
Found using ForAllSecure's Mayhem.
--
You are receiving this mail because:
You are on the CC list for the bug.
- [Bug binutils/24644] New: OOM-Bug in _bfd_archive_64_bit_slurp_armap in bfd/archive64.c,
alex at forallsecure dot com <=