From: nguyenmanhdung1710 at gmail dot com
Subject: [Bug binutils/25823] New: Use after free in bfd_hash_lookup(), as demonstrated by nm-new
Date: Wed, 15 Apr 2020 05:27:33 +0000
https://sourceware.org/bugzilla/show_bug.cgi?id=25823
Bug ID: 25823
Summary: Use after free in bfd_hash_lookup(), as demonstrated by nm-new
Product: binutils
Version: 2.35 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: nguyenmanhdung1710 at gmail dot com
Target Milestone: ---
Created attachment 12458
--> https://sourceware.org/bugzilla/attachment.cgi?id=12458&action=edit
PoC for a UAF in nm-new
Hi,
A use after free was discovered in nm-new (at the latest commit, c98a454) in
bfd_hash_lookup(); it can cause a denial of service via a crafted file.
To reproduce: nm-new -C PoC
ASAN says:
READ of size 19 at 0x7f865818780e thread T0
#0 0x7f86570dd2c4 (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x472c4)
#1 0x429e27 in bfd_hash_lookup ../../bfd/hash.c:475
#2 0x4339e7 in bfd_get_section_by_name ../../bfd/section.c:899
#3 0x5a0076 in _bfd_pei_swap_sym_in /home/dungnguyen/fuzz/binutils-gdb/obj-asan/bfd/peXXigen.c:170
#4 0x5dbef1 in coff_get_normalized_symtab ../../bfd/coffgen.c:1816
#5 0x59c981 in coff_slurp_symbol_table ../../bfd/coffcode.h:4531
#6 0x5d2898 in coff_get_symtab_upper_bound ../../bfd/coffgen.c:411
#7 0x43609c in _bfd_generic_read_minisymbols ../../bfd/syms.c:802
#8 0x4072f1 in display_rel_file ../../binutils/nm.c:1126
#9 0x4081c5 in display_file ../../binutils/nm.c:1393
#10 0x409c6a in main ../../binutils/nm.c:1874
#11 0x7f8656ae882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#12 0x402ce8 in _start (/home/dungnguyen/PoCs/readelf_f717994/nm+0x402ce8)

0x7f865818780e is located 14 bytes inside of 235653-byte region [0x7f8658187800,0x7f86581c1085)
freed by thread T0 here:
#0 0x7f865712e32a in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9832a)
#1 0x5db9ba in _bfd_coff_free_symbols ../../bfd/coffgen.c:1756
#2 0x5d1ef4 in coff_real_object_p ../../bfd/coffgen.c:302
#3 0x592c2c in pe_bfd_object_p ../../bfd/peicode.h:1504
#4 0x428442 in bfd_check_format_matches ../../bfd/format.c:343
#5 0x408168 in display_file ../../binutils/nm.c:1389
#6 0x409c6a in main ../../binutils/nm.c:1874
#7 0x7f8656ae882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

previously allocated by thread T0 here:
#0 0x7f865712e662 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98662)
#1 0x42be64 in bfd_malloc ../../bfd/libbfd.c:275
#2 0x5db59b in _bfd_coff_read_string_table ../../bfd/coffgen.c:1714
#3 0x5d2cb7 in _bfd_coff_internal_syment_name ../../bfd/coffgen.c:464
#4 0x5a0014 in _bfd_pei_swap_sym_in /home/dungnguyen/fuzz/binutils-gdb/obj-asan/bfd/peXXigen.c:161
#5 0x59327b in handle_COMDAT ../../bfd/coffcode.h:925
#6 0x59406c in styp_to_sec_flags ../../bfd/coffcode.h:1306
#7 0x5d0c9a in make_a_section_from_file ../../bfd/coffgen.c:130
#8 0x5d1ec8 in coff_real_object_p ../../bfd/coffgen.c:297
#9 0x592c2c in pe_bfd_object_p ../../bfd/peicode.h:1504
#10 0x428442 in bfd_check_format_matches ../../bfd/format.c:343
#11 0x408168 in display_file ../../binutils/nm.c:1389
#12 0x409c6a in main ../../binutils/nm.c:1874
#13 0x7f8656ae882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
Thanks,
Manh Dung
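The three ASAN stacks above describe one ownership pattern: a string table is read and cached during the format probe (coff_real_object_p), released by the probe's cleanup (_bfd_coff_free_symbols) while the cached pointer survives, and then dereferenced by a later symbol read. The following is an added illustration of that pattern and its general remedy in a self-contained C model; it is not binutils code, not the reporter's PoC, and not a description of the actual fix. The names read_string_table, symbol_name, free_symbols, free_symbols_dangling and probe_then_read are hypothetical, and the string table contents are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for an on-disk COFF-style string table:
 * NUL-separated names addressed by byte offset.  (Hypothetical data.) */
static const char FILE_STRINGS[] = "\0foo\0.text$bar\0";

/* Hypothetical object descriptor with a read-once string table cache. */
struct obj {
    char *strings;       /* cached string table, NULL when not loaded */
    size_t strings_len;  /* bytes in the cached table */
    int reads;           /* how many times the table was (re)read */
};

/* Lazily read the string table and cache it, like a read-once helper. */
static const char *read_string_table(struct obj *o)
{
    if (o->strings != NULL)
        return o->strings;
    o->strings_len = sizeof FILE_STRINGS;
    o->strings = malloc(o->strings_len);
    if (o->strings == NULL)
        return NULL;
    memcpy(o->strings, FILE_STRINGS, o->strings_len);
    o->reads++;
    return o->strings;
}

/* Resolve a name by string-table offset, rejecting out-of-range offsets
 * and names that are not NUL-terminated inside the table. */
static const char *symbol_name(struct obj *o, size_t offset)
{
    const char *tab = read_string_table(o);
    if (tab == NULL || offset >= o->strings_len)
        return NULL;
    if (memchr(tab + offset, '\0', o->strings_len - offset) == NULL)
        return NULL;
    return tab + offset;
}

/* Defective release, shown for comparison and never called here: the table
 * is freed but the cached pointer stays set, so a later symbol_name() call
 * would read freed memory.  This is the shape of the reported bug. */
static void free_symbols_dangling(struct obj *o)
{
    free(o->strings);
}

/* Corrected release: clear the cache so the next lookup re-reads the
 * table instead of dereferencing a stale pointer. */
static void free_symbols(struct obj *o)
{
    free(o->strings);
    o->strings = NULL;
    o->strings_len = 0;
}

/* Probe-then-read sequence: the probe resolves a name, releases its
 * symbols, and a later pass resolves the same name again.  Returns 1 if
 * both lookups succeed, 0 otherwise. */
static int probe_then_read(struct obj *o)
{
    const char *first = symbol_name(o, 1);
    if (first == NULL || strcmp(first, "foo") != 0)
        return 0;
    free_symbols(o);                 /* probe cleanup, cache cleared */
    const char *second = symbol_name(o, 1);  /* forces a fresh read */
    return second != NULL && strcmp(second, "foo") == 0;
}

int main(void)
{
    struct obj o = {0};
    int ok = probe_then_read(&o);
    printf("probe-then-read ok=%d, table read %d times\n", ok, o.reads);
    (void)free_symbols_dangling;     /* reference only, not invoked */
    free_symbols(&o);
    return ok ? 0 : 1;
}
```

The defensive point is that whoever frees a cached buffer must also invalidate every cached reference to it; with the corrected release the second lookup triggers a second read (reads becomes 2) rather than a stale dereference.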