mgcho.minic at gmail dot com
2018-05-07 14:34:56 UTC
https://sourceware.org/bugzilla/show_bug.cgi?id=23147
Bug ID: 23147
Summary: Heap buffer overflow in pe_print_idata
Product: binutils
Version: 2.31 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: mgcho.minic at gmail dot com
Target Milestone: ---
Created attachment 10998
--> https://sourceware.org/bugzilla/attachment.cgi?id=10998&action=edit
POC to trigger bug
Triggered by "./objdump -x -W $POC"
Tested on Ubuntu 16.04 (x86)
Heap buffer overread occurred when processing malformed PE file.
The GDB debugging information is as follows:
ASAN output:
==26446==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb5e0207f at
pc 0x08293f7a bp 0xbfc8e458 sp 0xbfc8e44c
READ of size 1 at 0xb5e0207f thread T0
#0 0x8293f79 in bfd_getl32
/home/min/fuzzing/src/binutils/binutils-gdb/bfd/libbfd.c:635:23
#1 0x852550a in pe_print_idata
/home/min/fuzzing/src/binutils/binutils-gdb/bfd/peigen.c:1544:31
#2 0x8523579 in _bfd_pe_print_private_bfd_data_common
/home/min/fuzzing/src/binutils/binutils-gdb/bfd/peigen.c:2905:3
#3 0x84ed8f4 in pe_print_private_bfd_data
/home/min/fuzzing/src/binutils/binutils-gdb/bfd/./peicode.h:336:8
#4 0x814737f in dump_bfd_private_header
/home/min/fuzzing/src/binutils/binutils-gdb/binutils/./objdump.c:2996:3
#5 0x8145d10 in dump_bfd
/home/min/fuzzing/src/binutils/binutils-gdb/binutils/./objdump.c:3589:5
#6 0x8145539 in display_object_bfd
/home/min/fuzzing/src/binutils/binutils-gdb/binutils/./objdump.c:3688:7
#7 0x8145425 in display_any_bfd
/home/min/fuzzing/src/binutils/binutils-gdb/binutils/./objdump.c:3777:5
#8 0x8144e8b in display_file
/home/min/fuzzing/src/binutils/binutils-gdb/binutils/./objdump.c:3798:3
#9 0x814457b in main
/home/min/fuzzing/src/binutils/binutils-gdb/binutils/./objdump.c:4100:6
#10 0xb74f4636 in __libc_start_main
/build/glibc-mUak1Y/glibc-2.23/csu/../csu/libc-start.c:291
#11 0x806ca37 in _start
(/home/min/fuzzing/program/binutils-2.30-21432/bin/objdump+0x806ca37)
Credits:
Mingi Cho and Taekyoung Kwon of the Information Security Lab, Yonsei
University.
Bug ID: 23147
Summary: Heap buffer overflow in pe_print_idata
Product: binutils
Version: 2.31 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: mgcho.minic at gmail dot com
Target Milestone: ---
Created attachment 10998
--> https://sourceware.org/bugzilla/attachment.cgi?id=10998&action=edit
POC to trigger bug
Triggered by "./objdump -x -W $POC"
Tested on Ubuntu 16.04 (x86)
Heap buffer overread occurred when processing malformed PE file.
The GDB debugging information is as follows:
ASAN output:
==26446==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb5e0207f at
pc 0x08293f7a bp 0xbfc8e458 sp 0xbfc8e44c
READ of size 1 at 0xb5e0207f thread T0
#0 0x8293f79 in bfd_getl32
/home/min/fuzzing/src/binutils/binutils-gdb/bfd/libbfd.c:635:23
#1 0x852550a in pe_print_idata
/home/min/fuzzing/src/binutils/binutils-gdb/bfd/peigen.c:1544:31
#2 0x8523579 in _bfd_pe_print_private_bfd_data_common
/home/min/fuzzing/src/binutils/binutils-gdb/bfd/peigen.c:2905:3
#3 0x84ed8f4 in pe_print_private_bfd_data
/home/min/fuzzing/src/binutils/binutils-gdb/bfd/./peicode.h:336:8
#4 0x814737f in dump_bfd_private_header
/home/min/fuzzing/src/binutils/binutils-gdb/binutils/./objdump.c:2996:3
#5 0x8145d10 in dump_bfd
/home/min/fuzzing/src/binutils/binutils-gdb/binutils/./objdump.c:3589:5
#6 0x8145539 in display_object_bfd
/home/min/fuzzing/src/binutils/binutils-gdb/binutils/./objdump.c:3688:7
#7 0x8145425 in display_any_bfd
/home/min/fuzzing/src/binutils/binutils-gdb/binutils/./objdump.c:3777:5
#8 0x8144e8b in display_file
/home/min/fuzzing/src/binutils/binutils-gdb/binutils/./objdump.c:3798:3
#9 0x814457b in main
/home/min/fuzzing/src/binutils/binutils-gdb/binutils/./objdump.c:4100:6
#10 0xb74f4636 in __libc_start_main
/build/glibc-mUak1Y/glibc-2.23/csu/../csu/libc-start.c:291
#11 0x806ca37 in _start
(/home/min/fuzzing/program/binutils-2.30-21432/bin/objdump+0x806ca37)
Credits:
Mingi Cho and Taekyoung Kwon of the Information Security Lab, Yonsei
University.
--
You are receiving this mail because:
You are on the CC list for the bug.
You are receiving this mail because:
You are on the CC list for the bug.