[Bug binutils/21663] New: There is integer Overflow in the objdump tool of the GNU Binutils.

From: v.owl337 at gmail dot com
Subject: [Bug binutils/21663] New: There is integer Overflow in the objdump tool of the GNU Binutils.
Date: Fri, 23 Jun 2017 14:37:15 +0000
https://sourceware.org/bugzilla/show_bug.cgi?id=21663
Bug ID: 21663
Summary: There is integer Overflow in the objdump tool of the GNU Binutils.
Product: binutils
Version: 2.28
Status: UNCONFIRMED
Severity: critical
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: v.owl337 at gmail dot com
Target Milestone: ---
Created attachment 10215: ./objdump -S POC1
--> https://sourceware.org/bugzilla/attachment.cgi?id=10215&action=edit
The ASAN debugging information is as follows:

$ ./objdump -S POC1
...
ASAN:SIGSEGV
=================================================================
==51582==ERROR: AddressSanitizer: SEGV on unknown address 0x255a0782 (pc 0x082abe10 bp 0xf3f01eb4 sp 0xffe74620 T0)
    #0 0x82abe0f in elf_x86_64_get_plt_sym_val /home/icy/real/binutils-2.28/bfd/elf64-x86-64.c:6669
    #1 0x82f36fa in _bfd_elf_ifunc_get_synthetic_symtab /home/icy/real/binutils-2.28/bfd/elf-ifunc.c:425
    #2 0x82aacd9 in elf_x86_64_get_synthetic_symtab /home/icy/real/binutils-2.28/bfd/elf64-x86-64.c:6700
    #3 0x8069013 in dump_bfd objdump.c:3448
    #4 0x806b0ce in display_object_bfd objdump.c:3526
    #5 0x806b0ce in display_any_bfd objdump.c:3615
    #6 0x8056562 in display_file objdump.c:3636
    #7 0x8056562 in main objdump.c:3919
    #8 0xf703679d in __libc_start_main (/lib32/libc.so.6+0x1879d)
    #9 0x805944b (/home/icy/real/binutils-2.28/binutils/objdump+0x805944b)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/icy/real/binutils-2.28/bfd/elf64-x86-64.c:6669 elf_x86_64_get_plt_sym_val
==51582==ABORTING
This is an integer overflow at line elf64-x86-64.c:6655 in function elf_x86_64_get_plt_sym_val(). With the exact input we provided, line elf64-x86-64.c:6655 will run multiple times, but in the 90th cycle the value of reloc_index is calculated as 3338665986, which exceeds the maximum range of long.
6586 static bfd_vma *
6587 elf_x86_64_get_plt_sym_val (bfd *abfd, asymbol **dynsyms, asection *plt,
6588                             asection *relplt)
6589 {
...
6651       if (p->howto->type != R_X86_64_JUMP_SLOT
6652           && p->howto->type != R_X86_64_IRELATIVE)
6653         continue;
6654
6655       reloc_index = H_GET_32 (abfd, (plt_contents + plt_offset
6656                                      + bed->plt_reloc_offset));
6657       if (reloc_index < count)
6658         {
6659           if (plt_bnd)
6660             {
...
Credits:
This vulnerability was detected by team OWL337 with our custom fuzzer collAFL.
Please contact address@hidden and address@hidden if you need more info about the team, the tool or the vulnerability.
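The mechanism the report describes, shown as an added, constructed example that is not binutils code and not part of the original report. The 32-bit addresses and /lib32 libc in the trace indicate a 32-bit host, where `long` is 32 bits; the example therefore stores the 32-bit field read from the PLT entry (the H_GET_32 call at line 6655) in an `int32_t` to stand in for such a `long`. The assumption is that reloc_index is a signed type on that host: a field value of 3338665986 then wraps to a negative number, the check `reloc_index < count` at line 6657 passes, and the negative index is used for the later access that the sanitizer reports at line 6669. The hardened variant keeps the field unsigned, compares it unsigned, and also checks that the 4-byte field lies inside the PLT contents before reading it. The byte layout, offsets and count are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample PLT contents (not from POC1): a benign field of 3 at
   offset 4 and the report's value 3338665986 == 0xC7000002 at offset 12,
   both little-endian. */
static const unsigned char PLT_SAMPLE[16] = {
    0x00, 0x00, 0x00, 0x00,
    0x03, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00,
    0x02, 0x00, 0x00, 0xC7
};

/* Read a 32-bit little-endian field, the way H_GET_32 does for a
   little-endian target (assumed here). */
uint32_t get_32_le(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern: the field lands in a signed 32-bit variable (stand-in
   for `long` on a 32-bit host). Values >= 2^31 become negative, so the
   `< count` check is satisfied and the index would be used. Returns 1 when
   the index passes the check. */
int index_accepted_signed(const unsigned char *field, long count)
{
    int32_t reloc_index = (int32_t)get_32_le(field);  /* wraps negative */
    return reloc_index < count;
}

/* Hardened pattern: keep the field unsigned and compare it unsigned, so any
   value >= count is rejected regardless of its top bit. */
int index_accepted_unsigned(const unsigned char *field, unsigned long count)
{
    uint32_t reloc_index = get_32_le(field);
    return reloc_index < count;
}

/* Hardened lookup: validates that the 4-byte field is inside the PLT
   contents, then range-checks the index unsigned. Returns 0 and stores the
   index on success, -1 when the entry must be skipped. */
int safe_reloc_index(const unsigned char *plt_contents, size_t plt_size,
                     size_t plt_offset, size_t reloc_offset, size_t count,
                     uint32_t *out)
{
    uint32_t reloc_index;

    if (plt_offset > plt_size
        || reloc_offset > plt_size - plt_offset
        || plt_size - plt_offset - reloc_offset < 4)
        return -1;                      /* field would be read out of bounds */

    reloc_index = get_32_le(plt_contents + plt_offset + reloc_offset);
    if (reloc_index >= count)
        return -1;                      /* index outside the relocation table */

    *out = reloc_index;
    return 0;
}

int main(void)
{
    uint32_t idx;
    const unsigned char *poc_field = PLT_SAMPLE + 12;

    printf("field value: %u\n", get_32_le(poc_field));
    printf("signed check passes:   %d\n", index_accepted_signed(poc_field, 5));
    printf("unsigned check passes: %d\n", index_accepted_unsigned(poc_field, 5));
    printf("safe lookup: %d\n",
           safe_reloc_index(PLT_SAMPLE, sizeof PLT_SAMPLE, 8, 4, 5, &idx));
    return 0;
}
```

The one-line fix the example illustrates is to give reloc_index an unsigned type wide enough for the field (bfd_vma in BFD's terms) so that the existing comparison against count is an unsigned comparison; the extra bounds check on the field's position guards the read itself against a truncated PLT section.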