[Bug binutils/24644] New: OOM-Bug in _bfd_archive_64_bit_slurp

bug-binutils

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Bug binutils/24644] New: OOM-Bug in _bfd_archive_64_bit_slurp_armap in

From:	alex at forallsecure dot com
Subject:	[Bug binutils/24644] New: OOM-Bug in _bfd_archive_64_bit_slurp_armap in bfd/archive64.c
Date:	Fri, 07 Jun 2019 04:14:18 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=24644

            Bug ID: 24644
           Summary: OOM-Bug in _bfd_archive_64_bit_slurp_armap in
                    bfd/archive64.c
           Product: binutils
           Version: 2.33 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: alex at forallsecure dot com
  Target Milestone: ---

Created attachment 11819
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11819&action=edit
Input to reproduce

_bfd_archive_64_bit_slurp_armap reads nsymz from the archive, which is user
controller. It then attempts to allocate an amount derived from nsymz, which
allows attackers to trigger excessive memory consumption. I'm attaching a
minimized input that triggers that issue. You can observe the behavior with
`ltrace ./objdump -x ./input 2>&1 | grep malloc` or by compiling objdump with
ASAN which produces the following stacktrace:

==39959==ERROR: AddressSanitizer: requested allocation size 0xa0a0a0a0a0a0a18
(0xa0a0a0a0a0a1a18 after adjustments for alignment, red zones etc.) exceeds
maximum supported size of 0x10000000000 (thread T0)
    #0 0x49665d in __interceptor_malloc
/b/swarming/w/ir/k/src/third_party/llvm/compiler-rt/lib/asan/asan_malloc_linux.cc:145:3
    #1 0x1148578 in _objalloc_alloc
/fas/apr/binutils-gdb/build-libfuzzer/libiberty/../../libiberty/objalloc.c:143:22
    #2 0x7f91d9 in bfd_alloc
/fas/apr/binutils-gdb/build-libfuzzer/bfd/../../bfd/opncls.c:949:9
    #3 0x7f8381 in bfd_zalloc
/fas/apr/binutils-gdb/build-libfuzzer/bfd/../../bfd/opncls.c:998:9
    #4 0x10c1636 in _bfd_archive_64_bit_slurp_armap
/fas/apr/binutils-gdb/build-libfuzzer/bfd/../../bfd/archive64.c:98:39
    #5 0x7d90c6 in bfd_slurp_armap
/fas/apr/binutils-gdb/build-libfuzzer/bfd/../../bfd/archive.c:1149:14
    #6 0x7d8a84 in bfd_generic_archive_p
/fas/apr/binutils-gdb/build-libfuzzer/bfd/../../bfd/archive.c:875:8
    #7 0x7f0da6 in bfd_check_format_matches
/fas/apr/binutils-gdb/build-libfuzzer/bfd/../../bfd/format.c:315:14

- binutils version: commit 12efd68d159444ad8dfe24e49965a228ba980b86 (Wed Jun 5
2019)
- OS: Ubuntu 18.04.2, running in a docker container on Mac OS
- Linux 4.9.125-linuxkit
- clang version 9.0.0


Found using ForAllSecure's Mayhem.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Prev in Thread]

Current Thread

[Next in Thread]

[Bug binutils/24644] New: OOM-Bug in _bfd_archive_64_bit_slurp_armap in bfd/archive64.c, alex at forallsecure dot com <=
- [Bug binutils/24644] OOM-Bug in _bfd_archive_64_bit_slurp_armap in bfd/archive64.c, amodra at gmail dot com, 2019/06/07
- [Bug binutils/24644] OOM-Bug in _bfd_archive_64_bit_slurp_armap in bfd/archive64.c, alex at forallsecure dot com, 2019/06/07

Prev by Date: [Bug binutils/24643] New: arm/aarch64: SEGV in objdump -ld for static programs with split out debug symbols
Next by Date: [Bug binutils/24644] OOM-Bug in _bfd_archive_64_bit_slurp_armap in bfd/archive64.c
Previous by thread: [Bug binutils/24643] New: arm/aarch64: SEGV in objdump -ld for static programs with split out debug symbols
Next by thread: [Bug binutils/24644] OOM-Bug in _bfd_archive_64_bit_slurp_armap in bfd/archive64.c
Index(es):
- Date
- Thread