https://sourceware.org/bugzilla/show_bug.cgi?id=19323
Kushal Shah <kshah at fortinet dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|INVALID                     |---

--- Comment #2 from Kushal Shah <kshah at fortinet dot com> ---
Hi Alan,

I re-ran the PoC using both readelf and objdump and saw that the "readelf" tool returns an out-of-memory error, while "objdump" crashes with a Segmentation Fault; using Valgrind we can see that there is a heap overflow caused by objdump. I am attaching both the "out-of-memory" error obtained using readelf and the gdb and valgrind output confirming the heap overflow vulnerability in objdump.

I would also like to request that you share the out-of-memory error output returned by objdump using the PoC and reproduction steps provided previously.

Vulnerability confirmation using GDB & Valgrind:

##########----------Valgrind Output----------##########
# valgrind --tool=memcheck --leak-check=full --track-origins=yes --show-reachable=yes --keep-stacktraces=alloc-and-free --num-callers=40 --track-fds=yes -v binutils-gdb/binutils/objdump -s /root/Desktop/file1 /dev/null

==13429== Invalid write of size 4
==13429==    at 0x82499B7: bfd_elf32_swap_phdr_in (elfcode.h:367)
==13429==    by 0x824D0B4: bfd_elf32_object_p (elfcode.h:782)
==13429==    by 0x81E00F6: bfd_check_format_matches.part.1 (format.c:305)
==13429==    by 0x806734F: display_object_bfd (objdump.c:3418)
==13429==    by 0x806734F: display_any_bfd (objdump.c:3509)
==13429==    by 0x8053ECA: display_file (objdump.c:3530)
==13429==    by 0x8053ECA: main (objdump.c:3813)
==13429==  Address 0x420bdf0 is 0 bytes after a block of size 4,064 alloc'd
==13429==    at 0x40291CC: malloc (vg_replace_malloc.c:296)
==13429==    by 0x851B130: objalloc_create (objalloc.c:95)
==13429==    by 0x81F049B: _bfd_new_bfd (opncls.c:73)
==13429==    by 0x81F049B: bfd_fopen (opncls.c:199)
==13429==    by 0x81F049B: bfd_openr (opncls.c:287)
==13429==    by 0x8053E83: display_file (objdump.c:3523)
==13429==    by 0x8053E83: main (objdump.c:3813)
==13429==
==13429== Invalid write of size 4
==13429==    at 0x82499FF: bfd_elf32_swap_phdr_in (elfcode.h:369)
==13429==    by 0x824D0B4: bfd_elf32_object_p (elfcode.h:782)
==13429==    by 0x81E00F6: bfd_check_format_matches.part.1 (format.c:305)
==13429==    by 0x806734F: display_object_bfd (objdump.c:3418)
==13429==    by 0x806734F: display_any_bfd (objdump.c:3509)
==13429==    by 0x8053ECA: display_file (objdump.c:3530)
==13429==    by 0x8053ECA: main (objdump.c:3813)
==13429==  Address 0x420bdf4 is 4 bytes after a block of size 4,064 alloc'd
==13429==    at 0x40291CC: malloc (vg_replace_malloc.c:296)
==13429==    by 0x851B130: objalloc_create (objalloc.c:95)
==13429==    by 0x81F049B: _bfd_new_bfd (opncls.c:73)
==13429==    by 0x81F049B: bfd_fopen (opncls.c:199)
==13429==    by 0x81F049B: bfd_openr (opncls.c:287)
==13429==    by 0x8053E83: display_file (objdump.c:3523)
==13429==    by 0x8053E83: main (objdump.c:3813)
==13429==
==13429== Invalid write of size 4
==13429==    at 0x8249A0E: bfd_elf32_swap_phdr_in (elfcode.h:370)
==13429==    by 0x824D0B4: bfd_elf32_object_p (elfcode.h:782)
==13429==    by 0x81E00F6: bfd_check_format_matches.part.1 (format.c:305)
==13429==    by 0x806734F: display_object_bfd (objdump.c:3418)
==13429==    by 0x806734F: display_any_bfd (objdump.c:3509)
==13429==    by 0x8053ECA: display_file (objdump.c:3530)
==13429==    by 0x8053ECA: main (objdump.c:3813)
==13429==  Address 0x420bdf8 is 8 bytes after a block of size 4,064 alloc'd
==13429==    at 0x40291CC: malloc (vg_replace_malloc.c:296)
==13429==    by 0x851B130: objalloc_create (objalloc.c:95)
==13429==    by 0x81F049B: _bfd_new_bfd (opncls.c:73)
==13429==    by 0x81F049B: bfd_fopen (opncls.c:199)
==13429==    by 0x81F049B: bfd_openr (opncls.c:287)
==13429==    by 0x8053E83: display_file (objdump.c:3523)
==13429==    by 0x8053E83: main (objdump.c:3813)
==13429==
==13429== Invalid write of size 4
==13429==    at 0x8249A1A: bfd_elf32_swap_phdr_in (elfcode.h:371)
==13429==    by 0x824D0B4: bfd_elf32_object_p (elfcode.h:782)
==13429==    by 0x81E00F6: bfd_check_format_matches.part.1 (format.c:305)
==13429==    by 0x806734F: display_object_bfd (objdump.c:3418)
==13429==    by 0x806734F: display_any_bfd (objdump.c:3509)
==13429==    by 0x8053ECA: display_file (objdump.c:3530)
==13429==    by 0x8053ECA: main (objdump.c:3813)
==13429==  Address 0x420bdfc is 12 bytes after a block of size 4,064 alloc'd
==13429==    at 0x40291CC: malloc (vg_replace_malloc.c:296)
==13429==    by 0x851B130: objalloc_create (objalloc.c:95)
==13429==    by 0x81F049B: _bfd_new_bfd (opncls.c:73)
==13429==    by 0x81F049B: bfd_fopen (opncls.c:199)
==13429==    by 0x81F049B: bfd_openr (opncls.c:287)
==13429==    by 0x8053E83: display_file (objdump.c:3523)
==13429==    by 0x8053E83: main (objdump.c:3813)
==13429==
==13429== Invalid write of size 4
==13429==    at 0x8249938: bfd_elf32_swap_phdr_in (elfcode.h:356)
==13429==    by 0x824D0B4: bfd_elf32_object_p (elfcode.h:782)
==13429==    by 0x81E00F6: bfd_check_format_matches.part.1 (format.c:305)
==13429==    by 0x806734F: display_object_bfd (objdump.c:3418)
==13429==    by 0x806734F: display_any_bfd (objdump.c:3509)
==13429==    by 0x8053ECA: display_file (objdump.c:3530)
==13429==    by 0x8053ECA: main (objdump.c:3813)
==13429==  Address 0x420be00 is 16 bytes after a block of size 4,064 alloc'd
==13429==    at 0x40291CC: malloc (vg_replace_malloc.c:296)
==13429==    by 0x851B130: objalloc_create (objalloc.c:95)
==13429==    by 0x81F049B: _bfd_new_bfd (opncls.c:73)
==13429==    by 0x81F049B: bfd_fopen (opncls.c:199)
==13429==    by 0x81F049B: bfd_openr (opncls.c:287)
==13429==    by 0x8053E83: display_file (objdump.c:3523)
==13429==    by 0x8053E83: main (objdump.c:3813)
==13429==
==13429== Invalid write of size 4
==13429==    at 0x8249946: bfd_elf32_swap_phdr_in (elfcode.h:357)
==13429==    by 0x824D0B4: bfd_elf32_object_p (elfcode.h:782)
==13429==    by 0x81E00F6: bfd_check_format_matches.part.1 (format.c:305)
==13429==    by 0x806734F: display_object_bfd (objdump.c:3418)
==13429==    by 0x806734F: display_any_bfd (objdump.c:3509)
==13429==    by 0x8053ECA: display_file (objdump.c:3530)
==13429==    by 0x8053ECA: main (objdump.c:3813)
==13429==  Address 0x420be04 is 20 bytes after a block of size 4,064 in arena "client"
==13429==

valgrind: m_mallocfree.c:304 (get_bszB_as_is): Assertion 'bszB_lo == bszB_hi' failed.
valgrind: Heap block lo/hi size mismatch: lo = 4112, hi = 6.
This is probably caused by your program erroneously writing past the
end of a heap block and corrupting heap metadata.
##########----------Valgrind Output----------##########

##########----------GDB Output----------##########
# gdb --args binutils-gdb/binutils/objdump -s /root/Desktop/file1 /dev/null

   0xb7c1d927 <__GI__IO_fread+7>     mov    0x34(%esp),%edi
   0xb7c1d92b <__GI__IO_fread+11>    imul   0x38(%esp),%edi
   0xb7c1d930 <__GI__IO_fread+16>    call   0xb7cdd14b <__x86.get_pc_thunk.bx>
   0xb7c1d935 <__GI__IO_fread+21>    add    $0x1426cb,%ebx
   0xb7c1d93b <__GI__IO_fread+27>    mov    0x3c(%esp),%esi
   0xb7c1d93f <__GI__IO_fread+31>    test   %edi,%edi
   0xb7c1d941 <__GI__IO_fread+33>    je     0xb7c1d9e0 <__GI__IO_fread+192>
   0xb7c1d947 <__GI__IO_fread+39>    mov    (%esi),%eax
   0xb7c1d949 <__GI__IO_fread+41>    and    $0x8000,%eax
   0xb7c1d94e <__GI__IO_fread+46>    jne    0xb7c1d985 <__GI__IO_fread+101>
   0xb7c1d950 <__GI__IO_fread+48>    mov    0x48(%esi),%edx
   0xb7c1d953 <__GI__IO_fread+51>    mov    %gs:0x8,%ebp
 > 0xb7c1d95a <__GI__IO_fread+58>    cmp    0x8(%edx),%ebp        <----- Crash happens here.
   0xb7c1d95d <__GI__IO_fread+61>    je     0xb7c1d981 <__GI__IO_fread+97>
   0xb7c1d95f <__GI__IO_fread+63>    mov    $0x1,%ecx
   0xb7c1d964 <__GI__IO_fread+68>    cmpl   $0x0,%gs:0xc
   0xb7c1d96c <__GI__IO_fread+76>    je     0xb7c1d96f <__GI__IO_fread+79>
   0xb7c1d96e <__GI__IO_fread+78>    lock cmpxchg %ecx,(%edx)
   0xb7c1d972 <__GI__IO_fread+82>    jne    0xb7c1da23 <_L_lock_53>
   0xb7c1d978 <__GI__IO_fread+88>    mov    0x48(%esi),%eax
   0xb7c1d97b <__GI__IO_fread+91>    mov    0x48(%esi),%edx
   0xb7c1d97e <__GI__IO_fread+94>    mov    %ebp,0x8(%eax)
   0xb7c1d981 <__GI__IO_fread+97>    addl   $0x1,0x4(%edx)
   0xb7c1d985 <__GI__IO_fread+101>   mov    0x30(%esp),%eax
   0xb7c1d989 <__GI__IO_fread+105>   mov    %edi,0x8(%esp)
   0xb7c1d98d <__GI__IO_fread+109>   mov    %esi,(%esp)
   0xb7c1d990 <__GI__IO_fread+112>   mov    %eax,0x4(%esp)
   0xb7c1d994 <__GI__IO_fread+116>   call   0xb7c2a090 <__GI__IO_sgetn>
   0xb7c1d999 <__GI__IO_fread+121>   testl  $0x8000,(%esi)

(gdb) r
Starting program: /usr/bin/objdump -s /root/Desktop/file1 /dev/null

Program received signal SIGSEGV, Segmentation fault.
0xb7c1d95a in __GI__IO_fread (buf=0xbffff21c, size=1, count=32, fp=0x80a4528) at iofread.c:41
(gdb) bt
#0  0xb7c1d95a in __GI__IO_fread (buf=0xbffff21c, size=1, count=32, fp=0x80a4528) at iofread.c:41
#1  0xb7dac6e3 in ?? () from /usr/lib/libbfd-2.25-system.so
#2  0xb7dab879 in bfd_bread () from /usr/lib/libbfd-2.25-system.so
#3  0xb7dd6ce4 in bfd_elf32_object_p () from /usr/lib/libbfd-2.25-system.so
#4  0xb7db11b7 in bfd_check_format_matches () from /usr/lib/libbfd-2.25-system.so
#5  0x0804fa60 in ?? ()
#6  0x08051e11 in ?? ()
#7  0x0804c1b6 in ?? ()
#8  0xb7bd3a63 in __libc_start_main (main=0x804ba20, argc=4, argv=0xbffff4d4, init=0x8080e20, fini=0x8080e90, rtld_fini=0xb7fedc90 <_dl_fini>, stack_end=0xbffff4cc) at libc-start.c:287
#9  0x0804c340 in ?? ()
(gdb) x $edx
0x6469676b:     Cannot access memory at address 0x6469676b
(gdb) x $ebp
0xb7bb9940:     0xb7bb9940
(gdb) x $esi
0x80a4528:      0x00000000
(gdb) x $eax
0x0:    Cannot access memory at address 0x0
(gdb) x $eip
0xb7c1d95a <__GI__IO_fread+58>: 0x74086a3b
(gdb)
##########----------GDB Output----------##########

"readelf" output showing the out-of-memory error:

##########----------ReadElf Output----------##########
readelf -a /root/Desktop/file1

ELF Header:
  Magic:   7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
  Class:                             ELF32
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              DYN (Shared object file)
  Machine:                           Intel 80386
  Version:                           0x1
  Entry point address:               0x753
  Start of program headers:          52 (bytes into file)
  Start of section headers:          4364 (bytes into file)
  Flags:                             0x0
  Size of this header:               52 (bytes)
  Size of program headers:           32 (bytes)
  Number of program headers:         65535 (-2147483648)
  Size of section headers:           40 (bytes)
  Number of section headers:         27
  Section header string table index: 26

Section Headers:
  [Nr] Name              Type            Addr     Off    Size   ES Flg Lk Inf        Al
  [ 0]                   NULL            00000000 000000 000000 00      0  2147483648 0
  [ 1] .interp           PROGBITS        00000154 000154 000013 00   A  0  0          1
  [ 2] .note.ABI-tag     NOTE            00000168 000168 000020 00   A  0  0          4
  [ 3] .note.gnu.build-i NOTE            00000188 000188 000024 00   A  0  0          4
  [ 4] .gnu.hash         GNU_HASH        000001ac 0001ac 000034 04   A  5  0          4
  [ 5] .dynsym           DYNSYM          000001e0 0001e0 000130 10   A  6  1          4
  [ 6] .dynstr           STRTAB          00000310 000310 00012c 00   A  0  0          1
  [ 7] .gnu.version      VERSYM          0000043c 00043c 000026 02   A  5  0          2
  [ 8] .gnu.version_r    VERNEED         00000464 000464 000050 00   A  6  1          4
  [ 9] .rel.dyn          REL             000004b4 0004b4 000050 08   A  5  0          4
  [10] .rel.plt          REL             00000504 000504 000048 08  AI  5  12         4
  [11] .init             PROGBITS        0000054c 00054c 000023 00  AX  0  0          4
  [12] .plt              PROGBITS        00000570 000570 0000a0 04  AX  0  0          16
  [13] .text             PROGBITS        00000610 000610 000354 00  AX  0  0          16
  [14] .fini             PROGBITS        00000964 000964 000014 00  AX  0  0          4
  [15] .rodata           PROGBITS        00000978 000978 00003a 00   A  0  0          4
  [16] .eh_frame_hdr     PROGBITS        000009b4 0009b4 000034 00   A  0  0          4
  [17] .eh_frame         PROGBITS        000009e8 0009e8 0000f4 00   A  0  0          4
  [18] .init_array       INIT_ARRAY      00001ea8 000ea8 000004 00  WA  0  0          4
  [19] .fini_array       FINI_ARRAY      00001eac 000eac 000004 00  WA  0  0          4
  [20] .jcr              PROGBITS        00001eb0 000eb0 000004 00  WA  0  0          4
  [21] .dynamic          DYNAMIC         00001eb4 000eb4 000100 08  WA  6  0          4
  [22] .got              PROGBITS        00001fb4 000fb4 00004c 04  WA  0  0          4
  [23] .data             PROGBITS        00002000 001000 000008 00  WA  0  0          4
  [24] .bss              NOBITS          00002008 001008 000004 00  WA  0  0          1
  [25] .gnu_debuglink    PROGBITS        00000000 001008 000010 00      0  0          1
  [26] .shstrtab         STRTAB          00000000 001018 0000f3 00      0  0          1
Key to Flags:
  W (write), A (alloc), X (execute), M (merge), S (strings)
  I (info), L (link order), G (group), T (TLS), E (exclude), x (unknown)
  O (extra OS processing required) o (OS specific), p (processor specific)

There are no section groups in this file.

readelf: Error: Out of memory reading 2147483648 program headers

Relocation section '.rel.dyn' at offset 0x4b4 contains 10 entries:
 Offset     Info    Type            Sym.Value  Sym. Name
00001ea8  00000008 R_386_RELATIVE
00001eac  00000008 R_386_RELATIVE
00001ff4  00000008 R_386_RELATIVE
00002004  00000008 R_386_RELATIVE
00001fe4  00000106 R_386_GLOB_DAT    00000000   _ITM_deregisterTMClone
00001fe8  00000206 R_386_GLOB_DAT    00000000   stderr
00001fec  00000406 R_386_GLOB_DAT    00000000   __cxa_finalize
00001ff0  00000706 R_386_GLOB_DAT    00000000   __gmon_start__
00001ff8  00000906 R_386_GLOB_DAT    00000000   _Jv_RegisterClasses
00001ffc  00000b06 R_386_GLOB_DAT    00000000   _ITM_registerTMCloneTa

Relocation section '.rel.plt' at offset 0x504 contains 9 entries:
 Offset     Info    Type            Sym.Value  Sym. Name
00001fc0  00000307 R_386_JUMP_SLOT   00000000   __stack_chk_fail
00001fc4  00000407 R_386_JUMP_SLOT   00000000   __cxa_finalize
00001fc8  00000507 R_386_JUMP_SLOT   00000000   perror
00001fcc  00000607 R_386_JUMP_SLOT   00000000   setgid
00001fd0  00000707 R_386_JUMP_SLOT   00000000   __gmon_start__
00001fd4  00000807 R_386_JUMP_SLOT   00000000   __libc_start_main
00001fd8  00000a07 R_386_JUMP_SLOT   00000000   __fprintf_chk
00001fdc  00000c07 R_386_JUMP_SLOT   00000000   strtol
00001fe0  00000d07 R_386_JUMP_SLOT   00000000   getgrnam

The decoding of unwind sections for machine type Intel 80386 is not currently supported.

Symbol table '.dynsym' contains 19 entries:
   Num:    Value  Size Type    Bind   Vis      Ndx Name
     0: 00000000     0 NOTYPE  LOCAL  DEFAULT  UND
     1: 00000000     0 NOTYPE  WEAK   DEFAULT  UND _ITM_deregisterTMCloneTab
     2: 00000000     0 OBJECT  GLOBAL DEFAULT  UND stderr
     3: 00000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail
     4: 00000000     0 FUNC    WEAK   DEFAULT  UND __cxa_finalize
     5: 00000000     0 FUNC    GLOBAL DEFAULT  UND perror
     6: 00000000     0 FUNC    GLOBAL DEFAULT  UND setgid
     7: 00000000     0 NOTYPE  WEAK   DEFAULT  UND __gmon_start__
     8: 00000000     0 FUNC    GLOBAL DEFAULT  UND __libc_start_main
     9: 00000000     0 NOTYPE  WEAK   DEFAULT  UND _Jv_RegisterClasses
    10: 00000000     0 FUNC    GLOBAL DEFAULT  UND __fprintf_chk
    11: 00000000     0 NOTYPE  WEAK   DEFAULT  UND _ITM_registerTMCloneTable
    12: 00000000     0 FUNC    GLOBAL DEFAULT  UND strtol
    13: 00000000     0 FUNC    GLOBAL DEFAULT  UND getgrnam
    14: 00002008     0 NOTYPE  GLOBAL DEFAULT   23 _edata
    15: 0000200c     0 NOTYPE  GLOBAL DEFAULT   24 _end
    16: 0000097c     4 OBJECT  GLOBAL DEFAULT   15 _IO_stdin_used
    17: 00002008     0 NOTYPE  GLOBAL DEFAULT   24 __bss_start
    18: 00000610   323 FUNC    GLOBAL DEFAULT   13 main

Version symbols section '.gnu.version' contains 19 entries:
 Addr: 000000000000043c  Offset: 0x00043c  Link: 5 (.dynsym)
readelf: Error: Out of memory reading 2147483648 program headers
readelf: Warning: Cannot interpret virtual addresses without program headers.
  000:   457f 464c   101 1 (*global*)
  004:   0 (*local*)    0 (*local*)    0 (*local*)    0 (*local*)
  008:   3 3 1 (*global*)   0 (*local*)
  00c:   753 0 (*local*)    34 0 (*local*)
  010:   110c 0 (*local*)   0 (*local*)

Version needs section '.gnu.version_r' contains 1 entries:
 Addr: 0x0000000000000464  Offset: 0x000464  Link: 6 (.dynstr)
  000000: Version: 1  File: libc.so.6  Cnt: 4
  0x0010:   Name: GLIBC_2.3.4  Flags: none  Version: 5
  0x0020:   Name: GLIBC_2.1.3  Flags: none  Version: 4
  0x0030:   Name: GLIBC_2.4  Flags: none  Version: 3
  0x0040:   Name: GLIBC_2.0  Flags: none  Version: 2

Displaying notes found at file offset 0x00000168 with length 0x00000020:
  Owner                 Data size       Description
  GNU                  0x00000010       NT_GNU_ABI_TAG (ABI version tag)
    OS: Linux, ABI: 2.6.32

Displaying notes found at file offset 0x00000188 with length 0x00000024:
  Owner                 Data size       Description
  GNU                  0x00000014       NT_GNU_BUILD_ID (unique build ID bitstring)
    Build ID: 877dd3f1ef18a2dc8185514f69586d496a1b187e
##########----------ReadElf Output----------##########