https://sourceware.org/bugzilla/show_bug.cgi?id=19323
Kushal Shah changed:
What      |Removed  |Added
Status    |RESOLVED |REOPENED
Resolution|INVALID  |---
--- Comment #2 from Kushal Shah ---
Hi Alan,
I re-ran the PoC using both readelf and objdump. I saw that the "readelf"
tool returns an out-of-memory error and "objdump" crashes with a segmentation
fault, and using Valgrind we can see that there is a heap overflow caused by
objdump.
I am attaching both the "out-of-memory" error obtained using readelf and the
gdb and valgrind output confirming the heap overflow vulnerability in
objdump.
I would also like to ask if you could share the out-of-memory error
output returned by objdump using the PoC and reproduction steps provided
previously.
Vulnerability confirmation using GDB & Valgrind:
##--Valgrind Output--##
# valgrind --tool=memcheck --leak-check=full --track-origins=yes \
    --show-reachable=yes --keep-stacktraces=alloc-and-free --num-callers=40 \
    --track-fds=yes -v binutils-gdb/binutils/objdump -s /root/Desktop/file1 \
    /dev/null
==13429== Invalid write of size 4
==13429==    at 0x82499B7: bfd_elf32_swap_phdr_in (elfcode.h:367)
==13429==    by 0x824D0B4: bfd_elf32_object_p (elfcode.h:782)
==13429==    by 0x81E00F6: bfd_check_format_matches.part.1 (format.c:305)
==13429==    by 0x806734F: display_object_bfd (objdump.c:3418)
==13429==    by 0x806734F: display_any_bfd (objdump.c:3509)
==13429==    by 0x8053ECA: display_file (objdump.c:3530)
==13429==    by 0x8053ECA: main (objdump.c:3813)
==13429==  Address 0x420bdf0 is 0 bytes after a block of size 4,064 alloc'd
==13429==    at 0x40291CC: malloc (vg_replace_malloc.c:296)
==13429==    by 0x851B130: objalloc_create (objalloc.c:95)
==13429==    by 0x81F049B: _bfd_new_bfd (opncls.c:73)
==13429==    by 0x81F049B: bfd_fopen (opncls.c:199)
==13429==    by 0x81F049B: bfd_openr (opncls.c:287)
==13429==    by 0x8053E83: display_file (objdump.c:3523)
==13429==    by 0x8053E83: main (objdump.c:3813)
==13429==
==13429== Invalid write of size 4
==13429==    at 0x82499FF: bfd_elf32_swap_phdr_in (elfcode.h:369)
==13429==    by 0x824D0B4: bfd_elf32_object_p (elfcode.h:782)
==13429==    by 0x81E00F6: bfd_check_format_matches.part.1 (format.c:305)
==13429==    by 0x806734F: display_object_bfd (objdump.c:3418)
==13429==    by 0x806734F: display_any_bfd (objdump.c:3509)
==13429==    by 0x8053ECA: display_file (objdump.c:3530)
==13429==    by 0x8053ECA: main (objdump.c:3813)
==13429==  Address 0x420bdf4 is 4 bytes after a block of size 4,064 alloc'd
==13429==    at 0x40291CC: malloc (vg_replace_malloc.c:296)
==13429==    by 0x851B130: objalloc_create (objalloc.c:95)
==13429==    by 0x81F049B: _bfd_new_bfd (opncls.c:73)
==13429==    by 0x81F049B: bfd_fopen (opncls.c:199)
==13429==    by 0x81F049B: bfd_openr (opncls.c:287)
==13429==    by 0x8053E83: display_file (objdump.c:3523)
==13429==    by 0x8053E83: main (objdump.c:3813)
==13429==
==13429== Invalid write of size 4
==13429==    at 0x8249A0E: bfd_elf32_swap_phdr_in (elfcode.h:370)
==13429==    by 0x824D0B4: bfd_elf32_object_p (elfcode.h:782)
==13429==    by 0x81E00F6: bfd_check_format_matches.part.1 (format.c:305)
==13429==    by 0x806734F: display_object_bfd (objdump.c:3418)
==13429==    by 0x806734F: display_any_bfd (objdump.c:3509)
==13429==    by 0x8053ECA: display_file (objdump.c:3530)
==13429==    by 0x8053ECA: main (objdump.c:3813)
==13429==  Address 0x420bdf8 is 8 bytes after a block of size 4,064 alloc'd
==13429==    at 0x40291CC: malloc (vg_replace_malloc.c:296)
==13429==    by 0x851B130: objalloc_create (objalloc.c:95)
==13429==    by 0x81F049B: _bfd_new_bfd (opncls.c:73)
==13429==    by 0x81F049B: bfd_fopen (opncls.c:199)
==13429==    by 0x81F049B: bfd_openr (opncls.c:287)
==13429==    by 0x8053E83: display_file (objdump.c:3523)
==13429==    by 0x8053E83: main (objdump.c:3813)
==13429==
==13429== Invalid write of size 4
==13429==    at 0x8249A1A: bfd_elf32_swap_phdr_in (elfcode.h:371)
==13429==    by 0x824D0B4: bfd_elf32_object_p (elfcode.h:782)
==13429==    by 0x81E00F6: bfd_check_format_matches.part.1 (format.c:305)
==13429==    by 0x806734F: display_object_bfd (objdump.c:3418)
==13429==    by 0x806734F: display_any_bfd (objdump.c:3509)
==13429==    by 0x8053ECA: display_file (objdump.c:3530)
==13429==    by 0x8053ECA: main (objdump.c:3813)
==13429==  Address 0x420bdfc is 12 bytes after a block of size 4,064 alloc'd
==13429==    at 0x40291CC: malloc (vg_replace_malloc.c:296)
==13429==    by 0x851B130: objalloc_create (objalloc.c:95)
==13429==    by 0x81F049B: _bfd_new_bfd (opncls.c:73)
==13429==    by 0x81F049B: bfd_fopen (opncls.c:199)
==13429==    by 0x81F049B: bfd_openr (opncls.c:287)
==13429==    by 0x8053E83: display_file (objdump.c:3523)
==13429==    by 0x8053E83: main (objdump.c:3813)
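The Valgrind trace above shows bfd_elf32_swap_phdr_in writing 4-byte fields past the end of a 4,064-byte block while the PoC file's program header table is being read in. The following is an added illustration of the general class of bug (sizing the read and the destination buffer from e_phnum and e_phentsize taken from an untrusted ELF header), not BFD's code and not a diagnosis of this bug's root cause: a minimal little-endian ELF32 program-header reader with the unchecked size calculation beside a bounds-checked one. The image builder, the error codes and the function names are this example's own assumptions.

```c
/* Added example: bounds-checking an ELF32 program-header table before
 * swapping it in. Not BFD code; the naive/hardened split, the image
 * builder and the error codes are this example's own. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    uint32_t p_type, p_offset, p_vaddr, p_paddr,
             p_filesz, p_memsz, p_flags, p_align;
} Elf32_Phdr;                           /* 32 bytes, same as the on-disk entry */

enum { EHDR_SIZE = 52, E_PHOFF = 28, E_PHENTSIZE = 42, E_PHNUM = 44 };

static uint32_t rd32(const uint8_t *p)
{ return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void wr32(uint8_t *p, uint32_t v)
{ p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Naive: the table size a parser derives when it trusts e_phnum and
 * e_phentsize. A loop that copies this many bytes from e_phoff reads past
 * the end of a small file and writes past any buffer sized differently. */
size_t naive_phdr_bytes(const uint8_t *img)
{
    return (size_t)rd16(img + E_PHNUM) * rd16(img + E_PHENTSIZE);
}

/* Hardened: validate the table against the real file length, then size the
 * destination from the checked count. Returns 0 on success, <0 on error. */
int parse_phdrs(const uint8_t *img, size_t len, Elf32_Phdr **out, size_t *nout)
{
    *out = NULL; *nout = 0;
    if (len < EHDR_SIZE || memcmp(img, "\x7f" "ELF", 4) != 0 || img[4] != 1)
        return -1;                                   /* not a 32-bit ELF */
    uint32_t phoff = rd32(img + E_PHOFF);
    uint16_t phentsize = rd16(img + E_PHENTSIZE), phnum = rd16(img + E_PHNUM);
    if (phnum == 0) return 0;
    if (phentsize != sizeof(Elf32_Phdr)) return -2;  /* unexpected entry size */
    uint64_t table = (uint64_t)phnum * phentsize;    /* cannot overflow 64 bits */
    if (phoff > len || table > len - phoff) return -3; /* table runs past EOF */
    Elf32_Phdr *ph = calloc(phnum, sizeof *ph);      /* sized from the checked count */
    if (!ph) return -4;
    for (size_t i = 0; i < phnum; i++) {             /* swap each entry in */
        const uint8_t *src = img + phoff + i * phentsize;
        ph[i].p_type   = rd32(src);      ph[i].p_offset = rd32(src + 4);
        ph[i].p_vaddr  = rd32(src + 8);  ph[i].p_paddr  = rd32(src + 12);
        ph[i].p_filesz = rd32(src + 16); ph[i].p_memsz  = rd32(src + 20);
        ph[i].p_flags  = rd32(src + 24); ph[i].p_align  = rd32(src + 28);
    }
    *out = ph; *nout = phnum;
    return 0;
}

/* Constructed sample input: a minimal LE ELF32 image claiming `phnum`
 * program headers, with only as many real entries as fit in `len` bytes. */
size_t make_image(uint8_t *buf, size_t len, uint16_t phnum)
{
    if (len < EHDR_SIZE) return 0;
    memset(buf, 0, len);
    memcpy(buf, "\x7f" "ELF\x01\x01\x01", 7);        /* magic, ELFCLASS32, LE, EV_CURRENT */
    wr32(buf + E_PHOFF, EHDR_SIZE);
    wr16(buf + E_PHENTSIZE, sizeof(Elf32_Phdr));
    wr16(buf + E_PHNUM, phnum);
    size_t fit = (len - EHDR_SIZE) / sizeof(Elf32_Phdr);
    for (size_t i = 0; i < phnum && i < fit; i++)
        wr32(buf + EHDR_SIZE + i * sizeof(Elf32_Phdr), 1); /* p_type = PT_LOAD */
    return len;
}
```

With a 116-byte image that honestly declares two entries, parse_phdrs returns both; with the same 116 bytes but e_phnum forced to 0xFFFF, naive_phdr_bytes reports a 2 MiB table while parse_phdrs rejects the file with -3 before allocating or copying anything.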