** Description changed:
SIGSEGV and out-of-bounds write during processing file via objdump
# Description
During processing of the attached elf file via
```
objdump -S testcase
```
- an out-of-bounds write is triggered and causes a segmentation fault (SIGSEGV)
- This allows an attacker to perform a denial of service and possibly opens up
- other attack vectors if files from untrusted sources are processed.
+ an out-of-bounds write is triggered and causes a segmentation fault (SIGSEGV)
This allows an attacker to perform a denial of service and possibly opens up
other attack vectors if files from untrusted sources are processed.
For reproduction of the crash, I attached the following script(s):
- reproduce-ubuntu.sh : Reproduction on Ubuntu 20.04
Since I was unable to reproduce the bug upstream, I report it here.
If you need further assistance, please do not hesitate to ask.
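Added example, not part of this report or of binutils: a stand-alone Python pre-flight check that parses the ELF64 section header table and flags the inconsistencies objdump warns about further down (a section whose size does not fit in the file, a section link pointing past the table) before an untrusted file is handed to objdump. The sample ELF is constructed inline; only the size value 0x3c3b031b01 is taken from the report's warning.

```python
import struct

SHT_NOBITS = 8  # occupies no file space, so its sh_size need not fit in the file

def check_elf64_sections(data: bytes) -> list:
    """Return findings for section headers whose file range or sh_link is out of bounds."""
    findings = []
    if len(data) < 64 or data[:4] != b"\x7fELF" or data[4] != 2:
        return ["not an ELF64 file"]
    end = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little-endian, 2 = big-endian
    hdr = struct.unpack(end + "16sHHIQQQIHHHHHH", data[:64])
    e_shoff, e_shentsize, e_shnum = hdr[6], hdr[11], hdr[12]
    if e_shentsize != 64 or e_shoff + 64 * e_shnum > len(data):
        return ["section header table lies outside the file"]
    for i in range(e_shnum):
        off = e_shoff + 64 * i
        sh = struct.unpack(end + "IIQQQQIIQQ", data[off:off + 64])
        sh_type, sh_offset, sh_size, sh_link = sh[1], sh[4], sh[5], sh[6]
        # A non-NOBITS section must lie entirely inside the file.
        if sh_type != SHT_NOBITS and sh_offset + sh_size > len(data):
            findings.append(f"section {i}: size 0x{sh_size:x} at offset 0x{sh_offset:x} "
                            f"exceeds file size {len(data)}")
        # sh_link must name an existing section, or dependency walking goes astray.
        if sh_link >= e_shnum:
            findings.append(f"section {i}: sh_link {sh_link} is out of range")
    return findings

def build_sample() -> bytes:
    """Constructed ELF64: one sane section header and one whose sh_size cannot fit."""
    shoff = 64
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)   # ELF64, LSB, version 1, padding
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 1, 62, 1, 0, 0, shoff, 0,
                       64, 0, 0, 64, 2, 0)            # e_shentsize=64, e_shnum=2
    good = struct.pack("<IIQQQQIIQQ", 0, 1, 0, 0, 192, 8, 0, 0, 1, 0)
    bad = struct.pack("<IIQQQQIIQQ", 0, 1, 0, 0, 192, 0x3c3b031b01, 7, 0, 1, 0)
    return ehdr + good + bad + bytes(8)               # 200 bytes in total

if __name__ == "__main__":
    for line in check_elf64_sections(build_sample()):
        print(line)
```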
# Ubuntu version
# apt show binutils
Package: binutils
Version: 2.34-6ubuntu1.3
Priority: optional
Build-Essential: yes
Section: devel
Origin: Ubuntu
Maintainer: Ubuntu Developers
Original-Maintainer: Matthias Klose
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Installed-Size: 110 kB
Provides: binutils-gold, elf-binutils
Depends: binutils-common (= 2.34-6ubuntu1.3), libbinutils (= 2.34-6ubuntu1.3), binutils-x86-64-linux-gnu (= 2.34-6ubuntu1.3)
Suggests: binutils-doc (>= 2.34-6ubuntu1.3)
Conflicts: binutils-mingw-w64-i686 (<< 2.23.52.20130612-1+3), binutils-mingw-w64-x86-64 (<< 2.23.52.20130612-1+3), binutils-multiarch (<< 2.27-8), modutils (<< 2.4.19-1)
Homepage: https://www.gnu.org/software/binutils/
Task: ubuntustudio-video, ubuntu-mate-core, ubuntu-mate-desktop
Download-Size: 3380 B
APT-Manual-Installed: yes
APT-Sources: http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
Description: GNU assembler, linker and binary utilities
# Ubuntu valgrind
==1== Memcheck, a memory error detector
==1== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==1== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
==1== Command: objdump -S /testcase
==1==
objdump: warning: /testcase has a corrupt section with a size (3c3b031b01) larger than the file size
objdump: /testcase: warning: loop in section dependencies detected
objdump: warning: /testcase has a corrupt section with a size (3c3b031b01) larger than the file size
==1== Invalid write of size 4
==1==    at 0x4A40248: bfd_section_from_shdr (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A3BD4F: bfd_elf64_object_p (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A1AB01: bfd_check_format_matches (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==    by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==    by 0x111B3C: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==    by 0x4B360B2: (below main) (libc-start.c:308)
==1==  Address 0x4d469f4 is 1,940 bytes inside a block of size 4,064 free'd
==1==    at 0x483CA3F: free (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==1==    by 0x4ABC85B: objalloc_free_block (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A1AABF: bfd_check_format_matches (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==    by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==    by 0x111B3C: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==    by 0x4B360B2: (below main) (libc-start.c:308)
==1==  Block was alloc'd at
==1==    at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==1==    by 0x4ABC65B: _objalloc_alloc (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A227D4: bfd_alloc (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A22CED: bfd_zalloc (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A41DE9: _bfd_elf_new_section_hook (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A2485E: ??? (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A40CEB: _bfd_elf_make_section_from_shdr (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A401DE: bfd_section_from_shdr (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A3BD4F: bfd_elf64_object_p (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A1AB01: bfd_check_format_matches (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==    by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==
==1== Invalid write of size 4
==1==    at 0x4A40248: bfd_section_from_shdr (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)