{"id":2300,"date":"2017-09-25T16:07:18","date_gmt":"2017-09-25T14:07:18","guid":{"rendered":"http:\/\/blogs.gentoo.org\/ago\/?p=2300"},"modified":"2017-09-26T09:43:00","modified_gmt":"2017-09-26T07:43:00","slug":"binutils-heap-based-buffer-overflow-in-_bfd_x86_elf_get_synthetic_symtab-elfxx-x86-c","status":"publish","type":"post","link":"https:\/\/blogs.gentoo.org\/ago\/2017\/09\/25\/binutils-heap-based-buffer-overflow-in-_bfd_x86_elf_get_synthetic_symtab-elfxx-x86-c\/","title":{"rendered":"binutils: heap-based buffer overflow in _bfd_x86_elf_get_synthetic_symtab (elfxx-x86.c)"},"content":{"rendered":"<p><strong>Description<\/strong>:<br \/>\n<a href=\"https:\/\/sourceware.org\/binutils\/\">binutils<\/a> is a set of tools necessary to build programs.<\/p>\n<p>The complete ASan output of the issue:<\/p>\n<pre><font size=\"2\"># nm -A -a -l -S -s --special-syms --synthetic --with-symbol-versions -D $FILE\r\n==40547==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61a000000574 at pc 0x0000004c1ca8 bp 0x7ffc34f58d10 sp 0x7ffc34f584c0\r\nWRITE of size 6 at 0x61a000000574 thread T0\r\n    #0 0x4c1ca7 in __asan_memcpy \/var\/tmp\/portage\/sys-libs\/compiler-rt-sanitizers-5.0.0\/work\/compiler-rt-5.0.0.src\/lib\/asan\/asan_interceptors.cc:466\r\n    #1 0x7f6df2a247e5 in _bfd_x86_elf_get_synthetic_symtab \/var\/tmp\/portage\/sys-devel\/binutils-9999\/work\/binutils\/bfd\/elfxx-x86.c:1946:3\r\n    #2 0x7f6df29f7b7a in elf_x86_64_get_synthetic_symtab \/var\/tmp\/portage\/sys-devel\/binutils-9999\/work\/binutils\/bfd\/elf64-x86-64.c:4963:10\r\n    #3 0x513df5 in display_rel_file \/var\/tmp\/portage\/sys-devel\/binutils-9999\/work\/binutils\/binutils\/nm.c:1155:21\r\n    #4 0x510f56 in display_file \/var\/tmp\/portage\/sys-devel\/binutils-9999\/work\/binutils\/binutils\/nm.c:1318:7\r\n    #5 0x50faae in main \/var\/tmp\/portage\/sys-devel\/binutils-9999\/work\/binutils\/binutils\/nm.c:1792:12\r\n    #6 0x7f6df19d1680 in __libc_start_main \/var\/tmp\/portage\/sys-libs\/glibc-2.23-r4\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n    #7 0x41ac18 in _init (\/usr\/x86_64-pc-linux-gnu\/binutils-bin\/git\/nm+0x41ac18)\r\n\r\n0x61a000000574 is located 0 bytes to the right of 1268-byte region [0x61a000000080,0x61a000000574)\r\nallocated by thread T0 here:\r\n    #0 0x4d8e08 in malloc \/var\/tmp\/portage\/sys-libs\/compiler-rt-sanitizers-5.0.0\/work\/compiler-rt-5.0.0.src\/lib\/asan\/asan_malloc_linux.cc:67\r\n    #1 0x7f6df299dd5c in bfd_malloc \/var\/tmp\/portage\/sys-devel\/binutils-9999\/work\/binutils\/bfd\/libbfd.c:193:9\r\n    #2 0x7f6df299dd5c in bfd_zmalloc \/var\/tmp\/portage\/sys-devel\/binutils-9999\/work\/binutils\/bfd\/libbfd.c:278\r\n    #3 0x7f6df2a23e29 in _bfd_x86_elf_get_synthetic_symtab \/var\/tmp\/portage\/sys-devel\/binutils-9999\/work\/binutils\/bfd\/elfxx-x86.c:1829:26\r\n    #4 0x7f6df29f7b7a in elf_x86_64_get_synthetic_symtab \/var\/tmp\/portage\/sys-devel\/binutils-9999\/work\/binutils\/bfd\/elf64-x86-64.c:4963:10\r\n    #5 0x513df5 in display_rel_file \/var\/tmp\/portage\/sys-devel\/binutils-9999\/work\/binutils\/binutils\/nm.c:1155:21\r\n    #6 0x510f56 in display_file \/var\/tmp\/portage\/sys-devel\/binutils-9999\/work\/binutils\/binutils\/nm.c:1318:7\r\n    #7 0x50faae in main \/var\/tmp\/portage\/sys-devel\/binutils-9999\/work\/binutils\/binutils\/nm.c:1792:12\r\n    #8 0x7f6df19d1680 in __libc_start_main \/var\/tmp\/portage\/sys-libs\/glibc-2.23-r4\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n\r\nSUMMARY: AddressSanitizer: heap-buffer-overflow \/var\/tmp\/portage\/sys-libs\/compiler-rt-sanitizers-5.0.0\/work\/compiler-rt-5.0.0.src\/lib\/asan\/asan_interceptors.cc:466 in __asan_memcpy\r\nShadow bytes around the buggy address:\r\n  0x0c347fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n  0x0c347fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n  0x0c347fff8070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n  0x0c347fff8080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n  0x0c347fff8090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n=&gt;0x0c347fff80a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[04]fa\r\n  0x0c347fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c347fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c347fff80d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c347fff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c347fff80f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n  Addressable:           00\r\n  Partially addressable: 01 02 03 04 05 06 07 \r\n  Heap left redzone:       fa\r\n  Freed heap region:       fd\r\n  Stack left redzone:      f1\r\n  Stack mid redzone:       f2\r\n  Stack right redzone:     f3\r\n  Stack after return:      f5\r\n  Stack use after scope:   f8\r\n  Global redzone:          f9\r\n  Global init order:       f6\r\n  Poisoned by user:        f7\r\n  Container overflow:      fc\r\n  Array cookie:            ac\r\n  Intra object redzone:    bb\r\n  ASan internal:           fe\r\n  Left alloca redzone:     ca\r\n  Right alloca redzone:    cb\r\n==40547==ABORTING\r\n<\/font><\/pre>\n<p><strong>Affected version:<\/strong><br \/>\n2.29.51.20170921 and maybe past releases<\/p>\n<p><strong>Fixed version:<\/strong><br \/>\nN\/A<\/p>\n<p><strong>Commit fix:<\/strong><br \/>\n<a href=\"https:\/\/sourceware.org\/git\/gitweb.cgi?p=binutils-gdb.git;h=61e3bf5f83f7e505b6bc51ef65426e5b31e6e360\">https:\/\/sourceware.org\/git\/gitweb.cgi?p=binutils-gdb.git;h=61e3bf5f83f7e505b6bc51ef65426e5b31e6e360<\/a><br \/>\n<a href=\"https:\/\/sourceware.org\/git\/gitweb.cgi?p=binutils-gdb.git;h=56933f9e3e90eebf1018ed7417d6c1184b91db6b\">https:\/\/sourceware.org\/git\/gitweb.cgi?p=binutils-gdb.git;h=56933f9e3e90eebf1018ed7417d6c1184b91db6b<\/a><\/p>\n<p><strong>Credit:<\/strong><br \/>\nThis bug was discovered by Agostino Sarubbo of Gentoo.<\/p>\n<p><strong>CVE:<\/strong><br \/>\nCVE-2017-14729<\/p>\n<p><strong>Reproducer:<\/strong><br \/>\n<a href=\"https:\/\/github.com\/asarubbo\/poc\/blob\/master\/00367-binutils-heapoverflow-_bfd_x86_elf_get_synthetic_symtab\">https:\/\/github.com\/asarubbo\/poc\/blob\/master\/00367-binutils-heapoverflow-_bfd_x86_elf_get_synthetic_symtab<\/a><\/p>\n<p><strong>Timeline:<\/strong><br \/>\n2017-09-21: bug discovered and reported to upstream<br \/>\n2017-09-22: upstream released a patch<br \/>\n2017-09-25: blog post about the issue<br \/>\n2017-09-25: CVE assigned<\/p>\n<p><strong>Note:<\/strong><br \/>\nThis bug was found with <a href=\"http:\/\/lcamtuf.coredump.cx\/afl\">American Fuzzy Lop<\/a>.<br \/>\nThis bug was identified with bare metal servers donated by <a href=\"https:\/\/www.packet.net\/\">Packet<\/a>. This work is also supported by the <a href=\"https:\/\/www.coreinfrastructure.org\">Core Infrastructure Initiative<\/a>.<\/p>\n<p><strong>Permalink:<\/strong><\/p>\n<blockquote data-secret=\"ixlFs0nxRD\" class=\"wp-embedded-content\"><p><a href=\"http:\/\/blogs.gentoo.org\/ago\/2017\/09\/25\/binutils-heap-based-buffer-overflow-in-_bfd_x86_elf_get_synthetic_symtab-elfxx-x86-c\/\">binutils: heap-based buffer overflow in _bfd_x86_elf_get_synthetic_symtab (elfxx-x86.c)<\/a><\/p><\/blockquote>\n<p><iframe class=\"wp-embedded-content\" sandbox=\"allow-scripts\" security=\"restricted\" style=\"position: absolute; clip: rect(1px, 1px, 1px, 1px);\" src=\"http:\/\/blogs.gentoo.org\/ago\/2017\/09\/25\/binutils-heap-based-buffer-overflow-in-_bfd_x86_elf_get_synthetic_symtab-elfxx-x86-c\/embed\/#?secret=ixlFs0nxRD\" data-secret=\"ixlFs0nxRD\" width=\"600\" height=\"338\" title=\"&#8220;binutils: heap-based buffer overflow in _bfd_x86_elf_get_synthetic_symtab (elfxx-x86.c)&#8221; &#8212; agostino&#039;s blog\" frameborder=\"0\" marginwidth=\"0\" marginheight=\"0\" scrolling=\"no\"><\/iframe><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Description: binutils is a set of tools necessary to build programs. The complete ASan output of the issue: # nm -A -a -l -S -s &#8211;special-syms &#8211;synthetic &#8211;with-symbol-versions -D $FILE ==40547==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61a000000574 at pc 0x0000004c1ca8 bp &hellip; <a href=\"https:\/\/blogs.gentoo.org\/ago\/2017\/09\/25\/binutils-heap-based-buffer-overflow-in-_bfd_x86_elf_get_synthetic_symtab-elfxx-x86-c\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":140,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true},"categories":[12,10],"tags":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p2EaBc-B6","_links":{"self":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/2300"}],"collection":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/users\/140"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/comments?post=2300"}],"version-history":[{"count":3,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/2300\/revisions"}],"predecessor-version":[{"id":2308,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/2300\/revisions\/2308"}],"wp:attachment":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/media?parent=2300"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/categories?post=2300"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/tags?post=2300"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}