Summary: sys-devel/binutils: heap overflow
Product: Gentoo Security
Reporter: Tavis Ormandy (RETIRED) <taviso>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Whiteboard: B2 [glsa] jaervosz
Package list:
Runtime testing required: ---
Bug Depends on:
Description Tavis Ormandy (RETIRED) 2005-05-04 01:15:32 UTC
Various applications dealing with binary files are vulnerable to a heap overflow: it's possible to integer-overflow the argument to malloc by specifying a number of section headers that, when multiplied by the size of the struct required to store the section headers, wraps, leading to a heap overflow. I believe this issue to be exploitable.

The following packages are known to be vulnerable:
sys-devel/binutils (objdump, strings (!!!), nm, etc)
dev-libs/elfutils (eu-readelf, etc)
app-editors/hteditor
sys-devel/gdb

There are probably more. An example (harmless) binary that triggers this bug is attached.
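The allocation pattern the description above warns about, as an added example that is not code from the bug report, binutils or elfutils: a header count taken from the file multiplied by the size of the struct that stores each header, computed in 32-bit arithmetic, beside the overflow-safe version, plus a check that the section header table an ELF32 header advertises actually lies inside the file. The 32-bit count used in the wraparound demonstration is an assumption (the ELF32 e_shnum field itself is 16 bits); the header offsets are the standard ELF32 layout; both inputs are constructed here, one of them being the 52-byte string solar posts in comment 23; and `table_bytes_naive`, `table_bytes_checked` and `check_elf32_shdrs` are names chosen for this example.

```c
/* Added example, not code from the bug report, binutils or elfutils. It models
 * the report's pattern, section-header count times sizeof(struct) handed to
 * malloc() in 32-bit arithmetic, and the checks that close it. A 32-bit count
 * is assumed for the wraparound demo; the ELF e_shnum field is only 16 bits. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ELF32_EHDR_SIZE 52

/* Vulnerable pattern: the product wraps, malloc() gets a small block, and the
 * loop that fills `count` entries afterwards writes past its end. */
uint32_t table_bytes_naive(uint32_t count, uint32_t entsize)
{
    return count * entsize;                 /* silent 32-bit wraparound */
}

/* Hardened pattern: refuse any count whose product would wrap. */
bool table_bytes_checked(uint32_t count, uint32_t entsize, uint32_t *out)
{
    if (entsize == 0 || count > UINT32_MAX / entsize)
        return false;
    *out = count * entsize;
    return true;
}

/* Read an n-byte unsigned field (n <= 4) in the file's byte order. */
static uint32_t rd(const uint8_t *p, int n, int be)
{
    uint32_t v = 0;
    for (int i = 0; i < n; i++)
        v |= (uint32_t)p[i] << (8 * (be ? n - 1 - i : i));
    return v;
}

/* Validate the section header table an ELF32 header advertises against the
 * bytes actually present. 0 = sane or absent; negative = rejected. */
int check_elf32_shdrs(const uint8_t *buf, size_t len, uint32_t *tbl_bytes)
{
    if (len < ELF32_EHDR_SIZE || memcmp(buf, "\x7f" "ELF", 4) != 0)
        return -1;                          /* too short or not ELF */
    if (buf[4] != 1)
        return -2;                          /* EI_CLASS != ELFCLASS32 */
    if (buf[5] != 1 && buf[5] != 2)
        return -3;                          /* EI_DATA: 1 = LSB, 2 = MSB */
    int be = buf[5] == 2;
    uint32_t shoff     = rd(buf + 32, 4, be);   /* e_shoff     */
    uint32_t shentsize = rd(buf + 46, 2, be);   /* e_shentsize */
    uint32_t shnum     = rd(buf + 48, 2, be);   /* e_shnum     */
    if (shoff == 0 || shnum == 0) {         /* no section header table */
        *tbl_bytes = 0;
        return 0;
    }
    uint32_t bytes;
    if (!table_bytes_checked(shnum, shentsize, &bytes))
        return -4;                          /* count * entsize would wrap */
    if (bytes > len || shoff > len - bytes)
        return -5;                          /* table runs past end of file */
    *tbl_bytes = bytes;
    return 0;
}

/* Constructed input: the 52-byte big-endian ELF from comment 23 (seven fixed
 * bytes, then 0x41 to the end of the header). Returns the check's verdict. */
int comment23_result(void)
{
    static const uint8_t prefix[7] = {0x7f, 0x45, 0x4c, 0x46, 0x01, 0x02, 0x01};
    uint8_t buf[ELF32_EHDR_SIZE]; uint32_t t = 0;
    memset(buf, 0x41, sizeof buf);
    memcpy(buf, prefix, sizeof prefix);
    return check_elf32_shdrs(buf, sizeof buf, &t);   /* -5: e_shoff 0x41414141 */
}

/* Constructed input: a minimal little-endian ELF32 header plus one 40-byte
 * section header, 92 bytes in all. Returns the table size (40) or the error. */
int minimal_elf32_result(void)
{
    uint8_t buf[ELF32_EHDR_SIZE + 40]; uint32_t t = 0;
    memset(buf, 0, sizeof buf);
    memcpy(buf, "\x7f" "ELF", 4);
    buf[4] = 1; buf[5] = 1; buf[6] = 1;     /* ELFCLASS32, ELFDATA2LSB, EV_CURRENT */
    buf[32] = ELF32_EHDR_SIZE;              /* e_shoff = 52 */
    buf[46] = 40;                           /* e_shentsize */
    buf[48] = 1;                            /* e_shnum */
    int rc = check_elf32_shdrs(buf, sizeof buf, &t);
    return rc == 0 ? (int)t : rc;
}

int main(void)
{
    uint32_t t = 0;
    printf("naive 0x08000001*0x40 -> %u, checked -> %s\n", table_bytes_naive(0x08000001u, 0x40u),
           table_bytes_checked(0x08000001u, 0x40u, &t) ? "ok" : "rejected");
    printf("comment 23 ELF -> %d, minimal ELF32 -> %d\n", comment23_result(), minimal_elf32_result());
    return 0;
}
```

Build with `cc -std=c99` and run. The naive product of 0x08000001 entries of 64 bytes comes out as 64, which is the kind of malloc() size the report warns about; the checked version refuses the same count, and the comment 23 header is rejected because its e_shoff of 0x41414141 lies far outside a 52-byte file even though its count and entry size do not overflow on their own.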
Comment 1 Tavis Ormandy (RETIRED) 2005-05-04 01:16:13 UTC
Created attachment 57996 [details] example malformed binary
Comment 2 solar (RETIRED) 2005-05-04 01:31:29 UTC
add execstack/prelink to the list
Comment 3 Tavis Ormandy (RETIRED) 2005-05-04 01:45:45 UTC
sys-apps/less uses strings in lesspipe.sh; convincing someone a binary is a text file (eg, calling it README.TXT) and getting them to run less on it could trigger this vulnerability. Try running less on the attached binary, then look at the console:
/usr/bin/lesspipe.sh: line 10: 15082 Segmentation fault (core dumped) strings "$F"
Comment 4 solar (RETIRED) 2005-05-04 02:29:08 UTC
Only the first 78 bytes of the a.out matter. (head -c78 a.out)
gdb crashes here.
#0  0x081dbe78 in bfd_elf32_object_p (abfd=0x831e458) at elfcode.h:662
#1  0x081c856c in bfd_check_format_matches (abfd=0x831e458, format=bfd_object, matching=0x0) at format.c:228
#2  0x081c8324 in bfd_check_format (abfd=0x831e458, format=bfd_object) at format.c:91
#3  0x08079fd0 in exec_file_attach (filename=0xbfffe615 "a.out", from_tty=0x1) at exec.c:221
#4  0x0807e390 in do_captured_command (data=0xbfffe120) at top.c:554
#5  0x0807e2fc in do_catch_errors (uiout=0x831cdc8, data=0xbfffe0f8) at top.c:524
#6  0x0807e0a0 in catcher (func=0x807e2e0 <do_catch_errors>, func_uiout=0x831cdc8, func_args=0xbfffe0f8, func_val=0xbfffe104, func_caught=0xbfffe100, errstring=0x823e4c1 "", gdberrmsg=0x0, mask=0x6) at top.c:431
#7  0x0807e350 in catch_errors (func=0x807e36a <do_captured_command>, func_args=0xbfffe120, errstring=0x823e4c1 "", mask=0x6) at top.c:536
#8  0x0807e3dd in catch_command_errors (command=0x8079eae <exec_file_attach>, arg=0xbfffe615 "a.out", from_tty=0x1, mask=0x6) at top.c:574
#9  0x0807536d in captured_main (data=0xbfffe440) at main.c:645
#10 0x0807e2fc in do_catch_errors (uiout=0x82c8c80, data=0xbfffe3f8) at top.c:524
#11 0x0807e0a0 in catcher (func=0x807e2e0 <do_catch_errors>, func_uiout=0x82c8c80, func_args=0xbfffe3f8, func_val=0xbfffe404, func_caught=0xbfffe400, errstring=0x823a71a "", gdberrmsg=0x0, mask=0x6) at top.c:431
#12 0x0807e350 in catch_errors (func=0x80748e7 <captured_main>, func_args=0xbfffe440, errstring=0x823a71a "", mask=0x6) at top.c:536
#13 0x08075702 in gdb_main (args=0xbfffe440) at main.c:810
#14 0x080748a4 in main (argc=0x2, argv=0xbfffe4b4) at gdb.c:35
Comment 5 solar (RETIRED) 2005-05-04 02:38:36 UTC
eu-readelf crashes here.
#0  0x40039490 in file_read_elf (fildes=0x805bb18, map_address=0x40016000, offset=0x0, maxsize=0x65, cmd=ELF_C_READ_MMAP, parent=0x0) at elf_begin.c:274
#1  0x400399dd in __libelf_read_mmaped_file (fildes=0x3, map_address=0x40016000, offset=0x0, maxsize=0x200, cmd=ELF_C_READ_MMAP, parent=0x0) at elf_begin.c:432
#2  0x40039ec8 in read_file (fildes=0x3, offset=0x0, maxsize=0x200, cmd=ELF_C_READ_MMAP, parent=0x0) at elf_begin.c:548
#3  0x4003a919 in elf_begin (fildes=0x3, cmd=ELF_C_READ_MMAP, ref=0x0) at elf_begin.c:1025
#4  0x08049ede in main (argc=0x3, argv=0xbfffe574) at readelf.c:208
----------
All the elfutils die in file_read_elf()
Comment 6 Tavis Ormandy (RETIRED) 2005-05-04 12:37:33 UTC
Created attachment 58057 [details, diff] patch for binutils provided by Sebastian Krahmer of suse.
Comment 7 Tavis Ormandy (RETIRED) 2005-05-04 14:02:31 UTC
app-editors/hteditor-0.8.0-r1 has a patch that corrects this issue from dragonheart.
Comment 8 Tavis Ormandy (RETIRED) 2005-05-04 23:26:16 UTC
hteditor upstream have fixed the bug in their cvs repository, ChangeLog entry: http://cvs.sourceforge.net/viewcvs.py/hte/HT%20Editor/ChangeLog?r1=text&tr1=1.92&r2=text&tr2=1.91&diff_format=h
Comment 9 Tavis Ormandy (RETIRED) 2005-05-05 00:43:31 UTC
app-editors/hteditor-0.8.0-r2 was committed by dragonheart and contains a fix for this issue and an additional fix from cvs to prevent a buffer overflow when parsing PE executables.
Comment 10 Sune Kloppenborg Jeppesen 2005-05-05 07:04:48 UTC
handling app-editors/hteditor stable marking on bug #91569
Comment 11 solar (RETIRED) 2005-05-05 17:14:38 UTC
gdb-6.3-r3 patched up with suse bfd/elfcode patch. (no arch has marked the .gdbinit sec bug former-r2 as stable)
gdb-6.0: -hppa ia64
gdb-6.1: s390
gdb-6.2: ppc
gdb-6.2.1: mips
gdb-6.2.1-r1: -sparc
gdb-6.3: ppc64 alpha hppa amd64 arm x86 sparc
gdb-6.3-r3: ~arm ~hppa ~x86 ~amd64 ~ppc ~alpha ~sparc ~ppc64 ~mips
Comment 12 SpanKY 2005-05-05 19:32:47 UTC
added the patch by Sebastian to binutils, but solar pointed out it's not a complete fix ... still possible to crash bfd
Comment 13 solar (RETIRED) 2005-05-05 23:45:32 UTC
Created attachment 58185 [details] execstack-prelink-debug.txt
I don't use prelink or ES so somebody else will have to look into it further.. (It's non BFD based)
Comment 14 solar (RETIRED) 2005-05-06 00:09:19 UTC
Any dev that's on the binutils-ml want to report this and a few more bfd based crashes?
Comment 15 SpanKY 2005-05-06 05:36:50 UTC
sure i'll report it to binutils ... i wasnt sure if you were going to ;)
Comment 16 solar (RETIRED) 2005-05-08 07:13:17 UTC
Comment 17 Tavis Ormandy (RETIRED) 2005-05-09 05:59:53 UTC
Created attachment 58471 [details, diff] fix for crash on phdr == NULL
Comment 18 Tavis Ormandy (RETIRED) 2005-05-09 06:00:31 UTC
Created attachment 58472 [details] phdr == NULL testcase
Comment 19 Tavis Ormandy (RETIRED) 2005-05-09 06:33:58 UTC
Created attachment 58473 [details, diff] fix for crash on phdr or hdr == NULL
Comment 20 Tavis Ormandy (RETIRED) 2005-05-09 06:34:48 UTC
Created attachment 58474 [details] hdr == NULL testcase
Comment 21 Tavis Ormandy (RETIRED) 2005-05-09 08:00:14 UTC
Created attachment 58482 [details, diff] additional sanity checks fix additional crashes identified by solar.
Comment 22 Thierry Carrez (RETIRED) 2005-05-13 01:38:47 UTC
Using this as an audit tracker -> Component set to Auditing. Separate bugs have been opened for each of the affected software.
Comment 23 solar (RETIRED) 2005-05-13 07:06:55 UTC
A patched elfutils crashes (other?) with the following 52 byte ELF.
"\x7f\x45\x4c\x46\x01\x02\x01\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
Comment 24 SpanKY 2005-05-16 20:06:20 UTC
binutils-18.104.22.168.2-r9 is now in portage patched. If I see no issues, I'll update the other binutils versions.
Comment 25 SpanKY 2005-05-25 15:32:39 UTC
upstream just posted another fix today heh
Comment 26 SpanKY 2005-05-28 01:37:31 UTC
The following versions of binutils have been added (only versions which were actually KEYWORD-ed have been bumped). Note, not all of these are candidates for stable, I'm just listing what has a revbump ... if I missed a version, tell me :p
*binutils-22.214.171.124.8-r3
*binutils-126.96.36.199.1.1-r5
*binutils-188.8.131.52.3-r5
*binutils-184.108.40.206.2-r2
*binutils-220.127.116.11.2-r10
*binutils-2.16-r1
Comment 27 Sune Kloppenborg Jeppesen 2005-05-28 06:24:06 UTC
Arches please mark your version stable. Note: m68k does not have an arch alias and thus was not called.
Comment 28 Michael Hanselmann (hansmi) (RETIRED) 2005-05-28 13:00:35 UTC
Already marked stable by lu_zero.
Comment 29 Daniel Gryniewicz (RETIRED) 2005-05-28 13:58:58 UTC
stable on amd64
Comment 30 Markus Rothe (RETIRED) 2005-05-28 14:18:33 UTC
stable on ppc64
Comment 31 René Nussbaumer (RETIRED) 2005-05-28 15:20:12 UTC
Stable on hppa
Comment 32 Thierry Carrez (RETIRED) 2005-05-29 03:15:23 UTC
Keeping this bug for binutils... and marking the other one as dupe
Comment 33 Thierry Carrez (RETIRED) 2005-05-29 03:16:23 UTC
*** Bug 91813 has been marked as a duplicate of this bug. ***
Comment 34 Bryan Østergaard (RETIRED) 2005-05-29 05:51:56 UTC
Stable on alpha + ia64.
Comment 35 Gustavo Zacarias (RETIRED) 2005-05-31 13:22:23 UTC
binutils-18.104.22.168.2-r10 sparc stable.
Comment 36 Olivier Crete (RETIRED) 2005-05-31 15:50:33 UTC
binutils-22.214.171.124.2-r10.ebuild was marked stable by spanky..
Comment 37 Sune Kloppenborg Jeppesen 2005-06-01 08:31:43 UTC
GLSA 200506-01 mips, s390, sh please remember to mark stable.
Comment 38 Hardave Riar (RETIRED) 2005-07-07 15:42:43 UTC
binutils-126.96.36.199.2-r10 stable on mips.