Bug 91398 - sys-devel/binutils: heap overflow
Summary: sys-devel/binutils: heap overflow
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High minor
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa] jaervosz
Keywords:
Duplicates: 91813
Depends on:
Blocks: 91817
Reported: 2005-05-04 01:15 UTC by Tavis Ormandy (RETIRED)
Modified: 2007-06-24 23:33 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
example malformed binary (a.out, 512 bytes, application/octet-stream), 2005-05-04 01:16 UTC, Tavis Ormandy (RETIRED)
patch for binutils provided by Sebastian Krahmer of suse (binutils-2.15.91.0.2-malloc-wrap.diff, 2,937 bytes, patch), 2005-05-04 12:37 UTC, Tavis Ormandy (RETIRED)
execstack-prelink-debug.txt (execstack-prelink-debug.txt, 7.45 KB, text/plain), 2005-05-05 23:45 UTC, solar (RETIRED)
fix for crash on phdr == NULL (phdr-null.diff, 515 bytes, patch), 2005-05-09 05:59 UTC, Tavis Ormandy (RETIRED)
phdr == NULL testcase (a.out.001, 392 bytes, application/octet-stream), 2005-05-09 06:00 UTC, Tavis Ormandy (RETIRED)
fix for crash on phdr or hdr == NULL (phdr-or-hdr-null.diff, 755 bytes, patch), 2005-05-09 06:33 UTC, Tavis Ormandy (RETIRED)
hdr == NULL testcase (a.out.002, 392 bytes, application/octet-stream), 2005-05-09 06:34 UTC, Tavis Ormandy (RETIRED)
additional sanity checks (phdr-or-hdr-null.diff, 1.12 KB, patch), 2005-05-09 08:00 UTC, Tavis Ormandy (RETIRED)

Description Tavis Ormandy (RETIRED) gentoo-dev 2005-05-04 01:15:32 UTC
Various applications dealing with binary files are vulnerable to a heap overflow: it's possible to integer-overflow the argument to malloc by specifying a specific number of section headers that, when multiplied with the size of the struct required to store the section headers, overflows, leading to a heap overflow.

I believe this issue to be exploitable.

The following packages are known to be vulnerable:

sys-devel/binutils (objdump, strings (!!!), nm, etc)
dev-libs/elfutils (eu-readelf, etc)
app-editors/hteditor
sys-devel/gdb

There are probably more, an example (harmless) binary  that triggers this bug is attached.
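The bug class the description above turns on, as an added example that is not code from binutils, BFD, elfutils or any other package on this bug: a header-supplied count multiplied by a record size, where the product wraps and malloc() hands back a buffer far smaller than the loop that fills it expects, beside the overflow-safe multiply and the file-bounds checks a section-header loader needs. Byte counts use uint32_t to stand in for a 32-bit size_t so the wrap reproduces on 64-bit hosts; REC_SIZE, the field names and the 52-byte sample header are assumptions made for illustration.

```c
/* Added example, not binutils/BFD/elfutils code.  uint32_t models a
 * 32-bit size_t; REC_SIZE, names and the sample header are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REC_SIZE    40u   /* assumed size of one in-memory header record */
#define EHDR32_SIZE 52u   /* size of an ELF32 file header */
#define SHDR32_SIZE 40u   /* size of one on-disk ELF32 section header */

/* Vulnerable pattern: count * REC_SIZE in wrapping 32-bit arithmetic.
 * For count = 107374183 the product is 2^32 + 24, so malloc(24) succeeds
 * and copying `count` records then writes far past the buffer. */
uint32_t vuln_table_bytes(uint32_t count)
{
    return count * REC_SIZE;
}

/* Hardened: 0 means "refuse"; the product is returned only if it cannot
 * have wrapped (division is the standard overflow-safe test). */
uint32_t safe_table_bytes(uint32_t count)
{
    if (count == 0 || count > UINT32_MAX / REC_SIZE)
        return 0;
    return count * REC_SIZE;
}

struct ehdr_fields {
    uint32_t shoff;        /* e_shoff: file offset of the section header table */
    uint16_t shentsize;    /* e_shentsize */
    uint16_t shnum;        /* e_shnum */
};

static uint16_t rd16(const uint8_t *p, int le)
{
    return le ? (uint16_t)(p[0] | p[1] << 8) : (uint16_t)(p[0] << 8 | p[1]);
}

static uint32_t rd32(const uint8_t *p, int le)
{
    return le ? ((uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24)
              : ((uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | (uint32_t)p[3]);
}

/* Pull the section-header-table fields out of an ELF32 header.
 * Returns -1 unless buf holds a complete ELFCLASS32 header. */
int parse_ehdr32(const uint8_t *buf, size_t len, struct ehdr_fields *out)
{
    if (len < EHDR32_SIZE || memcmp(buf, "\x7f" "ELF", 4) != 0 || buf[4] != 1)
        return -1;
    if (buf[5] != 1 && buf[5] != 2)          /* EI_DATA must be LSB or MSB */
        return -1;
    int le = (buf[5] == 1);
    out->shoff     = rd32(buf + 32, le);
    out->shentsize = rd16(buf + 46, le);
    out->shnum     = rd16(buf + 48, le);
    return 0;
}

/* Vulnerable bounds check: the sum is done in 32 bits, so a huge e_shoff
 * wraps around and the table appears to lie inside the file. */
int vuln_table_fits(const struct ehdr_fields *h, uint32_t file_size)
{
    uint32_t end = h->shoff + (uint32_t)h->shnum * h->shentsize;
    return end <= file_size;
}

/* Hardened checks before anything is allocated or read: entries at least
 * the on-disk size, the in-memory table representable, and the on-disk
 * table inside the file, summed in 64 bits so nothing can wrap. */
int shdr_table_ok(const struct ehdr_fields *h, uint64_t file_size)
{
    if (h->shnum == 0)
        return 1;                            /* no table: nothing to load */
    if (h->shentsize < SHDR32_SIZE || safe_table_bytes(h->shnum) == 0)
        return 0;
    uint64_t table = (uint64_t)h->shnum * h->shentsize;
    return h->shoff >= EHDR32_SIZE && h->shoff + table <= file_size;
}

/* Constructed 52-byte ELF32 header (not one of this bug's attachments):
 * little-endian, e_shoff = 0xFFFFFFE0, e_shentsize = 40, e_shnum = 2. */
const uint8_t sample_hdr[EHDR32_SIZE] = {
    0x7f, 'E', 'L', 'F', 1, 1, 1, 0,  0, 0, 0, 0, 0, 0, 0, 0,
    2, 0,  3, 0,  1, 0, 0, 0,  0, 0, 0, 0,  0, 0, 0, 0,
    0xe0, 0xff, 0xff, 0xff,  0, 0, 0, 0,  52, 0,  0, 0,  0, 0,
    40, 0,  2, 0,  0, 0
};

/* Run the sample through both checks: bit 0 set if the naive check
 * accepted it, bit 1 set if the hardened check did; -1 on parse failure. */
int sample_verdict(void)
{
    struct ehdr_fields h;
    if (parse_ehdr32(sample_hdr, sizeof sample_hdr, &h) != 0)
        return -1;
    return (vuln_table_fits(&h, sizeof sample_hdr) ? 1 : 0)
         | (shdr_table_ok(&h, sizeof sample_hdr) ? 2 : 0);
}

int main(void)
{
    printf("count 107374183: wrapping size %u, checked size %u\n",
           vuln_table_bytes(107374183u), safe_table_bytes(107374183u));
    printf("sample header verdict: %d (1 = only the naive check accepts it)\n",
           sample_verdict());
    return 0;
}
```

The two halves show the two places such a loader must not trust header arithmetic: the malloc() argument (checked by division before multiplying) and the offset-plus-length bound (summed in a wider type, or checked as `table <= file_size - shoff` after confirming `shoff <= file_size`). A loader that also honours the 16-bit e_shnum as the only count source cannot wrap the first product on its own, which is why the count here is modelled as a 32-bit value.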
Comment 1 Tavis Ormandy (RETIRED) gentoo-dev 2005-05-04 01:16:13 UTC
Created attachment 57996 [details]
example malformed binary
Comment 2 solar (RETIRED) gentoo-dev 2005-05-04 01:31:29 UTC
add execstack/prelink to the list
Comment 3 Tavis Ormandy (RETIRED) gentoo-dev 2005-05-04 01:45:45 UTC
sys-apps/less uses strings in lesspipe.sh; convincing someone a binary is a text file (e.g. calling it README.TXT) and getting them to run less on it could trigger this vulnerability.

try running less on the attached binary, then look at the console.

/usr/bin/lesspipe.sh: line 10: 15082 Segmentation fault      (core dumped) strings "$F"
Comment 4 solar (RETIRED) gentoo-dev 2005-05-04 02:29:08 UTC
Only the first 78 bytes of the a.out matter. (head -c78 a.out)

gdb crashes here.

#0  0x081dbe78 in bfd_elf32_object_p (abfd=0x831e458) at elfcode.h:662
#1  0x081c856c in bfd_check_format_matches (abfd=0x831e458, format=bfd_object, matching=0x0) at format.c:228
#2  0x081c8324 in bfd_check_format (abfd=0x831e458, format=bfd_object) at format.c:91
#3  0x08079fd0 in exec_file_attach (filename=0xbfffe615 "a.out", from_tty=0x1) at exec.c:221
#4  0x0807e390 in do_captured_command (data=0xbfffe120) at top.c:554
#5  0x0807e2fc in do_catch_errors (uiout=0x831cdc8, data=0xbfffe0f8) at top.c:524
#6  0x0807e0a0 in catcher (func=0x807e2e0 <do_catch_errors>, func_uiout=0x831cdc8, func_args=0xbfffe0f8, func_val=0xbfffe104, func_caught=0xbfffe100, errstring=0x823e4c1 "", gdberrmsg=0x0, mask=0x6) at top.c:431
#7  0x0807e350 in catch_errors (func=0x807e36a <do_captured_command>, func_args=0xbfffe120, errstring=0x823e4c1 "", mask=0x6) at top.c:536
#8  0x0807e3dd in catch_command_errors (command=0x8079eae <exec_file_attach>, arg=0xbfffe615 "a.out", from_tty=0x1, mask=0x6) at top.c:574
#9  0x0807536d in captured_main (data=0xbfffe440) at main.c:645
#10 0x0807e2fc in do_catch_errors (uiout=0x82c8c80, data=0xbfffe3f8) at top.c:524
#11 0x0807e0a0 in catcher (func=0x807e2e0 <do_catch_errors>, func_uiout=0x82c8c80, func_args=0xbfffe3f8, func_val=0xbfffe404, func_caught=0xbfffe400, errstring=0x823a71a "", gdberrmsg=0x0, mask=0x6) at top.c:431
#12 0x0807e350 in catch_errors (func=0x80748e7 <captured_main>, func_args=0xbfffe440, errstring=0x823a71a "", mask=0x6) at top.c:536
#13 0x08075702 in gdb_main (args=0xbfffe440) at main.c:810
#14 0x080748a4 in main (argc=0x2, argv=0xbfffe4b4) at gdb.c:35
Comment 5 solar (RETIRED) gentoo-dev 2005-05-04 02:38:36 UTC
eu-readelf crashes here. 

#0  0x40039490 in file_read_elf (fildes=0x805bb18, map_address=0x40016000, offset=0x0, maxsize=0x65, cmd=ELF_C_READ_MMAP, parent=0x0) at elf_begin.c:274
#1  0x400399dd in __libelf_read_mmaped_file (fildes=0x3, map_address=0x40016000, offset=0x0, maxsize=0x200, cmd=ELF_C_READ_MMAP, parent=0x0) at elf_begin.c:432
#2  0x40039ec8 in read_file (fildes=0x3, offset=0x0, maxsize=0x200, cmd=ELF_C_READ_MMAP, parent=0x0) at elf_begin.c:548
#3  0x4003a919 in elf_begin (fildes=0x3, cmd=ELF_C_READ_MMAP, ref=0x0) at elf_begin.c:1025
#4  0x08049ede in main (argc=0x3, argv=0xbfffe574) at readelf.c:208

----------
All the elfutils die in file_read_elf()
Comment 6 Tavis Ormandy (RETIRED) gentoo-dev 2005-05-04 12:37:33 UTC
Created attachment 58057 [details, diff]
patch for binutils provided by Sebastian Krahmer of suse.
Comment 7 Tavis Ormandy (RETIRED) gentoo-dev 2005-05-04 14:02:31 UTC
app-editors/hteditor-0.8.0-r1 has a patch that corrects this issue from dragonheart.
Comment 8 Tavis Ormandy (RETIRED) gentoo-dev 2005-05-04 23:26:16 UTC
hteditor upstream have fixed the bug in their cvs repository, ChangeLog entry:

http://cvs.sourceforge.net/viewcvs.py/hte/HT%20Editor/ChangeLog?r1=text&tr1=1.92&r2=text&tr2=1.91&diff_format=h
Comment 9 Tavis Ormandy (RETIRED) gentoo-dev 2005-05-05 00:43:31 UTC
app-editors/hteditor-0.8.0-r2 was committed by dragonheart and contains a fix for this issue and an additional fix from cvs to prevent a buffer overflow when parsing PE executables.
Comment 10 Sune Kloppenborg Jeppesen gentoo-dev 2005-05-05 07:04:48 UTC
handling app-editors/hteditor stable marking on bug #91569
Comment 11 solar (RETIRED) gentoo-dev 2005-05-05 17:14:38 UTC
gdb-6.3-r3 patched up with suse bfd/elfcode patch.
(no arch has marked the .gdbinit sec bug former-r2 as stable)

gdb-6.0:  -hppa ia64
gdb-6.1:  s390
gdb-6.2:  ppc
gdb-6.2.1:  mips
gdb-6.2.1-r1:  -sparc
gdb-6.3:  ppc64 alpha hppa amd64 arm x86 sparc
gdb-6.3-r3:  ~arm ~hppa ~x86 ~amd64 ~ppc ~alpha ~sparc ~ppc64 ~mips
Comment 12 SpanKY gentoo-dev 2005-05-05 19:32:47 UTC
added the patch by Sebastian to binutils, but solar pointed out it's not a complete fix ... still possible to crash bfd
Comment 13 solar (RETIRED) gentoo-dev 2005-05-05 23:45:32 UTC
Created attachment 58185 [details]
execstack-prelink-debug.txt

I don't use prelink or ES so somebody else will have to look into it further..
(It's non BFD based)
Comment 14 solar (RETIRED) gentoo-dev 2005-05-06 00:09:19 UTC
Any dev that's on the binutils-ml want to report this and a few more bfd-based crashes?
Comment 15 SpanKY gentoo-dev 2005-05-06 05:36:50 UTC
sure i'll report it to binutils ... i wasn't sure if you were going to ;)
Comment 17 Tavis Ormandy (RETIRED) gentoo-dev 2005-05-09 05:59:53 UTC
Created attachment 58471 [details, diff]
fix for crash on phdr == NULL
Comment 18 Tavis Ormandy (RETIRED) gentoo-dev 2005-05-09 06:00:31 UTC
Created attachment 58472 [details]
phdr == NULL testcase
Comment 19 Tavis Ormandy (RETIRED) gentoo-dev 2005-05-09 06:33:58 UTC
Created attachment 58473 [details, diff]
fix for crash on phdr or hdr == NULL
Comment 20 Tavis Ormandy (RETIRED) gentoo-dev 2005-05-09 06:34:48 UTC
Created attachment 58474 [details]
hdr == NULL testcase
Comment 21 Tavis Ormandy (RETIRED) gentoo-dev 2005-05-09 08:00:14 UTC
Created attachment 58482 [details, diff]
additional sanity checks

fix additional crashes identified by solar.
Comment 22 Thierry Carrez (RETIRED) gentoo-dev 2005-05-13 01:38:47 UTC
Using this as an audit tracker -> Component set to Auditing. Separate bugs have been opened for each of the affected software.
Comment 23 solar (RETIRED) gentoo-dev 2005-05-13 07:06:55 UTC
A patched elfutils crashes (other?) with the following 52-byte ELF.
"\x7f\x45\x4c\x46\x01\x02\x01\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
Comment 24 SpanKY gentoo-dev 2005-05-16 20:06:20 UTC
binutils-2.15.92.0.2-r9 is now in portage patched

if i see no issues, i'll update the other binutil versions
Comment 25 SpanKY gentoo-dev 2005-05-25 15:32:39 UTC
upstream just posted another fix today heh
Comment 26 SpanKY gentoo-dev 2005-05-28 01:37:31 UTC
following versions of binutils have been added (only versions which were
actually KEYWORD-ed have been bumped)

note, not all of these are candidates for stable, i'm just listing what has a
revbump ... if i missed a version, tell me :p

*binutils-2.14.90.0.8-r3
*binutils-2.15.90.0.1.1-r5
*binutils-2.15.90.0.3-r5
*binutils-2.15.91.0.2-r2
*binutils-2.15.92.0.2-r10
*binutils-2.16-r1
Comment 27 Sune Kloppenborg Jeppesen gentoo-dev 2005-05-28 06:24:06 UTC
Arches please mark your version stable.  
 
Note: m68k does not have an arch alias and thus was not called. 
Comment 28 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-05-28 13:00:35 UTC
Already marked stable by lu_zero.
Comment 29 Daniel Gryniewicz (RETIRED) gentoo-dev 2005-05-28 13:58:58 UTC
stable on amd64
Comment 30 Markus Rothe (RETIRED) gentoo-dev 2005-05-28 14:18:33 UTC
stable on ppc64
Comment 31 René Nussbaumer (RETIRED) gentoo-dev 2005-05-28 15:20:12 UTC
Stable on hppa
Comment 32 Thierry Carrez (RETIRED) gentoo-dev 2005-05-29 03:15:23 UTC
Keeping this bug for binutils... and marking the other one as dupe
Comment 33 Thierry Carrez (RETIRED) gentoo-dev 2005-05-29 03:16:23 UTC
*** Bug 91813 has been marked as a duplicate of this bug. ***
Comment 34 Bryan Østergaard (RETIRED) gentoo-dev 2005-05-29 05:51:56 UTC
Stable on alpha + ia64.
Comment 35 Gustavo Zacarias (RETIRED) gentoo-dev 2005-05-31 13:22:23 UTC
binutils-2.15.92.0.2-r10 sparc stable.
Comment 36 Olivier Crete (RETIRED) gentoo-dev 2005-05-31 15:50:33 UTC
binutils-2.15.92.0.2-r10.ebuild was marked stable by spanky.. 
Comment 37 Sune Kloppenborg Jeppesen gentoo-dev 2005-06-01 08:31:43 UTC
GLSA 200506-01 
 
mips, s390, sh please remember to mark stable. 
Comment 38 Hardave Riar (RETIRED) gentoo-dev 2005-07-07 15:42:43 UTC
binutils-2.15.92.0.2-r10 stable on mips.