[Bug binutils/22306] New: Invalid free() in slurp_symtab() [Heap corruption]

Mon, 16 Oct 2017 19:56:19 -0700 

https://sourceware.org/bugzilla/show_bug.cgi?id=22306

            Bug ID: 22306
           Summary: Invalid free() in slurp_symtab() [Heap corruption]
           Product: binutils
           Version: 2.30 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: mgcho.minic at gmail dot com
  Target Milestone: ---

Created attachment 10533
  --> https://sourceware.org/bugzilla/attachment.cgi?id=10533&action=edit
poc for heap corruption

Triggered by "./objdump -x $POC"


The GDB debugging information is as follows:

(gdb) r -x $POC

(gdb) bt
#0  0xb7fd9ce5 in __kernel_vsyscall ()
#1  0xb7e2bea9 in __GI_raise (sig=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#2  0xb7e2d407 in __GI_abort () at abort.c:89
#3  0xb7e6737c in __libc_message (do_abort=2, fmt=0xb7f5fdf4 "*** Error in
`%s': %s: 0x%s ***\n")
    at ../sysdeps/posix/libc_fatal.c:175
#4  0xb7e6d2f7 in malloc_printerr (action=<optimized out>, 
    str=0xb7f5fef0 "free(): invalid next size (fast)", ptr=<optimized out>, 
    ar_ptr=0xb7fb2780 <main_arena>) at malloc.c:5006
#5  0xb7e6dc31 in _int_free (av=0xb7fb2780 <main_arena>, p=<optimized out>,
have_lock=0)
    at malloc.c:3867
#6  0x080f3f55 in aout_get_external_symbols (abfd=0x81e9a08) at ./aoutx.h:1370
#7  0x080f3d15 in aout_32_slurp_symbol_table (abfd=0x81e9a08) at ./aoutx.h:1757
#8  0x080f4e30 in aout_32_get_symtab_upper_bound (abfd=0x81e9a08) at
./aoutx.h:2522
#9  0x0804aea7 in slurp_symtab (abfd=0x81e9a08) at ./objdump.c:615
#10 dump_bfd (abfd=0x81e9a08) at ./objdump.c:3523
#11 0x0804aa6e in display_object_bfd (abfd=0x81e9a08) at ./objdump.c:3611
#12 display_any_bfd (file=0x81e9a08, level=<optimized out>) at ./objdump.c:3700
#13 0x0804a4ea in display_file (filename=0xbffff30f "/tmp/heap-corruption", 
    target=<optimized out>, last_file=<optimized out>) at ./objdump.c:3721
#14 main (argc=<optimized out>, argv=<optimized out>) at ./objdump.c:4023


Credits:

This vulnerability was discovered by Mingi Cho and Taekyoung Kwon of the
Information Security Lab, Yonsei University. Please contact
mgcho.mi...@gmail.com and taekyo...@yonsei.ac.kr if you need more information
about the vulnerability and the lab.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
_______________________________________________
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils

Reply via email to