SIGSEGV in elf.c

Bug #1476790 reported by Francesco Mifsud
Affects: binutils (Ubuntu) | Status: Fix Released | Importance: Undecided | Assigned to: Unassigned

Bug Description

-=Binary=-
size

-=Package=-
binutils 2.25-10ubuntu1

-=Title=-
Program received signal SIGSEGV, Segmentation fault.

-=Input file=-
root@exploitdev-wily:~/Desktop/Reported crashes/size# xxd size-SIGSEGV
00000000: 7f45 4c46 0101 0130 3030 3030 3030 3030 .ELF...000000000
00000010: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
00000020: 4000 0000 3030 3030 3030 3030 0000 3030 @...00000000..00
00000030: 0000 0400 3030 3030 3030 3030 3030 3030 ....000000000000
00000040: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
00000050: 3030 3030 0700 0000 3030 3030 3030 3030 0000....00000000
00000060: 3030 3030 3030 3030 3000 0000 3030 3030 000000000...0000
00000070: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
00000080: 0000 0000 3030 3030 3030 3030 3030 3030 ....000000000000
00000090: 3000 0000 3030 3030 3030 3030 3030 3030 0...000000000000
000000a0: 3030 3030 3030 3030 0000 0000 3030 3030 00000000....0000
000000b0: 3030 3030 3030 3030 3000 0000 3030 3030 000000000...0000
000000c0: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
000000d0: 0000 0000 3030 3030 3030 3030 3030 3030 ....000000000000
000000e0: 3000 0000 1100 0000 3030 3030 3030 3030 0.......00000000
000000f0: 0002 0000 3019 0000 0000 0000 3030 3030 ....0.......0000
00000100: 3030 3030 0400 0000 3030 3030 3030 3030 0000....00000000
00000110: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
00000120: 0000 0000 3030 3030 3030 3030 3030 3030 ....000000000000
00000130: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
00000140: 3030 3030 3030 3030 0000 0000 3030 3030 00000000....0000
00000150: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
....
....
....
00001b00: 3030 3030 3030 3030 3130 3030 3030 3030 0000000010000000
00001b10: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
00001b20: 3030 3030 3030 3030 3030 3030 efbe adde 000000000000....

-=happens here=-
bfd_section_from_shdr (abfd=0x811a9f0, shindex=4) at elf.c:2030
2030 && (s = idx->shdr->bfd_section) != NULL

-=stacktrace=-
(gdb) backtrace
#0 bfd_section_from_shdr (abfd=0x811a9f0, shindex=4) at elf.c:2030
#1 0x08070b39 in bfd_elf32_object_p (abfd=0x811a9f0) at elfcode.h:800
#2 0x08055742 in bfd_check_format_matches (abfd=0x811a9f0, format=bfd_object, matching=0xbffff338) at format.c:305
#3 0x0804a8f0 in display_bfd (abfd=abfd@entry=0x811a9f0) at size.c:302
#4 0x0804aaaf in display_file (filename=0xbffff5d2 "size-SIGSEGV") at size.c:398
#5 0x08049fd4 in main (argc=2, argv=0xbffff434) at size.c:239

-=registers=-
(gdb) i r
eax 0x64b 1611
ecx 0x811d5a8 135386536
edx 0xdeadbeef -559038737 <===== CONTROL OVER EDX .. LAST 4 BYTES OF INPUT FILE
ebx 0x811a9f0 135375344
esp 0xbffff130 0xbffff130
ebp 0x811b4c8 0x811b4c8
esi 0x811cc48 135384136
edi 0x811d5d8 135386584
eip 0x807f268 0x807f268 <bfd_section_from_shdr+2920>
eflags 0x10282 [ SF IF RF ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
(gdb)

summary: SEG FAULT in elf.c → SIGSEGV in elf.c
Francesco Mifsud (gradiusx) wrote :

size size-SIGSEGV to replicate

Tyler Hicks (tyhicks) wrote :

Hello and thanks for reporting this bug! This issue has been fixed in the upstream binutils-gdb.git repo:

  https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=commit;h=06614111d1be94b43ea8dd83805184d4e177bcea

  Subject: More fixes for memory access violations exposed by fuzzed binaries.

The upstream bug report, with many reproducers, is here:

  https://sourceware.org/bugzilla/show_bug.cgi?id=17512

I'm going to go ahead and make this bug public.

information type: Private Security → Public Security
Tyler Hicks (tyhicks)
Changed in binutils (Ubuntu):
status: New → Triaged
Tyler Hicks (tyhicks) wrote :

After reading through the "strings / libbfd crasher" thread (part of which can be found here: http://openwall.com/lists/oss-security/2014/10/23/4), a CVE was not assigned to this issue.

I don't see how it could be anything more than a simple crasher and I don't believe it to be a real security concern. We will fix this in a future Ubuntu release but won't likely fix it in stable releases unless the impact is determined to be more severe.

Matthias Klose (doko) wrote :

fixed in 16.04 LTS

Changed in binutils (Ubuntu):
status: Triaged → Fix Released