An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is an out-of-bounds read leading to a SEGV in bfd_getl32 in libbfd.c, when called from pex64_get_runtime_function in pei-x86_64.c. Reference: https://sourceware.org/bugzilla/show_bug.cgi?id=24235
Created binutils tracking bugs for this issue:

Affects: fedora-all [bug 1680682]
Looks like an OOB read.

```
==6638== Memcheck, a memory error detector
==6638== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==6638== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
==6638== Command: objdump -x poc
==6638==

poc:     file format pei-x86-64
poc
architecture: i386:x86-64, flags 0x0000000d:
HAS_RELOC, HAS_LINENO, HAS_DEBUG
start address 0x0000000000000000

Characteristics 0x1018
        symbols stripped
        system file

Time/Date               Wed Dec 31 19:04:16 1969
Magic                   0000
MajorLinkerVersion      0
MinorLinkerVersion      0
SizeOfCode              00000000
SizeOfInitializedData   00000000
SizeOfUninitializedData 00000000
AddressOfEntryPoint     0000000000000000
BaseOfCode              0000000000000000
ImageBase               0000000000000000
SectionAlignment        0000000000000000
FileAlignment           0000000000000000
MajorOSystemVersion     0
MinorOSystemVersion     0
MajorImageVersion       0
MinorImageVersion       0
MajorSubsystemVersion   0
MinorSubsystemVersion   0
Win32Version            00000000
SizeOfImage             00000000
SizeOfHeaders           00000000
CheckSum                00000000
Subsystem               00000000        (unspecified)
DllCharacteristics      00000000
SizeOfStackReserve      0000000000000000
SizeOfStackCommit       0000000000000000
SizeOfHeapReserve       0000000000000000
SizeOfHeapCommit        0000000000000000
LoaderFlags             00000000
NumberOfRvaAndSizes     00000000

The Data Directory
Entry 0 0000000000000000 00000000 Export Directory [.edata (or where ever we found it)]
Entry 1 0000000000000000 00000000 Import Directory [parts of .idata]
Entry 2 0000000000000000 00000000 Resource Directory [.rsrc]
Entry 3 0000000000000000 00000000 Exception Directory [.pdata]
Entry 4 0000000000000000 00000000 Security Directory
Entry 5 0000000000000000 00000000 Base Relocation Directory [.reloc]
Entry 6 0000000000000000 00000000 Debug Directory
Entry 7 0000000000000000 00000000 Description Directory
Entry 8 0000000000000000 00000000 Special Directory
Entry 9 0000000000000000 00000000 Thread Storage Directory [.tls]
Entry a 0000000000000000 00000000 Load Configuration Directory
Entry b 0000000000000000 00000000 Bound Import Directory
Entry c 0000000000000000 00000000 Import Address Table Directory
Entry d 0000000000000000 00000000 Delay Import Directory
Entry e 0000000000000000 00000000 CLR Runtime Header
Entry f 0000000000000000 00000000 Reserved

Warning: .pdata section size (153092096) is not a multiple of 12
Warning: .pdata section size (384) is smaller than virtual size (153092096)

The Function Table (interpreted .pdata section contents)
vma:                    BeginAddress     EndAddress       UnwindData
0000000000000100:       0000000000000000 0000000000000000 0000000000000180
000000000000010c:       0000000004000000 0000000000000000 0000000000bbdfff

Dump of .pdata
0000000000000180 (rva: 00000180): 0000000000000000 - 0000000000000000
        Version: 1, Flags: none
        Nbr codes: 0, Prologue size: 0x00, Frame offset: 0x8, Frame reg: none
        User data:
          000: 01 00 00 64 00 00 00 00 00 00 00 00 00 00 00 00
          010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
          020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
          030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
          040: 00 00 00 00 00 00 00 00 00 00 00 64 00 00 00 00
          050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
          060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
          070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
          080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
          090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
          0a0: 00 00 00 eb 00 00 00 00 00 00 00 00 ff 00 00 00
          0b0: 00 00 00 00 00 00 00 00 00 00 80 00 00 00 00 00
          0c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
          0d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
          0e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
          0f0: 00 00 00 00 00 00 00 00 00 00 00 00
0000000000bbdfff (rva: 00bbdfff): 0000000004000000 - 0000000000000000
==6638== Invalid read of size 4
==6638==    at 0x5239E94: bfd_getl32 (libbfd.c:560)
==6638==    by 0x52B9F85: pex64_get_runtime_function.isra.2 (pei-x86_64.c:94)
==6638==    by 0x52BB15F: pex64_bfd_print_pdata_section (pei-x86_64.c:692)
==6638==    by 0x52C4A8A: _bfd_pex64_print_private_bfd_data_common (pex64igen.c:2908)
==6638==    by 0x52BD59C: pe_print_private_bfd_data (peicode.h:336)
==6638==    by 0x114043: dump_bfd_private_header (objdump.c:2991)
==6638==    by 0x114043: dump_bfd (objdump.c:3584)
==6638==    by 0x114A87: display_object_bfd (objdump.c:3683)
==6638==    by 0x114A87: display_any_bfd (objdump.c:3772)
==6638==    by 0x116EF3: display_file (objdump.c:3793)
==6638==    by 0x1108EC: main (objdump.c:4095)
==6638==  Address 0x69180be is not stack'd, malloc'd or (recently) free'd
==6638==
==6638==
==6638== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==6638==  Access not within mapped region at address 0x69180BE
==6638==    at 0x5239E94: bfd_getl32 (libbfd.c:560)
==6638==    by 0x52B9F85: pex64_get_runtime_function.isra.2 (pei-x86_64.c:94)
==6638==    by 0x52BB15F: pex64_bfd_print_pdata_section (pei-x86_64.c:692)
==6638==    by 0x52C4A8A: _bfd_pex64_print_private_bfd_data_common (pex64igen.c:2908)
==6638==    by 0x52BD59C: pe_print_private_bfd_data (peicode.h:336)
==6638==    by 0x114043: dump_bfd_private_header (objdump.c:2991)
==6638==    by 0x114043: dump_bfd (objdump.c:3584)
==6638==    by 0x114A87: display_object_bfd (objdump.c:3683)
==6638==    by 0x114A87: display_any_bfd (objdump.c:3772)
==6638==    by 0x116EF3: display_file (objdump.c:3793)
==6638==    by 0x1108EC: main (objdump.c:4095)
==6638==  If you believe this happened as a result of a stack
==6638==  overflow in your program's main thread (unlikely but
==6638==  possible), you can try to increase the size of the
==6638==  main thread stack using the --main-stacksize= flag.
==6638==  The main thread stack size used in this run was 8388608.
==6638==
==6638== HEAP SUMMARY:
==6638==     in use at exit: 117,092 bytes in 51 blocks
==6638==   total heap usage: 214 allocs, 163 frees, 183,209 bytes allocated
==6638==
==6638== LEAK SUMMARY:
==6638==    definitely lost: 0 bytes in 0 blocks
==6638==    indirectly lost: 0 bytes in 0 blocks
==6638==      possibly lost: 0 bytes in 0 blocks
==6638==    still reachable: 117,092 bytes in 51 blocks
==6638==         suppressed: 0 bytes in 0 blocks
==6638== Rerun with --leak-check=full to see details of leaked memory
==6638==
==6638== For counts of detected and suppressed errors, rerun with: -v
==6638== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault (core dumped)
```
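The trace above shows the failure mode: the header claims a .pdata virtual size far larger than the 384 bytes actually present, and the second function-table entry carries an UnwindData RVA (0xbbdfff) that points outside the data read from the file, which is then dereferenced through bfd_getl32. The following is an added defensive example, not binutils code, of how a .pdata walker can bound itself by the bytes actually read and resolve each UnwindData RVA against that bound before touching it; the `section`, `pdata_stats`, `sec_get_le32` and `walk_pdata` names are assumptions for this illustration, and the sample buffer is constructed to mirror the two entries in the report.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdbool.h>
/* Added example (not binutils code): bounds-checked walk over a PE32+ .pdata
 * table of 12-byte entries (BeginAddress, EndAddress, UnwindData; LE 32-bit). */
#define PDATA_ENTRY_SIZE 12
/* rva = image address of the section; raw_len = bytes actually read from the file */
struct section { uint32_t rva; const uint8_t *data; size_t raw_len; };
struct pdata_stats { int entries; int rejected; };
/* Read a 32-bit LE value at an RVA, refusing any read that leaves the raw bytes. */
static bool sec_get_le32(const struct section *s, uint32_t rva, uint32_t *out)
{
    if (rva < s->rva) return false;
    uint32_t off = rva - s->rva;
    if (off > s->raw_len || s->raw_len - off < 4) return false;
    const uint8_t *p = s->data + off;
    *out = (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    return true;
}
/* Walk the table bounded by raw_len, never by the header's virtual size, and
 * follow an UnwindData RVA only when it resolves inside the bytes present. */
static struct pdata_stats walk_pdata(const struct section *s, uint32_t virtual_size)
{
    struct pdata_stats st = { 0, 0 };
    size_t limit = virtual_size < s->raw_len ? virtual_size : s->raw_len;
    limit -= limit % PDATA_ENTRY_SIZE;   /* drop a trailing partial entry */
    for (size_t off = 0; off + PDATA_ENTRY_SIZE <= limit; off += PDATA_ENTRY_SIZE) {
        uint32_t base = s->rva + (uint32_t)off, begin, end, unwind, word;
        if (!sec_get_le32(s, base, &begin) || !sec_get_le32(s, base + 4, &end)
            || !sec_get_le32(s, base + 8, &unwind)) break;
        if (begin == 0 && end == 0 && unwind == 0) continue;   /* padding entry */
        st.entries++;
        if (!sec_get_le32(s, unwind, &word))
            st.rejected++;   /* RVA outside the data present: skip it, never read it */
    }
    return st;
}
/* Constructed sample mirroring the report: two entries, the second pointing its
 * UnwindData at RVA 0xbbdfff, far beyond the 256 bytes present, while the
 * header claims the section is 153092096 bytes long. */
static struct pdata_stats demo(void)
{
    static uint8_t buf[256];
    static const uint8_t entries[24] = {
        0,0,0,0,    0,0,0,0, 0x80,0x01,0,0,        /* 0,          0, 0x180 (inside) */
        0,0,0,0x04, 0,0,0,0, 0xff,0xdf,0xbb,0 };   /* 0x04000000, 0, 0xbbdfff        */
    memcpy(buf, entries, sizeof entries);
    struct section pdata = { 0x100, buf, sizeof buf };
    return walk_pdata(&pdata, 153092096u);
}
```

With this input the walker reports two real entries and rejects one unwind pointer instead of reading past the buffer, which is exactly the read that Valgrind flags in the trace.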
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-9074