A flaw was found in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. An invalid memory address dereference was discovered in read_reloc in reloc.c. The vulnerability causes a segmentation fault and application crash, which leads to denial of service, as demonstrated by objdump, because of missing _bfd_clear_contents bounds checking.

References: https://sourceware.org/bugzilla/show_bug.cgi?id=23770

Upstream Patch: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=0930cb3021b8078b34cf216e79eb8608d017864f
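The defect class described above is a relocation whose file-supplied offset is used to address section contents without first checking that the addressed field lies inside the section buffer. The following is an added illustration, not libbfd's code and not the upstream patch: a hypothetical `struct reloc`, an overflow-safe range check `reloc_in_range`, and a `clear_contents_checked` routine that refuses out-of-range relocations instead of dereferencing through them. The relocation table in `main` is constructed for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of a relocation entry (not libbfd's arelent). */
struct reloc {
    size_t offset;   /* byte offset of the field to patch within the section */
    size_t size;     /* width in bytes of the field (1, 2, 4 or 8) */
};

/* Is [offset, offset + size) inside a section of sec_size bytes?
   Written so that offset + size can never wrap around size_t. */
bool reloc_in_range(size_t sec_size, size_t offset, size_t size)
{
    return offset <= sec_size && size <= sec_size - offset;
}

/* Unchecked variant modelling the defect class: it trusts the offset taken
   from the input file and writes through it. Shown only for contrast. */
void clear_contents_unchecked(uint8_t *data, const struct reloc *r)
{
    memset(data + r->offset, 0, r->size);
}

/* Hardened variant: validates the field against the section size first and
   reports a refused relocation to the caller instead of touching memory. */
bool clear_contents_checked(uint8_t *data, size_t sec_size, const struct reloc *r)
{
    if (!reloc_in_range(sec_size, r->offset, r->size))
        return false;
    memset(data + r->offset, 0, r->size);
    return true;
}

/* Apply a relocation table to a section buffer; returns how many entries
   were rejected as out of range. */
size_t apply_relocs(uint8_t *data, size_t sec_size,
                    const struct reloc *relocs, size_t n)
{
    size_t rejected = 0;
    for (size_t i = 0; i < n; i++) {
        if (!clear_contents_checked(data, sec_size, &relocs[i]))
            rejected++;
    }
    return rejected;
}

int main(void)
{
    uint8_t section[16];
    memset(section, 0xff, sizeof section);

    /* Constructed table: two entries in range, one straddling the end of the
       section, and one whose offset would wrap if added naively. */
    struct reloc table[] = {
        { 0, 4 }, { 12, 4 }, { 14, 4 }, { SIZE_MAX - 1, 4 },
    };
    size_t rejected = apply_relocs(section, sizeof section, table, 4);
    printf("rejected %zu of 4 relocations\n", rejected);
    return 0;
}
```

The subtraction form of the check (`size <= sec_size - offset`) matters: the more natural `offset + size <= sec_size` can overflow and pass for a huge offset, which is exactly the kind of input a crafted object file supplies.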
Created binutils tracking bugs for this issue:

Affects: fedora-all [bug 1639914]

Created mingw-binutils tracking bugs for this issue:

Affects: epel-all [bug 1639912]
Affects: fedora-all [bug 1639916]
Unable to reproduce on RHEL*.
Kept building this until I found a vulnerable version. I was only able to get this to reproduce in mainline and was NOT able to reproduce this in 2.31.1. Upstream report states "the latest binutils (v2.31.1)", so I was at least expecting a crash in that. Did a `git checkout a4cd947aca23d58966ead843e120f4c19db01030` to get to the target version the upstream fix mentions, and that did indeed crash. Seems like it was introduced then? Nevertheless, RHEL* still not affected.

```
[root@ binutils]# ./objdump -v
GNU objdump (GNU Binutils) 2.31.51.20180914
Copyright (C) 2018 Free Software Foundation, Inc.
This program is free software; you may redistribute it under the terms of
the GNU General Public License version 3 or (at your option) any later version.
This program has absolutely no warranty.
[root@ binutils]# ./objdump -xg -W ~/poc
./objdump: /root/poc: unknown type [0x7000001] section `�������bss'

/root/poc:     file format elf64-little
/root/poc
architecture: UNKNOWN!, flags 0x00000011:
HAS_RELOC, HAS_SYMS
start address 0xff03010000000000

...... lots of junk skipped here ......

Can't get contents for section '.debug_info'.
  Length:                   44
  Version:                  2
  Offset into .debug_info:  0x0
  Pointer Size:             0
  Segment Size:             0
./objdump: Error: Invalid address size in .debug_aranges section!

Contents of the .debug_info section:

./objdump: Warning: Invalid pointer size (0) in compunit header, using 4 instead
  Compilation Unit @ offset 0x0:
   Length:        0x10 (32-bit)
   Version:       21
   Abbrev Offset: 0x0
   Pointer Size:  4
./objdump: Warning: CU at offset 0 contains corrupt or unsupported version number: 21.
./objdump: Warning: Invalid pointer size (0) in compunit header, using 4 instead
  Compilation Unit @ offset 0x14:
   Length:        0x2 (32-bit)
   Version:       48
   Abbrev Offset: 0x14
   Pointer Size:  4
./objdump: Warning: CU at offset 14 contains corrupt or unsupported version number: 48.
./objdump: Warning: Invalid pointer size (23) in compunit header, using 4 instead
  Compilation Unit @ offset 0x1a:
   Length:        0x140000 (32-bit)
   Version:       0
   Abbrev Offset: 0x11
   Pointer Size:  4
./objdump: Warning: Debug info is corrupted, .debug_info header at 0x1a has length 140000
Segmentation fault
[root@ binutils]#
```