Bug 1680665 (CVE-2019-9074) - CVE-2019-9074 binutils: out-of-bound read in function bfd_getl32 in libbfd.c
Summary: CVE-2019-9074 binutils: out-of-bound read in function bfd_getl32 in libbfd.c
Keywords:
Status: NEW
Alias: CVE-2019-9074
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: medium medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1680682 1691042 1691043
Blocks: 1680680
Reported: 2019-02-25 13:42 UTC by Dhananjay Arunesh
Modified: 2019-09-29 15:08 UTC (History)
CC List: 12 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:



Description Dhananjay Arunesh 2019-02-25 13:42:05 UTC
An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is an out-of-bounds read leading to a SEGV in bfd_getl32 in libbfd.c, when called from pex64_get_runtime_function in pei-x86_64.c.

Reference:
https://sourceware.org/bugzilla/show_bug.cgi?id=24235

Comment 1 Dhananjay Arunesh 2019-02-25 14:13:22 UTC
Created binutils tracking bugs for this issue:

Affects: fedora-all [bug 1680682]

Comment 2 Scott Gayou 2019-03-20 17:25:45 UTC
Looks like an OOB read.

```
==6638== Memcheck, a memory error detector
==6638== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==6638== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
==6638== Command: objdump -x poc
==6638== 

poc:     file format pei-x86-64
poc
architecture: i386:x86-64, flags 0x0000000d:
HAS_RELOC, HAS_LINENO, HAS_DEBUG
start address 0x0000000000000000

Characteristics 0x1018
	symbols stripped
	system file

Time/Date		Wed Dec 31 19:04:16 1969
Magic			0000
MajorLinkerVersion	0
MinorLinkerVersion	0
SizeOfCode		00000000
SizeOfInitializedData	00000000
SizeOfUninitializedData	00000000
AddressOfEntryPoint	0000000000000000
BaseOfCode		0000000000000000
ImageBase		0000000000000000
SectionAlignment	0000000000000000
FileAlignment		0000000000000000
MajorOSystemVersion	0
MinorOSystemVersion	0
MajorImageVersion	0
MinorImageVersion	0
MajorSubsystemVersion	0
MinorSubsystemVersion	0
Win32Version		00000000
SizeOfImage		00000000
SizeOfHeaders		00000000
CheckSum		00000000
Subsystem		00000000	(unspecified)
DllCharacteristics	00000000
SizeOfStackReserve	0000000000000000
SizeOfStackCommit	0000000000000000
SizeOfHeapReserve	0000000000000000
SizeOfHeapCommit	0000000000000000
LoaderFlags		00000000
NumberOfRvaAndSizes	00000000

The Data Directory
Entry 0 0000000000000000 00000000 Export Directory [.edata (or where ever we found it)]
Entry 1 0000000000000000 00000000 Import Directory [parts of .idata]
Entry 2 0000000000000000 00000000 Resource Directory [.rsrc]
Entry 3 0000000000000000 00000000 Exception Directory [.pdata]
Entry 4 0000000000000000 00000000 Security Directory
Entry 5 0000000000000000 00000000 Base Relocation Directory [.reloc]
Entry 6 0000000000000000 00000000 Debug Directory
Entry 7 0000000000000000 00000000 Description Directory
Entry 8 0000000000000000 00000000 Special Directory
Entry 9 0000000000000000 00000000 Thread Storage Directory [.tls]
Entry a 0000000000000000 00000000 Load Configuration Directory
Entry b 0000000000000000 00000000 Bound Import Directory
Entry c 0000000000000000 00000000 Import Address Table Directory
Entry d 0000000000000000 00000000 Delay Import Directory
Entry e 0000000000000000 00000000 CLR Runtime Header
Entry f 0000000000000000 00000000 Reserved
Warning: .pdata section size (153092096) is not a multiple of 12
Warning: .pdata section size (384) is smaller than virtual size (153092096)

The Function Table (interpreted .pdata section contents)
vma:			BeginAddress	 EndAddress	  UnwindData
 0000000000000100:	0000000000000000 0000000000000000 0000000000000180
 000000000000010c:	0000000004000000 0000000000000000 0000000000bbdfff

Dump of .pdata
 0000000000000180 (rva: 00000180): 0000000000000000 - 0000000000000000
	Version: 1, Flags: none
	Nbr codes: 0, Prologue size: 0x00, Frame offset: 0x8, Frame reg: none
	User data:
	  000: 01 00 00 64 00 00 00 00 00 00 00 00 00 00 00 00
	  010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
	  020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
	  030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
	  040: 00 00 00 00 00 00 00 00 00 00 00 64 00 00 00 00
	  050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
	  060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
	  070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
	  080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
	  090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
	  0a0: 00 00 00 eb 00 00 00 00 00 00 00 00 ff 00 00 00
	  0b0: 00 00 00 00 00 00 00 00 00 00 80 00 00 00 00 00
	  0c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
	  0d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
	  0e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
	  0f0: 00 00 00 00 00 00 00 00 00 00 00 00
 0000000000bbdfff (rva: 00bbdfff): 0000000004000000 - 0000000000000000
==6638== Invalid read of size 4
==6638==    at 0x5239E94: bfd_getl32 (libbfd.c:560)
==6638==    by 0x52B9F85: pex64_get_runtime_function.isra.2 (pei-x86_64.c:94)
==6638==    by 0x52BB15F: pex64_bfd_print_pdata_section (pei-x86_64.c:692)
==6638==    by 0x52C4A8A: _bfd_pex64_print_private_bfd_data_common (pex64igen.c:2908)
==6638==    by 0x52BD59C: pe_print_private_bfd_data (peicode.h:336)
==6638==    by 0x114043: dump_bfd_private_header (objdump.c:2991)
==6638==    by 0x114043: dump_bfd (objdump.c:3584)
==6638==    by 0x114A87: display_object_bfd (objdump.c:3683)
==6638==    by 0x114A87: display_any_bfd (objdump.c:3772)
==6638==    by 0x116EF3: display_file (objdump.c:3793)
==6638==    by 0x1108EC: main (objdump.c:4095)
==6638==  Address 0x69180be is not stack'd, malloc'd or (recently) free'd
==6638== 
==6638== 
==6638== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==6638==  Access not within mapped region at address 0x69180BE
==6638==    at 0x5239E94: bfd_getl32 (libbfd.c:560)
==6638==    by 0x52B9F85: pex64_get_runtime_function.isra.2 (pei-x86_64.c:94)
==6638==    by 0x52BB15F: pex64_bfd_print_pdata_section (pei-x86_64.c:692)
==6638==    by 0x52C4A8A: _bfd_pex64_print_private_bfd_data_common (pex64igen.c:2908)
==6638==    by 0x52BD59C: pe_print_private_bfd_data (peicode.h:336)
==6638==    by 0x114043: dump_bfd_private_header (objdump.c:2991)
==6638==    by 0x114043: dump_bfd (objdump.c:3584)
==6638==    by 0x114A87: display_object_bfd (objdump.c:3683)
==6638==    by 0x114A87: display_any_bfd (objdump.c:3772)
==6638==    by 0x116EF3: display_file (objdump.c:3793)
==6638==    by 0x1108EC: main (objdump.c:4095)
==6638==  If you believe this happened as a result of a stack
==6638==  overflow in your program's main thread (unlikely but
==6638==  possible), you can try to increase the size of the
==6638==  main thread stack using the --main-stacksize= flag.
==6638==  The main thread stack size used in this run was 8388608.
==6638== 
==6638== HEAP SUMMARY:
==6638==     in use at exit: 117,092 bytes in 51 blocks
==6638==   total heap usage: 214 allocs, 163 frees, 183,209 bytes allocated
==6638== 
==6638== LEAK SUMMARY:
==6638==    definitely lost: 0 bytes in 0 blocks
==6638==    indirectly lost: 0 bytes in 0 blocks
==6638==      possibly lost: 0 bytes in 0 blocks
==6638==    still reachable: 117,092 bytes in 51 blocks
==6638==         suppressed: 0 bytes in 0 blocks
==6638== Rerun with --leak-check=full to see details of leaked memory
==6638== 
==6638== For counts of detected and suppressed errors, rerun with: -v
==6638== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault (core dumped)
```
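Added illustration of the failure mode described in the report and shown in the valgrind trace above; this is not binutils code. It is a bounds-checked reader for PE x86-64 .pdata (RUNTIME_FUNCTION) entries, with the two tells from the dump built in: the section has 384 bytes on disk but a declared virtual size of 153092096, and the second table entry carries an UnwindData RVA of 0x00bbdfff that no 384-byte section can contain. The section image is constructed here to mirror those two entries; the section RVA of 0x100 is assumed from the vma column, and all function names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PDATA_ENTRY_SIZE   12u
#define PDATA_FILE_SIZE    384u        /* bytes present on disk, from the first warning */
#define PDATA_VIRTUAL_SIZE 153092096u  /* declared virtual size, from the second warning */
#define PDATA_RVA          0x100u      /* section RVA; assumed from the vma column of the dump */

struct runtime_function { uint32_t begin, end, unwind; };

/* Little-endian 32-bit load with no bounds check, in the spirit of the
   bfd_getl32 frame in the trace: the caller is responsible for p[0..3]. */
static uint32_t getl32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Hardened variant: load only if [off, off+4) fits inside len bytes. */
static bool getl32_checked(const uint8_t *buf, size_t len, size_t off, uint32_t *out) {
    if (off > len || len - off < 4) return false;
    *out = getl32(buf + off);
    return true;
}

/* Number of entries to walk: bound the declared virtual size by the bytes
   actually read from the file, then divide by the entry size. Walking the
   virtual size instead is how a reader ends up far past the buffer. */
static size_t pdata_entry_count(size_t file_size, size_t virtual_size) {
    size_t usable = file_size < virtual_size ? file_size : virtual_size;
    return usable / PDATA_ENTRY_SIZE;
}

/* Read entry i; fails instead of reading past the end of the section buffer. */
static bool read_runtime_function(const uint8_t *pdata, size_t len, size_t i,
                                  struct runtime_function *rf) {
    if (i > SIZE_MAX / PDATA_ENTRY_SIZE) return false;  /* no overflow in the multiply */
    size_t off = i * PDATA_ENTRY_SIZE;
    return getl32_checked(pdata, len, off,     &rf->begin) &&
           getl32_checked(pdata, len, off + 4, &rf->end) &&
           getl32_checked(pdata, len, off + 8, &rf->unwind);
}

/* True if the entry's UnwindData RVA points at least 4 readable bytes inside
   the section bytes we actually hold (the UNWIND_INFO header is 4 bytes). */
static bool unwind_in_section(const struct runtime_function *rf, size_t len) {
    if (rf->unwind < PDATA_RVA) return false;
    size_t off = rf->unwind - PDATA_RVA;
    return off <= len && len - off >= 4;
}

/* Walk the table and count entries whose non-zero UnwindData RVA would send a
   reader outside the section. Returns (size_t)-1 if an entry itself is truncated. */
static size_t count_dangling_unwind(const uint8_t *pdata, size_t file_size, size_t virtual_size) {
    size_t n = pdata_entry_count(file_size, virtual_size), bad = 0;
    for (size_t i = 0; i < n; i++) {
        struct runtime_function rf;
        if (!read_runtime_function(pdata, file_size, i, &rf)) return (size_t)-1;
        if (rf.unwind != 0 && !unwind_in_section(&rf, file_size)) bad++;
    }
    return bad;
}

/* Constructed section image mirroring the two table entries in the dump;
   the remaining bytes are zero. */
static void build_sample_pdata(uint8_t out[PDATA_FILE_SIZE]) {
    static const uint8_t entries[2 * PDATA_ENTRY_SIZE] = {
        0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x80,0x01,0x00,0x00, /* 0, 0, 0x180 */
        0x00,0x00,0x00,0x04, 0x00,0x00,0x00,0x00, 0xff,0xdf,0xbb,0x00, /* 0x04000000, 0, 0xbbdfff */
    };
    memset(out, 0, PDATA_FILE_SIZE);
    memcpy(out, entries, sizeof entries);
}

int main(void) {
    uint8_t pdata[PDATA_FILE_SIZE];
    build_sample_pdata(pdata);
    printf("entries walked: %zu (naive, from virtual size: %zu)\n",
           pdata_entry_count(PDATA_FILE_SIZE, PDATA_VIRTUAL_SIZE),
           (size_t)PDATA_VIRTUAL_SIZE / PDATA_ENTRY_SIZE);
    printf("entries with dangling UnwindData: %zu\n",
           count_dangling_unwind(pdata, PDATA_FILE_SIZE, PDATA_VIRTUAL_SIZE));
    return 0;
}
```

The two checks that matter are the ones the warnings hint at: iterate over min(file size, virtual size) rather than the declared virtual size, and validate every RVA taken from the file against the bytes actually loaded before dereferencing it. With those in place the 0x00bbdfff entry is reported as dangling instead of being followed into unmapped memory.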

