GNU Binutils 2.30 CVE-2018-10535 Denial of Service

Authors:Guodong Zhu         Risk:High

CVE:CVE-2018-10535         0day:Denial of Service

0day -id:0DAY-176123        Date:2018-04-30


The ignore_section_sym function in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, does not validate the output_section pointer in the case of a symtab entry with a “SECTION” type that has a “0” value, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted file, as demonstrated by objcopy.


When processing a symtab entry with “SECTION” type and “0” value, objcopy fails to check pointer sym->section->output_section before calling ignore_section_sym in bfd/elf.c function “elf_map_symbols()”. The value of output_section can be 0x0.

# ------------
# Cmdline:
$ objcopy /tmp/objcopy_crash.input /dev/null

# ------------
# gdb output
Program received signal SIGSEGV, Segmentation fault.
0x000000000045f66c in ignore_section_sym (abfd=0x788290, sym=0x78faf0) at ../../bfd/elf.c:4033
4033                   || (sym->section->output_section->owner == abfd
(gdb) bt
#0  0x000000000045f66c in ignore_section_sym (abfd=0x788290, sym=0x78faf0) at ../../bfd/elf.c:4033
#1  0x000000000045f7fc in elf_map_symbols (abfd=0x788290, pnum_locals=0x7fffffffdc98) at ../../bfd/elf.c:4082
#2  0x0000000000468d91 in swap_out_syms (abfd=0x788290, sttp=0x7fffffffdda8, relocatable_p=1) at ../../bfd/elf.c:7760
#3  0x000000000045fdac in _bfd_elf_compute_section_file_positions (abfd=0x788290, link_info=0x0) at ../../bfd/elf.c:4236
#4  0x0000000000465380 in _bfd_elf_write_object_contents (abfd=0x788290) at ../../bfd/elf.c:6368
#5  0x00000000004331ce in bfd_close (abfd=0x788290) at ../../bfd/opncls.c:731
#6  0x0000000000409021 in copy_file (
    input_filename=0x7fffffffe507 "/tmp/objcopy_crash.input",
    output_filename=0x7fffffffe548 "/dev/null", input_target=0x0, output_target=0x532953 "elf32-i386", input_arch=0x0)
    at ../../binutils/objcopy.c:3539
#7  0x000000000040d048 in copy_main (argc=3, argv=0x7fffffffe218) at ../../binutils/objcopy.c:5484
#8  0x000000000040d384 in main (argc=3, argv=0x7fffffffe218) at ../../binutils/objcopy.c:5588
(gdb) info registers
rax            0x0      0
rbx            0x0      0
rcx            0x1      1
rdx            0x7860d0 7889104
rsi            0x78fb30 7928624
rdi            0x7882c0 7897792
rbp            0x7fffffffdbe0   0x7fffffffdbe0
rsp            0x7fffffffdbe0   0x7fffffffdbe0
r8             0x7ffff7bce188   140737349738888
r9             0x1      1
r10            0x1      1
r11            0x246    582
r12            0x4025c0 4203968
r13            0x7fffffffe220   140737488347680
r14            0x0      0
r15            0x0      0
rip            0x45f66c 0x45f66c <ignore_section_sym+181>
eflags         0x10287  [ CF PF SF IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
(gdb) info proc mapping
process 7026
Mapped address spaces:

          Start Addr           End Addr       Size     Offset objfile
            0x400000           0x566000   0x166000        0x0 /tmp/objcopy
            0x765000           0x777000    0x12000   0x165000 /tmp/objcopy
            0x777000           0x77e000     0x7000   0x177000 /tmp/objcopy
            0x77e000           0x7a4000    0x26000        0x0 [heap]
      0x7ffff7809000     0x7ffff79c9000   0x1c0000        0x0 /lib/x86_64-linux-gnu/
      0x7ffff79c9000     0x7ffff7bc9000   0x200000   0x1c0000 /lib/x86_64-linux-gnu/
      0x7ffff7bc9000     0x7ffff7bcd000     0x4000   0x1c0000 /lib/x86_64-linux-gnu/
      0x7ffff7bcd000     0x7ffff7bcf000     0x2000   0x1c4000 /lib/x86_64-linux-gnu/
      0x7ffff7bcf000     0x7ffff7bd3000     0x4000        0x0
      0x7ffff7bd3000     0x7ffff7bd6000     0x3000        0x0 /lib/x86_64-linux-gnu/
      0x7ffff7bd6000     0x7ffff7dd5000   0x1ff000     0x3000 /lib/x86_64-linux-gnu/
      0x7ffff7dd5000     0x7ffff7dd6000     0x1000     0x2000 /lib/x86_64-linux-gnu/
      0x7ffff7dd6000     0x7ffff7dd7000     0x1000     0x3000 /lib/x86_64-linux-gnu/
      0x7ffff7dd7000     0x7ffff7dfd000    0x26000        0x0 /lib/x86_64-linux-gnu/
      0x7ffff7e49000     0x7ffff7fe1000   0x198000        0x0 /usr/lib/locale/locale-archive
      0x7ffff7fe1000     0x7ffff7fe5000     0x4000        0x0
      0x7ffff7ff0000     0x7ffff7ff7000     0x7000        0x0 /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
      0x7ffff7ff7000     0x7ffff7ffa000     0x3000        0x0 [vvar]
      0x7ffff7ffa000     0x7ffff7ffc000     0x2000        0x0 [vdso]
      0x7ffff7ffc000     0x7ffff7ffd000     0x1000    0x25000 /lib/x86_64-linux-gnu/
      0x7ffff7ffd000     0x7ffff7ffe000     0x1000    0x26000 /lib/x86_64-linux-gnu/
      0x7ffff7ffe000     0x7ffff7fff000     0x1000        0x0
      0x7ffffffde000     0x7ffffffff000    0x21000        0x0 [stack]
  0xffffffffff600000 0xffffffffff601000     0x1000        0x0 [vsyscall]

# ------------
# Environment
$ uname -a
Linux 4.4.0-112-generic #135-Ubuntu SMP Fri Jan 19 11:48:36 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 16.04.3 LTS
Release:        16.04
Codename:       xenial

# ------------------------------
# Tested on the following two objcopy versions
# 1.
$ git rev-parse HEAD
# 2.
$ /usr/bin/objcopy --version
GNU objcopy (GNU Binutils for Ubuntu) 2.26.1
Copyright (C) 2015 Free Software Foundation, Inc.
This program is free software; you may redistribute it under the terms of
the GNU General Public License version 3 or (at your option) any later version.
This program has absolutely no warranty.

# ------------------------------
This bug was found by Guodong Zhu and Kang Li with Team Seri0us at 360.


Leave a Reply