Headline
CVE-2019-9072: Out of memory in objalloc.c
An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is an attempted excessive memory allocation in setup_group in elf.c.
The `size` utility also triggers the out-of-memory condition described in https://sourceware.org/bugzilla/show_bug.cgi?id=24232 (bug 24232), reached through the same setup_group path in bfd/elf.c.
Because the fault is in libbfd — a library shared by nm, size and any other program that links against it — every such consumer that opens a crafted ELF file can be made to attempt an excessive allocation (here ~1 TB, apparently derived from the input's section headers), which is a denial-of-service vector. Note that the trace below comes from an AddressSanitizer-instrumented build, which aborts when the backing mmap fails; in a non-instrumented build malloc would simply return NULL, so the real-world impact depends on how bfd_alloc's callers handle that failure — worth confirming before treating this as more than a crash on a hardened build.
- Intel Xeon Gold 5118 processors and 256 GB memory
- Linux n18-065-139 4.19.0-1-amd64 #1 SMP Debian 4.19.12-1 (2018-12-22) x86_64 GNU/Linux
- clang version 4.0.0 (tags/RELEASE_400/final)
- version: commit c72e75a64030b0f6535a80481f37968ad55c333a (Feb 19 2019)
- run: `size input_file` (ASan-instrumented build of the binutils-gdb commit above; the report below is produced by that build)
==1601289==ERROR: AddressSanitizer failed to allocate 0xfe01363000 (1090942021632) bytes of LargeMmapAllocator (error code: 12)
==1601289==Process memory map follows:
0x000000400000-0x00000041d000 /mnt/raid/user/chenpeng/FuzzingBench/build/asan/install/bin/size
0x00000041d000-0x0000008b3000 /mnt/raid/user/chenpeng/FuzzingBench/build/asan/install/bin/size
0x0000008b3000-0x000000987000 /mnt/raid/user/chenpeng/FuzzingBench/build/asan/install/bin/size
0x000000988000-0x000000989000 /mnt/raid/user/chenpeng/FuzzingBench/build/asan/install/bin/size
0x000000989000-0x0000009e8000 /mnt/raid/user/chenpeng/FuzzingBench/build/asan/install/bin/size
0x0000009e8000-0x000001654000
0x00007fff7000-0x00008fff7000
0x00008fff7000-0x02008fff7000
0x02008fff7000-0x10007fff8000
0x600000000000-0x602000000000
0x602000000000-0x602000010000
0x602000010000-0x602e00000000
0x602e00000000-0x602e00010000
0x602e00010000-0x603000000000
0x603000000000-0x603000010000
0x603000010000-0x603e00000000
0x603e00000000-0x603e00010000
0x603e00010000-0x604000000000
0x604000000000-0x604000010000
0x604000010000-0x604e00000000
0x604e00000000-0x604e00010000
0x604e00010000-0x606000000000
0x606000000000-0x606000010000
0x606000010000-0x606e00000000
0x606e00000000-0x606e00010000
0x606e00010000-0x607000000000
0x607000000000-0x607000010000
0x607000010000-0x607e00000000
0x607e00000000-0x607e00010000
0x607e00010000-0x608000000000
0x608000000000-0x608000010000
0x608000010000-0x608e00000000
0x608e00000000-0x608e00010000
0x608e00010000-0x60b000000000
0x60b000000000-0x60b000010000
0x60b000010000-0x60be00000000
0x60be00000000-0x60be00010000
0x60be00010000-0x60c000000000
0x60c000000000-0x60c000010000
0x60c000010000-0x60ce00000000
0x60ce00000000-0x60ce00010000
0x60ce00010000-0x60f000000000
0x60f000000000-0x60f000010000
0x60f000010000-0x60fe00000000
0x60fe00000000-0x60fe00010000
0x60fe00010000-0x610000000000
0x610000000000-0x610000010000
0x610000010000-0x610e00000000
0x610e00000000-0x610e00010000
0x610e00010000-0x611000000000
0x611000000000-0x611000010000
0x611000010000-0x611e00000000
0x611e00000000-0x611e00010000
0x611e00010000-0x612000000000
0x612000000000-0x612000010000
0x612000010000-0x612e00000000
0x612e00000000-0x612e00010000
0x612e00010000-0x614000000000
0x614000000000-0x614000010000
0x614000010000-0x614e00000000
0x614e00000000-0x614e00010000
0x614e00010000-0x616000000000
0x616000000000-0x616000010000
0x616000010000-0x616e00000000
0x616e00000000-0x616e00010000
0x616e00010000-0x618000000000
0x618000000000-0x618000010000
0x618000010000-0x618e00000000
0x618e00000000-0x618e00010000
0x618e00010000-0x619000000000
0x619000000000-0x619000010000
0x619000010000-0x619e00000000
0x619e00000000-0x619e00010000
0x619e00010000-0x61a000000000
0x61a000000000-0x61a000010000
0x61a000010000-0x61ae00000000
0x61ae00000000-0x61ae00010000
0x61ae00010000-0x61b000000000
0x61b000000000-0x61b000010000
0x61b000010000-0x61be00000000
0x61be00000000-0x61be00010000
0x61be00010000-0x61d000000000
0x61d000000000-0x61d000010000
0x61d000010000-0x61de00000000
0x61de00000000-0x61de00010000
0x61de00010000-0x61f000000000
0x61f000000000-0x61f000010000
0x61f000010000-0x61fe00000000
0x61fe00000000-0x61fe00010000
0x61fe00010000-0x621000000000
0x621000000000-0x621000010000
0x621000010000-0x621e00000000
0x621e00000000-0x621e00010000
0x621e00010000-0x624000000000
0x624000000000-0x624000010000
0x624000010000-0x624e00000000
0x624e00000000-0x624e00010000
0x624e00010000-0x640000000000
0x640000000000-0x640000003000
0x7f92d9266000-0x7f92d9ce0000 /usr/lib/locale/locale-archive
0x7f92d9ce0000-0x7f92d9f00000
0x7f92da000000-0x7f92da100000
0x7f92da131000-0x7f92da145000
0x7f92da145000-0x7f92da14c000 /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
0x7f92da14c000-0x7f92dc4f4000
0x7f92dc4f4000-0x7f92dc516000 /lib/x86_64-linux-gnu/libc-2.28.so
0x7f92dc516000-0x7f92dc65e000 /lib/x86_64-linux-gnu/libc-2.28.so
0x7f92dc65e000-0x7f92dc6aa000 /lib/x86_64-linux-gnu/libc-2.28.so
0x7f92dc6aa000-0x7f92dc6ab000 /lib/x86_64-linux-gnu/libc-2.28.so
0x7f92dc6ab000-0x7f92dc6af000 /lib/x86_64-linux-gnu/libc-2.28.so
0x7f92dc6af000-0x7f92dc6b1000 /lib/x86_64-linux-gnu/libc-2.28.so
0x7f92dc6b1000-0x7f92dc6b5000
0x7f92dc6b5000-0x7f92dc6b8000 /lib/x86_64-linux-gnu/libgcc_s.so.1
0x7f92dc6b8000-0x7f92dc6c9000 /lib/x86_64-linux-gnu/libgcc_s.so.1
0x7f92dc6c9000-0x7f92dc6cc000 /lib/x86_64-linux-gnu/libgcc_s.so.1
0x7f92dc6cc000-0x7f92dc6cd000 /lib/x86_64-linux-gnu/libgcc_s.so.1
0x7f92dc6cd000-0x7f92dc6ce000 /lib/x86_64-linux-gnu/libgcc_s.so.1
0x7f92dc6ce000-0x7f92dc6cf000 /lib/x86_64-linux-gnu/libgcc_s.so.1
0x7f92dc6cf000-0x7f92dc6d0000 /lib/x86_64-linux-gnu/libdl-2.28.so
0x7f92dc6d0000-0x7f92dc6d1000 /lib/x86_64-linux-gnu/libdl-2.28.so
0x7f92dc6d1000-0x7f92dc6d2000 /lib/x86_64-linux-gnu/libdl-2.28.so
0x7f92dc6d2000-0x7f92dc6d3000 /lib/x86_64-linux-gnu/libdl-2.28.so
0x7f92dc6d3000-0x7f92dc6d4000 /lib/x86_64-linux-gnu/libdl-2.28.so
0x7f92dc6d4000-0x7f92dc6e1000 /lib/x86_64-linux-gnu/libm-2.28.so
0x7f92dc6e1000-0x7f92dc780000 /lib/x86_64-linux-gnu/libm-2.28.so
0x7f92dc780000-0x7f92dc855000 /lib/x86_64-linux-gnu/libm-2.28.so
0x7f92dc855000-0x7f92dc856000 /lib/x86_64-linux-gnu/libm-2.28.so
0x7f92dc856000-0x7f92dc857000 /lib/x86_64-linux-gnu/libm-2.28.so
0x7f92dc857000-0x7f92dc859000 /lib/x86_64-linux-gnu/librt-2.28.so
0x7f92dc859000-0x7f92dc85d000 /lib/x86_64-linux-gnu/librt-2.28.so
0x7f92dc85d000-0x7f92dc85f000 /lib/x86_64-linux-gnu/librt-2.28.so
0x7f92dc85f000-0x7f92dc860000 /lib/x86_64-linux-gnu/librt-2.28.so
0x7f92dc860000-0x7f92dc861000 /lib/x86_64-linux-gnu/librt-2.28.so
0x7f92dc861000-0x7f92dc867000 /lib/x86_64-linux-gnu/libpthread-2.28.so
0x7f92dc867000-0x7f92dc876000 /lib/x86_64-linux-gnu/libpthread-2.28.so
0x7f92dc876000-0x7f92dc87c000 /lib/x86_64-linux-gnu/libpthread-2.28.so
0x7f92dc87c000-0x7f92dc87d000 /lib/x86_64-linux-gnu/libpthread-2.28.so
0x7f92dc87d000-0x7f92dc87e000 /lib/x86_64-linux-gnu/libpthread-2.28.so
0x7f92dc87e000-0x7f92dc882000
0x7f92dc882000-0x7f92dc891000
0x7f92dc891000-0x7f92dc892000 /lib/x86_64-linux-gnu/ld-2.28.so
0x7f92dc892000-0x7f92dc8b0000 /lib/x86_64-linux-gnu/ld-2.28.so
0x7f92dc8b0000-0x7f92dc8b8000 /lib/x86_64-linux-gnu/ld-2.28.so
0x7f92dc8b8000-0x7f92dc8b9000 /lib/x86_64-linux-gnu/ld-2.28.so
0x7f92dc8b9000-0x7f92dc8ba000 /lib/x86_64-linux-gnu/ld-2.28.so
0x7f92dc8ba000-0x7f92dc8bb000
0x7ffced2e9000-0x7ffced30a000 [stack]
0x7ffced35a000-0x7ffced35d000 [vvar]
0x7ffced35d000-0x7ffced35f000 [vdso]
==1601289==End of process memory map.
==1601289==AddressSanitizer CHECK failed: /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:120 "((0 && “unable to mmap”)) != (0)" (0x0, 0x0)
#0 0x4cbc9f in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan_rtl.cc:69:3
#1 0x4df5ff in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_termination.cc:79:5
#2 0x4d0c0e in __sanitizer::ReportMmapFailureAndDie(unsigned long, char const*, char const*, int, bool) /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:120:3
#3 0x4d962b in __sanitizer::MmapOrDie(unsigned long, char const*, bool) /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_posix.cc:132:5
#4 0x421e04 in __sanitizer::LargeMmapAllocator<__asan::AsanMapUnmapCallback>::Allocate(__sanitizer::AllocatorStats*, unsigned long, unsigned long) /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/…/sanitizer_common/sanitizer_allocator_secondary.h:41:9
#5 0x421bb8 in __sanitizer::CombinedAllocator<__sanitizer::SizeClassAllocator64<__asan::AP64>, __sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<__asan::AP64> >, __sanitizer::LargeMmapAllocator<__asan::AsanMapUnmapCallback> >::Allocate(__sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<__asan::AP64> >*, unsigned long, unsigned long, bool, bool) /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/…/sanitizer_common/sanitizer_allocator_combined.h:70:24
#6 0x41f06f in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan_allocator.cc:407:21
#7 0x4c43a0 in malloc /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:67:10
#8 0x8affb0 in _objalloc_alloc /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/objalloc.c:143:22
#9 0x52e450 in bfd_alloc /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/opncls.c:949:9
#10 0x52e51f in bfd_alloc2 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/opncls.c:978:10
#11 0x5b7e8c in setup_group /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/elf.c:658:9
#12 0x5b4472 in _bfd_elf_make_section_from_shdr /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/elf.c:1053:10
#13 0x5c9f9b in bfd_section_from_shdr /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/elf.c:2452:13
#14 0x5c7f32 in bfd_section_from_shdr /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/elf.c:2311:11
#15 0x5a111f in bfd_elf64_object_p /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/elfcode.h:818:7
#16 0x5207e5 in bfd_check_format_matches /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/format.c:315:14
#17 0x4f22d5 in display_bfd /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/size.c:331:7
#18 0x4f1ed5 in display_file /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/size.c:434:5
#19 0x4f1aa5 in main /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/size.c:260:7
#20 0x7f92dc51809a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
#21 0x41d5e9 in _start (/mnt/raid/user/chenpeng/FuzzingBench/build/asan/install/bin/size+0x41d5e9)
Comment 2 Alan Modra 2019-02-19 22:37:51 UTC
This is exactly the same "bug" as 24232 but with a slightly different testcase.
*** This bug has been marked as a duplicate of bug 24232 ***