CVE-2019-9076: Out of memory in libbfd

An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is an attempted excessive memory allocation in elf_read_notes in elf.c.

Created attachment 11620: OOM input

size also has the OOM issue described in https://sourceware.org/bugzilla/show_bug.cgi?id=24233

  • Intel Xeon Gold 5118 processors and 256 GB memory
  • Linux n18-065-139 4.19.0-1-amd64 #1 SMP Debian 4.19.12-1 (2018-12-22) x86_64 GNU/Linux
  • clang version 4.0.0 (tags/RELEASE_400/final)
  • version: commit c72e75a64030b0f6535a80481f37968ad55c333a (Feb 19 2019)
  • run: size input_file

==1671718==ERROR: AddressSanitizer failed to allocate 0xfffff80000 (1099511103488) bytes of LargeMmapAllocator (error code: 12)
==1671718==Process memory map follows:
0x000000400000-0x00000041d000 /mnt/raid/user/chenpeng/FuzzingBench/build/asan/install/bin/size
0x00000041d000-0x0000008b3000 /mnt/raid/user/chenpeng/FuzzingBench/build/asan/install/bin/size
0x0000008b3000-0x000000987000 /mnt/raid/user/chenpeng/FuzzingBench/build/asan/install/bin/size
0x000000988000-0x000000989000 /mnt/raid/user/chenpeng/FuzzingBench/build/asan/install/bin/size
0x000000989000-0x0000009e8000 /mnt/raid/user/chenpeng/FuzzingBench/build/asan/install/bin/size
0x0000009e8000-0x000001654000
0x00007fff7000-0x00008fff7000
0x00008fff7000-0x02008fff7000
0x02008fff7000-0x10007fff8000
0x600000000000-0x602000000000
0x602000000000-0x602000010000
0x602000010000-0x602e00000000
0x602e00000000-0x602e00010000
0x602e00010000-0x603000000000
0x603000000000-0x603000010000
0x603000010000-0x603e00000000
0x603e00000000-0x603e00010000
0x603e00010000-0x604000000000
0x604000000000-0x604000010000
0x604000010000-0x604e00000000
0x604e00000000-0x604e00010000
0x604e00010000-0x607000000000
0x607000000000-0x607000010000
0x607000010000-0x607e00000000
0x607e00000000-0x607e00010000
0x607e00010000-0x608000000000
0x608000000000-0x608000010000
0x608000010000-0x608e00000000
0x608e00000000-0x608e00010000
0x608e00010000-0x60b000000000
0x60b000000000-0x60b000010000
0x60b000010000-0x60be00000000
0x60be00000000-0x60be00010000
0x60be00010000-0x60c000000000
0x60c000000000-0x60c000010000
0x60c000010000-0x60ce00000000
0x60ce00000000-0x60ce00010000
0x60ce00010000-0x60f000000000
0x60f000000000-0x60f000010000
0x60f000010000-0x60fe00000000
0x60fe00000000-0x60fe00010000
0x60fe00010000-0x610000000000
0x610000000000-0x610000010000
0x610000010000-0x610e00000000
0x610e00000000-0x610e00010000
0x610e00010000-0x611000000000
0x611000000000-0x611000010000
0x611000010000-0x611e00000000
0x611e00000000-0x611e00010000
0x611e00010000-0x612000000000
0x612000000000-0x612000010000
0x612000010000-0x612e00000000
0x612e00000000-0x612e00010000
0x612e00010000-0x614000000000
0x614000000000-0x614000010000
0x614000010000-0x614e00000000
0x614e00000000-0x614e00010000
0x614e00010000-0x616000000000
0x616000000000-0x616000010000
0x616000010000-0x616e00000000
0x616e00000000-0x616e00010000
0x616e00010000-0x618000000000
0x618000000000-0x618000010000
0x618000010000-0x618e00000000
0x618e00000000-0x618e00010000
0x618e00010000-0x61a000000000
0x61a000000000-0x61a000010000
0x61a000010000-0x61ae00000000
0x61ae00000000-0x61ae00010000
0x61ae00010000-0x61d000000000
0x61d000000000-0x61d000010000
0x61d000010000-0x61de00000000
0x61de00000000-0x61de00010000
0x61de00010000-0x61f000000000
0x61f000000000-0x61f000010000
0x61f000010000-0x61fe00000000
0x61fe00000000-0x61fe00010000
0x61fe00010000-0x621000000000
0x621000000000-0x621000010000
0x621000010000-0x621e00000000
0x621e00000000-0x621e00010000
0x621e00010000-0x624000000000
0x624000000000-0x624000010000
0x624000010000-0x624e00000000
0x624e00000000-0x624e00010000
0x624e00010000-0x640000000000
0x640000000000-0x640000003000
0x7f1585c66000-0x7f15866e0000 /usr/lib/locale/locale-archive
0x7f15866e0000-0x7f1586900000
0x7f1586a00000-0x7f1586b00000
0x7f1586b51000-0x7f1586b65000
0x7f1586b65000-0x7f1586b6c000 /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
0x7f1586b6c000-0x7f1588f14000
0x7f1588f14000-0x7f1588f36000 /lib/x86_64-linux-gnu/libc-2.28.so
0x7f1588f36000-0x7f158907e000 /lib/x86_64-linux-gnu/libc-2.28.so
0x7f158907e000-0x7f15890ca000 /lib/x86_64-linux-gnu/libc-2.28.so
0x7f15890ca000-0x7f15890cb000 /lib/x86_64-linux-gnu/libc-2.28.so
0x7f15890cb000-0x7f15890cf000 /lib/x86_64-linux-gnu/libc-2.28.so
0x7f15890cf000-0x7f15890d1000 /lib/x86_64-linux-gnu/libc-2.28.so
0x7f15890d1000-0x7f15890d5000
0x7f15890d5000-0x7f15890d8000 /lib/x86_64-linux-gnu/libgcc_s.so.1
0x7f15890d8000-0x7f15890e9000 /lib/x86_64-linux-gnu/libgcc_s.so.1
0x7f15890e9000-0x7f15890ec000 /lib/x86_64-linux-gnu/libgcc_s.so.1
0x7f15890ec000-0x7f15890ed000 /lib/x86_64-linux-gnu/libgcc_s.so.1
0x7f15890ed000-0x7f15890ee000 /lib/x86_64-linux-gnu/libgcc_s.so.1
0x7f15890ee000-0x7f15890ef000 /lib/x86_64-linux-gnu/libgcc_s.so.1
0x7f15890ef000-0x7f15890f0000 /lib/x86_64-linux-gnu/libdl-2.28.so
0x7f15890f0000-0x7f15890f1000 /lib/x86_64-linux-gnu/libdl-2.28.so
0x7f15890f1000-0x7f15890f2000 /lib/x86_64-linux-gnu/libdl-2.28.so
0x7f15890f2000-0x7f15890f3000 /lib/x86_64-linux-gnu/libdl-2.28.so
0x7f15890f3000-0x7f15890f4000 /lib/x86_64-linux-gnu/libdl-2.28.so
0x7f15890f4000-0x7f1589101000 /lib/x86_64-linux-gnu/libm-2.28.so
0x7f1589101000-0x7f15891a0000 /lib/x86_64-linux-gnu/libm-2.28.so
0x7f15891a0000-0x7f1589275000 /lib/x86_64-linux-gnu/libm-2.28.so
0x7f1589275000-0x7f1589276000 /lib/x86_64-linux-gnu/libm-2.28.so
0x7f1589276000-0x7f1589277000 /lib/x86_64-linux-gnu/libm-2.28.so
0x7f1589277000-0x7f1589279000 /lib/x86_64-linux-gnu/librt-2.28.so
0x7f1589279000-0x7f158927d000 /lib/x86_64-linux-gnu/librt-2.28.so
0x7f158927d000-0x7f158927f000 /lib/x86_64-linux-gnu/librt-2.28.so
0x7f158927f000-0x7f1589280000 /lib/x86_64-linux-gnu/librt-2.28.so
0x7f1589280000-0x7f1589281000 /lib/x86_64-linux-gnu/librt-2.28.so
0x7f1589281000-0x7f1589287000 /lib/x86_64-linux-gnu/libpthread-2.28.so
0x7f1589287000-0x7f1589296000 /lib/x86_64-linux-gnu/libpthread-2.28.so
0x7f1589296000-0x7f158929c000 /lib/x86_64-linux-gnu/libpthread-2.28.so
0x7f158929c000-0x7f158929d000 /lib/x86_64-linux-gnu/libpthread-2.28.so
0x7f158929d000-0x7f158929e000 /lib/x86_64-linux-gnu/libpthread-2.28.so
0x7f158929e000-0x7f15892a2000
0x7f15892a2000-0x7f15892b1000
0x7f15892b1000-0x7f15892b2000 /lib/x86_64-linux-gnu/ld-2.28.so
0x7f15892b2000-0x7f15892d0000 /lib/x86_64-linux-gnu/ld-2.28.so
0x7f15892d0000-0x7f15892d8000 /lib/x86_64-linux-gnu/ld-2.28.so
0x7f15892d8000-0x7f15892d9000 /lib/x86_64-linux-gnu/ld-2.28.so
0x7f15892d9000-0x7f15892da000 /lib/x86_64-linux-gnu/ld-2.28.so
0x7f15892da000-0x7f15892db000
0x7fff515d3000-0x7fff515f4000 [stack]
0x7fff515f6000-0x7fff515f9000 [vvar]
0x7fff515f9000-0x7fff515fb000 [vdso]
==1671718==End of process memory map.
==1671718==AddressSanitizer CHECK failed: /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:120 "((0 && "unable to mmap")) != (0)" (0x0, 0x0)
    #0 0x4cbc9f in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan_rtl.cc:69:3
    #1 0x4df5ff in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_termination.cc:79:5
    #2 0x4d0c0e in __sanitizer::ReportMmapFailureAndDie(unsigned long, char const*, char const*, int, bool) /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:120:3
    #3 0x4d962b in __sanitizer::MmapOrDie(unsigned long, char const*, bool) /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_posix.cc:132:5
    #4 0x421e04 in __sanitizer::LargeMmapAllocator<__asan::AsanMapUnmapCallback>::Allocate(__sanitizer::AllocatorStats*, unsigned long, unsigned long) /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/…/sanitizer_common/sanitizer_allocator_secondary.h:41:9
    #5 0x421bb8 in __sanitizer::CombinedAllocator<__sanitizer::SizeClassAllocator64<__asan::AP64>, __sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<__asan::AP64> >, __sanitizer::LargeMmapAllocator<__asan::AsanMapUnmapCallback> >::Allocate(__sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<__asan::AP64> >*, unsigned long, unsigned long, bool, bool) /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/…/sanitizer_common/sanitizer_allocator_combined.h:70:24
    #6 0x41f06f in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan_allocator.cc:407:21
    #7 0x4c43a0 in malloc /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:67:10
    #8 0x526c75 in bfd_malloc /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/libbfd.c:275:9
    #9 0x5cd904 in elf_read_notes /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/elf.c:11692:18
    #10 0x5cd6cd in bfd_section_from_phdr /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/elf.c:3024:13
    #11 0x5ade7a in bfd_elf64_core_file_p /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/elfcore.h:277:11
    #12 0x5207e5 in bfd_check_format_matches /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/format.c:315:14
    #13 0x4f23c1 in display_bfd /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/size.c:347:7
    #14 0x4f1ed5 in display_file /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/size.c:434:5
    #15 0x4f1aa5 in main /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/size.c:260:7
    #16 0x7f1588f3809a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    #17 0x41d5e9 in _start (/mnt/raid/user/chenpeng/FuzzingBench/build/asan/install/bin/size+0x41d5e9)

Comment 1 Alan Modra 2019-02-19 22:51:52 UTC

This is a different testcase and different out of memory condition to pr24233. Unlike pr24233 we report an out of memory error. I think that is perfectly good behaviour for user input with silly sizes, in this case a NOTE section claiming to be 0xfffff7dd00 bytes in size. While we could test for silly section sizes by comparing against file size, that doesn't work in all situations, e.g. when section contents are encoded and the decoded size is much larger than the raw size.
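The trace above shows the allocation path (bfd_elf64_core_file_p → bfd_section_from_phdr → elf_read_notes → bfd_malloc) trusting the p_filesz of a PT_NOTE segment, and Alan Modra's comment names the obvious guard: compare the claimed size against the file size. The following is an added C example written for this page; it is not binutils code and not the fix the project committed. It parses the program headers of a hand-built little-endian ELF64 core (constructed data, carrying the 0xfffff7dd00 size quoted in the comment) and refuses a PT_NOTE segment whose p_offset plus p_filesz lies outside the file instead of allocating for it. The names check_first_note, build_core, demo_huge_note and demo_sane_note are the example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PT_NOTE 4

/* Outcome of inspecting the first PT_NOTE segment. */
enum note_status { NOTE_OK = 0, NOTE_BAD_ELF, NOTE_NO_NOTE, NOTE_TOO_LARGE };

/* Little-endian field accessors; the example only handles ELFDATA2LSB. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
  return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint64_t rd64(const uint8_t *p) { return (uint64_t)rd32(p) | (uint64_t)rd32(p + 4) << 32; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static void wr64(uint8_t *p, uint64_t v) { for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Walk the ELF64 program headers and report the first PT_NOTE segment.
   A reader that trusts p_filesz would call malloc(p_filesz) here; this one
   first requires the segment to lie inside the file (the "compare against
   file size" test from the thread).  The check is two comparisons so that
   p_offset + p_filesz cannot wrap around. */
static enum note_status
check_first_note(const uint8_t *file, size_t file_len, uint64_t *size_out)
{
  if (file_len < 64 || memcmp(file, "\x7f" "ELF", 4) != 0
      || file[4] != 2 /* ELFCLASS64 */ || file[5] != 1 /* ELFDATA2LSB */)
    return NOTE_BAD_ELF;
  uint64_t phoff = rd64(file + 32);      /* e_phoff */
  uint16_t phentsize = rd16(file + 54);  /* e_phentsize */
  uint16_t phnum = rd16(file + 56);      /* e_phnum */
  if (phoff > file_len || phentsize < 56)
    return NOTE_BAD_ELF;
  for (uint16_t i = 0; i < phnum; i++) {
    uint64_t off = phoff + (uint64_t)i * phentsize;
    if (off > file_len || file_len - off < 56)  /* phdr table runs past EOF */
      return NOTE_BAD_ELF;
    const uint8_t *ph = file + off;
    if (rd32(ph) != PT_NOTE)
      continue;
    uint64_t p_offset = rd64(ph + 8);
    uint64_t p_filesz = rd64(ph + 32);
    *size_out = p_filesz;
    if (p_offset > file_len || p_filesz > file_len - p_offset)
      return NOTE_TOO_LARGE;               /* refuse before allocating */
    return NOTE_OK;
  }
  return NOTE_NO_NOTE;
}

/* Constructed test data, not a real core dump: a 64-byte ELF64 header, one
   PT_NOTE program header claiming `claimed_size` bytes at offset 120, and
   `payload_len` zero bytes standing in for the note contents.  Returns the
   image length, or 0 if it does not fit in `cap`. */
static size_t
build_core(uint8_t *buf, size_t cap, uint64_t claimed_size, size_t payload_len)
{
  size_t total = 64 + 56 + payload_len;
  if (total > cap)
    return 0;
  memset(buf, 0, total);
  memcpy(buf, "\x7f" "ELF", 4);
  buf[4] = 2; buf[5] = 1; buf[6] = 1;  /* ELFCLASS64, ELFDATA2LSB, EV_CURRENT */
  wr16(buf + 16, 4);                   /* e_type = ET_CORE */
  wr16(buf + 18, 62);                  /* e_machine = EM_X86_64 */
  wr32(buf + 20, 1);                   /* e_version */
  wr64(buf + 32, 64);                  /* e_phoff: table follows the header */
  wr16(buf + 52, 64);                  /* e_ehsize */
  wr16(buf + 54, 56);                  /* e_phentsize */
  wr16(buf + 56, 1);                   /* e_phnum */
  uint8_t *ph = buf + 64;
  wr32(ph, PT_NOTE);                   /* p_type */
  wr64(ph + 8, 120);                   /* p_offset: right after the phdr */
  wr64(ph + 32, claimed_size);         /* p_filesz: what a naive reader trusts */
  wr64(ph + 40, claimed_size);         /* p_memsz */
  return total;
}

/* A core whose PT_NOTE claims the 0xfffff7dd00 bytes quoted in the thread
   but carries only 256 bytes of note data. */
enum note_status demo_huge_note(uint64_t *claimed)
{
  uint8_t img[512];
  size_t n = build_core(img, sizeof img, 0xfffff7dd00ULL, 256);
  return check_first_note(img, n, claimed);
}

/* The same layout with an honest p_filesz. */
enum note_status demo_sane_note(uint64_t *claimed)
{
  uint8_t img[512];
  size_t n = build_core(img, sizeof img, 256, 256);
  return check_first_note(img, n, claimed);
}

int main(void)
{
  uint64_t sz = 0;
  enum note_status st = demo_huge_note(&sz);
  printf("huge note: status %d, p_filesz 0x%llx\n", (int)st, (unsigned long long)sz);
  st = demo_sane_note(&sz);
  printf("sane note: status %d, p_filesz %llu\n", (int)st, (unsigned long long)sz);
  return 0;
}
```

The check only bounds the raw on-disk size of the segment, which is exactly the limitation raised in the comment: where section contents are encoded and the decoded size is larger than the raw size, a file-size comparison says nothing about how much memory decoding will need, and the reader still has to cap or fail that allocation separately.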
