CVE-2019-9073: Out of memory in libbfd.c

An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is an attempted excessive memory allocation in _bfd_elf_slurp_version_tables in elf.c.


Created attachment 11615: inputs that trigger bugs

  • Intel Xeon Gold 5118 processors and 256 GB memory

  • Linux n18-065-139 4.19.0-1-amd64 #1 SMP Debian 4.19.12-1 (2018-12-22) x86_64 GNU/Linux

  • clang version 4.0.0 (tags/RELEASE_400/final)

  • version: commit c72e75a64030b0f6535a80481f37968ad55c333a (Feb 19 2019)

  • run objdump -x input_file

  • asan report:
    ==1243005==ERROR: AddressSanitizer failed to allocate 0xffffffa000 (1099511603200) bytes of LargeMmapAllocator (error code: 12)
    ==1243005==Process memory map follows:
    0x000000400000-0x00000041d000 /mnt/raid/user/chenpeng/FuzzingBench/build/asan/install/bin/objdump
    0x00000041d000-0x000000996000 /mnt/raid/user/chenpeng/FuzzingBench/build/asan/install/bin/objdump
    0x000000996000-0x000000bc9000 /mnt/raid/user/chenpeng/FuzzingBench/build/asan/install/bin/objdump
    0x000000bca000-0x000000bcb000 /mnt/raid/user/chenpeng/FuzzingBench/build/asan/install/bin/objdump
    0x000000bcb000-0x000000c78000 /mnt/raid/user/chenpeng/FuzzingBench/build/asan/install/bin/objdump
    0x000000c78000-0x0000018e9000
    0x00007fff7000-0x00008fff7000
    0x00008fff7000-0x02008fff7000
    0x02008fff7000-0x10007fff8000
    0x600000000000-0x602000000000
    0x602000000000-0x602000010000
    0x602000010000-0x602e00000000
    0x602e00000000-0x602e00010000
    0x602e00010000-0x603000000000
    0x603000000000-0x603000010000
    0x603000010000-0x603e00000000
    0x603e00000000-0x603e00010000
    0x603e00010000-0x604000000000
    0x604000000000-0x604000010000
    0x604000010000-0x604e00000000
    0x604e00000000-0x604e00010000
    0x604e00010000-0x606000000000
    0x606000000000-0x606000010000
    0x606000010000-0x606e00000000
    0x606e00000000-0x606e00010000
    0x606e00010000-0x607000000000
    0x607000000000-0x607000010000
    0x607000010000-0x607e00000000
    0x607e00000000-0x607e00010000
    0x607e00010000-0x608000000000
    0x608000000000-0x608000010000
    0x608000010000-0x608e00000000
    0x608e00000000-0x608e00010000
    0x608e00010000-0x60b000000000
    0x60b000000000-0x60b000010000
    0x60b000010000-0x60be00000000
    0x60be00000000-0x60be00010000
    0x60be00010000-0x60c000000000
    0x60c000000000-0x60c000010000
    0x60c000010000-0x60ce00000000
    0x60ce00000000-0x60ce00010000
    0x60ce00010000-0x60f000000000
    0x60f000000000-0x60f000010000
    0x60f000010000-0x60fe00000000
    0x60fe00000000-0x60fe00010000
    0x60fe00010000-0x610000000000
    0x610000000000-0x610000010000
    0x610000010000-0x610e00000000
    0x610e00000000-0x610e00010000
    0x610e00010000-0x611000000000
    0x611000000000-0x611000010000
    0x611000010000-0x611e00000000
    0x611e00000000-0x611e00010000
    0x611e00010000-0x612000000000
    0x612000000000-0x612000010000
    0x612000010000-0x612e00000000
    0x612e00000000-0x612e00010000
    0x612e00010000-0x614000000000
    0x614000000000-0x614000010000
    0x614000010000-0x614e00000000
    0x614e00000000-0x614e00010000
    0x614e00010000-0x616000000000
    0x616000000000-0x616000010000
    0x616000010000-0x616e00000000
    0x616e00000000-0x616e00010000
    0x616e00010000-0x618000000000
    0x618000000000-0x618000010000
    0x618000010000-0x618e00000000
    0x618e00000000-0x618e00010000
    0x618e00010000-0x619000000000
    0x619000000000-0x619000010000
    0x619000010000-0x619e00000000
    0x619e00000000-0x619e00010000
    0x619e00010000-0x61a000000000
    0x61a000000000-0x61a000010000
    0x61a000010000-0x61ae00000000
    0x61ae00000000-0x61ae00010000
    0x61ae00010000-0x61b000000000
    0x61b000000000-0x61b000010000
    0x61b000010000-0x61be00000000
    0x61be00000000-0x61be00010000
    0x61be00010000-0x61d000000000
    0x61d000000000-0x61d000010000
    0x61d000010000-0x61de00000000
    0x61de00000000-0x61de00010000
    0x61de00010000-0x61f000000000
    0x61f000000000-0x61f000010000
    0x61f000010000-0x61fe00000000
    0x61fe00000000-0x61fe00010000
    0x61fe00010000-0x621000000000
    0x621000000000-0x621000010000
    0x621000010000-0x621e00000000
    0x621e00000000-0x621e00010000
    0x621e00010000-0x624000000000
    0x624000000000-0x624000010000
    0x624000010000-0x624e00000000
    0x624e00000000-0x624e00010000
    0x624e00010000-0x62d000000000
    0x62d000000000-0x62d000020000
    0x62d000020000-0x62de00000000
    0x62de00000000-0x62de00010000
    0x62de00010000-0x640000000000
    0x640000000000-0x640000003000
    0x7f1ecf066000-0x7f1ecfae0000 /usr/lib/locale/locale-archive
    0x7f1ecfae0000-0x7f1ecfd00000
    0x7f1ecfdec000-0x7f1ecff00000
    0x7f1ecff01000-0x7f1ecff08000 /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
    0x7f1ecff08000-0x7f1ed22c2000
    0x7f1ed22c2000-0x7f1ed22e4000 /lib/x86_64-linux-gnu/libc-2.28.so
    0x7f1ed22e4000-0x7f1ed242c000 /lib/x86_64-linux-gnu/libc-2.28.so
    0x7f1ed242c000-0x7f1ed2478000 /lib/x86_64-linux-gnu/libc-2.28.so
    0x7f1ed2478000-0x7f1ed2479000 /lib/x86_64-linux-gnu/libc-2.28.so
    0x7f1ed2479000-0x7f1ed247d000 /lib/x86_64-linux-gnu/libc-2.28.so
    0x7f1ed247d000-0x7f1ed247f000 /lib/x86_64-linux-gnu/libc-2.28.so
    0x7f1ed247f000-0x7f1ed2483000
    0x7f1ed2483000-0x7f1ed2486000 /lib/x86_64-linux-gnu/libgcc_s.so.1
    0x7f1ed2486000-0x7f1ed2497000 /lib/x86_64-linux-gnu/libgcc_s.so.1
    0x7f1ed2497000-0x7f1ed249a000 /lib/x86_64-linux-gnu/libgcc_s.so.1
    0x7f1ed249a000-0x7f1ed249b000 /lib/x86_64-linux-gnu/libgcc_s.so.1
    0x7f1ed249b000-0x7f1ed249c000 /lib/x86_64-linux-gnu/libgcc_s.so.1
    0x7f1ed249c000-0x7f1ed249d000 /lib/x86_64-linux-gnu/libgcc_s.so.1
    0x7f1ed249d000-0x7f1ed249e000 /lib/x86_64-linux-gnu/libdl-2.28.so
    0x7f1ed249e000-0x7f1ed249f000 /lib/x86_64-linux-gnu/libdl-2.28.so
    0x7f1ed249f000-0x7f1ed24a0000 /lib/x86_64-linux-gnu/libdl-2.28.so
    0x7f1ed24a0000-0x7f1ed24a1000 /lib/x86_64-linux-gnu/libdl-2.28.so
    0x7f1ed24a1000-0x7f1ed24a2000 /lib/x86_64-linux-gnu/libdl-2.28.so
    0x7f1ed24a2000-0x7f1ed24af000 /lib/x86_64-linux-gnu/libm-2.28.so
    0x7f1ed24af000-0x7f1ed254e000 /lib/x86_64-linux-gnu/libm-2.28.so
    0x7f1ed254e000-0x7f1ed2623000 /lib/x86_64-linux-gnu/libm-2.28.so
    0x7f1ed2623000-0x7f1ed2624000 /lib/x86_64-linux-gnu/libm-2.28.so
    0x7f1ed2624000-0x7f1ed2625000 /lib/x86_64-linux-gnu/libm-2.28.so
    0x7f1ed2625000-0x7f1ed2627000 /lib/x86_64-linux-gnu/librt-2.28.so
    0x7f1ed2627000-0x7f1ed262b000 /lib/x86_64-linux-gnu/librt-2.28.so
    0x7f1ed262b000-0x7f1ed262d000 /lib/x86_64-linux-gnu/librt-2.28.so
    0x7f1ed262d000-0x7f1ed262e000 /lib/x86_64-linux-gnu/librt-2.28.so
    0x7f1ed262e000-0x7f1ed262f000 /lib/x86_64-linux-gnu/librt-2.28.so
    0x7f1ed262f000-0x7f1ed2635000 /lib/x86_64-linux-gnu/libpthread-2.28.so
    0x7f1ed2635000-0x7f1ed2644000 /lib/x86_64-linux-gnu/libpthread-2.28.so
    0x7f1ed2644000-0x7f1ed264a000 /lib/x86_64-linux-gnu/libpthread-2.28.so
    0x7f1ed264a000-0x7f1ed264b000 /lib/x86_64-linux-gnu/libpthread-2.28.so
    0x7f1ed264b000-0x7f1ed264c000 /lib/x86_64-linux-gnu/libpthread-2.28.so
    0x7f1ed264c000-0x7f1ed2650000
    0x7f1ed2650000-0x7f1ed265f000
    0x7f1ed265f000-0x7f1ed2660000 /lib/x86_64-linux-gnu/ld-2.28.so
    0x7f1ed2660000-0x7f1ed267e000 /lib/x86_64-linux-gnu/ld-2.28.so
    0x7f1ed267e000-0x7f1ed2686000 /lib/x86_64-linux-gnu/ld-2.28.so
    0x7f1ed2686000-0x7f1ed2687000 /lib/x86_64-linux-gnu/ld-2.28.so
    0x7f1ed2687000-0x7f1ed2688000 /lib/x86_64-linux-gnu/ld-2.28.so
    0x7f1ed2688000-0x7f1ed2689000
    0x7ffc80989000-0x7ffc809aa000 [stack]
    0x7ffc809ea000-0x7ffc809ed000 [vvar]
    0x7ffc809ed000-0x7ffc809ef000 [vdso]
    ==1243005==End of process memory map.
    ==1243005==AddressSanitizer CHECK failed: /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:120 "((0 && "unable to mmap")) != (0)" (0x0, 0x0)
    #0 0x4cbcef in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan_rtl.cc:69:3
    #1 0x4df64f in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_termination.cc:79:5
    #2 0x4d0c5e in __sanitizer::ReportMmapFailureAndDie(unsigned long, char const*, char const*, int, bool) /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:120:3
    #3 0x4d967b in __sanitizer::MmapOrDie(unsigned long, char const*, bool) /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_posix.cc:132:5
    #4 0x421e54 in __sanitizer::LargeMmapAllocator<__asan::AsanMapUnmapCallback>::Allocate(__sanitizer::AllocatorStats*, unsigned long, unsigned long) /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/…/sanitizer_common/sanitizer_allocator_secondary.h:41:9
    #5 0x421c08 in __sanitizer::CombinedAllocator<__sanitizer::SizeClassAllocator64<__asan::AP64>, __sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<__asan::AP64> >, __sanitizer::LargeMmapAllocator<__asan::AsanMapUnmapCallback> >::Allocate(__sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<__asan::AP64> >*, unsigned long, unsigned long, bool, bool) /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/…/sanitizer_common/sanitizer_allocator_combined.h:70:24
    #6 0x41f0bf in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan_allocator.cc:407:21
    #7 0x4c43f0 in malloc /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:67:10
    #8 0x605fb5 in bfd_malloc /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/libbfd.c:275:9
    #9 0x6a969b in _bfd_elf_slurp_version_tables /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/elf.c:8556:31
    #10 0x6a696f in _bfd_elf_print_private_bfd_data /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/elf.c:1798:13
    #11 0x4f65d5 in dump_bfd_private_header /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/objdump.c:3181:3
    #12 0x4f51f9 in dump_bfd /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/objdump.c:3782:5
    #13 0x4f4c71 in display_object_bfd /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/objdump.c:3883:7
    #14 0x4f4b67 in display_any_bfd /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/objdump.c:3973:5
    #15 0x4f424a in display_file /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/objdump.c:3994:3
    #16 0x4f3ab0 in main /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/objdump.c:4304:6
    #17 0x7f1ed22e609a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    #18 0x41d639 in _start (/mnt/raid/user/chenpeng/FuzzingBench/build/asan/install/bin/objdump+0x41d639)

Comment 1 Alan Modra 2019-02-19 11:32:50 UTC

This also doesn’t reproduce for me.

Comment 2 Alan Modra 2019-02-19 11:57:06 UTC

The testcase has a VERDEFS section claiming to be 0xffffff7f00 in size. I suppose we should inform the user that they hit an out-of-memory here rather than just silently ignoring the failure.

Comment 3 spinpx 2019-02-19 12:07:07 UTC

(In reply to Alan Modra from comment #2)
> The testcase has a VERDEFS section claiming to be 0xffffff7f00 in size. I
> suppose we should inform the user that they hit an out-of-memory here rather
> than just silently ignoring the failure.

Agree.

Comment 6 Alan Modra 2019-02-20 03:25:42 UTC

objdump now reports that something went wrong when printing private headers.
