FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.

*   _To_: debian-lts-announce@lists.debian.org
*   _Subject_: \[SECURITY\] \[DLA 1831-1\] jackson-databind security update
*   _From_: Markus Koschany <apo@debian.org\>
*   _Date_: Fri, 21 Jun 2019 17:09:36 +0200
*   _Message-id_: <\[🔎\] 1dc2282f-a7aa-3af5-6e34-f2cbc537032d@debian.org\>
*   _Mail-followup-to_: debian-lts@lists.debian.org
*   _Reply-to_: debian-lts@lists.debian.org

\-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : jackson-databind
Version        : 2.4.2-2+deb8u7
CVE ID         : CVE-2019-12384 CVE-2019-12814
Debian Bug     : 930750

More Polymorphic Typing issues were discovered in jackson-databind. When
Default Typing is enabled (either globally or for a specific property)
for an externally exposed JSON endpoint and the service has JDOM 1.x or
2.x or logback-core jar in the classpath, an attacker can send a
specifically crafted JSON message that allows them to read arbitrary
local files on the server.

For Debian 8 "Jessie", these problems have been fixed in version
2.4.2-2+deb8u7.

We recommend that you upgrade your jackson-databind packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAl0M8zBfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7
UeTY4Q/9FfVWKCgD0UUDIdGRmNRutcG6vrkmD30bUd88QVafXC+IKWnvM8T1QDUQ
eJrfEtI5Ao7EevfK5ark6XxYA1JVpqe4cLJtsV4/9VwgczJa2h4RNS52flDDPxZz
oumtjbUFRT98wkmJDXn/4GiEDvHCtX2RtdoNtT1EDqB1IjYO4TcBUjgsT4yAUB8u
kh4H8Md6ILeBV2+IUGg25oZypmp4ZQY/h1q4Hrfb9crLjLWkod/k1otAxrbJ10W0
Px2bb32MPVlYz+D8Q8YoMSoktuhwOjyi/DMHsIgeF2/h8qlLvrNe5AtX4VAcKc5z
mGlNum0M57HgfxOwcmqMFruEcqtU8FIpbUqqZm8K+wtp6x5kQnrZn/eGVG/bih7c
f9KDY2KixbSQZwW38FgQMZtbSbhF/Wsa0xHB1n0wXYLHsLlmaJiEmgVbAdcJQEi+
UHpw0MttJT9rXvYLfnK3+NseQ1e+V95m8lHb28z1cqXj4cdFKY14Nf4MpJw4EkXQ
3bvQeuzBaneQDjj1DDKalYSpjwtn1GO2kWfdAJqus8Qwe3aoWHy0TVtpCpQjJG9F
vyhwwK58dJTx+YfOJPe3eKPy0UNQrS1nLJYjlj6A2cGUcaj5+YK2zCes8r9WT5Id
oG1L7voMiTZVDiAs1Flo4PVO1fNI9VTSoTiEo3Ym4W1ksuvvZHY=
=MAUn
-----END PGP SIGNATURE-----

**Reply to:**

*   debian-lts-announce@lists.debian.org
*   Markus Koschany (on-list)
*   Markus Koschany (off-list)

*   Prev by Date: **\[SECURITY\] \[DLA 1789-2\] intel-microcode security update**
*   Next by Date: **\[SECURITY\] \[DLA 1832-1\] libvirt security update**
*   Previous by thread: **\[SECURITY\] \[DLA 1789-2\] intel-microcode security update**
*   Next by thread: **\[SECURITY\] \[DLA 1832-1\] libvirt security update**
*   Index(es):
    *   **Date**
    *   **Thread**

CVE-2019-12384: [SECURITY] [DLA 1831-1] jackson-databind security update

An issue was discovered in sd-bus in systemd 239. bus_process_object() in libsystemd/sd-bus/bus-objects.c allocates a variable-length stack buffer for temporarily storing the object path of incoming D-Bus messages. An unprivileged local user can exploit this by sending a specially crafted message to PID1, causing the stack pointer to jump over the stack guard pages into an unmapped memory region and trigger a denial of service (systemd PID1 crash and kernel panic).

**Debian Security Advisory**

Date Reported:

18 Feb 2019

Affected Packages:

systemd

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2019-6454.  

More information:

Chris Coulson discovered a flaw in systemd leading to denial of service. An unprivileged user could take advantage of this issue to crash PID1 by sending a specially crafted D-Bus message on the system bus.

For the stable distribution (stretch), this problem has been fixed in version 232-25+deb9u9.

We recommend that you upgrade your systemd packages.

For the detailed security status of systemd please refer to its security tracker page at: https://security-tracker.debian.org/tracker/systemd

CVE-2019-6454: Debian -- Security Information -- DSA-4393-1 systemd

Vixie Cron before the 3.0pl1-133 Debian package allows local users to cause a denial of service (daemon crash) via a large crontab file because the calloc return value is not checked.

CVE-2019-9704: SECURITY: DoS: Fix unchecked return of calloc() (f2525567) · Commits · Debian / cron · GitLab

Vixie Cron before the 3.0pl1-133 Debian package allows local users to cause a denial of service (use-after-free and daemon crash) because of a force_rescan_user error.

CVE-2019-9706: SECURITY: Fix for possible DoS by use-after-free (40791b93) · Commits · Debian / cron · GitLab

Vixie Cron before the 3.0pl1-133 Debian package allows local users to cause a denial of service (memory consumption) via a large crontab file because an unlimited number of lines is accepted.

CVE-2019-9705: Enforce maximum crontab line count of 1000 (26814a26) · Commits · Debian / cron · GitLab

In Live555 before 2019.02.27, malformed headers lead to invalid memory access in the parseAuthorizationHeader function.

CVE-2019-9215

An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.32. It is a heap-based buffer over-read in d_expression_1 in cp-demangle.c after many recursive calls.

Created attachment 11612 \[details\]
inputs that trigger bugs

- Intel Xeon Gold 5118 processors and 256 GB memory
- Linux n18-065-139 4.19.0-1-amd64 #1 SMP Debian 4.19.12-1 (2018-12-22) x86\_64 GNU/Linux
- clang version 4.0.0 (tags/RELEASE\_400/final)
- version: commit commit 388a192d73df7439bf375d8b8042bb53a6be9c60
- run: nm -C input\_file   (We attached the inputs that trigger the bug)
- asan report:
==2003322==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60e0000000d8 at pc 0x0000008957c6 bp 0x7ffdf2e36340 sp 0x7ffdf2e36338
READ of size 1 at 0x60e0000000d8 thread T0
    #0 0x8957c5 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3356:12
    #1 0x896370 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3449:16
    #2 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #3 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #4 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #5 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #6 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #7 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #8 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #9 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #10 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #11 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #12 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #13 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #14 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #15 0x896370 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3449:16
    #16 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #17 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #18 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #19 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #20 0x896370 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3449:16
    #21 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #22 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #23 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #24 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #25 0x89610c in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3416:18
    #26 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #27 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #28 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #29 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #30 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #31 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #32 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #33 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #34 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #35 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #36 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #37 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #38 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #39 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #40 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #41 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #42 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #43 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #44 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #45 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #46 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #47 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #48 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #49 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #50 0x896370 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3449:16
    #51 0x889158 in d\_expression /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3531:9
    #52 0x887a7d in d\_array\_type /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3011:13
    #53 0x883aa8 in cplus\_demangle\_type /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:2463:13
    #54 0x893cf5 in d\_parmlist /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:2908:14
    #55 0x88e7a5 in d\_bare\_function\_type /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:2962:8
    #56 0x8828eb in d\_encoding /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:1343:16
    #57 0x88200d in cplus\_demangle\_mangled\_name /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:1234:7
    #58 0x88c408 in d\_demangle\_callback /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:6292:7
    #59 0x88b8e6 in d\_demangle /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:6343:12
    #60 0x88b753 in cplus\_demangle\_v3 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:6500:10
    #61 0x87f020 in cplus\_demangle /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cplus-dem.c:165:13
    #62 0x517028 in bfd\_demangle /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/bfd.c:2254:9
    #63 0x4f4214 in print\_symname /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/nm.c:423:19
    #64 0x4f2e4e in print\_symbol\_info\_bsd /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/nm.c:1565:3
    #65 0x4f9c36 in print\_symbol /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/nm.c:903:3
    #66 0x4f7844 in print\_symbols /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/nm.c:1102:7
    #67 0x4f5d3a in display\_rel\_file /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/nm.c:1215:5
    #68 0x4f2356 in display\_file /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/nm.c:1335:7
    #69 0x4f1a97 in main /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/nm.c:1816:12
    #70 0x7f5777ae909a in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2409a)
    #71 0x41d5e9 in \_start (/mnt/raid/user/chenpeng/FuzzingBench/build/asan/install/bin/nm+0x41d5e9)

0x60e0000000d8 is located 0 bytes to the right of 152-byte region \[0x60e000000040,0x60e0000000d8)
allocated by thread T0 here:
    #0 0x4c42dc in malloc /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan\_malloc\_linux.cc:66:3
    #1 0x52e4c5 in bfd\_malloc /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/libbfd.c:275:9
    #2 0x516f6d in bfd\_demangle /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/bfd.c:2246:24
    #3 0x4f4214 in print\_symname /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/nm.c:423:19
    #4 0x4f2e4e in print\_symbol\_info\_bsd /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/nm.c:1565:3
    #5 0x4f9c36 in print\_symbol /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/nm.c:903:3
    #6 0x4f7844 in print\_symbols /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/nm.c:1102:7
    #7 0x4f5d3a in display\_rel\_file /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/nm.c:1215:5
    #8 0x4f2356 in display\_file /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/nm.c:1335:7
    #9 0x4f1a97 in main /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/nm.c:1816:12
    #10 0x7f5777ae909a in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2409a)

SUMMARY: AddressSanitizer: heap-buffer-overflow /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3356:12 in d\_expression\_1
Shadow bytes around the buggy address:
  0x0c1c7fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1c7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1c7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1c7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1c7fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
=>0x0c1c7fff8010: 00 00 00 00 00 00 00 00 00 00 00\[fa\]fa fa fa fa
  0x0c1c7fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1c7fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1c7fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1c7fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1c7fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2003322==ABORTING

Comment 1 Nick Clifton 2019-02-18 16:53:26 UTC

Hi spinpx,

  Thanks for reporting this bug.  Unfortunately the problem is in the 
  libiberty library which is maintained by the gcc project, rather than
  the binutils project.  So please could you report this bug here:

https://gcc.gnu.org/bugzilla/enter\_bug.cgi?product=gcc

Cheers
  Nick

Comment 3 spinpx 2019-02-19 09:08:00 UTC

It can be reproduced in commit c72e75a64030b0f6535a80481f37968ad55c333a (Feb 19 2019).

CVE-2019-9070: 24229 – nm: heap buffer overflow

An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is an attempted excessive memory allocation in elf_read_notes in elf.c.

Created attachment 11620 \[details\]
OOM input

size also has the OOM issue described in
https://sourceware.org/bugzilla/show\_bug.cgi?id=24233

- Intel Xeon Gold 5118 processors and 256 GB memory
- Linux n18-065-139 4.19.0-1-amd64 #1 SMP Debian 4.19.12-1 (2018-12-22) x86\_64 GNU/Linux
- clang version 4.0.0 (tags/RELEASE\_400/final)
- version: commit c72e75a64030b0f6535a80481f37968ad55c333a (Feb 19 2019)
- run: size input\_file


==1671718==ERROR: AddressSanitizer failed to allocate 0xfffff80000 (1099511103488) bytes of LargeMmapAllocator (error code: 12)
==1671718==Process memory map follows:
	0x000000400000-0x00000041d000	/mnt/raid/user/chenpeng/FuzzingBench/build/asan/install/bin/size
	0x00000041d000-0x0000008b3000	/mnt/raid/user/chenpeng/FuzzingBench/build/asan/install/bin/size
	0x0000008b3000-0x000000987000	/mnt/raid/user/chenpeng/FuzzingBench/build/asan/install/bin/size
	0x000000988000-0x000000989000	/mnt/raid/user/chenpeng/FuzzingBench/build/asan/install/bin/size
	0x000000989000-0x0000009e8000	/mnt/raid/user/chenpeng/FuzzingBench/build/asan/install/bin/size
	0x0000009e8000-0x000001654000	
	0x00007fff7000-0x00008fff7000	
	0x00008fff7000-0x02008fff7000	
	0x02008fff7000-0x10007fff8000	
	0x600000000000-0x602000000000	
	0x602000000000-0x602000010000	
	0x602000010000-0x602e00000000	
	0x602e00000000-0x602e00010000	
	0x602e00010000-0x603000000000	
	0x603000000000-0x603000010000	
	0x603000010000-0x603e00000000	
	0x603e00000000-0x603e00010000	
	0x603e00010000-0x604000000000	
	0x604000000000-0x604000010000	
	0x604000010000-0x604e00000000	
	0x604e00000000-0x604e00010000	
	0x604e00010000-0x607000000000	
	0x607000000000-0x607000010000	
	0x607000010000-0x607e00000000	
	0x607e00000000-0x607e00010000	
	0x607e00010000-0x608000000000	
	0x608000000000-0x608000010000	
	0x608000010000-0x608e00000000	
	0x608e00000000-0x608e00010000	
	0x608e00010000-0x60b000000000	
	0x60b000000000-0x60b000010000	
	0x60b000010000-0x60be00000000	
	0x60be00000000-0x60be00010000	
	0x60be00010000-0x60c000000000	
	0x60c000000000-0x60c000010000	
	0x60c000010000-0x60ce00000000	
	0x60ce00000000-0x60ce00010000	
	0x60ce00010000-0x60f000000000	
	0x60f000000000-0x60f000010000	
	0x60f000010000-0x60fe00000000	
	0x60fe00000000-0x60fe00010000	
	0x60fe00010000-0x610000000000	
	0x610000000000-0x610000010000	
	0x610000010000-0x610e00000000	
	0x610e00000000-0x610e00010000	
	0x610e00010000-0x611000000000	
	0x611000000000-0x611000010000	
	0x611000010000-0x611e00000000	
	0x611e00000000-0x611e00010000	
	0x611e00010000-0x612000000000	
	0x612000000000-0x612000010000	
	0x612000010000-0x612e00000000	
	0x612e00000000-0x612e00010000	
	0x612e00010000-0x614000000000	
	0x614000000000-0x614000010000	
	0x614000010000-0x614e00000000	
	0x614e00000000-0x614e00010000	
	0x614e00010000-0x616000000000	
	0x616000000000-0x616000010000	
	0x616000010000-0x616e00000000	
	0x616e00000000-0x616e00010000	
	0x616e00010000-0x618000000000	
	0x618000000000-0x618000010000	
	0x618000010000-0x618e00000000	
	0x618e00000000-0x618e00010000	
	0x618e00010000-0x61a000000000	
	0x61a000000000-0x61a000010000	
	0x61a000010000-0x61ae00000000	
	0x61ae00000000-0x61ae00010000	
	0x61ae00010000-0x61d000000000	
	0x61d000000000-0x61d000010000	
	0x61d000010000-0x61de00000000	
	0x61de00000000-0x61de00010000	
	0x61de00010000-0x61f000000000	
	0x61f000000000-0x61f000010000	
	0x61f000010000-0x61fe00000000	
	0x61fe00000000-0x61fe00010000	
	0x61fe00010000-0x621000000000	
	0x621000000000-0x621000010000	
	0x621000010000-0x621e00000000	
	0x621e00000000-0x621e00010000	
	0x621e00010000-0x624000000000	
	0x624000000000-0x624000010000	
	0x624000010000-0x624e00000000	
	0x624e00000000-0x624e00010000	
	0x624e00010000-0x640000000000	
	0x640000000000-0x640000003000	
	0x7f1585c66000-0x7f15866e0000	/usr/lib/locale/locale-archive
	0x7f15866e0000-0x7f1586900000	
	0x7f1586a00000-0x7f1586b00000	
	0x7f1586b51000-0x7f1586b65000	
	0x7f1586b65000-0x7f1586b6c000	/usr/lib/x86\_64-linux-gnu/gconv/gconv-modules.cache
	0x7f1586b6c000-0x7f1588f14000	
	0x7f1588f14000-0x7f1588f36000	/lib/x86\_64-linux-gnu/libc-2.28.so
	0x7f1588f36000-0x7f158907e000	/lib/x86\_64-linux-gnu/libc-2.28.so
	0x7f158907e000-0x7f15890ca000	/lib/x86\_64-linux-gnu/libc-2.28.so
	0x7f15890ca000-0x7f15890cb000	/lib/x86\_64-linux-gnu/libc-2.28.so
	0x7f15890cb000-0x7f15890cf000	/lib/x86\_64-linux-gnu/libc-2.28.so
	0x7f15890cf000-0x7f15890d1000	/lib/x86\_64-linux-gnu/libc-2.28.so
	0x7f15890d1000-0x7f15890d5000	
	0x7f15890d5000-0x7f15890d8000	/lib/x86\_64-linux-gnu/libgcc\_s.so.1
	0x7f15890d8000-0x7f15890e9000	/lib/x86\_64-linux-gnu/libgcc\_s.so.1
	0x7f15890e9000-0x7f15890ec000	/lib/x86\_64-linux-gnu/libgcc\_s.so.1
	0x7f15890ec000-0x7f15890ed000	/lib/x86\_64-linux-gnu/libgcc\_s.so.1
	0x7f15890ed000-0x7f15890ee000	/lib/x86\_64-linux-gnu/libgcc\_s.so.1
	0x7f15890ee000-0x7f15890ef000	/lib/x86\_64-linux-gnu/libgcc\_s.so.1
	0x7f15890ef000-0x7f15890f0000	/lib/x86\_64-linux-gnu/libdl-2.28.so
	0x7f15890f0000-0x7f15890f1000	/lib/x86\_64-linux-gnu/libdl-2.28.so
	0x7f15890f1000-0x7f15890f2000	/lib/x86\_64-linux-gnu/libdl-2.28.so
	0x7f15890f2000-0x7f15890f3000	/lib/x86\_64-linux-gnu/libdl-2.28.so
	0x7f15890f3000-0x7f15890f4000	/lib/x86\_64-linux-gnu/libdl-2.28.so
	0x7f15890f4000-0x7f1589101000	/lib/x86\_64-linux-gnu/libm-2.28.so
	0x7f1589101000-0x7f15891a0000	/lib/x86\_64-linux-gnu/libm-2.28.so
	0x7f15891a0000-0x7f1589275000	/lib/x86\_64-linux-gnu/libm-2.28.so
	0x7f1589275000-0x7f1589276000	/lib/x86\_64-linux-gnu/libm-2.28.so
	0x7f1589276000-0x7f1589277000	/lib/x86\_64-linux-gnu/libm-2.28.so
	0x7f1589277000-0x7f1589279000	/lib/x86\_64-linux-gnu/librt-2.28.so
	0x7f1589279000-0x7f158927d000	/lib/x86\_64-linux-gnu/librt-2.28.so
	0x7f158927d000-0x7f158927f000	/lib/x86\_64-linux-gnu/librt-2.28.so
	0x7f158927f000-0x7f1589280000	/lib/x86\_64-linux-gnu/librt-2.28.so
	0x7f1589280000-0x7f1589281000	/lib/x86\_64-linux-gnu/librt-2.28.so
	0x7f1589281000-0x7f1589287000	/lib/x86\_64-linux-gnu/libpthread-2.28.so
	0x7f1589287000-0x7f1589296000	/lib/x86\_64-linux-gnu/libpthread-2.28.so
	0x7f1589296000-0x7f158929c000	/lib/x86\_64-linux-gnu/libpthread-2.28.so
	0x7f158929c000-0x7f158929d000	/lib/x86\_64-linux-gnu/libpthread-2.28.so
	0x7f158929d000-0x7f158929e000	/lib/x86\_64-linux-gnu/libpthread-2.28.so
	0x7f158929e000-0x7f15892a2000	
	0x7f15892a2000-0x7f15892b1000	
	0x7f15892b1000-0x7f15892b2000	/lib/x86\_64-linux-gnu/ld-2.28.so
	0x7f15892b2000-0x7f15892d0000	/lib/x86\_64-linux-gnu/ld-2.28.so
	0x7f15892d0000-0x7f15892d8000	/lib/x86\_64-linux-gnu/ld-2.28.so
	0x7f15892d8000-0x7f15892d9000	/lib/x86\_64-linux-gnu/ld-2.28.so
	0x7f15892d9000-0x7f15892da000	/lib/x86\_64-linux-gnu/ld-2.28.so
	0x7f15892da000-0x7f15892db000	
	0x7fff515d3000-0x7fff515f4000	\[stack\]
	0x7fff515f6000-0x7fff515f9000	\[vvar\]
	0x7fff515f9000-0x7fff515fb000	\[vdso\]
==1671718==End of process memory map.
==1671718==AddressSanitizer CHECK failed: /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/sanitizer\_common/sanitizer\_common.cc:120 "((0 && "unable to mmap")) != (0)" (0x0, 0x0)
    #0 0x4cbc9f in \_\_asan::AsanCheckFailed(char const\*, int, char const\*, unsigned long long, unsigned long long) /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan\_rtl.cc:69:3
    #1 0x4df5ff in \_\_sanitizer::CheckFailed(char const\*, int, char const\*, unsigned long long, unsigned long long) /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/sanitizer\_common/sanitizer\_termination.cc:79:5
    #2 0x4d0c0e in \_\_sanitizer::ReportMmapFailureAndDie(unsigned long, char const\*, char const\*, int, bool) /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/sanitizer\_common/sanitizer\_common.cc:120:3
    #3 0x4d962b in \_\_sanitizer::MmapOrDie(unsigned long, char const\*, bool) /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/sanitizer\_common/sanitizer\_posix.cc:132:5
    #4 0x421e04 in \_\_sanitizer::LargeMmapAllocator<\_\_asan::AsanMapUnmapCallback>::Allocate(\_\_sanitizer::AllocatorStats\*, unsigned long, unsigned long) /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer\_common/sanitizer\_allocator\_secondary.h:41:9
    #5 0x421bb8 in \_\_sanitizer::CombinedAllocator<\_\_sanitizer::SizeClassAllocator64<\_\_asan::AP64>, \_\_sanitizer::SizeClassAllocatorLocalCache<\_\_sanitizer::SizeClassAllocator64<\_\_asan::AP64> >, \_\_sanitizer::LargeMmapAllocator<\_\_asan::AsanMapUnmapCallback> >::Allocate(\_\_sanitizer::SizeClassAllocatorLocalCache<\_\_sanitizer::SizeClassAllocator64<\_\_asan::AP64> >\*, unsigned long, unsigned long, bool, bool) /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer\_common/sanitizer\_allocator\_combined.h:70:24
    #6 0x41f06f in \_\_asan::Allocator::Allocate(unsigned long, unsigned long, \_\_sanitizer::BufferedStackTrace\*, \_\_asan::AllocType, bool) /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan\_allocator.cc:407:21
    #7 0x4c43a0 in malloc /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan\_malloc\_linux.cc:67:10
    #8 0x526c75 in bfd\_malloc /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/libbfd.c:275:9
    #9 0x5cd904 in elf\_read\_notes /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/elf.c:11692:18
    #10 0x5cd6cd in bfd\_section\_from\_phdr /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/elf.c:3024:13
    #11 0x5ade7a in bfd\_elf64\_core\_file\_p /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/elfcore.h:277:11
    #12 0x5207e5 in bfd\_check\_format\_matches /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/format.c:315:14
    #13 0x4f23c1 in display\_bfd /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/size.c:347:7
    #14 0x4f1ed5 in display\_file /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/size.c:434:5
    #15 0x4f1aa5 in main /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/size.c:260:7
    #16 0x7f1588f3809a in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2409a)
    #17 0x41d5e9 in \_start (/mnt/raid/user/chenpeng/FuzzingBench/build/asan/install/bin/size+0x41d5e9)

Comment 1 Alan Modra 2019-02-19 22:51:52 UTC

This is a different testcase and different out of memory condition to pr24233.  Unlike pr24233 we report an out of memory error.  I think that is perfectly good behaviour for user input with silly sizes, in this case a NOTE section claiming to be 0xfffff7dd00 bytes in size.  While we could test for silly section sizes by comparing against file size, that doesn't work in all situations, eg. when section contents are encoded and the decoded size is much larger than the raw size.

CVE-2019-9076: Out of memory in libbfd

An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is an attempted excessive memory allocation in _bfd_elf_slurp_version_tables in elf.c.

Created attachment 11615 \[details\]
inputs that trigger bugs

- Intel Xeon Gold 5118 processors and 256 GB memory
- Linux n18-065-139 4.19.0-1-amd64 #1 SMP Debian 4.19.12-1 (2018-12-22) x86\_64 GNU/Linux
- clang version 4.0.0 (tags/RELEASE\_400/final)
- version: commit c72e75a64030b0f6535a80481f37968ad55c333a (Feb 19 2019)
- run objdump -x input\_file

- asan report
==1243005==ERROR: AddressSanitizer failed to allocate 0xffffffa000 (1099511603200) bytes of LargeMmapAllocator (error code: 12)
==1243005==Process memory map follows:
	0x000000400000-0x00000041d000	/mnt/raid/user/chenpeng/FuzzingBench/build/asan/install/bin/objdump
	0x00000041d000-0x000000996000	/mnt/raid/user/chenpeng/FuzzingBench/build/asan/install/bin/objdump
	0x000000996000-0x000000bc9000	/mnt/raid/user/chenpeng/FuzzingBench/build/asan/install/bin/objdump
	0x000000bca000-0x000000bcb000	/mnt/raid/user/chenpeng/FuzzingBench/build/asan/install/bin/objdump
	0x000000bcb000-0x000000c78000	/mnt/raid/user/chenpeng/FuzzingBench/build/asan/install/bin/objdump
	0x000000c78000-0x0000018e9000	
	0x00007fff7000-0x00008fff7000	
	0x00008fff7000-0x02008fff7000	
	0x02008fff7000-0x10007fff8000	
	0x600000000000-0x602000000000	
	0x602000000000-0x602000010000	
	0x602000010000-0x602e00000000	
	0x602e00000000-0x602e00010000	
	0x602e00010000-0x603000000000	
	0x603000000000-0x603000010000	
	0x603000010000-0x603e00000000	
	0x603e00000000-0x603e00010000	
	0x603e00010000-0x604000000000	
	0x604000000000-0x604000010000	
	0x604000010000-0x604e00000000	
	0x604e00000000-0x604e00010000	
	0x604e00010000-0x606000000000	
	0x606000000000-0x606000010000	
	0x606000010000-0x606e00000000	
	0x606e00000000-0x606e00010000	
	0x606e00010000-0x607000000000	
	0x607000000000-0x607000010000	
	0x607000010000-0x607e00000000	
	0x607e00000000-0x607e00010000	
	0x607e00010000-0x608000000000	
	0x608000000000-0x608000010000	
	0x608000010000-0x608e00000000	
	0x608e00000000-0x608e00010000	
	0x608e00010000-0x60b000000000	
	0x60b000000000-0x60b000010000	
	0x60b000010000-0x60be00000000	
	0x60be00000000-0x60be00010000	
	0x60be00010000-0x60c000000000	
	0x60c000000000-0x60c000010000	
	0x60c000010000-0x60ce00000000	
	0x60ce00000000-0x60ce00010000	
	0x60ce00010000-0x60f000000000	
	0x60f000000000-0x60f000010000	
	0x60f000010000-0x60fe00000000	
	0x60fe00000000-0x60fe00010000	
	0x60fe00010000-0x610000000000	
	0x610000000000-0x610000010000	
	0x610000010000-0x610e00000000	
	0x610e00000000-0x610e00010000	
	0x610e00010000-0x611000000000	
	0x611000000000-0x611000010000	
	0x611000010000-0x611e00000000	
	0x611e00000000-0x611e00010000	
	0x611e00010000-0x612000000000	
	0x612000000000-0x612000010000	
	0x612000010000-0x612e00000000	
	0x612e00000000-0x612e00010000	
	0x612e00010000-0x614000000000	
	0x614000000000-0x614000010000	
	0x614000010000-0x614e00000000	
	0x614e00000000-0x614e00010000	
	0x614e00010000-0x616000000000	
	0x616000000000-0x616000010000	
	0x616000010000-0x616e00000000	
	0x616e00000000-0x616e00010000	
	0x616e00010000-0x618000000000	
	0x618000000000-0x618000010000	
	0x618000010000-0x618e00000000	
	0x618e00000000-0x618e00010000	
	0x618e00010000-0x619000000000	
	0x619000000000-0x619000010000	
	0x619000010000-0x619e00000000	
	0x619e00000000-0x619e00010000	
	0x619e00010000-0x61a000000000	
	0x61a000000000-0x61a000010000	
	0x61a000010000-0x61ae00000000	
	0x61ae00000000-0x61ae00010000	
	0x61ae00010000-0x61b000000000	
	0x61b000000000-0x61b000010000	
	0x61b000010000-0x61be00000000	
	0x61be00000000-0x61be00010000	
	0x61be00010000-0x61d000000000	
	0x61d000000000-0x61d000010000	
	0x61d000010000-0x61de00000000	
	0x61de00000000-0x61de00010000	
	0x61de00010000-0x61f000000000	
	0x61f000000000-0x61f000010000	
	0x61f000010000-0x61fe00000000	
	0x61fe00000000-0x61fe00010000	
	0x61fe00010000-0x621000000000	
	0x621000000000-0x621000010000	
	0x621000010000-0x621e00000000	
	0x621e00000000-0x621e00010000	
	0x621e00010000-0x624000000000	
	0x624000000000-0x624000010000	
	0x624000010000-0x624e00000000	
	0x624e00000000-0x624e00010000	
	0x624e00010000-0x62d000000000	
	0x62d000000000-0x62d000020000	
	0x62d000020000-0x62de00000000	
	0x62de00000000-0x62de00010000	
	0x62de00010000-0x640000000000	
	0x640000000000-0x640000003000	
	0x7f1ecf066000-0x7f1ecfae0000	/usr/lib/locale/locale-archive
	0x7f1ecfae0000-0x7f1ecfd00000	
	0x7f1ecfdec000-0x7f1ecff00000	
	0x7f1ecff01000-0x7f1ecff08000	/usr/lib/x86\_64-linux-gnu/gconv/gconv-modules.cache
	0x7f1ecff08000-0x7f1ed22c2000	
	0x7f1ed22c2000-0x7f1ed22e4000	/lib/x86\_64-linux-gnu/libc-2.28.so
	0x7f1ed22e4000-0x7f1ed242c000	/lib/x86\_64-linux-gnu/libc-2.28.so
	0x7f1ed242c000-0x7f1ed2478000	/lib/x86\_64-linux-gnu/libc-2.28.so
	0x7f1ed2478000-0x7f1ed2479000	/lib/x86\_64-linux-gnu/libc-2.28.so
	0x7f1ed2479000-0x7f1ed247d000	/lib/x86\_64-linux-gnu/libc-2.28.so
	0x7f1ed247d000-0x7f1ed247f000	/lib/x86\_64-linux-gnu/libc-2.28.so
	0x7f1ed247f000-0x7f1ed2483000	
	0x7f1ed2483000-0x7f1ed2486000	/lib/x86\_64-linux-gnu/libgcc\_s.so.1
	0x7f1ed2486000-0x7f1ed2497000	/lib/x86\_64-linux-gnu/libgcc\_s.so.1
	0x7f1ed2497000-0x7f1ed249a000	/lib/x86\_64-linux-gnu/libgcc\_s.so.1
	0x7f1ed249a000-0x7f1ed249b000	/lib/x86\_64-linux-gnu/libgcc\_s.so.1
	0x7f1ed249b000-0x7f1ed249c000	/lib/x86\_64-linux-gnu/libgcc\_s.so.1
	0x7f1ed249c000-0x7f1ed249d000	/lib/x86\_64-linux-gnu/libgcc\_s.so.1
	0x7f1ed249d000-0x7f1ed249e000	/lib/x86\_64-linux-gnu/libdl-2.28.so
	0x7f1ed249e000-0x7f1ed249f000	/lib/x86\_64-linux-gnu/libdl-2.28.so
	0x7f1ed249f000-0x7f1ed24a0000	/lib/x86\_64-linux-gnu/libdl-2.28.so
	0x7f1ed24a0000-0x7f1ed24a1000	/lib/x86\_64-linux-gnu/libdl-2.28.so
	0x7f1ed24a1000-0x7f1ed24a2000	/lib/x86\_64-linux-gnu/libdl-2.28.so
	0x7f1ed24a2000-0x7f1ed24af000	/lib/x86\_64-linux-gnu/libm-2.28.so
	0x7f1ed24af000-0x7f1ed254e000	/lib/x86\_64-linux-gnu/libm-2.28.so
	0x7f1ed254e000-0x7f1ed2623000	/lib/x86\_64-linux-gnu/libm-2.28.so
	0x7f1ed2623000-0x7f1ed2624000	/lib/x86\_64-linux-gnu/libm-2.28.so
	0x7f1ed2624000-0x7f1ed2625000	/lib/x86\_64-linux-gnu/libm-2.28.so
	0x7f1ed2625000-0x7f1ed2627000	/lib/x86\_64-linux-gnu/librt-2.28.so
	0x7f1ed2627000-0x7f1ed262b000	/lib/x86\_64-linux-gnu/librt-2.28.so
	0x7f1ed262b000-0x7f1ed262d000	/lib/x86\_64-linux-gnu/librt-2.28.so
	0x7f1ed262d000-0x7f1ed262e000	/lib/x86\_64-linux-gnu/librt-2.28.so
	0x7f1ed262e000-0x7f1ed262f000	/lib/x86\_64-linux-gnu/librt-2.28.so
	0x7f1ed262f000-0x7f1ed2635000	/lib/x86\_64-linux-gnu/libpthread-2.28.so
	0x7f1ed2635000-0x7f1ed2644000	/lib/x86\_64-linux-gnu/libpthread-2.28.so
	0x7f1ed2644000-0x7f1ed264a000	/lib/x86\_64-linux-gnu/libpthread-2.28.so
	0x7f1ed264a000-0x7f1ed264b000	/lib/x86\_64-linux-gnu/libpthread-2.28.so
	0x7f1ed264b000-0x7f1ed264c000	/lib/x86\_64-linux-gnu/libpthread-2.28.so
	0x7f1ed264c000-0x7f1ed2650000	
	0x7f1ed2650000-0x7f1ed265f000	
	0x7f1ed265f000-0x7f1ed2660000	/lib/x86\_64-linux-gnu/ld-2.28.so
	0x7f1ed2660000-0x7f1ed267e000	/lib/x86\_64-linux-gnu/ld-2.28.so
	0x7f1ed267e000-0x7f1ed2686000	/lib/x86\_64-linux-gnu/ld-2.28.so
	0x7f1ed2686000-0x7f1ed2687000	/lib/x86\_64-linux-gnu/ld-2.28.so
	0x7f1ed2687000-0x7f1ed2688000	/lib/x86\_64-linux-gnu/ld-2.28.so
	0x7f1ed2688000-0x7f1ed2689000	
	0x7ffc80989000-0x7ffc809aa000	\[stack\]
	0x7ffc809ea000-0x7ffc809ed000	\[vvar\]
	0x7ffc809ed000-0x7ffc809ef000	\[vdso\]
==1243005==End of process memory map.
==1243005==AddressSanitizer CHECK failed: /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/sanitizer\_common/sanitizer\_common.cc:120 "((0 && "unable to mmap")) != (0)" (0x0, 0x0)
    #0 0x4cbcef in \_\_asan::AsanCheckFailed(char const\*, int, char const\*, unsigned long long, unsigned long long) /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan\_rtl.cc:69:3
    #1 0x4df64f in \_\_sanitizer::CheckFailed(char const\*, int, char const\*, unsigned long long, unsigned long long) /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/sanitizer\_common/sanitizer\_termination.cc:79:5
    #2 0x4d0c5e in \_\_sanitizer::ReportMmapFailureAndDie(unsigned long, char const\*, char const\*, int, bool) /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/sanitizer\_common/sanitizer\_common.cc:120:3
    #3 0x4d967b in \_\_sanitizer::MmapOrDie(unsigned long, char const\*, bool) /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/sanitizer\_common/sanitizer\_posix.cc:132:5
    #4 0x421e54 in \_\_sanitizer::LargeMmapAllocator<\_\_asan::AsanMapUnmapCallback>::Allocate(\_\_sanitizer::AllocatorStats\*, unsigned long, unsigned long) /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer\_common/sanitizer\_allocator\_secondary.h:41:9
    #5 0x421c08 in \_\_sanitizer::CombinedAllocator<\_\_sanitizer::SizeClassAllocator64<\_\_asan::AP64>, \_\_sanitizer::SizeClassAllocatorLocalCache<\_\_sanitizer::SizeClassAllocator64<\_\_asan::AP64> >, \_\_sanitizer::LargeMmapAllocator<\_\_asan::AsanMapUnmapCallback> >::Allocate(\_\_sanitizer::SizeClassAllocatorLocalCache<\_\_sanitizer::SizeClassAllocator64<\_\_asan::AP64> >\*, unsigned long, unsigned long, bool, bool) /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer\_common/sanitizer\_allocator\_combined.h:70:24
    #6 0x41f0bf in \_\_asan::Allocator::Allocate(unsigned long, unsigned long, \_\_sanitizer::BufferedStackTrace\*, \_\_asan::AllocType, bool) /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan\_allocator.cc:407:21
    #7 0x4c43f0 in malloc /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan\_malloc\_linux.cc:67:10
    #8 0x605fb5 in bfd\_malloc /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/libbfd.c:275:9
    #9 0x6a969b in \_bfd\_elf\_slurp\_version\_tables /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/elf.c:8556:31
    #10 0x6a696f in \_bfd\_elf\_print\_private\_bfd\_data /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/elf.c:1798:13
    #11 0x4f65d5 in dump\_bfd\_private\_header /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/objdump.c:3181:3
    #12 0x4f51f9 in dump\_bfd /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/objdump.c:3782:5
    #13 0x4f4c71 in display\_object\_bfd /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/objdump.c:3883:7
    #14 0x4f4b67 in display\_any\_bfd /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/objdump.c:3973:5
    #15 0x4f424a in display\_file /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/objdump.c:3994:3
    #16 0x4f3ab0 in main /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/objdump.c:4304:6
    #17 0x7f1ed22e609a in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2409a)
    #18 0x41d639 in \_start (/mnt/raid/user/chenpeng/FuzzingBench/build/asan/install/bin/objdump+0x41d639)

Comment 1 Alan Modra 2019-02-19 11:32:50 UTC

This also doesn't reproduce for me.

Comment 2 Alan Modra 2019-02-19 11:57:06 UTC

The testcase has a VERDEFS section claiming to be 0xffffff7f00 in size.  I suppose we should inform the user that they hit an out-of-memory here rather than just silently ignoring the failure.

Comment 3 spinpx 2019-02-19 12:07:07 UTC

(In reply to Alan Modra from comment #2)
\> The testcase has a VERDEFS section claiming to be 0xffffff7f00 in size.  I
> suppose we should inform the user that they hit an out-of-memory here rather
> than just silently ignoring the failure.

Agree.

Comment 6 Alan Modra 2019-02-20 03:25:42 UTC

objdump now reports that something went wrong when printing private headers.

CVE-2019-9073: Out of memory in libbfd.c

An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is an attempted excessive memory allocation in setup_group in elf.c.

size also has the OOM issue described in https://sourceware.org/bugzilla/show\_bug.cgi?id=24232

If the issue it in a library shared with nm and size and if other program use it,  it will cause DOS attacks.

- Intel Xeon Gold 5118 processors and 256 GB memory
- Linux n18-065-139 4.19.0-1-amd64 #1 SMP Debian 4.19.12-1 (2018-12-22) x86\_64 GNU/Linux
- clang version 4.0.0 (tags/RELEASE\_400/final)
- version: commit c72e75a64030b0f6535a80481f37968ad55c333a (Feb 19 2019)
- run: size input\_file


==1601289==ERROR: AddressSanitizer failed to allocate 0xfe01363000 (1090942021632) bytes of LargeMmapAllocator (error code: 12)
==1601289==Process memory map follows:
	0x000000400000-0x00000041d000	/mnt/raid/user/chenpeng/FuzzingBench/build/asan/install/bin/size
	0x00000041d000-0x0000008b3000	/mnt/raid/user/chenpeng/FuzzingBench/build/asan/install/bin/size
	0x0000008b3000-0x000000987000	/mnt/raid/user/chenpeng/FuzzingBench/build/asan/install/bin/size
	0x000000988000-0x000000989000	/mnt/raid/user/chenpeng/FuzzingBench/build/asan/install/bin/size
	0x000000989000-0x0000009e8000	/mnt/raid/user/chenpeng/FuzzingBench/build/asan/install/bin/size
	0x0000009e8000-0x000001654000	
	0x00007fff7000-0x00008fff7000	
	0x00008fff7000-0x02008fff7000	
	0x02008fff7000-0x10007fff8000	
	0x600000000000-0x602000000000	
	0x602000000000-0x602000010000	
	0x602000010000-0x602e00000000	
	0x602e00000000-0x602e00010000	
	0x602e00010000-0x603000000000	
	0x603000000000-0x603000010000	
	0x603000010000-0x603e00000000	
	0x603e00000000-0x603e00010000	
	0x603e00010000-0x604000000000	
	0x604000000000-0x604000010000	
	0x604000010000-0x604e00000000	
	0x604e00000000-0x604e00010000	
	0x604e00010000-0x606000000000	
	0x606000000000-0x606000010000	
	0x606000010000-0x606e00000000	
	0x606e00000000-0x606e00010000	
	0x606e00010000-0x607000000000	
	0x607000000000-0x607000010000	
	0x607000010000-0x607e00000000	
	0x607e00000000-0x607e00010000	
	0x607e00010000-0x608000000000	
	0x608000000000-0x608000010000	
	0x608000010000-0x608e00000000	
	0x608e00000000-0x608e00010000	
	0x608e00010000-0x60b000000000	
	0x60b000000000-0x60b000010000	
	0x60b000010000-0x60be00000000	
	0x60be00000000-0x60be00010000	
	0x60be00010000-0x60c000000000	
	0x60c000000000-0x60c000010000	
	0x60c000010000-0x60ce00000000	
	0x60ce00000000-0x60ce00010000	
	0x60ce00010000-0x60f000000000	
	0x60f000000000-0x60f000010000	
	0x60f000010000-0x60fe00000000	
	0x60fe00000000-0x60fe00010000	
	0x60fe00010000-0x610000000000	
	0x610000000000-0x610000010000	
	0x610000010000-0x610e00000000	
	0x610e00000000-0x610e00010000	
	0x610e00010000-0x611000000000	
	0x611000000000-0x611000010000	
	0x611000010000-0x611e00000000	
	0x611e00000000-0x611e00010000	
	0x611e00010000-0x612000000000	
	0x612000000000-0x612000010000	
	0x612000010000-0x612e00000000	
	0x612e00000000-0x612e00010000	
	0x612e00010000-0x614000000000	
	0x614000000000-0x614000010000	
	0x614000010000-0x614e00000000	
	0x614e00000000-0x614e00010000	
	0x614e00010000-0x616000000000	
	0x616000000000-0x616000010000	
	0x616000010000-0x616e00000000	
	0x616e00000000-0x616e00010000	
	0x616e00010000-0x618000000000	
	0x618000000000-0x618000010000	
	0x618000010000-0x618e00000000	
	0x618e00000000-0x618e00010000	
	0x618e00010000-0x619000000000	
	0x619000000000-0x619000010000	
	0x619000010000-0x619e00000000	
	0x619e00000000-0x619e00010000	
	0x619e00010000-0x61a000000000	
	0x61a000000000-0x61a000010000	
	0x61a000010000-0x61ae00000000	
	0x61ae00000000-0x61ae00010000	
	0x61ae00010000-0x61b000000000	
	0x61b000000000-0x61b000010000	
	0x61b000010000-0x61be00000000	
	0x61be00000000-0x61be00010000	
	0x61be00010000-0x61d000000000	
	0x61d000000000-0x61d000010000	
	0x61d000010000-0x61de00000000	
	0x61de00000000-0x61de00010000	
	0x61de00010000-0x61f000000000	
	0x61f000000000-0x61f000010000	
	0x61f000010000-0x61fe00000000	
	0x61fe00000000-0x61fe00010000	
	0x61fe00010000-0x621000000000	
	0x621000000000-0x621000010000	
	0x621000010000-0x621e00000000	
	0x621e00000000-0x621e00010000	
	0x621e00010000-0x624000000000	
	0x624000000000-0x624000010000	
	0x624000010000-0x624e00000000	
	0x624e00000000-0x624e00010000	
	0x624e00010000-0x640000000000	
	0x640000000000-0x640000003000	
	0x7f92d9266000-0x7f92d9ce0000	/usr/lib/locale/locale-archive
	0x7f92d9ce0000-0x7f92d9f00000	
	0x7f92da000000-0x7f92da100000	
	0x7f92da131000-0x7f92da145000	
	0x7f92da145000-0x7f92da14c000	/usr/lib/x86\_64-linux-gnu/gconv/gconv-modules.cache
	0x7f92da14c000-0x7f92dc4f4000	
	0x7f92dc4f4000-0x7f92dc516000	/lib/x86\_64-linux-gnu/libc-2.28.so
	0x7f92dc516000-0x7f92dc65e000	/lib/x86\_64-linux-gnu/libc-2.28.so
	0x7f92dc65e000-0x7f92dc6aa000	/lib/x86\_64-linux-gnu/libc-2.28.so
	0x7f92dc6aa000-0x7f92dc6ab000	/lib/x86\_64-linux-gnu/libc-2.28.so
	0x7f92dc6ab000-0x7f92dc6af000	/lib/x86\_64-linux-gnu/libc-2.28.so
	0x7f92dc6af000-0x7f92dc6b1000	/lib/x86\_64-linux-gnu/libc-2.28.so
	0x7f92dc6b1000-0x7f92dc6b5000	
	0x7f92dc6b5000-0x7f92dc6b8000	/lib/x86\_64-linux-gnu/libgcc\_s.so.1
	0x7f92dc6b8000-0x7f92dc6c9000	/lib/x86\_64-linux-gnu/libgcc\_s.so.1
	0x7f92dc6c9000-0x7f92dc6cc000	/lib/x86\_64-linux-gnu/libgcc\_s.so.1
	0x7f92dc6cc000-0x7f92dc6cd000	/lib/x86\_64-linux-gnu/libgcc\_s.so.1
	0x7f92dc6cd000-0x7f92dc6ce000	/lib/x86\_64-linux-gnu/libgcc\_s.so.1
	0x7f92dc6ce000-0x7f92dc6cf000	/lib/x86\_64-linux-gnu/libgcc\_s.so.1
	0x7f92dc6cf000-0x7f92dc6d0000	/lib/x86\_64-linux-gnu/libdl-2.28.so
	0x7f92dc6d0000-0x7f92dc6d1000	/lib/x86\_64-linux-gnu/libdl-2.28.so
	0x7f92dc6d1000-0x7f92dc6d2000	/lib/x86\_64-linux-gnu/libdl-2.28.so
	0x7f92dc6d2000-0x7f92dc6d3000	/lib/x86\_64-linux-gnu/libdl-2.28.so
	0x7f92dc6d3000-0x7f92dc6d4000	/lib/x86\_64-linux-gnu/libdl-2.28.so
	0x7f92dc6d4000-0x7f92dc6e1000	/lib/x86\_64-linux-gnu/libm-2.28.so
	0x7f92dc6e1000-0x7f92dc780000	/lib/x86\_64-linux-gnu/libm-2.28.so
	0x7f92dc780000-0x7f92dc855000	/lib/x86\_64-linux-gnu/libm-2.28.so
	0x7f92dc855000-0x7f92dc856000	/lib/x86\_64-linux-gnu/libm-2.28.so
	0x7f92dc856000-0x7f92dc857000	/lib/x86\_64-linux-gnu/libm-2.28.so
	0x7f92dc857000-0x7f92dc859000	/lib/x86\_64-linux-gnu/librt-2.28.so
	0x7f92dc859000-0x7f92dc85d000	/lib/x86\_64-linux-gnu/librt-2.28.so
	0x7f92dc85d000-0x7f92dc85f000	/lib/x86\_64-linux-gnu/librt-2.28.so
	0x7f92dc85f000-0x7f92dc860000	/lib/x86\_64-linux-gnu/librt-2.28.so
	0x7f92dc860000-0x7f92dc861000	/lib/x86\_64-linux-gnu/librt-2.28.so
	0x7f92dc861000-0x7f92dc867000	/lib/x86\_64-linux-gnu/libpthread-2.28.so
	0x7f92dc867000-0x7f92dc876000	/lib/x86\_64-linux-gnu/libpthread-2.28.so
	0x7f92dc876000-0x7f92dc87c000	/lib/x86\_64-linux-gnu/libpthread-2.28.so
	0x7f92dc87c000-0x7f92dc87d000	/lib/x86\_64-linux-gnu/libpthread-2.28.so
	0x7f92dc87d000-0x7f92dc87e000	/lib/x86\_64-linux-gnu/libpthread-2.28.so
	0x7f92dc87e000-0x7f92dc882000	
	0x7f92dc882000-0x7f92dc891000	
	0x7f92dc891000-0x7f92dc892000	/lib/x86\_64-linux-gnu/ld-2.28.so
	0x7f92dc892000-0x7f92dc8b0000	/lib/x86\_64-linux-gnu/ld-2.28.so
	0x7f92dc8b0000-0x7f92dc8b8000	/lib/x86\_64-linux-gnu/ld-2.28.so
	0x7f92dc8b8000-0x7f92dc8b9000	/lib/x86\_64-linux-gnu/ld-2.28.so
	0x7f92dc8b9000-0x7f92dc8ba000	/lib/x86\_64-linux-gnu/ld-2.28.so
	0x7f92dc8ba000-0x7f92dc8bb000	
	0x7ffced2e9000-0x7ffced30a000	\[stack\]
	0x7ffced35a000-0x7ffced35d000	\[vvar\]
	0x7ffced35d000-0x7ffced35f000	\[vdso\]
==1601289==End of process memory map.
==1601289==AddressSanitizer CHECK failed: /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/sanitizer\_common/sanitizer\_common.cc:120 "((0 && "unable to mmap")) != (0)" (0x0, 0x0)
    #0 0x4cbc9f in \_\_asan::AsanCheckFailed(char const\*, int, char const\*, unsigned long long, unsigned long long) /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan\_rtl.cc:69:3
    #1 0x4df5ff in \_\_sanitizer::CheckFailed(char const\*, int, char const\*, unsigned long long, unsigned long long) /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/sanitizer\_common/sanitizer\_termination.cc:79:5
    #2 0x4d0c0e in \_\_sanitizer::ReportMmapFailureAndDie(unsigned long, char const\*, char const\*, int, bool) /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/sanitizer\_common/sanitizer\_common.cc:120:3
    #3 0x4d962b in \_\_sanitizer::MmapOrDie(unsigned long, char const\*, bool) /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/sanitizer\_common/sanitizer\_posix.cc:132:5
    #4 0x421e04 in \_\_sanitizer::LargeMmapAllocator<\_\_asan::AsanMapUnmapCallback>::Allocate(\_\_sanitizer::AllocatorStats\*, unsigned long, unsigned long) /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer\_common/sanitizer\_allocator\_secondary.h:41:9
    #5 0x421bb8 in \_\_sanitizer::CombinedAllocator<\_\_sanitizer::SizeClassAllocator64<\_\_asan::AP64>, \_\_sanitizer::SizeClassAllocatorLocalCache<\_\_sanitizer::SizeClassAllocator64<\_\_asan::AP64> >, \_\_sanitizer::LargeMmapAllocator<\_\_asan::AsanMapUnmapCallback> >::Allocate(\_\_sanitizer::SizeClassAllocatorLocalCache<\_\_sanitizer::SizeClassAllocator64<\_\_asan::AP64> >\*, unsigned long, unsigned long, bool, bool) /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer\_common/sanitizer\_allocator\_combined.h:70:24
    #6 0x41f06f in \_\_asan::Allocator::Allocate(unsigned long, unsigned long, \_\_sanitizer::BufferedStackTrace\*, \_\_asan::AllocType, bool) /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan\_allocator.cc:407:21
    #7 0x4c43a0 in malloc /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan\_malloc\_linux.cc:67:10
    #8 0x8affb0 in \_objalloc\_alloc /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/objalloc.c:143:22
    #9 0x52e450 in bfd\_alloc /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/opncls.c:949:9
    #10 0x52e51f in bfd\_alloc2 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/opncls.c:978:10
    #11 0x5b7e8c in setup\_group /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/elf.c:658:9
    #12 0x5b4472 in \_bfd\_elf\_make\_section\_from\_shdr /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/elf.c:1053:10
    #13 0x5c9f9b in bfd\_section\_from\_shdr /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/elf.c:2452:13
    #14 0x5c7f32 in bfd\_section\_from\_shdr /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/elf.c:2311:11
    #15 0x5a111f in bfd\_elf64\_object\_p /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/elfcode.h:818:7
    #16 0x5207e5 in bfd\_check\_format\_matches /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/format.c:315:14
    #17 0x4f22d5 in display\_bfd /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/size.c:331:7
    #18 0x4f1ed5 in display\_file /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/size.c:434:5
    #19 0x4f1aa5 in main /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/size.c:260:7
    #20 0x7f92dc51809a in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2409a)
    #21 0x41d5e9 in \_start (/mnt/raid/user/chenpeng/FuzzingBench/build/asan/install/bin/size+0x41d5e9)

Comment 2 Alan Modra 2019-02-19 22:37:51 UTC

This is exactly the same "bug" as 24232 but with a slightly different testcase.

\*\*\* This bug has been marked as a duplicate of bug 24232 \*\*\*

Tag

#debian