
RESEARCH – OBJDUMP – CVE-2024-53589

Buffer Overflow in GNU Binutils objdump tekhex Parser

  • Vulnerability Type: Buffer Overflow
  • Vendor: GNU Project
  • Product: GNU Binutils
  • Version Affected: 2.43 and potentially earlier versions
  • Fix Status: Fixed in commit e0323071916878e0634a6e24d8250e4faff67e88

Description

A buffer overflow vulnerability exists in GNU Binutils’ objdump utility when processing tekhex format files. The vulnerability occurs in the Binary File Descriptor (BFD) library’s tekhex parser during format identification. Specifically, the issue manifests when attempting to read 8 bytes at an address that precedes the global variable ‘_bfd_std_section’, resulting in an out-of-bounds read.

Technical Details

The vulnerability triggers a global buffer overflow with the following characteristics:

  1. Memory Access:
     • Type: READ operation
     • Size: 8 bytes
     • Location: 8 bytes before global variable ‘_bfd_std_section’
     • Variable Definition: section.c:777
  2. Memory Layout: the vulnerable address is located
     • 8 bytes before _bfd_std_section (size 1120 bytes)
     • 64 bytes after bfd_plugin_canonicalize_symtab.fake_common_section (size 280 bytes)
  3. Call stack at the faulting read (innermost frame first):
     bfd_get_next_section_by_name (section.c:940)
     first_phase (tekhex.c:484)
     pass_over (tekhex.c:554)
     tekhex_object_p (tekhex.c:619)
     bfd_check_format_matches (format.c:530)
     display_object_bfd (objdump.c:5850)
     display_any_bfd (objdump.c:5939)
     display_file (objdump.c:5960)
     main (objdump.c:6377)

The root cause stems from improper handling of the bfd_abs_section pointer in the first_phase function within tekhex.c. The code attempts to perform section traversal operations on bfd_abs_section_ptr without proper validation, leading to an invalid memory access.
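As an added example (not binutils code and not the author's), the following simplified C model shows why a "next section by name" walk started from a standard section reads memory just before the static array: BFD keeps sections created by name inside hash-table entries, so the lookup recovers the enclosing entry by subtracting a fixed offset from the section pointer, and for an entry-less standard section that arithmetic lands in front of _bfd_std_section. The struct and function names, the is_std_section guard and the sample chain are assumptions of this model, not the actual fix.

```c
/* Added, simplified model of BFD's section bookkeeping (not binutils code).
   Struct and function names are hypothetical stand-ins for BFD's own. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

struct hash_entry { struct hash_entry *next; const char *string; unsigned long hash; };
struct section { const char *name; };
/* A section created by name lives inside a hash entry, so the hash
   bookkeeping sits in memory immediately before the section itself. */
struct section_hash_entry { struct hash_entry root; struct section section; };
/* Standard sections (*ABS*, *UND*, ...) are bare sections in a static
   array: no hash entry precedes them, only unrelated globals. */
struct section std_sections[] = { { "*ABS*" }, { "*UND*" } };

int is_std_section (const struct section *sec)
{
  uintptr_t p = (uintptr_t) sec, lo = (uintptr_t) std_sections;
  return p >= lo && p < lo + sizeof std_sections;
}

/* Offset, relative to the section pointer, of the hash field read by the
   container-of arithmetic below: negative means before the section. */
ptrdiff_t hash_field_offset (void)
{
  return (ptrdiff_t) offsetof (struct hash_entry, hash)
         - (ptrdiff_t) offsetof (struct section_hash_entry, section);
}

/* "Next section with the same name" lookup, hardened: a standard section
   is rejected before the arithmetic that assumes an enclosing hash entry. */
struct section *next_section_by_name (struct section *sec)
{
  if (sec == NULL || is_std_section (sec))
    return NULL;
  struct section_hash_entry *sh = (struct section_hash_entry *)
    ((char *) sec - offsetof (struct section_hash_entry, section));
  unsigned long hash = sh->root.hash;    /* the read that went out of bounds */
  for (sh = (struct section_hash_entry *) sh->root.next; sh != NULL;
       sh = (struct section_hash_entry *) sh->root.next)
    if (sh->root.hash == hash && strcmp (sh->section.name, sec->name) == 0)
      return &sh->section;
  return NULL;
}

/* Constructed sample chain: two ".text" entries around one ".data". */
struct section_hash_entry text_b = { { NULL, ".text", 7 }, { ".text" } };
struct section_hash_entry data_a = { { &text_b.root, ".data", 3 }, { ".data" } };
struct section_hash_entry text_a = { { &data_a.root, ".text", 7 }, { ".text" } };
```

For a standard section the unguarded arithmetic would read one pointer-width below the array, which matches the 8-byte read 8 bytes before _bfd_std_section in the report above.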

Impact

An attacker can exploit this vulnerability by crafting a malicious tekhex file that, when processed by objdump, triggers an out-of-bounds read. This could potentially:

  1. Cause program crash through invalid memory access
  2. Lead to information disclosure, potentially exposing memory addresses that could be used to defeat ASLR
  3. Potentially allow for arbitrary code execution in specific circumstances

Reproduction

The issue can be reproduced by:

  1. Compiling binutils with Address Sanitizer (ASAN)
  2. Running objdump -a on a specially crafted tekhex file

Fix

The issue has been patched by adding proper validation checks in the first_phase function to guard against modification of _bfd_std_section[] entries. The fix specifically addresses the handling of bfd_abs_section in the tekhex parser.

References

  • Fixed in commit: e0323071916878e0634a6e24d8250e4faff67e88
  • Sourceware PR: 32347
  • Original discovery credit: Salim LARGO (2ourc3)