GNU Binutils, used by millions of programs, exposes a new vulnerability

GNU Binutils (GNU Binary Utilities, or binutils) is a collection of programming tools built by the GNU project.

The tools are primarily used to process object files in various formats; the package includes a linker, an assembler and other utilities for working with object files and archives. A security flaw has been found in libbfd, the GNU Binutils library that reads those formats.

The vulnerability is a use-after-free in bfd_hash_lookup(). When a crafted file is processed it can cause a denial of service, as seen in nm-new.

The bug report reads:

A use after free was discovered in nm-new (the latest commit c98a454) in bfd_hash_lookup(), that can cause a denial of service, via a crafted file.
To reproduce: nm-new -C PoC
ASAN says:
READ of size 19 at 0x7f865818780e thread T0
    #0 0x7f86570dd2c4  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x472c4)
    #1 0x429e27 in bfd_hash_lookup ../../bfd/hash.c:475
    #2 0x4339e7 in bfd_get_section_by_name ../../bfd/section.c:899
    #3 0x5a0076 in _bfd_pei_swap_sym_in /home/dungnguyen/fuzz/binutils-gdb/obj-asan/bfd/peXXigen.c:170
    #4 0x5dbef1 in coff_get_normalized_symtab ../../bfd/coffgen.c:1816
    #5 0x59c981 in coff_slurp_symbol_table ../../bfd/coffcode.h:4531
    #6 0x5d2898 in coff_get_symtab_upper_bound ../../bfd/coffgen.c:411
    #7 0x43609c in _bfd_generic_read_minisymbols ../../bfd/syms.c:802
    #8 0x4072f1 in display_rel_file ../../binutils/nm.c:1126
    #9 0x4081c5 in display_file ../../binutils/nm.c:1393
    #10 0x409c6a in main ../../binutils/nm.c:1874
    #11 0x7f8656ae882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #12 0x402ce8 in _start (/home/dungnguyen/PoCs/readelf_f717994/nm+0x402ce8)
0x7f865818780e is located 14 bytes inside of 235653-byte region [0x7f8658187800,0x7f86581c1085)
freed by thread T0 here:
    #0 0x7f865712e32a in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9832a)
    #1 0x5db9ba in _bfd_coff_free_symbols ../../bfd/coffgen.c:1756
    #2 0x5d1ef4 in coff_real_object_p ../../bfd/coffgen.c:302
    #3 0x592c2c in pe_bfd_object_p ../../bfd/peicode.h:1504
    #4 0x428442 in bfd_check_format_matches ../../bfd/format.c:343
    #5 0x408168 in display_file ../../binutils/nm.c:1389
    #6 0x409c6a in main ../../binutils/nm.c:1874
    #7 0x7f8656ae882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
previously allocated by thread T0 here:
    #0 0x7f865712e662 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98662)
    #1 0x42be64 in bfd_malloc ../../bfd/libbfd.c:275
    #2 0x5db59b in _bfd_coff_read_string_table ../../bfd/coffgen.c:1714
    #3 0x5d2cb7 in _bfd_coff_internal_syment_name ../../bfd/coffgen.c:464
    #4 0x5a0014 in _bfd_pei_swap_sym_in /home/dungnguyen/fuzz/binutils-gdb/obj-asan/bfd/peXXigen.c:161
    #5 0x59327b in handle_COMDAT ../../bfd/coffcode.h:925
    #6 0x59406c in styp_to_sec_flags ../../bfd/coffcode.h:1306
    #7 0x5d0c9a in make_a_section_from_file ../../bfd/coffgen.c:130
    #8 0x5d1ec8 in coff_real_object_p ../../bfd/coffgen.c:297
    #9 0x592c2c in pe_bfd_object_p ../../bfd/peicode.h:1504
    #10 0x428442 in bfd_check_format_matches ../../bfd/format.c:343
    #11 0x408168 in display_file ../../binutils/nm.c:1389
    #12 0x409c6a in main ../../binutils/nm.c:1874
    #13 0x7f8656ae882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
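The trace above shows a string table allocated while the PE/COFF format is being probed, freed when the probe's symbol data is released, and then read again through bfd_get_section_by_name() when nm reads the symbols for display. The following C program is an added example, not binutils code: the struct, the function names and the string table bytes are all hypothetical, built to show that defect class in isolation. A string table is read and cached, released after probing, and looked up again later; the release routine resets the cached pointer and the lookup validates it and the offset, which is exactly the check whose absence turns the second lookup into a read from freed memory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model (not bfd's real structures) of an object file whose
 * symbol names live in a separately allocated string table. */
struct obj {
    char  *strtab;       /* cached string table, owned by this struct */
    size_t strtab_size;  /* bytes in strtab, including the 4-byte size prefix */
};

/* Constructed sample string table: a 4-byte little-endian size prefix
 * followed by NUL-terminated names, the layout COFF uses. */
static const unsigned char sample_strtab[] = {
    0x14, 0x00, 0x00, 0x00,                  /* total size = 20 bytes */
    '.', 't', 'e', 'x', 't', '$', 'm', 'n', 0, /* name at offset 4 */
    '.', 'r', 'd', 'a', 't', 'a', 0            /* name at offset 13 */
};

/* Read the string table once and cache it on the object. Returns 0 on
 * success, -1 if the size prefix is inconsistent with the input. */
static int read_string_table(struct obj *o, const unsigned char *raw, size_t raw_len)
{
    if (raw_len < 4)
        return -1;
    size_t size = raw[0] | (raw[1] << 8) | (raw[2] << 16) | ((size_t)raw[3] << 24);
    if (size < 4 || size > raw_len)           /* size counts the prefix itself */
        return -1;
    o->strtab = malloc(size);
    if (o->strtab == NULL)
        return -1;
    memcpy(o->strtab, raw, size);
    o->strtab_size = size;
    return 0;
}

/* Release cached symbol data. The defect class in the report is a release
 * routine that frees the buffer but leaves the cached pointer in place, so a
 * later name lookup dereferences freed memory. Resetting the pointer and
 * size turns that into a detectable "table not loaded" condition instead. */
static void free_symbols(struct obj *o)
{
    free(o->strtab);
    o->strtab = NULL;       /* without this line the dangling pointer survives */
    o->strtab_size = 0;
}

/* Resolve a symbol name by string-table offset. Returns NULL if the table is
 * not (or no longer) loaded, the offset is outside it, or the name is not
 * NUL-terminated before the table ends. */
static const char *symbol_name(const struct obj *o, size_t offset)
{
    if (o->strtab == NULL)                     /* freed or never read */
        return NULL;
    if (offset < 4 || offset >= o->strtab_size)
        return NULL;
    const char *start = o->strtab + offset;
    size_t room = o->strtab_size - offset;
    if (memchr(start, '\0', room) == NULL)     /* unterminated name */
        return NULL;
    return start;
}

/* Replay the sequence from the report: read the table while probing the
 * format, release symbol data when probing ends, then look names up again
 * for display. Returns 1 if the stale lookup was rejected and a fresh read
 * of the table resolves names correctly, 0 otherwise. */
int demo_lookup_after_free(void)
{
    struct obj o = {0};
    if (read_string_table(&o, sample_strtab, sizeof sample_strtab) != 0)
        return 0;
    const char *n = symbol_name(&o, 4);
    if (n == NULL || strcmp(n, ".text$mn") != 0)
        return 0;
    free_symbols(&o);                         /* probing done, table released */
    if (symbol_name(&o, 4) != NULL)           /* must not read the freed buffer */
        return 0;
    if (read_string_table(&o, sample_strtab, sizeof sample_strtab) != 0)
        return 0;                             /* second pass re-reads the table */
    n = symbol_name(&o, 13);
    int ok = (n != NULL && strcmp(n, ".rdata") == 0);
    free_symbols(&o);
    return ok;
}

int main(void)
{
    printf("lookup after free handled safely: %s\n",
           demo_lookup_after_free() ? "yes" : "no");
    return 0;
}
```

Building this with `-fsanitize=address` and deleting the `o->strtab = NULL;` line reproduces the shape of the report: the second `symbol_name()` call becomes a heap-use-after-free read inside the freed string table, with the free and the original allocation attributed to `free_symbols` and `read_string_table` just as ASAN attributes them to `_bfd_coff_free_symbols` and `_bfd_coff_read_string_table` above.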
