GNU Binutils Memory Leak Vulnerability in DWARF Section Handler

Vulnerability

A memory leak vulnerability has been identified in GNU Binutils version 2.44. The issue arises in the DWARF Section Handler, specifically within the 'process_debug_info' function of 'binutils/dwarf.c'. The vulnerability occurs when the code processes malformed or fuzzed DWARF sections, leading to multiple memory allocations without proper deallocation. This flaw allows for a gradual consumption of memory, potentially causing availability issues. The vulnerability must be exploited locally.

Impact

Exploitation of this vulnerability leads to a memory leak, where allocated memory is not properly released, causing increased memory usage over time.

Reproduction

The vulnerability can be reproduced using the 'objdump' utility included with GNU Binutils 2.44. When 'objdump' is run with the '--debugging' and '-D' options on a crafted file that contains fuzzed DWARF data, the memory leak can be observed. The 'LeakSanitizer' will report the leak, indicating that memory allocated for debug information was not freed, and the 'AddressSanitizer' shows a similar leak of 8320 bytes.
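
For triaging sanitizer output from a run like the one described above, the following added example (not part of the original advisory and not Binutils code) parses a LeakSanitizer report and attributes each leak record to the first stack frame that is not an allocator wrapper. The sample report is constructed, and the list of wrapper names to skip is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: PID, addresses and paths are made up. Only the 8320-byte
# total and the process_debug_info name come from the advisory text.
SAMPLE_REPORT = """\
==4242==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 8192 byte(s) in 1 object(s) allocated from:
    #0 0x7f0000000001 in malloc (/usr/lib/libasan.so+0x1001)
    #1 0x550000000002 in xmalloc (/opt/binutils/objdump+0x2002)
    #2 0x550000000003 in process_debug_info (/opt/binutils/objdump+0x3003)

Indirect leak of 128 byte(s) in 2 object(s) allocated from:
    #0 0x7f0000000004 in calloc (/usr/lib/libasan.so+0x1004)
    #1 0x550000000005 in xcalloc (/opt/binutils/objdump+0x2005)
    #2 0x550000000003 in process_debug_info (/opt/binutils/objdump+0x3003)

SUMMARY: AddressSanitizer: 8320 byte(s) leaked in 3 allocation(s).
"""

# Assumed set of allocator wrappers to skip when attributing a leak.
ALLOC_FRAMES = {"malloc", "calloc", "realloc", "xmalloc", "xcalloc", "xrealloc"}
LEAK_RE = re.compile(r"^(Direct|Indirect) leak of (\d+) byte\(s\) in (\d+) object\(s\)")
FRAME_RE = re.compile(r"^\s+#\d+\s+0x[0-9a-f]+\s+in\s+(\S+)")
SUMMARY_RE = re.compile(r"^SUMMARY: \w+: (\d+) byte\(s\) leaked in (\d+) allocation\(s\)")

def triage(report):
    """Return (leaks per function, summary totals, totals-match flag)."""
    by_func = defaultdict(lambda: {"bytes": 0, "objects": 0})
    pending, summary = None, None  # pending = (bytes, objects) not yet attributed

    def attribute(func):
        by_func[func]["bytes"] += pending[0]
        by_func[func]["objects"] += pending[1]

    for line in report.splitlines():
        if (m := LEAK_RE.match(line)):
            if pending:  # previous record had only allocator frames
                attribute("<unknown>")
            pending = (int(m.group(2)), int(m.group(3)))
        elif (m := FRAME_RE.match(line)):
            if pending and m.group(1) not in ALLOC_FRAMES:
                attribute(m.group(1))
                pending = None
        elif (m := SUMMARY_RE.match(line)):
            summary = (int(m.group(1)), int(m.group(2)))
    if pending:
        attribute("<unknown>")
    total = sum(e["bytes"] for e in by_func.values())
    return dict(by_func), summary, summary is not None and summary[0] == total
```

A mismatch between the per-record total and the SUMMARY line indicates a truncated or interleaved report, which is worth checking before filing or deduplicating a finding.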

Remediation

Users are advised to update to a version of GNU Binutils that includes the patch for this vulnerability. The patched version can be obtained from the GNU GitLab repository.

Added: Jul 27, 2025, 8:17 AM
Updated: Jul 27, 2025, 8:17 AM

Vulnerability Rating

Custom Algorithm

spread: 7.8
impact: 0.6
exploitability: 6.0
remediation: 7.7
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.