Bug 20898

Summary: AS: Buffer Overflow when scrubing chars
Product: binutils Reporter: Marcel Böhme <boehme.marcel>
Component: gasAssignee: Not yet assigned to anyone <unassigned>
Status: RESOLVED FIXED    
Severity: normal CC: nickc, thuanpv
Priority: P2    
Version: 2.28   
Target Milestone: ---   
Host: Target:
Build: Last reconfirmed:

Description Marcel Böhme 2016-12-01 14:08:03 UTC 
Dear all,

The following bug was found with AFLFast, a fork of AFL, in a 24 hour fuzzing session on Binutils. Thanks also to Van-Thuan Pham.

There is a global buffer overflow (write of size 1) in the assembler for the following execution on Ubuntu 14.04 x86_64 for Binutils v2.26 and in trunk. Interestingly, it does not seg-fault on my machine.

$ printf "/" > test
$ ./as test

ASAN says:
==141249==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000143fdbf at pc 0x000000407db7 bp 0x7ffd85bdacb0 sp 0x7ffd85bdaca8
WRITE of size 1 at 0x00000143fdbf thread T0
    #0 0x407db6 in do_scrub_chars ../../gas/app.c:1193
    #1 0x44351b in input_file_give_next_buffer ../../gas/input-file.c:243
    #2 0x444a05 in input_scrub_next_buffer ../../gas/input-scrub.c:356
    #3 0x460204 in read_a_source_file ../../gas/read.c:835
    #4 0x40c417 in perform_an_assembly_pass ../../gas/as.c:1172
    #5 0x40c86c in main ../../gas/as.c:1296
    #6 0x7fb7630e5f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #7 0x403858  (/home/ubuntu/subjects/binutils-gdb/obj-asan/gas/as-new+0x403858)

0x00000143fdbf is located 55 bytes to the right of global variable 'saved_input_len' defined in '../../gas/app.c:218:15' (0x143fd80) of size 8
0x00000143fdbf is located 1 bytes to the left of global variable 'input_buffer' defined in '../../gas/app.c:219:13' (0x143fdc0) of size 32768
SUMMARY: AddressSanitizer: global-buffer-overflow ../../gas/app.c:1193 in do_scrub_chars

Valgrind does not complain.

Best regards,
- Marcel
Comment 1 Sourceware Commits 2016-12-01 15:21:20 UTC 
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=69ace2200106348a1b00d509a6a234337c104c17

commit 69ace2200106348a1b00d509a6a234337c104c17
Author: Nick Clifton <nickc@redhat.com>
Date:   Thu Dec 1 15:20:19 2016 +0000

    Fix seg fault attempting to unget an EOF character.
    
    	PR gas/20898
    	* app.c (do_scrub_chars): Do not attempt to unget EOF.
Comment 2 Nick Clifton 2016-12-01 15:31:49 UTC 
Hi Marcel,

  Thanks for reporting this bug.

  I have checked in a small patch to stop the assembler from attempting to push and end-of-file value back into the input stream, which should fix the bug.

Cheers
  Nick
Comment 3 Thuan Pham 2017-04-13 06:11:15 UTC 
This is CVE-2017-7223