Summary: | integer overflow in libiberty, heap overflow will be triggered
---|---
Product: | binutils
Reporter: | tfx <tfx_sec>
Component: | binutils
Assignee: | Not yet assigned to anyone <unassigned>
Status: | RESOLVED MOVED
Severity: | critical
CC: | nickc, rschiron, tfx_sec, zhuyan34
Priority: | P2
Version: | 2.32
Target Milestone: | ---
Host: |
Target: |
Build: |
Last reconfirmed: |
Attachments: | nm -C POC
 | fix CVE-2018-20673
Description
tfx
2018-12-27 14:08:36 UTC
I use the latest binutils with debug info. The crash output is shown as follows.

```
binutils/nm-new -C POC
=================================================================
==9029==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf3bfea80 at pc 0x083ba887 bp 0xffabcac8 sp 0xffabcac0
WRITE of size 4 at 0xf3bfea80 thread T0
    #0 0x83ba886 in demangle_template ./binutils-gdb/libiberty/./cplus-dem.c:2249:23
    #1 0x83b8c2e in demangle_signature ./binutils-gdb/libiberty/./cplus-dem.c:1709:18
    #2 0x83b62da in internal_cplus_demangle ./binutils-gdb/libiberty/./cplus-dem.c:1258:14
    #3 0x83b5143 in cplus_demangle ./binutils-gdb/libiberty/./cplus-dem.c:919:9
    #4 0x815d092 in bfd_demangle ./binutils-gdb/bfd/bfd.c:2254:9
    #5 0x81460a0 in print_symname ./binutils-gdb/binutils/nm.c:423:19
    #6 0x8145035 in print_symbol_info_bsd ./binutils-gdb/binutils/nm.c:1565:3
    #7 0x8149d87 in print_symbol ./binutils-gdb/binutils/nm.c:903:3
    #8 0x8148828 in print_symbols ./binutils-gdb/binutils/nm.c:1102:7
    #9 0x8146fdb in display_rel_file ./binutils-gdb/binutils/nm.c:1215:5
    #10 0x8144a11 in display_file ./binutils-gdb/binutils/nm.c:1335:7
    #11 0x814424f in main ./binutils-gdb/binutils/nm.c:1816:12
    #12 0xf7d3f636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #13 0x806be08 in _start (./binutils-gdb/binutils/nm-new+0x806be08)

0xf3bfea80 is located 0 bytes to the right of 251581056-byte region [0xe4c11800,0xf3bfea80)
allocated by thread T0 here:
    #0 0x8112215 in malloc asan_malloc_linux.cc:146:3
    #1 0x83e6659 in xmalloc ./binutils-gdb/libiberty/./xmalloc.c:147:12
    #2 0x83b8c2e in demangle_signature ./binutils-gdb/libiberty/./cplus-dem.c:1709:18
    #3 0x83b62da in internal_cplus_demangle ./binutils-gdb/libiberty/./cplus-dem.c:1258:14
    #4 0x83b5143 in cplus_demangle ./binutils-gdb/libiberty/./cplus-dem.c:919:9
    #5 0x815d092 in bfd_demangle ./binutils-gdb/bfd/bfd.c:2254:9

SUMMARY: AddressSanitizer: heap-buffer-overflow ./binutils-gdb/libiberty/./cplus-dem.c:2249:23 in demangle_template
Shadow bytes around the buggy address:
  0x3e77fd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e77fd10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e77fd20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e77fd30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e77fd40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x3e77fd50:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e77fd60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e77fd70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e77fd80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e77fd90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e77fda0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==9029==ABORTING
```

Hi tfx,

Thanks for reporting this problem. Unfortunately the cplus-dem.c source file is part of the libiberty library, which is maintained by gcc rather than the binutils. (It is used by the binutils, but not maintained by us.) Please could you report this problem here: https://gcc.gnu.org/bugzilla/enter_bug.cgi?product=gcc

Cheers
Nick

A new bug was created in the gcc project: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88783

Created attachment 11991: fix CVE-2018-20673
Add a check before using the variable r.
Comment on attachment 11991: fix CVE-2018-20673
The binutils version is 2.31.1.
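The trace above shows a 251581056-byte region allocated under demangle_signature and a 4-byte write landing exactly at its end from demangle_template, and the attachment comment says the fix adds a check on r. The following is an added editor's example, not libiberty's code and not the attached patch. It assumes the pattern the trace suggests (a count r parsed from the mangled name, an allocation of r * sizeof (char *) bytes, and a loop that writes r entries) and emulates the 32-bit size_t of the i386 host in the trace with uint32_t so the arithmetic is the same on any machine. The count 1136637088 is constructed so that r * 4 mod 2^32 equals the region size in the report; the count in the real PoC is not on the page. The point it demonstrates is that a check on r alone is not enough, since this r is a valid positive int: the product r * sizeof (char *) is what has to be checked before it reaches xmalloc.

```c
/*
 * Added example (not libiberty's code): why the check on r has to cover
 * r * sizeof (char *), not just r itself.
 *
 * Assumed pattern, inferred from the ASan trace: a count r is parsed from
 * the mangled name, r * sizeof (char *) bytes are xmalloc'ed, and a loop
 * then writes r entries.  A 32-bit size_t is emulated with uint32_t.
 */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>

#define PTR_SIZE32 4u   /* sizeof (char *) on the i386 build in the report */

/* Naive decimal parser: digits accumulate modulo 2^32 with no overflow
   check.  Kept for contrast; returns the wrapped value. */
uint32_t parse_count_wrapping(const char *s)
{
    uint32_t n = 0;
    while (isdigit((unsigned char)*s)) {
        n = n * 10u + (uint32_t)(*s - '0');   /* unsigned wrap, well defined */
        s++;
    }
    return n;
}

/* Hardened parser: returns the count, or -1 if there are no digits or the
   value would not fit in 32 bits. */
int64_t parse_count_checked(const char *s)
{
    uint32_t n = 0;
    if (!isdigit((unsigned char)*s))
        return -1;
    while (isdigit((unsigned char)*s)) {
        uint32_t d = (uint32_t)(*s - '0');
        if (n > (UINT32_MAX - d) / 10u)       /* n * 10 + d would exceed UINT32_MAX */
            return -1;
        n = n * 10u + d;
        s++;
    }
    return (int64_t)n;
}

/* Size the allocator is asked for when the product is formed in a 32-bit
   size_t: wraps silently once r >= 2^30. */
uint32_t argvec_bytes_unchecked(uint32_t r)
{
    return r * PTR_SIZE32;
}

/* Same computation with the missing check: -1 when r * sizeof (char *) is
   not representable, so the caller can reject the name instead of
   allocating a vector that is too small for the r-entry loop. */
int64_t argvec_bytes_checked(uint32_t r)
{
    if (r > UINT32_MAX / PTR_SIZE32)
        return -1;
    return (int64_t)(r * PTR_SIZE32);
}

/* Bytes the r-entry fill loop would write past the wrapped allocation. */
uint64_t overflow_bytes(uint32_t r)
{
    uint64_t needed = (uint64_t)r * PTR_SIZE32;
    uint64_t got = argvec_bytes_unchecked(r);
    return needed > got ? needed - got : 0;
}

int main(void)
{
    /* Constructed count: r * 4 mod 2^32 == 251581056, the region size in
       the ASan report.  The real PoC's count is not on the page. */
    const char *count = "1136637088";

    uint32_t r = parse_count_wrapping(count);
    printf("r = %u is a valid positive int, so a range check on r alone passes\n", r);
    printf("unchecked: xmalloc(%u), but the loop writes %llu bytes (%llu past the end)\n",
           argvec_bytes_unchecked(r),
           (unsigned long long)r * PTR_SIZE32,
           (unsigned long long)overflow_bytes(r));
    printf("checked:   argvec_bytes_checked(r) = %lld (rejected)\n",
           (long long)argvec_bytes_checked(r));

    /* A count that itself exceeds 32 bits is caught one step earlier. */
    printf("checked parse of \"4294967300\" = %lld, wrapping parse = %u\n",
           (long long)parse_count_checked("4294967300"),
           parse_count_wrapping("4294967300"));
    return 0;
}
```

On an LP64 host the same product is about 4.5 GB and does not wrap, so the bug surfaces as an allocation failure rather than a heap overflow; the silently under-sized region only appears in 32-bit builds like the i386 one in the trace, which is why the check belongs on the product, not on the host's pointer width.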