Bug 28694

Summary: stabs.c: Out-of-bounds write in stab_xcoff_builtin_type
Product: binutils    Reporter: Pavel Mayorov <pmayorov>
Component: binutils    Assignee: Alan Modra <amodra>
Status: RESOLVED FIXED
Severity: normal
Priority: P2
Version: 2.38
Target Milestone: 2.38
Last reconfirmed: 2021-12-15 00:00:00
Attachments: PoC and ASAN report

Description Pavel Mayorov 2021-12-14 14:02:59 UTC
Created attachment 13851
PoC and ASAN report

I found an out-of-bounds write to the array 'info->xcoff_types' in the function 'stab_xcoff_builtin_type' (binutils/stabs.c).

Processing of typenum -34 results in overwriting of adjacent field 'info->tags' at line 3668:
  info->xcoff_types[-typenum] = rettype;

This eventually leads to a segmentation fault due to illegal memory reference performed by the function 'finish_stab'. ASAN catches this as heap-buffer-overflow.

Steps to reproduce:

Build current version of binutils with ASAN:
./configure --disable-shared --disable-gdb --disable-gdbserver CFLAGS="-ggdb -Wno-error -fsanitize=address -fsanitize-recover=address" CXXFLAGS="-ggdb -Wno-error -fsanitize=address -fsanitize-recover=address"
make all

Run inputs under ASAN:
binutils/objdump -g ~/oob_write

The proof-of-concept and ASAN report are attached.
Comment 1 cvs-commit@gcc.gnu.org 2021-12-15 01:30:27 UTC
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=161e87d12167b1e36193385485c1f6ce92f74f02

commit 161e87d12167b1e36193385485c1f6ce92f74f02
Author: Alan Modra <amodra@gmail.com>
Date:   Wed Dec 15 11:48:42 2021 +1030

    PR28694, Out-of-bounds write in stab_xcoff_builtin_type
    
            PR 28694
            * stabs.c (stab_xcoff_builtin_type): Make typenum unsigned.
            Negate typenum earlier, simplifying bounds checking.  Correct
            off-by-one indexing.  Adjust switch cases.
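An added illustration of the indexing defect in the report and of the validation shape the commit message describes (make typenum unsigned, negate it up front, fix the off-by-one); this is constructed stand-in code, not binutils' stabs.c and not the attached PoC. The array size of 34, the field names and the exact pre-fix range check are assumptions modelled on the description.

```c
/* Constructed stand-in for the layout the report describes: the builtin-type
 * array immediately followed by 'tags'.  Sizes, names and the exact pre-fix
 * check are assumptions modelled on the description, not binutils' stabs.c. */
#include <stdio.h>

#define XCOFF_TYPE_COUNT 34          /* assumed: valid slots are 0..33 */
typedef const char *debug_type;      /* stand-in for binutils' debug_type */

struct stab_handle {
  debug_type xcoff_types[XCOFF_TYPE_COUNT];
  void *tags;                        /* adjacent field clobbered by slot 34 */
};

/* Assumed pre-fix shape: a signed range check that still admits -34, whose
 * negation equals the array length, one past the last slot.  Returns the
 * index that would be written, or -1 if rejected; it performs no store. */
static int old_index_for(int typenum)
{
  if (typenum >= 0 || typenum < -XCOFF_TYPE_COUNT)
    return -1;
  return -typenum;                   /* -34 -> 34 == XCOFF_TYPE_COUNT */
}

/* Shape the fix describes: treat typenum as unsigned, negate and shift by
 * one up front so -1..-34 map exactly onto 0..33, and one unsigned compare
 * rejects everything else (0 and positive values wrap to huge indices).
 * Returns the slot written, or -1 when the input is rejected. */
static int set_xcoff_builtin(struct stab_handle *info, int typenum, debug_type t)
{
  unsigned int idx = -(unsigned int)typenum - 1u;
  if (idx >= XCOFF_TYPE_COUNT) {
    fprintf(stderr, "Unrecognized XCOFF type %d\n", typenum);
    return -1;
  }
  info->xcoff_types[idx] = t;
  return (int)idx;
}

/* Run the fixed path on a fresh handle whose 'tags' holds a sentinel.
 * Returns the slot written (0..33), -1 if rejected, -2 if 'tags' changed. */
static int fixed_store_result(int typenum)
{
  struct stab_handle h = { {0}, (void *)&h };
  int slot = set_xcoff_builtin(&h, typenum, "int");
  return h.tags == (void *)&h ? slot : -2;
}
```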
Comment 2 Alan Modra 2021-12-15 01:31:02 UTC
Fixed.
Comment 3 Pavel Mayorov 2021-12-16 07:47:04 UTC
CVE-2021-45078