The following bug was found with AFLFast, a fork of AFL, in a 24 hour fuzzing session on Binutils. Thanks also to Van-Thuan Pham.
There is a global buffer overflow (write of size 1) in the assembler for the following execution on Ubuntu 14.04 x86_64 for Binutils v2.26 and in trunk. Interestingly, it does not seg-fault on my machine.
$ printf "/" > test
$ ./as test
==141249==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000143fdbf at pc 0x000000407db7 bp 0x7ffd85bdacb0 sp 0x7ffd85bdaca8
WRITE of size 1 at 0x00000143fdbf thread T0
#0 0x407db6 in do_scrub_chars ../../gas/app.c:1193
#1 0x44351b in input_file_give_next_buffer ../../gas/input-file.c:243
#2 0x444a05 in input_scrub_next_buffer ../../gas/input-scrub.c:356
#3 0x460204 in read_a_source_file ../../gas/read.c:835
#4 0x40c417 in perform_an_assembly_pass ../../gas/as.c:1172
#5 0x40c86c in main ../../gas/as.c:1296
#6 0x7fb7630e5f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
#7 0x403858 (/home/ubuntu/subjects/binutils-gdb/obj-asan/gas/as-new+0x403858)
0x00000143fdbf is located 55 bytes to the right of global variable 'saved_input_len' defined in '../../gas/app.c:218:15' (0x143fd80) of size 8
0x00000143fdbf is located 1 bytes to the left of global variable 'input_buffer' defined in '../../gas/app.c:219:13' (0x143fdc0) of size 32768
SUMMARY: AddressSanitizer: global-buffer-overflow ../../gas/app.c:1193 in do_scrub_chars
Valgrind does not complain.
The master branch has been updated by Nick Clifton <email@example.com>:
Author: Nick Clifton <firstname.lastname@example.org>
Date: Thu Dec 1 15:20:19 2016 +0000
Fix seg fault attempting to unget an EOF character.
* app.c (do_scrub_chars): Do not attempt to unget EOF.
Thanks for reporting this bug.
I have checked in a small patch to stop the assembler from attempting to push and end-of-file value back into the input stream, which should fix the bug.
This is CVE-2017-7223