Dear all,

The following bug was found with AFLFast, a fork of AFL, in a 24-hour fuzzing session on Binutils. Thanks also to Van-Thuan Pham.

There is a global buffer overflow (write of size 1) in the assembler for the following execution on Ubuntu 14.04 x86_64 for Binutils v2.26 and in trunk. Interestingly, it does not seg-fault on my machine.

$ printf "/" > test
$ ./as test

ASAN says:

==141249==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000143fdbf at pc 0x000000407db7 bp 0x7ffd85bdacb0 sp 0x7ffd85bdaca8
WRITE of size 1 at 0x00000143fdbf thread T0
    #0 0x407db6 in do_scrub_chars ../../gas/app.c:1193
    #1 0x44351b in input_file_give_next_buffer ../../gas/input-file.c:243
    #2 0x444a05 in input_scrub_next_buffer ../../gas/input-scrub.c:356
    #3 0x460204 in read_a_source_file ../../gas/read.c:835
    #4 0x40c417 in perform_an_assembly_pass ../../gas/as.c:1172
    #5 0x40c86c in main ../../gas/as.c:1296
    #6 0x7fb7630e5f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #7 0x403858 (/home/ubuntu/subjects/binutils-gdb/obj-asan/gas/as-new+0x403858)

0x00000143fdbf is located 55 bytes to the right of global variable 'saved_input_len' defined in '../../gas/app.c:218:15' (0x143fd80) of size 8
0x00000143fdbf is located 1 bytes to the left of global variable 'input_buffer' defined in '../../gas/app.c:219:13' (0x143fdc0) of size 32768
SUMMARY: AddressSanitizer: global-buffer-overflow ../../gas/app.c:1193 in do_scrub_chars

Valgrind does not complain.

Best regards,
- Marcel
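The mechanism behind the report above, as an added example that is not part of this thread or of gas's own code: a scrubber that refills a global input buffer through a get callback, reads one character ahead when it sees '/', and pushes that character back with a pre-decrement store. When the lookahead read hits end of file, the refill has reset the cursor to the start of the buffer and there is no character to push back, so an unconditional unget stores the EOF value one byte before the buffer, exactly the "1 bytes to the left of input_buffer" that ASAN reports. The names (GET, UNGET, peek_after_slash, run, struct src) and the one-byte guard standing in for the neighbouring global (saved_input_len in the report) are constructed for the example; the hardened path applies the fix described in the commit, refusing to unget EOF.

```c
#include <stdio.h>
#include <string.h>

#define BUFSIZE 32

/* Constructed stand-in for gas's global input_buffer.  One guard byte is
   placed immediately before it so that the off-by-one write lands on
   memory this example owns and can inspect, rather than on whatever the
   linker happened to put there (in the report: another global).  */
static unsigned char storage[1 + BUFSIZE];
static unsigned char *const input_buffer = storage + 1;
#define GUARD      (storage[0])
#define GUARD_INIT 0xA5

/* Constructed in-memory "source file" feeding the scrubber.  */
struct src { const char *data; size_t len; size_t pos; };

/* Refill callback: copies up to tolen bytes, returns 0 at end of file.  */
static size_t src_get(struct src *s, unsigned char *to, size_t tolen)
{
    size_t n = s->len - s->pos;
    if (n > tolen)
        n = tolen;
    memcpy(to, s->data + s->pos, n);
    s->pos += n;
    return n;
}

/* Scrubber cursor: from/fromend delimit the unread part of input_buffer.  */
struct scrub { struct src *src; unsigned char *from, *fromend; };

/* Next character, refilling input_buffer when it is exhausted.  Note that
   a refill that returns 0 bytes leaves from == input_buffer and yields EOF.  */
static int GET(struct scrub *sc)
{
    if (sc->from < sc->fromend)
        return *sc->from++;
    size_t n = src_get(sc->src, input_buffer, BUFSIZE);
    sc->from = input_buffer;
    sc->fromend = input_buffer + n;
    return n == 0 ? EOF : *sc->from++;
}

/* Push a character back.  There is no check that a character was ever
   taken from this buffer: with from == input_buffer this writes below it.  */
static void UNGET(struct scrub *sc, int ch)
{
    *--sc->from = (unsigned char) ch;
}

/* Having just read '/', peek at the next character to classify the
   token, then push it back.  With check_eof == 0 the push-back is
   unconditional (the bug); with check_eof != 0 EOF is never ungot (the fix).  */
static int peek_after_slash(struct scrub *sc, int check_eof)
{
    int ch2 = GET(sc);
    if (!check_eof || ch2 != EOF)
        UNGET(sc, ch2);
    return ch2;
}

/* Scrub `text`; return 1 if the guard byte before input_buffer was
   clobbered, 0 otherwise.  */
static int run(const char *text, int check_eof)
{
    struct src s = { text, strlen(text), 0 };
    struct scrub sc = { &s, input_buffer, input_buffer };
    int ch;

    GUARD = GUARD_INIT;
    while ((ch = GET(&sc)) != EOF)
        if (ch == '/')
            peek_after_slash(&sc, check_eof);
    return GUARD != GUARD_INIT;
}

int main(void)
{
    /* Same input as the report: a lone '/' with nothing after it.  */
    printf("'/'  unconditional unget: guard clobbered = %d\n", run("/", 0));
    printf("'/'  EOF check:           guard clobbered = %d\n", run("/", 1));
    printf("'/ x' unconditional unget: guard clobbered = %d\n", run("/ x", 0));
    return 0;
}
```

Only the EOF case triggers the write; a '/' followed by any real character ungets into the slot the lookahead came from, which is why ordinary input never hits the bug and a fuzzer found it with a one-byte file. The guard byte also explains why the original did not crash: the stray byte lands on a writable neighbouring global, which ASAN detects through its redzones but Valgrind's memcheck does not, since it does not instrument the boundaries of static arrays.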
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=69ace2200106348a1b00d509a6a234337c104c17

commit 69ace2200106348a1b00d509a6a234337c104c17
Author: Nick Clifton <nickc@redhat.com>
Date:   Thu Dec 1 15:20:19 2016 +0000

    Fix seg fault attempting to unget an EOF character.

        PR gas/20898
        * app.c (do_scrub_chars): Do not attempt to unget EOF.
Hi Marcel,

Thanks for reporting this bug. I have checked in a small patch to stop the assembler from attempting to push an end-of-file value back into the input stream, which should fix the bug.

Cheers
Nick
This is CVE-2017-7223