21909 – Stack buffer overflow in pr_int_type - prdbg.c:586

Bug 21909 - Stack buffer overflow in pr_int_type - prdbg.c:586

Summary: Stack buffer overflow in pr_int_type - prdbg.c:586

Status:	RESOLVED FIXED

Alias:	None

Product:	binutils
Classification:	Unclassified
Component:	binutils (show other bugs)
Version:	2.30

Importance:	P2 normal
Target Milestone:	---
Assignee:	Not yet assigned to anyone

URL:
Keywords:

Depends on:
Blocks:

Reported:	2017-08-05 12:05 UTC by martino.sani
Modified:	2017-09-05 14:33 UTC (History)
CC List:	1 user (show)

See Also:
Host:
Target:
Build:
Last reconfirmed:

Attachments
Binary POC (zipped) (12.33 KB, application/zip) 2017-08-05 12:05 UTC, martino.sani	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description martino.sani 2017-08-05 12:05:36 UTC

Created attachment 10316 [details]
Binary POC (zipped)

Hello,

American fuzzy lop detects a stack buffer overflow in pr_int_type - prdbg.c:586.

pr_int_type stores the ab variable on the stack, and writes a string into it without verifying its length.

static bfd_boolean
pr_int_type (void *p, unsigned int size, bfd_boolean unsignedp)
{
  char ab[10];

  // !!!
  sprintf (ab, "%sint%d", unsignedp ? "u" : "", size * 8);
}

E.g: In the attached POC when size has value 177777 and unsignedp 1, sprintf writes 11 chars into ab:
tot len = len("int") + len("u") + len(str(size * 8))

# stacktrace

WRITE of size 12 at 0x7ffea8f9b42a thread T0                                                                              
    #0 0x4a0b01 in vsprintf (/tmp/binutils/master/build/bin/objdump+0x4a0b01)                               
    #1 0x4a0d62 in __interceptor_sprintf (/tmp/binutils/master/build/bin/objdump+0x4a0d62)                  
    #2 0x5756a1 in pr_int_type /tmp/binutils/master/binutils-gdb/binutils/prdbg.c:586:3                     
    #3 0x58fd8c in debug_write_type /tmp/binutils/master/binutils-gdb/binutils/debug.c:2491:14              
    #4 0x591968 in debug_write_type /tmp/binutils/master/binutils-gdb/binutils/debug.c:2588:9               
    #5 0x58df6c in debug_write_name /tmp/binutils/master/binutils-gdb/binutils/debug.c:2382:13              
    #6 0x58da8c in debug_write /tmp/binutils/master/binutils-gdb/binutils/debug.c:2350:14                   
    #7 0x5752ef in print_debugging_info /tmp/binutils/master/binutils-gdb/binutils/prdbg.c:316:20           
    #8 0x50fbc7 in dump_bfd /tmp/binutils/master/binutils-gdb/binutils/./objdump.c:3555:9                   
    #9 0x50f201 in display_object_bfd /tmp/binutils/master/binutils-gdb/binutils/./objdump.c:3603:7         
    #10 0x50f0e9 in display_any_bfd /tmp/binutils/master/binutils-gdb/binutils/./objdump.c:3692:5           
    #11 0x50ebe8 in display_file /tmp/binutils/master/binutils-gdb/binutils/./objdump.c:3713:3              
    #12 0x50e430 in main /tmp/binutils/master/binutils-gdb/binutils/./objdump.c:4015:6                      
    #13 0x7f022cccb2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)                                     
    #14 0x419d79 in _start (/tmp/binutils/master/build/bin/objdump+0x419d79)

# GIT version (master branch) - git://sourceware.org/git/binutils-gdb.git 
a66930b357fee4ae716bfc8816e78c0f9c024005

# Command line to reproduce the issue
$ ./objdump -e poc.bin

Comment 1 Sourceware Commits 2017-08-08 10:58:35 UTC

The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=cea7a285058bcba5a54d6493d6914c720f5c40a8

commit cea7a285058bcba5a54d6493d6914c720f5c40a8
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Aug 8 11:57:22 2017 +0100

    Fix address violation bugs when writing beyond the end of a local string buffer.
    
    	PR 21909
    	* prdbg.c (pr_int_type): Increase size of local string buffer.
    	(pr_float_type): Likewise.
    	(pr_bool_type): Likewise.

Comment 2 Nick Clifton 2017-08-08 11:00:50 UTC

Hi Martino,

  Thanks for reporting this bug.  I have checked in a patch to increase the
  size of the local string buffers in the pr_<type> functions so this
  problem should now be fixed.

Cheers
  Nick

Comment 3 Sourceware Commits 2017-09-05 14:33:26 UTC

The binutils-2_29-branch branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=64aa1246572306b72dc479b46d13ff749b0c3236

commit 64aa1246572306b72dc479b46d13ff749b0c3236
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Sep 5 15:32:04 2017 +0100

    Import patches from mainline to fix minor binutils bugs:
    
    	PR 21861
    	* winduni.c (codepages): Use cp1252 for codepage 0.
    
    	PR 21813
    	* rddbg.c (read_symbol_stabs_debugging_info): Check for an empty
    	string whilst concatenating symbol names.
    
    	PR 21909
    	* prdbg.c (pr_int_type): Increase size of local string buffer.
    	(pr_float_type): Likewise.
    	(pr_bool_type): Likewise.
    
    	PR 21820
    	* readelf.c (dump_section_as_strings): Do not fail if the section
    	was empty.
    	(dump_section_as_bytes): Likewise.
    
    	PR 21990
    	* readelf.c (process_version_sections <SHT_GNU_verneed>): Check
    	for invalid vn_next field before adding to idx.  Use unsigned
    	long for index vars.  Move index checks.
    	<SHT_GNU_verdef>: Likewise for vd_next.
    
    	PR 21994
    	* readelf.c (process_version_sections <SHT_GNU_verdef>): Check
    	vd_aux and vda_next for sanity.  Delete "end".  Correct overflow
    	checks.
    	(process_version_sections <SHT_GNU_verneed>): Correct overflow
    	check.  Don't report invalid vna_next on overflow.  Do report
    	invalid vna_next on size less than aux info.