Bug 21909 - Stack buffer overflow in pr_int_type - prdbg.c:586
Summary: Stack buffer overflow in pr_int_type - prdbg.c:586
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils (show other bugs)
Version: 2.30
: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-08-05 12:05 UTC by martino.sani
Modified: 2017-09-05 14:33 UTC (History)
1 user (show)

See Also:
Host:
Target:
Build:
Last reconfirmed:


Attachments
Binary POC (zipped) (12.33 KB, application/zip)
2017-08-05 12:05 UTC, martino.sani
Details

Note You need to log in before you can comment on or make changes to this bug.
Description martino.sani 2017-08-05 12:05:36 UTC
Created attachment 10316 [details]
Binary POC (zipped)

Hello,

American fuzzy lop detects a stack buffer overflow in pr_int_type - prdbg.c:586.

pr_int_type stores the ab variable on the stack, and writes a string into it without verifying its length.

static bfd_boolean
pr_int_type (void *p, unsigned int size, bfd_boolean unsignedp)
{
  char ab[10];

  // !!!
  sprintf (ab, "%sint%d", unsignedp ? "u" : "", size * 8);
}

E.g: In the attached POC when size has value 177777 and unsignedp 1, sprintf writes 11 chars into ab:
tot len = len("int") + len("u") + len(str(size * 8))

# stacktrace

WRITE of size 12 at 0x7ffea8f9b42a thread T0                                                                              
    #0 0x4a0b01 in vsprintf (/tmp/binutils/master/build/bin/objdump+0x4a0b01)                               
    #1 0x4a0d62 in __interceptor_sprintf (/tmp/binutils/master/build/bin/objdump+0x4a0d62)                  
    #2 0x5756a1 in pr_int_type /tmp/binutils/master/binutils-gdb/binutils/prdbg.c:586:3                     
    #3 0x58fd8c in debug_write_type /tmp/binutils/master/binutils-gdb/binutils/debug.c:2491:14              
    #4 0x591968 in debug_write_type /tmp/binutils/master/binutils-gdb/binutils/debug.c:2588:9               
    #5 0x58df6c in debug_write_name /tmp/binutils/master/binutils-gdb/binutils/debug.c:2382:13              
    #6 0x58da8c in debug_write /tmp/binutils/master/binutils-gdb/binutils/debug.c:2350:14                   
    #7 0x5752ef in print_debugging_info /tmp/binutils/master/binutils-gdb/binutils/prdbg.c:316:20           
    #8 0x50fbc7 in dump_bfd /tmp/binutils/master/binutils-gdb/binutils/./objdump.c:3555:9                   
    #9 0x50f201 in display_object_bfd /tmp/binutils/master/binutils-gdb/binutils/./objdump.c:3603:7         
    #10 0x50f0e9 in display_any_bfd /tmp/binutils/master/binutils-gdb/binutils/./objdump.c:3692:5           
    #11 0x50ebe8 in display_file /tmp/binutils/master/binutils-gdb/binutils/./objdump.c:3713:3              
    #12 0x50e430 in main /tmp/binutils/master/binutils-gdb/binutils/./objdump.c:4015:6                      
    #13 0x7f022cccb2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)                                     
    #14 0x419d79 in _start (/tmp/binutils/master/build/bin/objdump+0x419d79)

# GIT version (master branch) - git://sourceware.org/git/binutils-gdb.git 
a66930b357fee4ae716bfc8816e78c0f9c024005

# Command line to reproduce the issue
$ ./objdump -e poc.bin
Comment 1 cvs-commit@gcc.gnu.org 2017-08-08 10:58:35 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=cea7a285058bcba5a54d6493d6914c720f5c40a8

commit cea7a285058bcba5a54d6493d6914c720f5c40a8
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Aug 8 11:57:22 2017 +0100

    Fix address violation bugs when writing beyond the end of a local string buffer.
    
    	PR 21909
    	* prdbg.c (pr_int_type): Increase size of local string buffer.
    	(pr_float_type): Likewise.
    	(pr_bool_type): Likewise.
Comment 2 Nick Clifton 2017-08-08 11:00:50 UTC
Hi Martino,

  Thanks for reporting this bug.  I have checked in a patch to increase the
  size of the local string buffers in the pr_<type> functions so this
  problem should now be fixed.

Cheers
  Nick
Comment 3 cvs-commit@gcc.gnu.org 2017-09-05 14:33:26 UTC
The binutils-2_29-branch branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=64aa1246572306b72dc479b46d13ff749b0c3236

commit 64aa1246572306b72dc479b46d13ff749b0c3236
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Sep 5 15:32:04 2017 +0100

    Import patches from mainline to fix minor binutils bugs:
    
    	PR 21861
    	* winduni.c (codepages): Use cp1252 for codepage 0.
    
    	PR 21813
    	* rddbg.c (read_symbol_stabs_debugging_info): Check for an empty
    	string whilst concatenating symbol names.
    
    	PR 21909
    	* prdbg.c (pr_int_type): Increase size of local string buffer.
    	(pr_float_type): Likewise.
    	(pr_bool_type): Likewise.
    
    	PR 21820
    	* readelf.c (dump_section_as_strings): Do not fail if the section
    	was empty.
    	(dump_section_as_bytes): Likewise.
    
    	PR 21990
    	* readelf.c (process_version_sections <SHT_GNU_verneed>): Check
    	for invalid vn_next field before adding to idx.  Use unsigned
    	long for index vars.  Move index checks.
    	<SHT_GNU_verdef>: Likewise for vd_next.
    
    	PR 21994
    	* readelf.c (process_version_sections <SHT_GNU_verdef>): Check
    	vd_aux and vda_next for sanity.  Delete "end".  Correct overflow
    	checks.
    	(process_version_sections <SHT_GNU_verneed>): Correct overflow
    	check.  Don't report invalid vna_next on overflow.  Do report
    	invalid vna_next on size less than aux info.