Created attachment 10316: Binary POC (zipped)

Hello,

American fuzzy lop detects a stack buffer overflow in pr_int_type - prdbg.c:586.

pr_int_type stores the ab variable on the stack, and writes a string into it without verifying its length.

    static bfd_boolean
    pr_int_type (void *p, unsigned int size, bfd_boolean unsignedp)
    {
      char ab[10]; // !!!
      sprintf (ab, "%sint%d", unsignedp ? "u" : "", size * 8);
    }

E.g.: in the attached POC, when size has value 177777 and unsignedp 1, sprintf writes 11 chars into ab:

    tot len = len("int") + len("u") + len(str(size * 8))

# stacktrace
WRITE of size 12 at 0x7ffea8f9b42a thread T0
    #0 0x4a0b01 in vsprintf (/tmp/binutils/master/build/bin/objdump+0x4a0b01)
    #1 0x4a0d62 in __interceptor_sprintf (/tmp/binutils/master/build/bin/objdump+0x4a0d62)
    #2 0x5756a1 in pr_int_type /tmp/binutils/master/binutils-gdb/binutils/prdbg.c:586:3
    #3 0x58fd8c in debug_write_type /tmp/binutils/master/binutils-gdb/binutils/debug.c:2491:14
    #4 0x591968 in debug_write_type /tmp/binutils/master/binutils-gdb/binutils/debug.c:2588:9
    #5 0x58df6c in debug_write_name /tmp/binutils/master/binutils-gdb/binutils/debug.c:2382:13
    #6 0x58da8c in debug_write /tmp/binutils/master/binutils-gdb/binutils/debug.c:2350:14
    #7 0x5752ef in print_debugging_info /tmp/binutils/master/binutils-gdb/binutils/prdbg.c:316:20
    #8 0x50fbc7 in dump_bfd /tmp/binutils/master/binutils-gdb/binutils/./objdump.c:3555:9
    #9 0x50f201 in display_object_bfd /tmp/binutils/master/binutils-gdb/binutils/./objdump.c:3603:7
    #10 0x50f0e9 in display_any_bfd /tmp/binutils/master/binutils-gdb/binutils/./objdump.c:3692:5
    #11 0x50ebe8 in display_file /tmp/binutils/master/binutils-gdb/binutils/./objdump.c:3713:3
    #12 0x50e430 in main /tmp/binutils/master/binutils-gdb/binutils/./objdump.c:4015:6
    #13 0x7f022cccb2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #14 0x419d79 in _start (/tmp/binutils/master/build/bin/objdump+0x419d79)

# GIT version (master branch)
git://sourceware.org/git/binutils-gdb.git a66930b357fee4ae716bfc8816e78c0f9c024005

# Command line to reproduce the issue
$ ./objdump -e poc.bin
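The arithmetic behind the report, as an added example that is not part of the bug report or of binutils: a stand-in for pr_int_type that formats the same "<u>int<bits>" name with snprintf instead of sprintf, a helper that tallies how many bytes the unbounded sprintf would write for a given size/unsignedp pair (the reporter's len("int") + len("u") + len(str(size * 8)), plus the NUL), and a worst-case bound for that tally, which is how one sizes the local buffer so that no debug-info value can overflow it. The function names, the bfd_boolean-like int return, and the 32-bit unsigned int assumption in worst_case_bytes are mine, not the project's.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Added example, not binutils code: a bounded stand-in for pr_int_type that
   formats "<u>int<bits>" with snprintf instead of sprintf, so the write can
   never exceed the caller's buffer whatever 'size' the debug info carries.
   Returns 1 if the whole name fit, 0 if it had to be truncated.  */
static int safe_int_type (char *out, size_t outlen, unsigned int size, int unsignedp)
{
  /* size * 8 is unsigned arithmetic and may wrap for absurd sizes; %u matches
     the argument type (the reported code used %d).  */
  int needed = snprintf (out, outlen, "%sint%u", unsignedp ? "u" : "", size * 8u);
  if (needed < 0)
    return 0;
  return (size_t) needed < outlen;
}

/* Bytes, NUL included, that an unbounded sprintf of the same format would
   write for a given size/unsignedp pair: the quantity the report tallies as
   len("int") + len("u") + len(str(size * 8)), plus one for the terminator.  */
static size_t sprintf_bytes_for (unsigned int size, int unsignedp)
{
  int n = snprintf (NULL, 0, "%sint%u", unsignedp ? "u" : "", size * 8u);
  return n < 0 ? 0 : (size_t) n + 1;
}

/* Upper bound on that quantity: "uint" followed by the decimal form of
   UINT_MAX, plus the NUL.  A local buffer at least this large cannot be
   overflowed by the unbounded sprintf (assumes a 32-bit unsigned int).  */
static size_t worst_case_bytes (void)
{
  int n = snprintf (NULL, 0, "uint%u", UINT_MAX);
  return n < 0 ? 0 : (size_t) n + 1;
}

/* Test helper: run safe_int_type into a scratch buffer pretending it is
   'outlen' bytes long and return whether the whole name fit.  */
static int fits_in (size_t outlen, unsigned int size, int unsignedp)
{
  char scratch[64];
  if (outlen > sizeof scratch)
    return 0;
  return safe_int_type (scratch, outlen, size, unsignedp);
}

/* Test helper: same, but report whether the resulting text equals 'expect'
   (for a too-small buffer this is the truncated, still NUL-terminated name).  */
static int formats_as (size_t outlen, unsigned int size, int unsignedp, const char *expect)
{
  char scratch[64];
  if (outlen > sizeof scratch)
    return 0;
  safe_int_type (scratch, outlen, size, unsignedp);
  return strcmp (scratch, expect) == 0;
}

int main (void)
{
  /* The POC values from the report: size = 177777, unsignedp = 1.  */
  char ab[10];   /* the original buffer size */
  char big[20];  /* a buffer above the worst case */

  printf ("unbounded sprintf would write %zu bytes into ab[10]\n",
          sprintf_bytes_for (177777u, 1));
  printf ("worst case for any size: %zu bytes\n", worst_case_bytes ());
  printf ("ab[10]:  fit=%d text=\"%s\"\n", safe_int_type (ab, sizeof ab, 177777u, 1), ab);
  printf ("big[20]: fit=%d text=\"%s\"\n", safe_int_type (big, sizeof big, 177777u, 1), big);
  return 0;
}
```

For the POC values the tally comes to 12 bytes, matching the "WRITE of size 12" in the sanitizer trace above (11 characters plus the NUL) against a 10-byte buffer; the worst case for any 32-bit size is 15 bytes, so enlarging the local buffer past that, as the fix does, removes the overflow, while the snprintf form additionally makes the bound explicit at the call site.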
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=cea7a285058bcba5a54d6493d6914c720f5c40a8

commit cea7a285058bcba5a54d6493d6914c720f5c40a8
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Aug 8 11:57:22 2017 +0100

    Fix address violation bugs when writing beyond the end of a local string buffer.

            PR 21909
            * prdbg.c (pr_int_type): Increase size of local string buffer.
            (pr_float_type): Likewise.
            (pr_bool_type): Likewise.
Hi Martino,

  Thanks for reporting this bug. I have checked in a patch to increase the size of the local string buffers in the pr_<type> functions so this problem should now be fixed.

Cheers
  Nick
The binutils-2_29-branch branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=64aa1246572306b72dc479b46d13ff749b0c3236

commit 64aa1246572306b72dc479b46d13ff749b0c3236
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Sep 5 15:32:04 2017 +0100

    Import patches from mainline to fix minor binutils bugs:

            PR 21861
            * winduni.c (codepages): Use cp1252 for codepage 0.

            PR 21813
            * rddbg.c (read_symbol_stabs_debugging_info): Check for an empty
            string whilst concatenating symbol names.

            PR 21909
            * prdbg.c (pr_int_type): Increase size of local string buffer.
            (pr_float_type): Likewise.
            (pr_bool_type): Likewise.

            PR 21820
            * readelf.c (dump_section_as_strings): Do not fail if the section
            was empty.
            (dump_section_as_bytes): Likewise.

            PR 21990
            * readelf.c (process_version_sections <SHT_GNU_verneed>): Check
            for invalid vn_next field before adding to idx.  Use unsigned
            long for index vars.  Move index checks.
            <SHT_GNU_verdef>: Likewise for vd_next.

            PR 21994
            * readelf.c (process_version_sections <SHT_GNU_verdef>): Check
            vd_aux and vda_next for sanity.  Delete "end".  Correct overflow
            checks.
            (process_version_sections <SHT_GNU_verneed>): Correct overflow
            check.  Don't report invalid vna_next on overflow.  Do report
            invalid vna_next on size less than aux info.