Bug 21962 - stack overflow in getsym
Summary: stack overflow in getsym
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils
Version: unspecified
Importance: P2 critical
Target Milestone: ---
Assignee: Not yet assigned to anyone
Reported: 2017-08-17 06:07 UTC by Zhihua Yao
Modified: 2017-08-21 00:50 UTC (History)

Attachments
nm -n stack_overflow_getsym / objdump -S (32 bytes, text/plain)
2017-08-18 00:22 UTC, Zhihua Yao

Description Zhihua Yao 2017-08-17 06:07:57 UTC
root@ubuntu:/home/hjy/Desktop# objdump -S stack_overflow_getsym 
=================================================================
==1744==ERROR: AddressSanitizer: stack-buffer-overflow on address 0xbfc8b8af at pc 0x830a926 bp 0xbfc8b688 sp 0xbfc8b67c
READ of size 1 at 0xbfc8b8af thread T0
    #0 0x830a925 in getsym /home/hjy/Desktop/binutils-2.29/bfd/tekhex.c:311
    #1 0x830a925 in first_phase /home/hjy/Desktop/binutils-2.29/bfd/tekhex.c:444
    #2 0x830ad63 in pass_over /home/hjy/Desktop/binutils-2.29/bfd/tekhex.c:554
    #3 0x830b3d9 in tekhex_object_p /home/hjy/Desktop/binutils-2.29/bfd/tekhex.c:619
    #4 0x82bd375 in bfd_check_format_matches /home/hjy/Desktop/binutils-2.29/bfd/format.c:311
    #5 0x806e0e1 in display_object_bfd objdump.c:3601
    #6 0x806e0e1 in display_any_bfd objdump.c:3692
    #7 0x805837d in display_file objdump.c:3713
    #8 0x805837d in main objdump.c:4015
    #9 0xb70f9a82 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x19a82)
    #10 0x805af8f (/usr/local/bin/objdump+0x805af8f)

Address 0xbfc8b8af is located in stack of thread T0 at offset 287 in frame
    #0 0x830a95f in pass_over /home/hjy/Desktop/binutils-2.29/bfd/tekhex.c:512

  This frame has 1 object(s):
    [32, 287) 'src' <== Memory access at offset 287 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/hjy/Desktop/binutils-2.29/bfd/tekhex.c:311 getsym
==1744==ABORTING


My version is 2.29, and my platform is Ubuntu x86.
Comment 1 Nick Clifton 2017-08-17 11:27:15 UTC
Hi Zhihua,

Please could you upload the reproducer ?

Cheers
  Nick
Comment 2 Zhihua Yao 2017-08-18 00:22:06 UTC
Created attachment 10350 [details]
nm -n stack_overflow_getsym  / objdump -S
Comment 3 Zhihua Yao 2017-08-18 00:23:10 UTC
I am sorry, I remembered uploading it, but I had not.
Comment 4 Sourceware Commits 2017-08-18 07:47:42 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=de25939739ffe9a9ad7cec07a35bb2a1e430fe39

commit de25939739ffe9a9ad7cec07a35bb2a1e430fe39
Author: Nick Clifton <nickc@redhat.com>
Date:   Fri Aug 18 08:45:12 2017 +0100

    Fix buffer overrun parsing a corrupt tekhex binary.
    
    	PR binutils/21962
    	* tekhex.c (getsym): Fix check for source pointer walking off the
    	end of the input buffer.
Comment 5 Sourceware Commits 2017-08-18 07:50:27 UTC
The binutils-2_29-branch branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ebe412a7186f1acbc5753d3236f3cab4999f7b90

commit ebe412a7186f1acbc5753d3236f3cab4999f7b90
Author: Nick Clifton <nickc@redhat.com>
Date:   Fri Aug 18 08:47:16 2017 +0100

    Fix buffer overrun when parsing a corrupt tekhex binary.
    
    	PR binutils/21962
    	* tekhex.c (getsym): Fix check for source pointer walking off the
    	end of the input buffer.
Comment 6 Nick Clifton 2017-08-18 07:53:06 UTC
Hi Zhihua,

  Thanks for the testcase.  The bug was a simple case of an incorrect test
  for a pointer running off the end of an input buffer, and so I have checked
  in a small patch (to mainline and the 2.29 branch) that fixes it.

Cheers
  Nick
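The wrong-check pattern Nick describes, as an added illustration that is neither the binutils routine nor the committed patch: a Tekhex-style symbol reader (assumed encoding: one hex digit giving the length, 0 meaning 16, then that many symbol bytes) that validates the whole span the copy loop will touch before reading it. getsym_checked, demo_ok, demo_cut and the sample records are hypothetical names and constructed inputs.

```c
#include <stddef.h>
#include <string.h>
/* Value of one hex digit, or -1 if the byte is not a hex digit. */
static int hex_value(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Copy one length-prefixed symbol out of [src, end) into dst (17 bytes).
 * Returns the position just after the symbol, or NULL if the record is
 * truncated or malformed.  Hypothetical reader, not the binutils routine. */
const char *getsym_checked(char *dst, const char *src, const char *end, unsigned *lenp)
{
    unsigned len, i; int v;
    if (src >= end)                  /* not even a length digit left */
        return NULL;
    v = hex_value((unsigned char)*src++);
    if (v < 0)
        return NULL;
    len = (v == 0) ? 16 : (unsigned)v;
    /* The bug class from the report: testing only that src itself is inside
     * the buffer lets the copy loop read src[i] past end.  The test has to
     * cover the whole span the loop will touch. */
    if ((size_t)(end - src) < len)
        return NULL;
    for (i = 0; i < len; i++)
        dst[i] = src[i];
    dst[len] = '\0';
    *lenp = len;
    return src + len;
}

/* Constructed inputs (not the reporter's test case). */
static const char rec_ok[] = "5startXYZ";  /* 5 bytes claimed, 5 present */
static const char rec_cut[] = "5sta";       /* 5 bytes claimed, 3 present */
int demo_ok(void)
{
    char sym[17]; unsigned n;
    const char *p = getsym_checked(sym, rec_ok, rec_ok + strlen(rec_ok), &n);
    return p != NULL && n == 5 && strcmp(sym, "start") == 0 && *p == 'X';
}

int demo_cut(void)
{
    char sym[17]; unsigned n;
    return getsym_checked(sym, rec_cut, rec_cut + strlen(rec_cut), &n) == NULL;
}
```

Under AddressSanitizer the truncated record is exactly the case that would otherwise report a read past the end of the input buffer; here it is rejected before any byte is touched.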
Comment 7 Zhihua Yao 2017-08-21 00:50:49 UTC
This vulnerability has been assigned CVE-2017-12967, discovered by zhihua.yao@dbappsecurity.com.cn