root@ubuntu:/home/hjy/Desktop# objdump -S stack_overflow_getsym
=================================================================
==1744==ERROR: AddressSanitizer: stack-buffer-overflow on address 0xbfc8b8af at pc 0x830a926 bp 0xbfc8b688 sp 0xbfc8b67c
READ of size 1 at 0xbfc8b8af thread T0
    #0 0x830a925 in getsym /home/hjy/Desktop/binutils-2.29/bfd/tekhex.c:311
    #1 0x830a925 in first_phase /home/hjy/Desktop/binutils-2.29/bfd/tekhex.c:444
    #2 0x830ad63 in pass_over /home/hjy/Desktop/binutils-2.29/bfd/tekhex.c:554
    #3 0x830b3d9 in tekhex_object_p /home/hjy/Desktop/binutils-2.29/bfd/tekhex.c:619
    #4 0x82bd375 in bfd_check_format_matches /home/hjy/Desktop/binutils-2.29/bfd/format.c:311
    #5 0x806e0e1 in display_object_bfd objdump.c:3601
    #6 0x806e0e1 in display_any_bfd objdump.c:3692
    #7 0x805837d in display_file objdump.c:3713
    #8 0x805837d in main objdump.c:4015
    #9 0xb70f9a82 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x19a82)
    #10 0x805af8f (/usr/local/bin/objdump+0x805af8f)

Address 0xbfc8b8af is located in stack of thread T0 at offset 287 in frame
    #0 0x830a95f in pass_over /home/hjy/Desktop/binutils-2.29/bfd/tekhex.c:512

  This frame has 1 object(s):
    [32, 287) 'src' <== Memory access at offset 287 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/hjy/Desktop/binutils-2.29/bfd/tekhex.c:311 getsym
Shadow bytes around the buggy address:
  0x37f916c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x37f916d0: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
  0x37f916e0: 00 00 01 f4 f3 f3 f3 f3 00 00 00 00 00 00 00 00
  0x37f916f0: 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00
  0x37f91700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x37f91710: 00 00 00 00 00[07]f3 f3 f3 f3 f3 f3 f3 f3 00 00
  0x37f91720: 00 00 00 00 00 00 f1 f1 f1 f1 04 f4 f4 f4 f3 f3
  0x37f91730: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x37f91740: 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 04 f3 f3
  0x37f91750: f3 f3 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
  0x37f91760: 04 f4 f4 f4 f3 f3 f3 f3 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==1744==ABORTING

My version is 2.29, and my platform is Ubuntu x86.
Hi Zhihua,

Please could you upload the reproducer?

Cheers
Nick
Created attachment 10350: nm -n stack_overflow_getsym / objdump -S
I am sorry, I remembered having uploaded it, but I had not.
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=de25939739ffe9a9ad7cec07a35bb2a1e430fe39

commit de25939739ffe9a9ad7cec07a35bb2a1e430fe39
Author: Nick Clifton <nickc@redhat.com>
Date:   Fri Aug 18 08:45:12 2017 +0100

    Fix buffer overrun parsing a corrupt tekhex binary.

    	PR binutils/21962
    	* tekhex.c (getsym): Fix check for source pointer walking off the
    	end of the input buffer.
The binutils-2_29-branch branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ebe412a7186f1acbc5753d3236f3cab4999f7b90

commit ebe412a7186f1acbc5753d3236f3cab4999f7b90
Author: Nick Clifton <nickc@redhat.com>
Date:   Fri Aug 18 08:47:16 2017 +0100

    Fix buffer overrun when parsing a corrupt tekhex binary.

    	PR binutils/21962
    	* tekhex.c (getsym): Fix check for source pointer walking off the
    	end of the input buffer.
Hi Zhihua,

Thanks for the testcase. The bug was a simple case of an incorrect test for a pointer running off the end of an input buffer, and so I have checked in a small patch (to mainline and the 2.29 branch) that fixes it.

Cheers
Nick
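The bug class Nick describes (a length-prefixed field read without a correct check against the end of the input buffer), as an added illustration in C that is not the binutils tekhex.c code: a hypothetical getsym-style reader whose assumed field layout is one hex digit giving the name length followed by that many name bytes, shown in the form that trusts the digit and in the bounds-checked form.

```c
/* Added illustration for this thread, not the binutils tekhex.c source.
   Assumed field layout: one hex digit giving the symbol-name length,
   followed by that many name characters, read out of a bounded buffer.
   dst must have room for SYM_MAX + 1 bytes. */
#include <stddef.h>
#include <string.h>

#define SYM_MAX 15   /* a single hex digit allows at most 15 name bytes */

static int hex_digit(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Vulnerable form: trusts the length digit and never consults bufend, so a
   record whose digit promises more bytes than remain is read past the end
   of the caller's buffer (the stack-buffer-overflow READ in the report).
   Returns bytes consumed, or -1 for a bad length digit. */
static int getsym_unchecked(char *dst, const char *src, const char *bufend)
{
    (void)bufend;                          /* the bound is ignored: the bug */
    int len = hex_digit(*src);
    if (len <= 0) return -1;
    memcpy(dst, src + 1, (size_t)len);     /* may read beyond the buffer */
    dst[len] = '\0';
    return 1 + len;
}

/* Hardened form: check that there is room for the length digit, that the
   digit is valid, and that len name bytes follow it, before touching any
   of them. The remaining size is compared as a count rather than by
   forming src + len, so the check cannot be skewed by pointer arithmetic
   past bufend. Returns bytes consumed, or -1 on a malformed or truncated
   field so the caller stops parsing instead of walking off the input. */
static int getsym_checked(char *dst, const char *src, const char *bufend)
{
    if (src >= bufend) return -1;          /* no room for the length digit */
    int len = hex_digit(*src);
    if (len <= 0) return -1;
    if ((size_t)(bufend - src) < (size_t)len + 1) return -1;  /* truncated */
    memcpy(dst, src + 1, (size_t)len);
    dst[len] = '\0';
    return 1 + len;
}
```

On a well-formed record both readers agree; the difference only shows on a truncated one, which is exactly the input a sanitizer build under a fuzzer finds.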
This vulnerability has been assigned CVE-2017-12967, discovered by zhihua.yao@dbappsecurity.com.cn