Bug 28694 - stabs.c: Out-of-bounds write in stab_xcoff_builtin_type
Summary: stabs.c: Out-of-bounds write in stab_xcoff_builtin_type
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils
Version: 2.38
Importance: P2 normal
Target Milestone: 2.38
Assignee: Alan Modra
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-12-14 14:02 UTC by Pavel Mayorov
Modified: 2021-12-16 07:47 UTC
CC List: 0 users

See Also:
Host:
Target:
Build:
Last reconfirmed: 2021-12-15 00:00:00


Attachments
PoC and ASAN report (1.62 KB, application/x-zip-compressed)
2021-12-14 14:02 UTC, Pavel Mayorov

Description Pavel Mayorov 2021-12-14 14:02:59 UTC
Created attachment 13851
PoC and ASAN report

I found an out-of-bounds write to the array 'info->xcoff_types' in the function 'stab_xcoff_builtin_type' (binutils/stabs.c).

Processing of typenum -34 results in overwriting of adjacent field 'info->tags' at line 3668:
  info->xcoff_types[-typenum] = rettype;

This eventually leads to a segmentation fault due to an illegal memory reference performed by the function 'finish_stab'. ASAN catches this as heap-buffer-overflow.

Steps to reproduce:

Build current version of binutils with ASAN:
./configure --disable-shared --disable-gdb --disable-gdbserver CFLAGS="-ggdb -Wno-error -fsanitize=address -fsanitize-recover=address" CXXFLAGS="-ggdb -Wno-error -fsanitize=address -fsanitize-recover=address"
make all

Run inputs under ASAN:
binutils/objdump -g ~/oob_write

The proof-of-concept and ASAN report are attached.
Comment 1 Sourceware Commits 2021-12-15 01:30:27 UTC
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=161e87d12167b1e36193385485c1f6ce92f74f02

commit 161e87d12167b1e36193385485c1f6ce92f74f02
Author: Alan Modra <amodra@gmail.com>
Date:   Wed Dec 15 11:48:42 2021 +1030

    PR28694, Out-of-bounds write in stab_xcoff_builtin_type
    
            PR 28694
            * stabs.c (stab_xcoff_builtin_type): Make typenum unsigned.
            Negate typenum earlier, simplifying bounds checking.  Correct
            off-by-one indexing.  Adjust switch cases.
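Editor's note: the following is an added example, not code from the report, the attachment or the binutils tree. It models the bounds logic that the description and the commit message above describe, side by side: the pre-fix form, where a signed typenum is tested with a lower bound that still admits -34 and then negated into an index of 34, and the post-fix form, where typenum is unsigned, negated first and checked with one comparison. The struct, the count of 34 (chosen so that -34 negates to one past the end, as the report states) and the function names are assumptions made for illustration; the layout check shows why an index of 34 into the array lands on the field that follows it.

```c
#include <stdio.h>

/* Constructed stand-in for the relevant part of binutils' stab_handle.
   Assumption: the cache holds 34 entries, which matches the report
   (typenum -34 negates to index 34, one past the end) and the commit
   message's off-by-one note. The field after it is the one the report
   says gets overwritten. Names here are illustrative, not the real struct. */
#define XCOFF_TYPE_COUNT 34

struct stab_handle_like {
  void *xcoff_types[XCOFF_TYPE_COUNT];
  void *tags;  /* immediately after the array; index 34 lands here */
};

/* Pre-fix bounds logic as the report describes it: signed typenum, the
   lower bound tested as 'typenum < -XCOFF_TYPE_COUNT', then indexed with
   -typenum. Returns the index that would be used, or -1 when the value is
   rejected. -34 passes the check and yields 34, one past the array. */
int vulnerable_index(int typenum)
{
  if (typenum >= 0 || typenum < -XCOFF_TYPE_COUNT)
    return -1;
  return -typenum;  /* 1..34: index 0 is never used, 34 is out of bounds */
}

/* Post-fix shape from the commit message: typenum is unsigned, it is
   negated first (and shifted to a 0-based index), and one comparison
   against the array size rejects everything out of range, including 0
   and positive values, which wrap to huge unsigned numbers. */
int fixed_index(unsigned int typenum)
{
  typenum = -typenum - 1;  /* -1 -> 0, -34 -> 33, 0 -> UINT_MAX */
  if (typenum >= XCOFF_TYPE_COUNT)
    return -1;
  return (int) typenum;
}

/* Layout check: does xcoff_types[idx] alias the tags field? For
   idx == XCOFF_TYPE_COUNT it does, which is why the report sees tags
   clobbered before the later crash in finish_stab. Only call with
   idx <= XCOFF_TYPE_COUNT (one-past-the-end is the last valid address). */
int index_aliases_tags(int idx)
{
  struct stab_handle_like h;
  return (char *) &h.xcoff_types[idx] == (char *) &h.tags;
}

int main(void)
{
  int probes[] = { 0, -1, -33, -34, -35 };
  for (unsigned i = 0; i < sizeof probes / sizeof probes[0]; i++) {
    int t = probes[i];
    printf("typenum %4d: vulnerable index %3d  fixed index %3d\n",
           t, vulnerable_index(t), fixed_index((unsigned int) t));
  }
  printf("index %d aliases tags: %d\n", XCOFF_TYPE_COUNT,
         index_aliases_tags(XCOFF_TYPE_COUNT));
  return 0;
}
```

The point of negating into an unsigned value first is that a single `>=` against the array size covers both ends of the range: zero and positive inputs wrap to values far above the bound, and the `- 1` shift means the highest accepted input maps to the last element rather than one past it. The example does not perform the out-of-bounds store itself, since that is undefined behaviour; the aliasing check is enough to show where such a store would land.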
Comment 2 Alan Modra 2021-12-15 01:31:02 UTC
Fixed.
Comment 3 Pavel Mayorov 2021-12-16 07:47:04 UTC
CVE-2021-45078