Created attachment 13851 [details]
PoC and ASAN report
I found an out-of-bounds write to the array 'info->xcoff_types' in the function 'stab_xcoff_builtin_type' (binutils/stabs.c).
Processing of typenum -34 results in overwriting the adjacent field 'info->tags' at line 3668:
info->xcoff_types[-typenum] = rettype;
This eventually leads to a segmentation fault due to illegal memory reference performed by the function 'finish_stab'. ASAN catches this as heap-buffer-overflow.
Steps to reproduce:
Build the current version of binutils with ASAN:
./configure --disable-shared --disable-gdb --disable-gdbserver CFLAGS="-ggdb -Wno-error -fsanitize=address -fsanitize-recover=address" CXXFLAGS="-ggdb -Wno-error -fsanitize=address -fsanitize-recover=address"
Run inputs under ASAN:
binutils/objdump -g ~/oob_write
The proof-of-concept and ASAN report are attached.
The master branch has been updated by Alan Modra <email@example.com>:
Author: Alan Modra <firstname.lastname@example.org>
Date: Wed Dec 15 11:48:42 2021 +1030
PR28694, Out-of-bounds write in stab_xcoff_builtin_type
* stabs.c (stab_xcoff_builtin_type): Make typenum unsigned.
Negate typenum earlier, simplifying bounds checking. Correct
off-by-one indexing. Adjust switch cases.