Created attachment 13851: PoC and ASAN report

I found an out-of-bounds write to the array 'info->xcoff_types' in the function 'stab_xcoff_builtin_type' (binutils/stabs.c). Processing of typenum -34 results in overwriting of adjacent field 'info->tags' at line 3668:

    info->xcoff_types[-typenum] = rettype;

This eventually leads to a segmentation fault due to illegal memory reference performed by the function 'finish_stab'. ASAN catches this as heap-buffer-overflow.

Steps to reproduce:

Build current version of binutils with ASAN:

    ./configure --disable-shared --disable-gdb --disable-gdbserver CFLAGS="-ggdb -Wno-error -fsanitize=address -fsanitize-recover=address" CXXFLAGS="-ggdb -Wno-error -fsanitize=address -fsanitize-recover=address"
    make all

Run inputs under ASAN:

    binutils/objdump -g ~/oob_write

The proof-of-concept and ASAN report are attached.
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=161e87d12167b1e36193385485c1f6ce92f74f02

commit 161e87d12167b1e36193385485c1f6ce92f74f02
Author: Alan Modra <amodra@gmail.com>
Date:   Wed Dec 15 11:48:42 2021 +1030

    PR28694, Out-of-bounds write in stab_xcoff_builtin_type

        PR 28694
        * stabs.c (stab_xcoff_builtin_type): Make typenum unsigned.
        Negate typenum earlier, simplifying bounds checking.  Correct
        off-by-one indexing.  Adjust switch cases.
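Added illustration of the report and the fix above (this is a model written for this page, not code from binutils or from the commit): it contrasts the slot the pre-fix range check lets through with the slot the unsigned, negate-first check selects. The table size XCOFF_TYPE_COUNT = 34 and the struct layout with 'tags' directly after 'xcoff_types' are assumptions taken from the report's description.

```c
#include <stddef.h>

#define XCOFF_TYPE_COUNT 34   /* assumed size of the builtin-type table */

/* Model of the relevant part of the handle (assumption, not the real
   struct): 'tags' sits directly after the xcoff_types array, which is
   why the report sees 'info->tags' overwritten. */
struct stab_handle_model {
  void *xcoff_types[XCOFF_TYPE_COUNT];
  void *tags;
};

/* Slot the pre-fix logic writes to, or -1 if it rejects typenum.
   The check lets -1..-34 through, but -typenum then yields 1..34, and
   slot 34 is one past the end of a 34-element array (the off-by-one). */
int old_slot(int typenum)
{
  if (typenum >= 0 || typenum < -XCOFF_TYPE_COUNT)
    return -1;
  return -typenum;
}

/* Slot after the fix, or -1 if rejected.  typenum is handled as
   unsigned and negated first: positive values and values below -34
   both wrap to a large index, so a single comparison rejects them,
   and the "- 1" maps -1..-34 onto 0..33. */
int new_slot(int typenum)
{
  unsigned int idx = (unsigned int) typenum;  /* well-defined wrap */
  idx = -idx - 1u;
  if (idx >= XCOFF_TYPE_COUNT)
    return -1;
  return (int) idx;
}

/* 1 if the pre-fix write for typenum would land on the 'tags' field
   of the model struct, 0 otherwise (no write is performed). */
int old_slot_hits_tags(int typenum)
{
  int slot = old_slot(typenum);
  if (slot < 0)
    return 0;
  return (size_t) slot * sizeof(void *)
         == offsetof(struct stab_handle_model, tags);
}
```

Calling old_slot(-34) gives 34, the one-past-the-end slot that aliases 'tags' in the model, while new_slot(-34) gives 33 and new_slot(-35), new_slot(0) and new_slot(7) are all rejected.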
Fixed.
CVE-2021-45078