[PATCH] binutils: fix out-of-bounds write in stab_xcoff_builtin_type (bz 28694)
Pavel Mayorov
pmayorov@cloudlinux.com
Tue Dec 14 16:57:32 GMT 2021
I found an out-of-bounds write to the array 'info->xcoff_types' in the
function 'stab_xcoff_builtin_type' (binutils/stabs.c).
Processing of typenum -34 results in overwriting of adjacent field
'info->tags' at line 3668:
info->xcoff_types[-typenum] = rettype;
This eventually leads to a segmentation fault due to illegal memory
reference performed by the function 'finish_stab'. ASAN catches this
as heap-buffer-overflow.
To solve this problem, it is enough to correct the index by which the
array is accessed: decrease it by 1.
---
binutils/stabs.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/binutils/stabs.c b/binutils/stabs.c
index 274bfb0e7fa..45ccbba4600 100644
--- a/binutils/stabs.c
+++ b/binutils/stabs.c
@@ -3500,14 +3500,16 @@ stab_xcoff_builtin_type (void *dhandle, struct
stab_handle *info,
{
debug_type rettype;
const char *name;
+ int index;
if (typenum >= 0 || typenum < -XCOFF_TYPE_COUNT)
{
fprintf (stderr, _("Unrecognized XCOFF type %d\n"), typenum);
return DEBUG_TYPE_NULL;
}
- if (info->xcoff_types[-typenum] != NULL)
- return info->xcoff_types[-typenum];
+ index = -typenum - 1;
+ if (info->xcoff_types[index] != NULL)
+ return info->xcoff_types[index];
switch (-typenum)
{
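Review bot: the new local `int index;` shadows the POSIX `index(3)` function declared in <strings.h>, which trips `-Wshadow` on some toolchains; a name like `idx` avoids that. The bounds logic itself now lines up: the check `typenum < -XCOFF_TYPE_COUNT` admits typenum = -XCOFF_TYPE_COUNT, so the old `-typenum` could reach XCOFF_TYPE_COUNT (one past the last slot, which is the write into `info->tags` the description reports for -34), while `-typenum - 1` stays in 0..XCOFF_TYPE_COUNT-1. A one-line comment above `index = -typenum - 1;` stating that builtin type numbers start at -1 while the array is indexed from 0 would keep the next reader from "fixing" it back.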
@@ -3665,7 +3667,7 @@ stab_xcoff_builtin_type (void *dhandle, struct
stab_handle *info,
rettype = debug_name_type (dhandle, name, rettype);
- info->xcoff_types[-typenum] = rettype;
+ info->xcoff_types[index] = rettype;
return rettype;
}
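Review bot: the store and the earlier lookup now use the same `index`, so the cache stays consistent, but the patch adds no regression test. Since the description gives a concrete trigger (typenum -34, caught by ASAN as heap-buffer-overflow), a minimal stabs input exercising that type number in the binutils testsuite would guard against the off-by-one returning; please also note the PR number in the ChangeLog entry.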
--
2.17.1