[Bug binutils/21909] New: Stack buffer overflow in pr_int_type - prdbg.c
From: martino.sani at gmail dot com
Subject: [Bug binutils/21909] New: Stack buffer overflow in pr_int_type - prdbg.c:586
Date: Sat, 05 Aug 2017 12:05:36 +0000
https://sourceware.org/bugzilla/show_bug.cgi?id=21909
Bug ID: 21909
Summary: Stack buffer overflow in pr_int_type - prdbg.c:586
Product: binutils
Version: 2.30 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: martino.sani at gmail dot com
Target Milestone: ---
Created attachment 10316
--> https://sourceware.org/bugzilla/attachment.cgi?id=10316&action=edit
Binary POC (zipped)
Hello,
American fuzzy lop detects a stack buffer overflow in pr_int_type -
prdbg.c:586.
pr_int_type stores the ab variable on the stack, and writes a string into it
without verifying its length.
static bfd_boolean
pr_int_type (void *p, unsigned int size, bfd_boolean unsignedp)
{
  char ab[10];
  // !!!
  sprintf (ab, "%sint%d", unsignedp ? "u" : "", size * 8);
}
E.g.: in the attached POC, when size has the value 177777 and unsignedp is 1,
sprintf writes 11 chars into ab:
tot len = len("int") + len("u") + len(str(size * 8))
# stacktrace
WRITE of size 12 at 0x7ffea8f9b42a thread T0
    #0 0x4a0b01 in vsprintf (/tmp/binutils/master/build/bin/objdump+0x4a0b01)
    #1 0x4a0d62 in __interceptor_sprintf (/tmp/binutils/master/build/bin/objdump+0x4a0d62)
    #2 0x5756a1 in pr_int_type /tmp/binutils/master/binutils-gdb/binutils/prdbg.c:586:3
    #3 0x58fd8c in debug_write_type /tmp/binutils/master/binutils-gdb/binutils/debug.c:2491:14
    #4 0x591968 in debug_write_type /tmp/binutils/master/binutils-gdb/binutils/debug.c:2588:9
    #5 0x58df6c in debug_write_name /tmp/binutils/master/binutils-gdb/binutils/debug.c:2382:13
    #6 0x58da8c in debug_write /tmp/binutils/master/binutils-gdb/binutils/debug.c:2350:14
    #7 0x5752ef in print_debugging_info /tmp/binutils/master/binutils-gdb/binutils/prdbg.c:316:20
    #8 0x50fbc7 in dump_bfd /tmp/binutils/master/binutils-gdb/binutils/./objdump.c:3555:9
    #9 0x50f201 in display_object_bfd /tmp/binutils/master/binutils-gdb/binutils/./objdump.c:3603:7
    #10 0x50f0e9 in display_any_bfd /tmp/binutils/master/binutils-gdb/binutils/./objdump.c:3692:5
    #11 0x50ebe8 in display_file /tmp/binutils/master/binutils-gdb/binutils/./objdump.c:3713:3
    #12 0x50e430 in main /tmp/binutils/master/binutils-gdb/binutils/./objdump.c:4015:6
    #13 0x7f022cccb2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #14 0x419d79 in _start (/tmp/binutils/master/build/bin/objdump+0x419d79)
# GIT version (master branch) - git://sourceware.org/git/binutils-gdb.git
a66930b357fee4ae716bfc8816e78c0f9c024005
# Command line to reproduce the issue
$ ./objdump -e poc.bin
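Added example (editor's code, not the reporter's and not binutils' own fix): it computes the length from the reporter's formula, reproducing the 12-byte write for size 177777, and shows a bounded replacement for the unchecked sprintf into the 10-byte ab buffer. The names int_type_name_len, format_int_type and INT_TYPE_BUF are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Bytes the formatted name needs, including the NUL: the reporter's
   tot len = len("int") + len("u") + len(str(size * 8)), plus one.
   snprintf with a NULL buffer only measures, it writes nothing. */
size_t int_type_name_len(unsigned int size, bool unsignedp)
{
    int n = snprintf(NULL, 0, "%sint%u", unsignedp ? "u" : "", size * 8u);
    return (size_t)n + 1;
}

/* Worst case for a 32-bit size: "u" + "int" + 10 digits + NUL = 15 bytes.
   %u is used because size * 8 is unsigned; the original's %d on an
   unsigned argument could also print a sign, which is why ab[10] is short
   for most large sizes. */
#define INT_TYPE_BUF 16

/* Hardened form: bounded write, and the caller learns about truncation
   instead of overrunning the stack. Returns true only when the whole
   name fit in out[0..outlen-1]. */
bool format_int_type(char *out, size_t outlen, unsigned int size, bool unsignedp)
{
    int n = snprintf(out, outlen, "%sint%u", unsignedp ? "u" : "", size * 8u);
    return n >= 0 && (size_t)n < outlen;
}

int main(void)
{
    /* constructed input: the values the report gives for the attached POC */
    unsigned int size = 177777;
    char small[10];          /* same size as ab in prdbg.c */
    char big[INT_TYPE_BUF];

    printf("needed: %zu bytes\n", int_type_name_len(size, true));
    printf("into ab[10]: %s\n",
           format_int_type(small, sizeof small, size, true) ? "fits" : "would overflow");
    if (format_int_type(big, sizeof big, size, true))
        printf("into ab[%d]: %s\n", INT_TYPE_BUF, big);
    return 0;
}
```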