[Bug binutils/18750] New: Stack buffer overflow when printing bad bytes
From: tyhicks at canonical dot com
Subject: [Bug binutils/18750] New: Stack buffer overflow when printing bad bytes in Intel Hex objects
Date: Fri, 31 Jul 2015 17:05:22 +0000
https://sourceware.org/bugzilla/show_bug.cgi?id=18750
Bug ID: 18750
Summary: Stack buffer overflow when printing bad bytes in Intel
Hex objects
Product: binutils
Version: 2.26 (HEAD)
Status: NEW
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: tyhicks at canonical dot com
Target Milestone: ---
Created attachment 8465
--> https://sourceware.org/bugzilla/attachment.cgi?id=8465&action=edit
Buffer overflow reproducer
Joshua Rogers reported a stack buffer overflow in ihex.c (ihex_bad_byte):
http://www.openwall.com/lists/oss-security/2014/11/03/16
It still affects HEAD, as of:
22d31b1 Automatic date update in version.in
It was reported to Ubuntu with a reliable reproducer:
https://bugs.launchpad.net/bugs/1476014
I've attached the reproducer file. Running size (or gdb and probably others) on
the reproducer results in a buffer stack overflow:
$ ./binutils/size size-SBBOF
*** buffer overflow detected ***: ./binutils/size terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x78c4e)[0x7f457d1c9c4e]
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x7f457d269e8c]
/lib/x86_64-linux-gnu/libc.so.6(+0x116e80)[0x7f457d267e80]
/lib/x86_64-linux-gnu/libc.so.6(+0x1163d9)[0x7f457d2673d9]
/lib/x86_64-linux-gnu/libc.so.6(_IO_default_xsputn+0x80)[0x7f457d1cd3a0]
/lib/x86_64-linux-gnu/libc.so.6(_IO_vfprintf+0x3e42)[0x7f457d19ea62]
/lib/x86_64-linux-gnu/libc.so.6(__vsprintf_chk+0x84)[0x7f457d267464]
/lib/x86_64-linux-gnu/libc.so.6(__sprintf_chk+0x7d)[0x7f457d2673bd]
./binutils/size[0x40fb5f]
./binutils/size[0x40ff81]
./binutils/size[0x40ac35]
./binutils/size[0x4035d0]
./binutils/size[0x403780]
./binutils/size[0x402bfe]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7f457d171a40]
./binutils/size[0x402d39]
Aborted (core dumped)
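Added example (not part of the original report and not code from binutils): the backtrace in the report ends in __sprintf_chk, meaning an unbounded sprintf wrote past a fixed stack buffer. The sketch below assumes a 10-byte buffer and an octal-escape format for non-printable bytes (both assumptions, as are the function names, and a 32-bit unsigned int) and shows how a sign-extended byte makes the formatted string outgrow the buffer, next to a masked and bounded version.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 10  /* assumed size of the on-stack message buffer */

/* Bytes (including the NUL) that an unbounded
   sprintf(buf, "\\%03o", (unsigned int) c) would write for c.
   snprintf(NULL, 0, ...) only measures; nothing is written. */
static size_t unmasked_need(int c)
{
    return (size_t) snprintf(NULL, 0, "\\%03o", (unsigned int) c) + 1;
}

/* Hardened form: mask to a single byte so the escape is at most
   "\377", and bound the write to the buffer size.
   Returns 0 on success, -1 if the output would not fit. */
static int format_bad_byte(char *buf, size_t size, int c)
{
    int n = snprintf(buf, size, "\\%03o", (unsigned int) c & 0xff);
    return (n < 0 || (size_t) n >= size) ? -1 : 0;
}

int main(void)
{
    /* Constructed input: byte 0xE9 read through a signed char is -23,
       which converts to 0xFFFFFFE9 and prints as 11 octal digits. */
    int c = (signed char) 0xE9;
    char buf[BUF_SIZE];

    printf("unbounded sprintf needs %zu bytes, buffer holds %d\n",
           unmasked_need(c), BUF_SIZE);
    if (format_bad_byte(buf, sizeof buf, c) == 0)
        printf("hardened output: %s\n", buf);
    return 0;
}
```

Building with -D_FORTIFY_SOURCE=2, as in the report's trace, turns such an overflow into an abort at the sprintf call rather than silent stack corruption; it does not remove the bug.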