[Bug binutils/27293] New: Arbitrary read/write via Integer Overflow in e

bug-binutils

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Bug binutils/27293] New: Arbitrary read/write via Integer Overflow in e

From:	dennis.r at columbia dot edu
Subject:	[Bug binutils/27293] New: Arbitrary read/write via Integer Overflow in elf32_avr_get_device_info()
Date:	Sun, 31 Jan 2021 03:45:10 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=27293

            Bug ID: 27293
           Summary: Arbitrary read/write via Integer Overflow in
                    elf32_avr_get_device_info()
           Product: binutils
           Version: 2.36
            Status: UNCONFIRMED
          Severity: critical
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: dennis.r at columbia dot edu
  Target Milestone: ---

= Location = 
https://sourcegraph.com/github.com/bminor/binutils-gdb@a7e3d08a26edefa411269636d7dcae7dd2736659/-/blob/binutils/od-elf32_avr.c#L136
https://sourcegraph.com/github.com/bminor/binutils-gdb@a7e3d08a26edefa411269636d7dcae7dd2736659/-/blob/binutils/od-elf32_avr.c#L137
https://sourcegraph.com/github.com/bminor/binutils-gdb@a7e3d08a26edefa411269636d7dcae7dd2736659/-/blob/binutils/od-elf32_avr.c#L146
https://sourcegraph.com/github.com/bminor/binutils-gdb@a7e3d08a26edefa411269636d7dcae7dd2736659/-/blob/binutils/od-elf32_avr.c#L146

= Description = 
elf32_avr_get_device_info (bfd *abfd, char *description,
        deviceinfo *device)
{
  if (description == NULL)
    return;

  const bfd_size_type memory_sizes = 6;

  memcpy (device, description, memory_sizes * sizeof(uint32_t));
  device->name = NULL;

  uint32_t *stroffset_table = ((uint32_t *) description) + memory_sizes;
  bfd_size_type stroffset_table_size = bfd_get_32 (abfd, stroffset_table);
  char *str_table = ((char *) stroffset_table) + stroffset_table_size;

  /* If the only content is the size itself, there's nothing in the table */
  if (stroffset_table_size == 4)
    return;

  /* First entry is the device name index. */
  uint32_t device_name_index = bfd_get_32 (abfd, stroffset_table + 1);

  device->name = str_table + device_name_index;
}

Device description of length INT_MAX-6 can trigger an overflow in the 32bit
variable stroffset_table which is used as an offset to find the device name in
str_table. Successful integer overflow may thus turn into an arbitrary
read/write, and potentially be exploitable.

Large str_table triggers integer overflow in 8bit variable

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Prev in Thread]

Current Thread

[Next in Thread]

[Bug binutils/27293] New: Arbitrary read/write via Integer Overflow in elf32_avr_get_device_info(), dennis.r at columbia dot edu <=

Prev by Date: [Bug binutils/27292] New: Heap Buffer Overflow O2BO and/or Out-of-Memory (OOM) in bfd_get_section_contents()
Next by Date: [Bug binutils/27294] New: Potentially exploitable Heap Overwrites in avr_elf32_load_records_from_section()
Previous by thread: [Bug binutils/27292] New: Heap Buffer Overflow O2BO and/or Out-of-Memory (OOM) in bfd_get_section_contents()
Next by thread: [Bug binutils/27294] New: Potentially exploitable Heap Overwrites in avr_elf32_load_records_from_section()
Index(es):
- Date
- Thread