From: | pmayorov at cloudlinux dot com |
Subject: | [Bug binutils/28694] New: stabs.c: Out-of-bounds write in stab_xcoff_builtin_type |
Date: | Tue, 14 Dec 2021 14:02:59 +0000 |
https://sourceware.org/bugzilla/show_bug.cgi?id=28694

            Bug ID: 28694
           Summary: stabs.c: Out-of-bounds write in stab_xcoff_builtin_type
           Product: binutils
           Version: 2.38 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: pmayorov at cloudlinux dot com
  Target Milestone: ---

Created attachment 13851
  --> https://sourceware.org/bugzilla/attachment.cgi?id=13851&action=edit
PoC and ASAN report

I found an out-of-bounds write to the array 'info->xcoff_types' in the function 'stab_xcoff_builtin_type' (binutils/stabs.c). Processing of typenum -34 results in overwriting of adjacent field 'info->tags' at line 3668:

    info->xcoff_types[-typenum] = rettype;

This eventually leads to a segmentation fault due to illegal memory reference performed by the function 'finish_stab'. ASAN catches this as heap-buffer-overflow.

Steps to reproduce:

Build current version of binutils with ASAN:

    ./configure --disable-shared --disable-gdb --disable-gdbserver CFLAGS="-ggdb -Wno-error -fsanitize=address -fsanitize-recover=address" CXXFLAGS="-ggdb -Wno-error -fsanitize=address -fsanitize-recover=address"
    make all

Run inputs under ASAN:

    binutils/objdump -g ~/oob_write

The proof-of-concept and ASAN report are attached.

--
You are receiving this mail because:
You are on the CC list for the bug.
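
The indexing pattern from the report, as an added example that is not part of the original message and not binutils code: a cache indexed by a negated type number, with the index validated against the array length before the store. The struct, the array length of 34 (inferred from the report, where index 34 lands on the adjacent field), the weak range check and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model, not binutils source. TYPE_COUNT = 34 is an assumption
   inferred from the report: index 34 is the first slot past the array. */
#define TYPE_COUNT 34

struct handle_model {
    void *types[TYPE_COUNT];  /* stands in for info->xcoff_types */
    void *tags;               /* stands in for the adjacent info->tags */
};

/* Hypothetical weak check: admits -1..-34, but only -1..-33 index
   inside types[] when the index is taken as -typenum. */
static int weak_check(int typenum)
{
    return typenum < 0 && typenum >= -TYPE_COUNT;
}

/* 1 when the weak check passes yet the unshifted index is past the end. */
static int unshifted_index_overruns(int typenum)
{
    return weak_check(typenum) && (size_t)(-typenum) >= TYPE_COUNT;
}

/* Hardened mapping: -1..-34 -> 0..33, verified against the array length. */
static long slot_for(int typenum)
{
    if (typenum >= 0 || typenum < -TYPE_COUNT)
        return -1;                      /* no slot for this type number */
    size_t idx = (size_t)(-typenum) - 1;
    return idx < TYPE_COUNT ? (long)idx : -1;
}

/* Store only through the validated slot; 0 on success, -1 on rejection. */
static int cache_store(struct handle_model *h, int typenum, void *type)
{
    long idx = slot_for(typenum);
    if (idx < 0)
        return -1;
    h->types[idx] = type;
    return 0;
}

int main(void)
{
    struct handle_model h = {0};
    printf("unshifted -34 overruns: %d\n", unshifted_index_overruns(-34));
    printf("hardened store of -34: %d, tags untouched: %d\n",
           cache_store(&h, -34, &h), h.tags == NULL);
    return 0;
}
```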