bug-binutils

[Bug ld/29101] New: [Bug] User input is not sanitized in libdep_plugin.c


From: yguoaz at gmail dot com
Subject: [Bug ld/29101] New: [Bug] User input is not sanitized in libdep_plugin.c and causes trouble on a 32-bit machine
Date: Thu, 28 Apr 2022 09:16:51 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=29101

            Bug ID: 29101
           Summary: [Bug] User input is not sanitized in libdep_plugin.c
                    and causes trouble on a 32-bit machine
           Product: binutils
           Version: 2.38
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: ld
          Assignee: unassigned at sourceware dot org
          Reporter: yguoaz at gmail dot com
  Target Milestone: ---

In the file ld/libdep_plugin.c, the function get_libdeps has the following code:
(link:
https://sourceware.org/git/?p=binutils-gdb.git;a=blob;f=ld/libdep_plugin.c;h=5569aa45e360be6321a94fe7f3b2af1caf3fd163;hb=20756b0fbe065a84710aa38f2457563b57546440#l108)

static enum ld_plugin_status
get_libdeps (int fd)
{
    arhdr ah;
    int len;
    ...
    for (;;)
    {
        /* Read one 60-byte ar member header; stop at EOF or short read.  */
        len = read (fd, (void *) &ah, sizeof (ah));
        if (len != sizeof (ah))
            break;
        /* ah.ar_size is a 10-char decimal field with no NUL terminator;
           its value is taken from the file without any range check.  */
        mlen = strtoul (ah.ar_size, NULL, 10);
        if (!mlen || strncmp (ah.ar_name, LIBDEPS, sizeof (LIBDEPS)-1))
        {
            lseek (fd, mlen, SEEK_CUR);
            continue;
        }
        /* With a 32-bit unsigned long, sizeof (linerec) + mlen can wrap
           to a small value, so lr is undersized for the later reads.  */
        lr = malloc (sizeof (linerec) + mlen);

        ...
    }
}

where the definition of type arhdr is as follows:

typedef struct arhdr
{
    char ar_name[16];
    char ar_date[12];
    char ar_uid[6];
    char ar_gid[6];
    char ar_mode[8];
    char ar_size[10];
    char ar_fmag[2];
} arhdr;

It is therefore possible to craft the file content so that mlen is parsed as
UINT32_MAX (just manipulate the string content starting at ah.ar_size).

This will lead to an integer overflow in the calculation of the allocation
size: sizeof (linerec) + mlen (assuming a 32-bit environment where unsigned long
takes 4 bytes). If this happens, accessing the buffer lr will lead to a buffer
overflow in later code.

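The arithmetic described in the report, worked through as an added example (this is not code from the bug report or from binutils): it builds a constructed ar member header with an attacker-chosen ar_size field, emulates what strtoul and sizeof (linerec) + mlen evaluate to on a target whose unsigned long is 32 bits, and places a checked version beside it. The member name "member/", the 32-bit sizeof (linerec) value of 8, and the bytes_remaining bound in the hardened function are assumptions made for illustration; ld's real linerec and LIBDEPS name are not reproduced.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Layout of an ar member header as quoted in the report: 60 bytes,
   fixed-width ASCII fields, no NUL terminators.  */
typedef struct arhdr
{
  char ar_name[16];
  char ar_date[12];
  char ar_uid[6];
  char ar_gid[6];
  char ar_mode[8];
  char ar_size[10];
  char ar_fmag[2];
} arhdr;

/* Assumed sizeof (linerec) on a 32-bit target; ld's real struct is not
   reproduced here, only its size matters for the overflow.  */
#define LINEREC_SIZE32 8u

/* Copy src into a space-padded fixed-width field, truncating if needed.  */
static void
fill_field (char *dst, size_t width, const char *src)
{
  size_t n = strlen (src);
  memset (dst, ' ', width);
  memcpy (dst, src, n < width ? n : width);
}

/* Constructed header whose ar_size field is attacker-chosen.  */
static void
make_member_header (arhdr *ah, const char *size_field)
{
  fill_field (ah->ar_name, sizeof ah->ar_name, "member/");   /* assumed name */
  fill_field (ah->ar_date, sizeof ah->ar_date, "0");
  fill_field (ah->ar_uid, sizeof ah->ar_uid, "0");
  fill_field (ah->ar_gid, sizeof ah->ar_gid, "0");
  fill_field (ah->ar_mode, sizeof ah->ar_mode, "644");
  fill_field (ah->ar_size, sizeof ah->ar_size, size_field);
  memcpy (ah->ar_fmag, "`\n", 2);
}

/* What strtoul (ah.ar_size, NULL, 10) yields where unsigned long is 32 bits:
   the parsed value, or ULONG_MAX (== UINT32_MAX) when it does not fit.
   Emulated with strtoull so the result is the same on a 64-bit host.  The
   field is copied into a NUL-terminated buffer first; the code in the report
   parses it in place.  */
static uint32_t
parse_ar_size_32 (const arhdr *ah)
{
  char buf[sizeof ah->ar_size + 1];
  unsigned long long v;
  memcpy (buf, ah->ar_size, sizeof ah->ar_size);
  buf[sizeof ah->ar_size] = '\0';
  v = strtoull (buf, NULL, 10);
  return v > UINT32_MAX ? UINT32_MAX : (uint32_t) v;
}

/* The size the report's malloc (sizeof (linerec) + mlen) receives with 32-bit
   unsigned arithmetic: the sum wraps modulo 2^32, so a huge mlen yields a
   tiny buffer while later code still trusts mlen as the member length.  */
uint32_t
vulnerable_alloc_for (const char *size_field)
{
  arhdr ah;
  uint32_t mlen;
  make_member_header (&ah, size_field);
  mlen = parse_ar_size_32 (&ah);
  return LINEREC_SIZE32 + mlen;   /* no overflow check */
}

/* Hardened version: reject a zero size, a size beyond what remains of the
   file (assumed bound supplied by the caller), and any size for which the
   addition would wrap.  Returns 0 when the header is rejected.  */
uint32_t
hardened_alloc_for (const char *size_field, uint32_t bytes_remaining)
{
  arhdr ah;
  uint32_t mlen;
  make_member_header (&ah, size_field);
  mlen = parse_ar_size_32 (&ah);
  if (mlen == 0 || mlen > bytes_remaining)
    return 0;
  if (mlen > UINT32_MAX - LINEREC_SIZE32)
    return 0;   /* sizeof (linerec) + mlen would overflow */
  return LINEREC_SIZE32 + mlen;
}

int
main (void)
{
  printf ("ar_size=\"4294967295\": vulnerable alloc = %" PRIu32 " bytes, hardened = %" PRIu32 "\n",
          vulnerable_alloc_for ("4294967295"), hardened_alloc_for ("4294967295", 4096u));
  printf ("ar_size=\"12\": vulnerable alloc = %" PRIu32 " bytes, hardened = %" PRIu32 "\n",
          vulnerable_alloc_for ("12"), hardened_alloc_for ("12", 4096u));
  return 0;
}
```

With ar_size "4294967295" the vulnerable computation returns 7, so the buffer is 7 bytes while the parser still believes the member is 4 GiB long; the hardened version rejects it. Bounding mlen by the bytes left in the archive is the check that matters in practice, since it also stops the wrap before any arithmetic is done.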

