https://sourceware.org/bugzilla/show_bug.cgi?id=18750
Bug ID: 18750
Summary: Stack buffer overflow when printing bad bytes in Intel Hex objects
Product: binutils
Version: 2.26 (HEAD)
Status: NEW
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: tyhicks at canonical dot com
Target Milestone: ---

Created attachment 8465
  --> https://sourceware.org/bugzilla/attachment.cgi?id=8465&action=edit
Buffer overflow reproducer

Joshua Rogers reported a stack buffer overflow in ihex.c (ihex_bad_byte):

  http://www.openwall.com/lists/oss-security/2014/11/03/16

It still affects HEAD, as of:

  22d31b1 Automatic date update in version.in

It was reported to Ubuntu with a reliable reproducer:

  https://bugs.launchpad.net/bugs/1476014

I've attached the reproducer file. Running size (or gdb and probably others) on the reproducer results in a buffer stack overflow:

$ ./binutils/size size-SBBOF
*** buffer overflow detected ***: ./binutils/size terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x78c4e)[0x7f457d1c9c4e]
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x7f457d269e8c]
/lib/x86_64-linux-gnu/libc.so.6(+0x116e80)[0x7f457d267e80]
/lib/x86_64-linux-gnu/libc.so.6(+0x1163d9)[0x7f457d2673d9]
/lib/x86_64-linux-gnu/libc.so.6(_IO_default_xsputn+0x80)[0x7f457d1cd3a0]
/lib/x86_64-linux-gnu/libc.so.6(_IO_vfprintf+0x3e42)[0x7f457d19ea62]
/lib/x86_64-linux-gnu/libc.so.6(__vsprintf_chk+0x84)[0x7f457d267464]
/lib/x86_64-linux-gnu/libc.so.6(__sprintf_chk+0x7d)[0x7f457d2673bd]
./binutils/size[0x40fb5f]
./binutils/size[0x40ff81]
./binutils/size[0x40ac35]
./binutils/size[0x4035d0]
./binutils/size[0x403780]
./binutils/size[0x402bfe]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7f457d171a40]
./binutils/size[0x402d39]
======= Memory map: ========
00400000-004fc000 r-xp 00000000 08:11 462525 /var/scm/binutils-gdb/binutils/size
006fb000-006fc000 r--p 000fb000 08:11 462525 /var/scm/binutils-gdb/binutils/size
006fc000-00701000 rw-p 000fc000 08:11 462525 /var/scm/binutils-gdb/binutils/size
00701000-00706000 rw-p 00000000 00:00 0
00c91000-00cb2000 rw-p 00000000 00:00 0 [heap]
7f457cc36000-7f457cc4c000 r-xp 00000000 08:11 3408637 /lib/x86_64-linux-gnu/libgcc_s.so.1
7f457cc4c000-7f457ce4b000 ---p 00016000 08:11 3408637 /lib/x86_64-linux-gnu/libgcc_s.so.1
7f457ce4b000-7f457ce4c000 rw-p 00015000 08:11 3408637 /lib/x86_64-linux-gnu/libgcc_s.so.1
7f457ce4c000-7f457d151000 r--p 00000000 08:11 3279935 /usr/lib/locale/locale-archive
7f457d151000-7f457d311000 r-xp 00000000 08:11 3411884 /lib/x86_64-linux-gnu/libc-2.21.so
7f457d311000-7f457d511000 ---p 001c0000 08:11 3411884 /lib/x86_64-linux-gnu/libc-2.21.so
7f457d511000-7f457d515000 r--p 001c0000 08:11 3411884 /lib/x86_64-linux-gnu/libc-2.21.so
7f457d515000-7f457d517000 rw-p 001c4000 08:11 3411884 /lib/x86_64-linux-gnu/libc-2.21.so
7f457d517000-7f457d51b000 rw-p 00000000 00:00 0
7f457d51b000-7f457d51e000 r-xp 00000000 08:11 3409823 /lib/x86_64-linux-gnu/libdl-2.21.so
7f457d51e000-7f457d71d000 ---p 00003000 08:11 3409823 /lib/x86_64-linux-gnu/libdl-2.21.so
7f457d71d000-7f457d71e000 r--p 00002000 08:11 3409823 /lib/x86_64-linux-gnu/libdl-2.21.so
7f457d71e000-7f457d71f000 rw-p 00003000 08:11 3409823 /lib/x86_64-linux-gnu/libdl-2.21.so
7f457d71f000-7f457d743000 r-xp 00000000 08:11 3410094 /lib/x86_64-linux-gnu/ld-2.21.so
7f457d914000-7f457d917000 rw-p 00000000 00:00 0
7f457d937000-7f457d939000 rw-p 00000000 00:00 0
7f457d939000-7f457d940000 r--s 00000000 08:11 3820440 /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
7f457d940000-7f457d942000 rw-p 00000000 00:00 0
7f457d942000-7f457d943000 r--p 00023000 08:11 3410094 /lib/x86_64-linux-gnu/ld-2.21.so
7f457d943000-7f457d944000 rw-p 00024000 08:11 3410094 /lib/x86_64-linux-gnu/ld-2.21.so
7f457d944000-7f457d945000 rw-p 00000000 00:00 0
7fffedd60000-7fffedd81000 rw-p 00000000 00:00 0 [stack]
7fffeddc1000-7fffeddc3000 r--p 00000000 00:00 0 [vvar]
7fffeddc3000-7fffeddc5000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
Aborted (core dumped)

-- 
_______________________________________________
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils
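The report above shows FORTIFY_SOURCE catching an over-long sprintf (__sprintf_chk -> __fortify_fail) inside the bad-byte error path, but does not show the ihex.c source. The following is an added example written for this page, not binutils code, that models one way such an overflow arises when an unexpected byte is rendered as an octal escape into a small fixed stack buffer: a byte >= 0x80 read through a plain `char`, widened to int (sign-extended on x86-64 Linux) and cast to unsigned int, prints as an 11-digit octal number, so "\\%03o" needs 12 characters plus a NUL. The 10-byte buffer size (BAD_BYTE_BUF), the sign-extension path, the record contents and all function names are assumptions made for the example, not a statement of the exact defect in ihex_bad_byte. The unsafe write is never performed; its required length is computed with snprintf(NULL, 0, ...) and compared against the buffer, and a hardened formatter that masks to one byte and bounds the write is shown beside it.

```c
/*
 * Added example for this page (not code from binutils/ihex.c).  Models how
 * a "bad byte" formatter can overrun a small stack buffer when a
 * sign-extended byte is printed with "\\%03o", and shows a bounded variant.
 * Buffer size, record contents and the sign-extension path are assumptions.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define BAD_BYTE_BUF 10   /* assumed size of the fixed stack buffer */

/* Constructed Intel Hex records: one clean, one with a 0xfe byte where a
 * hex digit should be.  The pieces are concatenated so the \xfe escape does
 * not swallow the hex digits that follow it. */
static const char GOOD_REC[] = ":10010000214601360121470136007EFE09D2190140";
static const char BAD_REC[]  = ":1001" "\xfe" "0000";

/* Characters (excluding NUL) that "\\%03o" produces for v.  Uses
 * snprintf(NULL, 0, ...) so nothing is written to any buffer. */
size_t octal_escape_len(unsigned int v)
{
    int n = snprintf(NULL, 0, "\\%03o", v);
    return n < 0 ? 0 : (size_t)n;
}

/* The unsafe pattern, evaluated without performing the write: would
 * sprintf(buf, "\\%03o", (unsigned int)c) overrun a BAD_BYTE_BUF-byte
 * buffer?  For a sign-extended byte (negative c) it needs 13 bytes. */
int unsafe_would_overflow(int c)
{
    return octal_escape_len((unsigned int)c) + 1 > (size_t)BAD_BYTE_BUF;
}

/* Hardened formatter: mask to one byte so the escape is at most four
 * characters, use a bounded write, and return -1 if it still would not
 * fit (buf is then NUL-terminated and truncated).  Returns the length. */
int format_bad_byte(char *buf, size_t bufsz, int c)
{
    int n;
    if (bufsz == 0)
        return -1;
    if (isprint((unsigned char)c))
        n = snprintf(buf, bufsz, "%c", (unsigned char)c);
    else
        n = snprintf(buf, bufsz, "\\%03o", (unsigned int)c & 0xffu);
    if (n < 0 || (size_t)n >= bufsz) {
        buf[bufsz - 1] = '\0';
        return -1;
    }
    return n;
}

/* First byte of an Intel Hex record that is not ':' in position 0 or a hex
 * digit afterwards, returned as a signed char widened to int, which is what
 * a `char` buffer yields on a signed-char platform such as x86-64 Linux.
 * Returns EOF for a clean record. */
int first_bad_byte(const char *rec)
{
    const char *p = rec;
    if (*p != ':')
        return (int)(signed char)*p;
    for (p++; *p != '\0' && *p != '\n'; p++)
        if (!isxdigit((unsigned char)*p))
            return (int)(signed char)*p;
    return EOF;
}

int main(void)
{
    char buf[BAD_BYTE_BUF];
    int c = first_bad_byte(BAD_REC);

    printf("clean record: %s\n",
           first_bad_byte(GOOD_REC) == EOF ? "no bad byte" : "bad byte");
    printf("bad byte as int: %d, octal escape needs %zu chars\n",
           c, octal_escape_len((unsigned int)c));
    printf("unsafe sprintf into %d bytes would overflow: %s\n",
           BAD_BYTE_BUF, unsafe_would_overflow(c) ? "yes" : "no");
    if (format_bad_byte(buf, sizeof buf, c) >= 0)
        printf("hardened formatter prints: %s\n", buf);
    return 0;
}
```

Two things worth noticing when applying this to a real parser: masking with `& 0xff` (or reading through `unsigned char` in the first place) is what bounds the escape to four characters, and the bounded snprintf is the second line of defence rather than the fix. Separately, on a signed-char platform a 0xff byte widened to int is -1, which collides with EOF in the int-returning convention used above; a parser that reads bytes as unsigned char avoids both the oversized escape and that ambiguity.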