https://sourceware.org/bugzilla/show_bug.cgi?id=22794
Bug ID: 22794
Summary: Unchecked strnlen operation in bfd_get_debug_link_info_1 (./src/bfd/opncls.c)
Product: binutils
Version: 2.30
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: probefuzzer at gmail dot com
Target Milestone: ---

(This issue is discovered when UBSAN is enabled.)

On version 2.30.51.20180206 and the master branch of binutils, there is an unchecked strnlen operation, which could be triggered by the POC below. As shown in line 1201, the first parameter ("name") of strnlen could be manipulated by the input file. When "name" is NULL and the second parameter is larger than NULL, the program would fail with a segmentation fault.

1174 static char *
1175 bfd_get_debug_link_info_1 (bfd *abfd, void *crc32_out)
1176 {

1199   name = (char *) contents;
1200   /* PR 17597: avoid reading off the end of the buffer. */
1201   crc_offset = strnlen (name, bfd_get_section_size (sect)) + 1;
1202   crc_offset = (crc_offset + 3) & ~3;

1208 }

./src/bfd/opncls.c:1201:16: runtime error: null pointer passed as argument 1, which is declared to never be null

To reproduce the issue, run:

./bin/nm -A -a -l -S -s --special-syms --synthetic --with-symbol-versions -D $POC

POC: https://github.com/ProbeFuzzer/poc/blob/master/binutils/binutils_2-30-51_nm_unchecked_strlen_bfd_get_debug_link_info_1

_______________________________________________
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils
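Added example, not part of the bug report and not binutils' code: a hypothetical model in C of the .gnu_debuglink parsing step the report quotes. The section layout it assumes (NUL-terminated file name, 0-3 bytes of padding to a 4-byte boundary, then a 4-byte CRC32) is the documented one; reading the CRC as little-endian is a simplifying assumption, since real code follows the byte order of the executable. unsafe_crc_offset() reproduces the reported pattern, where a buffer pointer that came straight from the input file reaches strnlen() unchecked; parse_debuglink() is the hardened form, rejecting a NULL or undersized buffer before strnlen() runs, an unterminated name, and a CRC that would run past the end of the section. The sample section contents are constructed inline and not taken from any real binary; the function and variable names are this example's own.

```c
#define _POSIX_C_SOURCE 200809L   /* strnlen() prototype on glibc with -std=c99 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The reported pattern: "name" flows from the file and is never checked.
   Passing name == NULL here is undefined behaviour (what UBSAN flagged). */
size_t unsafe_crc_offset(const char *name, size_t section_size)
{
    size_t crc_offset = strnlen(name, section_size) + 1;
    return (crc_offset + 3) & ~(size_t)3;
}

/* Hardened version.  Returns 0 and fills name_out/crc_out on success,
   -1 for NULL, undersized, unterminated or truncated section contents. */
int parse_debuglink(const unsigned char *contents, size_t size,
                    const char **name_out, uint32_t *crc_out)
{
    /* The guard the report describes as missing: no buffer, or one too
       small to hold "\0" + padding + CRC, is rejected before strnlen runs. */
    if (contents == NULL || size < 8)
        return -1;

    const char *name = (const char *)contents;
    size_t name_len = strnlen(name, size);
    if (name_len == size)          /* no NUL terminator inside the section */
        return -1;
    if (name_len == 0)             /* empty file name is meaningless */
        return -1;

    size_t crc_offset = (name_len + 1 + 3) & ~(size_t)3;
    if (crc_offset + 4 > size)     /* CRC would run off the end of the buffer */
        return -1;

    *name_out = name;
    *crc_out = (uint32_t)contents[crc_offset]
             | ((uint32_t)contents[crc_offset + 1] << 8)
             | ((uint32_t)contents[crc_offset + 2] << 16)
             | ((uint32_t)contents[crc_offset + 3] << 24);
    return 0;
}

/* Wrappers so each case can be checked by return value alone. */
int parse_status(const unsigned char *contents, size_t size)
{
    const char *name; uint32_t crc;
    return parse_debuglink(contents, size, &name, &crc);
}

uint32_t parse_crc(const unsigned char *contents, size_t size)
{
    const char *name; uint32_t crc = 0;
    return parse_debuglink(contents, size, &name, &crc) == 0 ? crc : 0;
}

int parse_name_matches(const unsigned char *contents, size_t size, const char *expected)
{
    const char *name; uint32_t crc;
    return parse_debuglink(contents, size, &name, &crc) == 0 && strcmp(name, expected) == 0;
}

/* Constructed sample section contents (not taken from any real binary). */
const unsigned char GOOD[]   = "a.debug\0\x78\x56\x34\x12";  /* 12 bytes: name, NUL, CRC 0x12345678 LE */
const unsigned char TRUNC[]  = "a.debug\0\x78\x56";          /* 10 bytes: CRC cut off */
const unsigned char NOTERM[] = { 'a','b','c','d','e','f','g','h','i','j','k','l' }; /* 12 bytes, no NUL */

int main(void)
{
    const char *name = NULL;
    uint32_t crc = 0;

    if (parse_debuglink(GOOD, sizeof GOOD - 1, &name, &crc) == 0)
        printf("name=%s crc=0x%08x\n", name, crc);
    printf("NULL contents -> %d\n", parse_status(NULL, 100));
    printf("unterminated  -> %d\n", parse_status(NOTERM, sizeof NOTERM));
    printf("truncated CRC -> %d\n", parse_status(TRUNC, sizeof TRUNC - 1));
    return 0;
}
```

The NULL check is the one that addresses the UBSAN finding in the report; the other two rejections cover the cases the quoted PR 17597 comment is about (strnlen stopping at the section size rather than reading past it, and the CRC still needing to fit inside the buffer).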