https://sourceware.org/bugzilla/show_bug.cgi?id=32347
Bug ID: 32347
Summary: Buffer overflow in objdump
Product: binutils
Version: 2.43
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: s0urc3.1er at gmail dot com
Target Milestone: ---
Created attachment 15788
--> https://sourceware.org/bugzilla/attachment.cgi?id=15788&action=edit
Buffer overflow objdump
Hello.
1.Vulnerability title: Buffer-overflow in objdump
2. High level overview: A global buffer-overflow was discovered in objdump
3. Version: 2.43
Root Cause:
Attempting to read 8 bytes at an address (0x557957135698) that is:
◦ 8 bytes before the global variable '_bfd_std_section'
◦ 64 bytes after 'bfd_plugin_canonicalize_symtab.fake_common_section'
The crash occurs in the following call stack:
1. bfd_get_next_section_by_name
2. first_phase (tekhex.c)
3. pass_over (tekhex.c)
4. tekhex_object_p (tekhex.c)
5. bfd_check_format_matches
6. display_object_bfd
This appears to be a bug in the BFD (Binary File Descriptor) library's handling
of tekhex format files. The issue occurs while trying to identify the file
format, specifically when processing sections in a tekhex file.
The bug manifests as an out-of-bounds read when accessing memory 8 bytes before
a global section variable. This suggests there might be:
1. An incorrect pointer arithmetic operation
2. A misaligned access to the section structure
3. An off-by-one error in section traversal
- Could potentially expose addresses to defeat ASLR
Repro: Find attached a file that triggers the bug. Simply compile binutils with
asan and run `./objdump -a poc_objdump`
Reporter credit: 2ourc3
--
You are receiving this mail because:
You are on the CC list for the bug.
