https://sourceware.org/bugzilla/show_bug.cgi?id=32347
Bug ID: 32347
Summary: Buffer overflow in objdump
Product: binutils
Version: 2.43
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: s0urc3.1er at gmail dot com
Target Milestone: ---

Created attachment 15788
--> https://sourceware.org/bugzilla/attachment.cgi?id=15788&action=edit
Buffer overflow objdump

Hello.

1. Vulnerability title: Buffer-overflow in objdump
2. High level overview: A global buffer-overflow was discovered in objdump
3. Version: 2.43

Root Cause:

Attempting to read 8 bytes at an address (0x557957135698) that is:
  ◦ 8 bytes before the global variable '_bfd_std_section'
  ◦ 64 bytes after 'bfd_plugin_canonicalize_symtab.fake_common_section'

The crash occurs in the following call stack:
  1. bfd_get_next_section_by_name
  2. first_phase (tekhex.c)
  3. pass_over (tekhex.c)
  4. tekhex_object_p (tekhex.c)
  5. bfd_check_format_matches
  6. display_object_bfd

This appears to be a bug in the BFD (Binary File Descriptor) library's handling of tekhex format files. The issue occurs while trying to identify the file format, specifically when processing sections in a tekhex file.

The bug manifests as an out-of-bounds read when accessing memory 8 bytes before a global section variable. This suggests there might be:
  1. An incorrect pointer arithmetic operation
  2. A misaligned access to the section structure
  3. An off-by-one error in section traversal

- Could potentially expose addresses to defeat ASLR

Repro: Find attached a file that triggers the bug. Simply compile binutils with asan and run `./objdump -a poc_objdump`

Reporter credit: 2ourc3

--
You are receiving this mail because:
You are on the CC list for the bug.