https://sourceware.org/bugzilla/show_bug.cgi?id=27290
Bug ID: 27290
Summary: Out-of-memory (OOM) Denial of Service via unprotected
memory allocation in
elf32_avr_get_note_section_contents()
Product: binutils
Version: 2.36
Status: UNCONFIRMED
Severity: critical
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: dennis.r at columbia dot edu
Target Milestone: ---
= Location =
https://sourcegraph.com/github.com/bminor/binutils-gdb@a7e3d08a26edefa411269636d7dcae7dd2736659/-/blob/binutils/od-elf32_avr.c#L89
= Description =
Large ".note.gnu.avr.deviceinfo" can be used to set large malloc parameter
*size = bfd_section_size (section); // ptr to ".note.gnu.avr.deviceinfo"
section
char *contents = (char *) xmalloc (*size);
Setting ".note.gnu.avr.deviceinfo" section size to 0 may also cause the
following line to segmentation fault bfd_get_section_contents (abfd, section,
contents, 0, *size);
= Fix =
Check the size of *size before using it.
--
You are receiving this mail because:
You are on the CC list for the bug.
