https://sourceware.org/bugzilla/show_bug.cgi?id=27293
Bug ID: 27293
Summary: Arbitrary read/write via Integer Overflow in elf32_avr_get_device_info()
Product: binutils
Version: 2.36
Status: UNCONFIRMED
Severity: critical
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: dennis.r at columbia dot edu
Target Milestone: ---

= Location =

https://sourcegraph.com/github.com/bminor/binutils-gdb@a7e3d08a26edefa411269636d7dcae7dd2736659/-/blob/binutils/od-elf32_avr.c#L136
https://sourcegraph.com/github.com/bminor/binutils-gdb@a7e3d08a26edefa411269636d7dcae7dd2736659/-/blob/binutils/od-elf32_avr.c#L137
https://sourcegraph.com/github.com/bminor/binutils-gdb@a7e3d08a26edefa411269636d7dcae7dd2736659/-/blob/binutils/od-elf32_avr.c#L146

= Description =

    static void
    elf32_avr_get_device_info (bfd *abfd, char *description, deviceinfo *device)
    {
      if (description == NULL)
        return;

      const bfd_size_type memory_sizes = 6;

      memcpy (device, description, memory_sizes * sizeof (uint32_t));
      device->name = NULL;

      uint32_t *stroffset_table = ((uint32_t *) description) + memory_sizes;
      bfd_size_type stroffset_table_size = bfd_get_32 (abfd, stroffset_table);
      char *str_table = ((char *) stroffset_table) + stroffset_table_size;

      /* If the only content is the size itself, there's nothing in the table.  */
      if (stroffset_table_size == 4)
        return;

      /* First entry is the device name index.  */
      uint32_t device_name_index = bfd_get_32 (abfd, stroffset_table + 1);
      device->name = str_table + device_name_index;
    }

Device description of length INT_MAX-6 can trigger an overflow in the 32-bit variable stroffset_table, which is used as an offset to find the device name in str_table. Successful integer overflow may thus turn into an arbitrary read/write, and potentially be exploitable.

Large str_table triggers integer overflow in 8-bit variable.
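The root cause in the report is that stroffset_table_size and device_name_index come straight from the input and are added to pointers without ever being compared against the length of the description buffer. The following is an added example of how a parser for the same layout (six uint32 memory sizes, an offset table whose first word is its own byte length, a string table, a name index) can validate every offset before using it. It is not binutils code and does not use the bfd API; the deviceinfo stand-in, the little-endian read helper, the negative return codes and the sample bytes are all assumptions constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define AVR_MEMORY_SIZES 6   /* six uint32 memory-size fields, as in the page's code */

/* Hypothetical stand-in for the bfd deviceinfo struct (assumption). */
typedef struct {
    uint32_t sizes[AVR_MEMORY_SIZES];
    const char *name;   /* points into the description buffer, or NULL */
} avr_deviceinfo;

/* Bounds-checked little-endian u32 read (AVR is little-endian; assumption). */
static int read_u32(const uint8_t *buf, size_t len, size_t off, uint32_t *out)
{
    if (off > len || len - off < 4)
        return 0;
    *out = (uint32_t)buf[off] | ((uint32_t)buf[off + 1] << 8)
         | ((uint32_t)buf[off + 2] << 16) | ((uint32_t)buf[off + 3] << 24);
    return 1;
}

/* Parse a device-info description of desc_len bytes.  Returns 0 on success,
   a negative code on malformed input.  Every offset is checked against
   desc_len before it is used, so an oversized table size or name index is
   rejected instead of producing an out-of-bounds pointer. */
int avr_parse_device_info(const uint8_t *desc, size_t desc_len, avr_deviceinfo *dev)
{
    const size_t table_off = AVR_MEMORY_SIZES * sizeof(uint32_t); /* 24 */
    uint32_t table_size, name_index;
    size_t str_off, str_len;

    if (desc == NULL || dev == NULL)
        return -1;
    dev->name = NULL;

    for (size_t i = 0; i < AVR_MEMORY_SIZES; i++)
        if (!read_u32(desc, desc_len, i * sizeof(uint32_t), &dev->sizes[i]))
            return -2;              /* truncated memory-size block */

    /* First word of the offset table is its own size in bytes (incl. itself). */
    if (!read_u32(desc, desc_len, table_off, &table_size))
        return -3;
    if (table_size < 4 || table_size % 4 != 0)
        return -4;                  /* nonsensical table size */
    if (table_size > desc_len - table_off)
        return -5;                  /* string table would start past the buffer */

    str_off = table_off + table_size;   /* cannot overflow: both bounded by desc_len */
    str_len = desc_len - str_off;

    if (table_size == 4)
        return 0;                   /* empty table: no device name, as in the original */

    if (!read_u32(desc, desc_len, table_off + 4, &name_index))
        return -6;
    if (name_index >= str_len)
        return -7;                  /* name index outside the string table */
    if (memchr(desc + str_off + name_index, '\0', str_len - name_index) == NULL)
        return -8;                  /* unterminated name would run off the buffer */

    dev->name = (const char *)desc + str_off + name_index;
    return 0;
}

/* Constructed sample (not taken from any real object file): six sizes, an
   8-byte offset table {size=8, name_index=0} and a string table "atmega328p\0". */
static const uint8_t SAMPLE_DESC[] = {
    0x00, 0x80, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00,  0x00, 0x08, 0x00, 0x00,
    0x00, 0x04, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00,
    0x08, 0x00, 0x00, 0x00,  /* table size = 8 */
    0x00, 0x00, 0x00, 0x00,  /* device name index = 0 */
    'a', 't', 'm', 'e', 'g', 'a', '3', '2', '8', 'p', '\0'
};

/* Returns 1 if the well-formed sample parses and yields the expected name. */
int sample_parses_ok(void)
{
    avr_deviceinfo dev;
    return avr_parse_device_info(SAMPLE_DESC, sizeof SAMPLE_DESC, &dev) == 0
        && dev.name != NULL && strcmp(dev.name, "atmega328p") == 0;
}

/* Copy the sample, overwrite the 32-bit word at byte offset `off`, and
   return the parser's result code for the modified buffer. */
int sample_with_word(size_t off, uint32_t value)
{
    uint8_t buf[sizeof SAMPLE_DESC];
    avr_deviceinfo dev;
    memcpy(buf, SAMPLE_DESC, sizeof buf);
    buf[off] = (uint8_t)value;             buf[off + 1] = (uint8_t)(value >> 8);
    buf[off + 2] = (uint8_t)(value >> 16); buf[off + 3] = (uint8_t)(value >> 24);
    return avr_parse_device_info(buf, sizeof buf, &dev);
}
```

The two checks that matter for the reported bug are `table_size > desc_len - table_off` (the string table must begin inside the buffer) and `name_index >= str_len` (the name must lie inside the string table). Because both quantities are compared against the caller-supplied length before any pointer arithmetic, the sum never wraps, and an oversized table size or name index yields an error code rather than a pointer outside the description.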