https://sourceware.org/bugzilla/show_bug.cgi?id=27294
Bug ID: 27294
Summary: Potentially exploitable Heap Overwrites in avr_elf32_load_records_from_section()
Product: binutils
Version: 2.36
Status: UNCONFIRMED
Severity: critical
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: dennis.r at columbia dot edu
Target Milestone: ---

= Location =

https://sourcegraph.com/github.com/bminor/binutils-gdb@a7e3d08a26edefa411269636d7dcae7dd2736659/-/blob/bfd/elf32-avr.c#L4026
https://sourcegraph.com/github.com/bminor/binutils-gdb@a7e3d08a26edefa411269636d7dcae7dd2736659/-/blob/bfd/elf32-avr.c#L4027
https://sourcegraph.com/github.com/bminor/binutils-gdb@a7e3d08a26edefa411269636d7dcae7dd2736659/-/blob/bfd/elf32-avr.c#L4089

= Description =

Large section parameter to avr_elf32_load_records_from_section may cause OOM in heap allocation. Later on, may read section data into contents variable, which may be under-allocated via size variable. Overwriting heap data, likely an adjacent chunk's metadata, potentially exploitable.

A second, restricted heap overwrite is caused by an off-by-one in the same function. Miscounted number of iterations of for loop for (i = 0; i < record_count; ++i). Should stop at record_count-1. This is overwriting heap data, likely an adjacent chunk's metadata, and potentially exploitable.
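The two failure modes described in this report (an allocation sized from untrusted section data, and a loop over a record count) are the kind a defensive record loader rules out by validating before it allocates or writes. The sketch below is an added example, not code from binutils or from the reporter; the record layout, `load_records`, `struct rec_list` and `SAMPLE` are hypothetical names constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical layout, constructed for this example (not the AVR property
   record format): header = version(1) flags(1) record_count(2, LE);
   each record = offset(4, LE) type(1). */
#define HDR_LEN 4u
#define REC_LEN 5u

struct rec { uint32_t offset; uint8_t type; };
struct rec_list { uint16_t count; struct rec items[]; };

/* Constructed sample section: two records, offsets 0x10 and 0x1234. */
static const uint8_t SAMPLE[] = {
    0x01, 0x00, 0x02, 0x00,
    0x10, 0x00, 0x00, 0x00, 0x01,
    0x34, 0x12, 0x00, 0x00, 0x02,
};

/* Returns NULL on malformed input rather than writing past the allocation. */
struct rec_list *load_records(const uint8_t *sec, size_t sec_size)
{
    if (sec == NULL || sec_size < HDR_LEN)
        return NULL;
    uint16_t count = (uint16_t)(sec[2] | (sec[3] << 8));
    /* The declared count must fit in the bytes actually present. */
    if ((sec_size - HDR_LEN) / REC_LEN < count)
        return NULL;
    /* Allocation is sized from the validated count; a 16-bit count times
       sizeof(struct rec) cannot overflow size_t. */
    struct rec_list *l = malloc(sizeof *l + (size_t)count * sizeof l->items[0]);
    if (l == NULL)
        return NULL; /* allocation failure is reported, never ignored */
    l->count = count;
    const uint8_t *p = sec + HDR_LEN;
    /* The loop bound is the same value that sized the allocation. */
    for (uint16_t i = 0; i < count; ++i, p += REC_LEN) {
        l->items[i].offset = (uint32_t)p[0] | (uint32_t)p[1] << 8
                           | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
        l->items[i].type = p[4];
    }
    return l;
}

int main(void)
{
    struct rec_list *l = load_records(SAMPLE, sizeof SAMPLE);
    printf("full section: %s\n", l ? "parsed" : "rejected");
    printf("truncated section: %s\n",
           load_records(SAMPLE, sizeof SAMPLE - 1) ? "parsed" : "rejected");
    free(l);
    return 0;
}
```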