https://sourceware.org/bugzilla/show_bug.cgi?id=27295
Bug ID: 27295
Summary: Unsafe strcmp() causing arbitrary read primitive and potential privacy impact in elf32_avr_get_note_desc()
Product: binutils
Version: 2.36
Status: UNCONFIRMED
Severity: critical
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: dennis.r at columbia dot edu
Target Milestone: ---

Created attachment 13181
  --> https://sourceware.org/bugzilla/attachment.cgi?id=13181&action=edit
poc

= Attachment =

./memory

= Reproduce =

Compile with ./configure -enable=avr

  objdump --private=mem-usage memory

= Location =

https://sourcegraph.com/github.com/bminor/binutils-gdb@a7e3d08a26edefa411269636d7dcae7dd2736659/-/blob/binutils/od-elf32_avr.c#L117

= Description =

Uses the unsafe version of strcmp on the user-defined input in.namedata. An arbitrary read primitive can be used in a ROP chain and aid exploitation.

  if (strcmp (in.namedata, "AVR") != 0)

= Fix =

Use strncmp.

= UBSan =

  ../seed_folder/memory: file format elf32-avr
  ../../binutils/od-elf32_avr.c:107:42: runtime error: unsigned integer overflow: 18446744073709551604 + 60 cannot be represented in type 'unsigned long'
  ../../binutils/od-elf32_avr.c:111:31: runtime error: negation of 4 cannot be represented in type 'bfd_vma' (aka 'unsigned long')
  ../../binutils/od-elf32_avr.c:114:51: runtime error: unsigned integer overflow: 18446744073709551600 + 60 cannot be represented in type 'unsigned long'

= Stack Trace =

  Breakpoint 1, elf32_avr_dump (abfd=<optimized out>) at ../../binutils/od-elf32_avr.c:107
  107         if (in.namesz > contents - in.namedata + size)
  (gdb) bt
  #0  elf32_avr_dump (abfd=<optimized out>) at ../../binutils/od-elf32_avr.c:107
  #1  0x000000000041e80d in dump_target_specific (abfd=0x38f4c90) at ../../binutils/objdump.c:4282
  #2  dump_bfd (abfd=0x38f4c90, is_mainfile=1) at ../../binutils/objdump.c:4870
  #3  0x000000000041bc6f in display_object_bfd (abfd=<optimized out>) at ../../binutils/objdump.c:5008
  #4  display_any_bfd (file=<optimized out>, level=<optimized out>) at ../../binutils/objdump.c:5098
  #5  0x000000000040757d in display_file (filename=<optimized out>, target=<optimized out>, last_file=<optimized out>) at ../../binutils/objdump.c:5119
  #6  main (argc=<optimized out>, argv=<optimized out>) at ../../binutils/objdump.c:5467
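The report's UBSan lines point at the `contents - in.namedata + size` bounds check and the alignment step around the strcmp() on in.namedata. The following is an added example, not code from binutils or from the reporter's attachment: a reader for one ELF note (namesz, descsz, type, NUL-padded name, descriptor) that validates every field against the buffer size using offsets only, so no pointer difference or unsigned negation can wrap, and that only calls strcmp() once a terminator is known to lie inside the name field. The note layout and the constructed sample bytes are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example (not binutils code): a bounds-checked view of one ELF note.
   name points into the caller's buffer and is NUL-terminated within namesz. */
struct note_view {
    uint32_t type, namesz, descsz;
    const char *name;
    const uint8_t *desc;
};

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Returns 1 and fills *out when the whole note lies inside buf[0..size) and the
   name has a NUL inside its own field; returns 0 otherwise. All comparisons are
   "length > remaining bytes", so nothing is subtracted below zero or negated. */
int parse_note(const uint8_t *buf, size_t size, struct note_view *out)
{
    const size_t name_off = 12;                      /* namesz, descsz, type */
    if (size < name_off) return 0;
    uint32_t namesz = rd32le(buf), descsz = rd32le(buf + 4), type = rd32le(buf + 8);
    if (namesz == 0 || namesz > size - name_off) return 0;
    size_t name_pad = ((size_t)namesz + 3) & ~(size_t)3;  /* align to 4 bytes */
    if (name_pad > size - name_off) return 0;
    size_t desc_off = name_off + name_pad;
    if (descsz > size - desc_off) return 0;
    if (buf[name_off + namesz - 1] != '\0') return 0;     /* terminator inside field */
    out->type = type; out->namesz = namesz; out->descsz = descsz;
    out->name = (const char *)buf + name_off;
    out->desc = buf + desc_off;
    return 1;
}

/* The "AVR" name test, performed only after the bounds above have passed. */
int is_avr_note(const uint8_t *buf, size_t size, struct note_view *out)
{
    return parse_note(buf, size, out) && out->namesz == 4 && strcmp(out->name, "AVR") == 0;
}

/* Constructed sample: a valid 24-byte "AVR" note (type 1) with an 8-byte descriptor. */
const uint8_t SAMPLE_NOTE[24] = {
    4, 0, 0, 0,  8, 0, 0, 0,  1, 0, 0, 0,  'A', 'V', 'R', 0,
    0x10, 0, 0, 0,  0x20, 0, 0, 0 };
```

Truncating the sample to 14 bytes, or setting namesz to 0xffffffff, is rejected before any byte of the name is read.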