[Bug binutils/28694] New: stabs.c: Out-of-bounds write in stab_xcoff_builtin_type
https://sourceware.org/bugzilla/show_bug.cgi?id=28694

Bug ID: 28694
Summary: stabs.c: Out-of-bounds write in stab_xcoff_builtin_type
Product: binutils
Version: 2.38 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: pmayorov at cloudlinux dot com
Target Milestone: ---

Created attachment 13851
--> https://sourceware.org/bugzilla/attachment.cgi?id=13851&action=edit
PoC and ASAN report

I found an out-of-bounds write to the array 'info->xcoff_types' in the function 'stab_xcoff_builtin_type' (binutils/stabs.c). Processing of typenum -34 results in overwriting of the adjacent field 'info->tags' at line 3668:

    info->xcoff_types[-typenum] = rettype;

This eventually leads to a segmentation fault due to an illegal memory reference performed by the function 'finish_stab'. ASAN catches this as heap-buffer-overflow.

Steps to reproduce:

Build current version of binutils with ASAN:

    ./configure --disable-shared --disable-gdb --disable-gdbserver CFLAGS="-ggdb -Wno-error -fsanitize=address -fsanitize-recover=address" CXXFLAGS="-ggdb -Wno-error -fsanitize=address -fsanitize-recover=address"
    make all

Run inputs under ASAN:

    binutils/objdump -g ~/oob_write

The proof-of-concept and ASAN report are attached.

--
You are receiving this mail because:
You are on the CC list for the bug.
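To make the off-by-one in this report concrete, the following is an added C model of the range check and array layout behind it (example code written for this page, not binutils' own; XCOFF_TYPE_COUNT = 34, the stand-in debug_type and the struct layout are assumptions chosen to mirror the report). It shows that typenum -34 passes a "< -COUNT" check, yields index 34 on a 34-element array, that this slot's offset coincides with the following 'tags' field, and what a check that rejects it looks like.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model of the lookup in binutils/stabs.c (added example, not
   the project's code). XCOFF builtin types carry negative stabs type
   numbers; the count and layout below are assumptions. */
#define XCOFF_TYPE_COUNT 34

typedef void *debug_type;            /* stand-in for binutils' opaque handle */
struct stab_tag;

struct stab_handle {
  debug_type xcoff_types[XCOFF_TYPE_COUNT]; /* valid indices 0 .. 33 */
  struct stab_tag *tags;                    /* field that follows the array */
};

/* Both lookups return the array index that would be used, or -1 if rejected. */

/* Buggy range check: typenum == -XCOFF_TYPE_COUNT is not rejected, so
   -typenum == 34 indexes one element past the end of xcoff_types. */
static int xcoff_index_buggy(int typenum)
{
  if (typenum >= 0 || typenum < -XCOFF_TYPE_COUNT)
    return -1;
  return -typenum;
}

/* Hardened check: only indices 0 .. XCOFF_TYPE_COUNT-1 may be produced
   (enlarging the array to COUNT+1 slots would be the other valid fix). */
static int xcoff_index_fixed(int typenum)
{
  if (typenum >= 0 || typenum <= -XCOFF_TYPE_COUNT)
    return -1;
  return -typenum;
}

static int index_in_bounds(int idx)
{
  return idx >= 0 && idx < XCOFF_TYPE_COUNT;
}

/* Byte offset xcoff_types[idx] would be written at; shows, without doing
   the bad write, that index 34 lands exactly on 'tags'. */
static size_t slot_offset(int idx)
{
  return offsetof(struct stab_handle, xcoff_types) + (size_t)idx * sizeof(debug_type);
}

int main(void)
{
  int idx = xcoff_index_buggy(-34);
  printf("buggy: typenum -34 -> index %d (%s)\n", idx,
         index_in_bounds(idx) ? "in bounds" : "OUT OF BOUNDS");
  printf("slot offset %zu == offsetof(tags) %zu\n", slot_offset(idx),
         offsetof(struct stab_handle, tags));
  printf("fixed: typenum -34 -> %d\n", xcoff_index_fixed(-34));
  return 0;
}
```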
[Bug binutils/28694] stabs.c: Out-of-bounds write in stab_xcoff_builtin_type
https://sourceware.org/bugzilla/show_bug.cgi?id=28694

--- Comment #3 from Pavel Mayorov ---

CVE-2021-45078
[Bug binutils/28718] New: debug.c: Stack-overflow in debug_write_type
https://sourceware.org/bugzilla/show_bug.cgi?id=28718

Bug ID: 28718
Summary: debug.c: Stack-overflow in debug_write_type
Product: binutils
Version: 2.38 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: pmayorov at cloudlinux dot com
Target Milestone: ---

Created attachment 13870
--> https://sourceware.org/bugzilla/attachment.cgi?id=13870&action=edit
PoC and ASAN report

I found a stack-overflow in 'debug_write_type' (binutils/debug.c). The problem is caused by a self-reference in a type definition string in the "stabs" representation of debugging information (http://www.sourceware.org/gdb/onlinedocs/stabs.html). This leads to an infinite recursion during the printing of debug information about this type.

There is the following type definition:

    .stabs "some_type:t&1=2=3=2",128,0,0,0

Here 'some_type' is defined as a reference to the indirect type 1, which is the indirect type 2, which is the indirect type 3, which finally is the indirect type 2. And after parsing we get a "looped" type 2:

    *type->u.kindirect->slot == type

Steps to reproduce:

Build current version of binutils with ASAN:

    ./configure --disable-shared --disable-gdb --disable-gdbserver CFLAGS="-ggdb -Wno-error -fsanitize=address -fsanitize-recover=address" CXXFLAGS="-ggdb -Wno-error -fsanitize=address -fsanitize-recover=address"
    make all

Run inputs under ASAN:

    binutils/objdump -g ~/stack_overflow

The proof-of-concept and ASAN report are attached. And I'm preparing a patch to solve this issue.
[Bug binutils/28718] debug.c: Stack-overflow in debug_write_type
https://sourceware.org/bugzilla/show_bug.cgi?id=28718

--- Comment #3 from Pavel Mayorov ---

Hi Nick.

I submitted the patch for review the same day (https://sourceware.org/pipermail/binutils/2021-December/118976.html)... but still haven't received any response.

Best regards,
Pavel