Bug ID: 21909
           Summary: Stack buffer overflow in pr_int_type - prdbg.c:586
           Product: binutils
           Version: 2.30 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: martino.sani at gmail dot com
  Target Milestone: ---

Created attachment 10316
Binary POC (zipped)

American fuzzy lop detects a stack buffer overflow in pr_int_type:

pr_int_type stores the ab variable on the stack, and writes a string into it
without verifying its length.

static bfd_boolean
pr_int_type (void *p, unsigned int size, bfd_boolean unsignedp)
{
  char ab[10];

  // !!!
  sprintf (ab, "%sint%d", unsignedp ? "u" : "", size * 8);

E.g., in the attached POC, when size has the value 177777 and unsignedp is 1,
sprintf writes 11 chars plus the terminating NUL (12 bytes) into ab:
tot len = len("int") + len("u") + len(str(size * 8)) + 1 (NUL)

# stacktrace

WRITE of size 12 at 0x7ffea8f9b42a thread T0
    #0 0x4a0b01 in vsprintf (/tmp/binutils/master/build/bin/objdump+0x4a0b01)
    #1 0x4a0d62 in __interceptor_sprintf
    #2 0x5756a1 in pr_int_type
    #3 0x58fd8c in debug_write_type
    #4 0x591968 in debug_write_type
    #5 0x58df6c in debug_write_name
    #6 0x58da8c in debug_write
    #7 0x5752ef in print_debugging_info
    #8 0x50fbc7 in dump_bfd
    #9 0x50f201 in display_object_bfd
    #10 0x50f0e9 in display_any_bfd
    #11 0x50ebe8 in display_file
    #12 0x50e430 in main
    #13 0x7f022cccb2b0 in __libc_start_main
    #14 0x419d79 in _start (/tmp/binutils/master/build/bin/objdump+0x419d79)

# GIT version (master branch) - git:// 

# Command line to reproduce the issue
$ ./objdump -e poc.bin
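# Added example (not binutils code)

The following stand-alone C program is an added illustration, not code from
prdbg.c or from the reporter. It reproduces the length arithmetic behind the
report: how many bytes the original sprintf(ab, "%sint%d", ...) stores for a
given (size, unsignedp), whether that exceeds the 10-byte ab[] on the stack,
and a bounded replacement that refuses to truncate. The function names
(pr_int_type_needed, pr_int_type_overflows, pr_int_type_safe), the SAFE_LEN
constant and the sample inputs are assumptions made for this example; %u is
used instead of the original %d because size * 8 is an unsigned value.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Size of the on-stack buffer in the reported pr_int_type (prdbg.c): char ab[10]. */
#define AB_LEN 10

/* Worst case for a 32-bit size: "uint" (4) + 10 decimal digits of size * 8
   (which wraps modulo 2^32) + NUL = 15 bytes. 16 leaves one byte of slack.
   Hypothetical name for this example, not from binutils. */
#define SAFE_LEN 16

/* Number of bytes, including the terminating NUL, that the original
   sprintf(ab, "%sint%d", ...) would store for this (size, unsignedp).
   snprintf(NULL, 0, ...) measures the output without writing anything. */
size_t pr_int_type_needed(unsigned int size, bool unsignedp)
{
    int n = snprintf(NULL, 0, "%sint%u", unsignedp ? "u" : "", size * 8u);
    return (size_t)n + 1;
}

/* True when the original 10-byte buffer is too small for this input, i.e.
   when the sprintf in the report would overrun ab[] on the stack. */
bool pr_int_type_overflows(unsigned int size, bool unsignedp)
{
    return pr_int_type_needed(size, unsignedp) > AB_LEN;
}

/* Hardened stand-in for pr_int_type: bounded write with an explicit
   truncation check. Returns false and leaves *out empty instead of
   silently truncating the type name. */
bool pr_int_type_safe(char *out, size_t outlen, unsigned int size, bool unsignedp)
{
    int n = snprintf(out, outlen, "%sint%u", unsignedp ? "u" : "", size * 8u);
    if (n < 0 || (size_t)n >= outlen) {
        if (outlen > 0)
            out[0] = '\0';
        return false;
    }
    return true;
}

int main(void)
{
    /* Constructed inputs: the POC's values (size 177777, unsignedp 1) and
       a benign 4-byte int. */
    const unsigned int poc_size = 177777;
    const unsigned int ok_size = 4;
    char buf[SAFE_LEN];

    printf("size=%u unsignedp=1 needs %zu bytes; ab[%d] %s\n",
           poc_size, pr_int_type_needed(poc_size, true), AB_LEN,
           pr_int_type_overflows(poc_size, true) ? "overflows" : "is fine");
    printf("size=%u unsignedp=1 needs %zu bytes; ab[%d] %s\n",
           ok_size, pr_int_type_needed(ok_size, true), AB_LEN,
           pr_int_type_overflows(ok_size, true) ? "overflows" : "is fine");

    if (pr_int_type_safe(buf, sizeof buf, poc_size, true))
        printf("bounded variant produced \"%s\"\n", buf);
    return 0;
}
```

For the POC values the measured length is 12 bytes, which matches the
"WRITE of size 12" in the ASan report above; the same check flags any size
whose size * 8 has five or more decimal digits when unsignedp is set.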
