http://bugzilla.opensuse.org/show_bug.cgi?id=1038874 Bug ID: 1038874 Summary: VUL-1: binutils: readelf heapoverflow2-byte_get_little_endian Classification: openSUSE Product: openSUSE Distribution Version: Leap 42.2 Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: security-team@suse.de Reporter: mikhail.kasimov@gmail.com QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- Created attachment 724889 --> http://bugzilla.opensuse.org/attachment.cgi?id=724889&action=edit binutils-readelf-heapoverflow2-byte_get_little_endian_reproducer Ref: https://blogs.gentoo.org/ago/2017/05/12/binutils-multiple-crashes/ ======================================================================== # readelf -a $FILE ==12002==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000039 at pc 0x0000005a4f79 bp 0x7ffea5d104d0 sp 0x7ffea5d104c8 READ of size 1 at 0x602000000039 thread T0 #0 0x5a4f78 in byte_get_little_endian /var/tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/elfcomm.c:210:22 #1 0x565bc4 in process_mips_specific /var/tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/readelf.c:15190:8 #2 0x52483a in process_arch_specific /var/tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/readelf.c:16565:14 #3 0x52483a in process_object /var/tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/readelf.c:16770 #4 0x50b57c in process_file /var/tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/readelf.c:17138:13 #5 0x50b57c in main /var/tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/readelf.c:17209 #6 0x7f2e28f6e680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289 #7 0x419f68 in dl_iterate_phdr (/usr/x86_64-pc-linux-gnu/binutils-bin/2.28/readelf+0x419f68) 0x602000000039 is located 0 bytes to the right of 9-byte region [0x602000000030,0x602000000039) allocated by thread T0 here: #0 0x4cf918 in malloc /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_malloc_linux.cc:66 #1 0x50be47 in get_data /var/tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/readelf.c:392:9 #2 0x565a00 in process_mips_specific /var/tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/readelf.c:15169:32 #3 0x52483a in process_arch_specific /var/tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/readelf.c:16565:14 #4 0x52483a in process_object /var/tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/readelf.c:16770 #5 0x50b57c in process_file /var/tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/readelf.c:17138:13 #6 0x50b57c in main /var/tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/readelf.c:17209 #7 0x7f2e28f6e680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289 SUMMARY: AddressSanitizer: heap-buffer-overflow /var/tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/elfcomm.c:210:22 in byte_get_little_endian Affected version: 2.28 Fixed version: N/A Reproducer: https://github.com/asarubbo/poc/blob/master/00258-binutils-readelf-heapoverf... Commit fix: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f32ba72991d2406b2... ======================================================================== (open-)SUSE: https://software.opensuse.org/package/binutils 2.28 (TW, official repo) 2.26.1 (42.{1,2}, official repo) -- You are receiving this mail because: You are on the CC list for the bug.