Mailinglist Archive: opensuse-bugs (4295 mails)

[Bug 1038874] New: VUL-1: binutils: readelf heapoverflow2-byte_get_little_endian
  • From: bugzilla_noreply@xxxxxxxxxx
  • Date: Fri, 12 May 2017 13:17:49 +0000
  • Message-id: <bug-1038874-21960@http.bugzilla.opensuse.org/>
http://bugzilla.opensuse.org/show_bug.cgi?id=1038874


Bug ID: 1038874
Summary: VUL-1: binutils: readelf heapoverflow2-byte_get_little_endian
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.2
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@xxxxxxx
Reporter: mikhail.kasimov@xxxxxxxxx
QA Contact: qa-bugs@xxxxxxx
Found By: ---
Blocker: ---

Created attachment 724889
--> http://bugzilla.opensuse.org/attachment.cgi?id=724889&action=edit
binutils-readelf-heapoverflow2-byte_get_little_endian_reproducer

Ref: https://blogs.gentoo.org/ago/2017/05/12/binutils-multiple-crashes/
========================================================================
# readelf -a $FILE
==12002==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000039 at pc 0x0000005a4f79 bp 0x7ffea5d104d0 sp 0x7ffea5d104c8
READ of size 1 at 0x602000000039 thread T0
    #0 0x5a4f78 in byte_get_little_endian /var/tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/elfcomm.c:210:22
    #1 0x565bc4 in process_mips_specific /var/tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/readelf.c:15190:8
    #2 0x52483a in process_arch_specific /var/tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/readelf.c:16565:14
    #3 0x52483a in process_object /var/tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/readelf.c:16770
    #4 0x50b57c in process_file /var/tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/readelf.c:17138:13
    #5 0x50b57c in main /var/tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/readelf.c:17209
    #6 0x7f2e28f6e680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #7 0x419f68 in dl_iterate_phdr (/usr/x86_64-pc-linux-gnu/binutils-bin/2.28/readelf+0x419f68)

0x602000000039 is located 0 bytes to the right of 9-byte region [0x602000000030,0x602000000039)
allocated by thread T0 here:
    #0 0x4cf918 in malloc /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_malloc_linux.cc:66
    #1 0x50be47 in get_data /var/tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/readelf.c:392:9
    #2 0x565a00 in process_mips_specific /var/tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/readelf.c:15169:32
    #3 0x52483a in process_arch_specific /var/tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/readelf.c:16565:14
    #4 0x52483a in process_object /var/tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/readelf.c:16770
    #5 0x50b57c in process_file /var/tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/readelf.c:17138:13
    #6 0x50b57c in main /var/tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/readelf.c:17209
    #7 0x7f2e28f6e680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /var/tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/elfcomm.c:210:22 in byte_get_little_endian

Affected version:
2.28

Fixed version:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00258-binutils-readelf-heapoverflow2-byte_get_little_endian

Commit fix:
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f32ba72991d2406b21ab17edc234a2f3fa7fb23d
========================================================================

(open-)SUSE: https://software.opensuse.org/package/binutils

2.28 (TW, official repo)
2.26.1 (42.{1,2}, official repo)
