http://bugzilla.opensuse.org/show_bug.cgi?id=1038877

            Bug ID: 1038877
           Summary: VUL-1: binutils: readelf-heapoverflow2-byte_get_little_endian
    Classification: openSUSE
           Product: openSUSE Distribution
           Version: Leap 42.2
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Security
          Assignee: security-team@suse.de
          Reporter: mikhail.kasimov@gmail.com
        QA Contact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---

Created attachment 724892
  --> http://bugzilla.opensuse.org/attachment.cgi?id=724892&action=edit
binutils-readelf-heapoverflow2-byte_get_little_endian_reproducer

Ref: https://blogs.gentoo.org/ago/2017/05/12/binutils-multiple-crashes/

=======================================================================
# readelf -a $FILE
==20287==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000039 at pc 0x00000064c061 bp 0x7ffcc34b2580 sp 0x7ffcc34b2578
READ of size 1 at 0x602000000039 thread T0
    #0 0x64c060 in byte_get_little_endian /tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/elfcomm.c:210:22
    #1 0x5d31c5 in process_mips_specific /tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/readelf.c:15190:8
    #2 0x549e1d in process_arch_specific /tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/readelf.c:16565:14
    #3 0x549e1d in process_object /tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/readelf.c:16770
    #4 0x51780f in process_file /tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/readelf.c:17138:13
    #5 0x51780f in main /tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/readelf.c:17209
    #6 0x7fa5fc60b78f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #7 0x41a158 in getenv (/usr/x86_64-pc-linux-gnu/binutils-bin/2.28/readelf+0x41a158)

0x602000000039 is located 0 bytes to the right of 9-byte region [0x602000000030,0x602000000039)
allocated by thread T0 here:
    #0 0x4d9828 in malloc /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_malloc_linux.cc:66
    #1 0x518af2 in get_data /tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/readelf.c:392:9
    #2 0x5d2ee2 in process_mips_specific /tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/readelf.c:15169:32
    #3 0x549e1d in process_arch_specific /tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/readelf.c:16565:14
    #4 0x549e1d in process_object /tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/readelf.c:16770
    #5 0x51780f in process_file /tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/readelf.c:17138:13
    #6 0x51780f in main /tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/readelf.c:17209
    #7 0x7fa5fc60b78f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/binutils/elfcomm.c:210:22 in byte_get_little_endian

Affected version:
2.28

Fixed version:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00258-binutils-readelf-heapoverf...

Commit fix:
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=75ec1fdbb797a389e...
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=c4ab9505b53cdc899...
=======================================================================

(open-)SUSE: https://software.opensuse.org/package/binutils
2.28 (TW, official repo)
2.26.1 (42.{1,2}, official repo)

-- 
You are receiving this mail because:
You are on the CC list for the bug.
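The trace above shows the shape of the defect: process_mips_specific obtains a 9-byte region from get_data(), then hands byte_get_little_endian a field pointer and width without checking that the field actually fits inside that region, so the reader touches the byte immediately past the end. The C below is an added illustration of that failure mode and the check that prevents it; it is not binutils code and does not reproduce the MIPS parsing. The 9-byte region, the field offsets and the function names byte_get_le_unchecked / byte_get_le_checked / read_field_at are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not binutils code.  An unchecked little-endian reader with
 * the same contract as byte_get_little_endian(field, size): it trusts the
 * caller and reads `size` bytes from `field` no matter where they lie. */
static uint64_t byte_get_le_unchecked(const unsigned char *field, unsigned int size)
{
    uint64_t v = 0;
    for (unsigned int i = 0; i < size; i++)
        v |= (uint64_t) field[i] << (8 * i);
    return v;
}

/* Bounds-checked wrapper: the caller passes the whole region it owns, the
 * offset of the field inside it and the field width.  Returns 0 and stores
 * the value on success; returns -1 without touching memory when the field
 * would extend past the region.  The check is written as
 * "offset > len || size > len - offset" rather than "offset + size > len"
 * so that an oversized offset cannot wrap the addition around. */
static int byte_get_le_checked(const unsigned char *buf, size_t len,
                               size_t offset, unsigned int size, uint64_t *out)
{
    if (size == 0 || size > sizeof(uint64_t))
        return -1;                      /* no such field width */
    if (offset > len || size > len - offset)
        return -1;                      /* would read past end of region */
    *out = byte_get_le_unchecked(buf + offset, size);
    return 0;
}

/* Constructed sample: a 9-byte region like the one in the ASan report.
 * A 4-byte field at offset 5 occupies bytes 5..8 and fits exactly; a 4-byte
 * field at offset 6 would need byte 9, which is "0 bytes to the right of"
 * the region, i.e. the report's one-byte overread. */
static const unsigned char sample_region[9] = {
    0x01, 0x02, 0x03, 0x04, 0x05, 0x78, 0x56, 0x34, 0x12
};

/* Reads a field from the sample region through the checked wrapper.
 * Returns 1 and stores the value when the field fits, 0 when it is rejected. */
int read_field_at(size_t offset, unsigned int size, uint64_t *out)
{
    return byte_get_le_checked(sample_region, sizeof sample_region,
                               offset, size, out) == 0;
}

int main(void)
{
    uint64_t v;
    if (read_field_at(5, 4, &v))
        printf("offset 5, size 4: 0x%08llx\n", (unsigned long long) v);
    if (!read_field_at(6, 4, &v))
        printf("offset 6, size 4: rejected, would read past end of 9-byte region\n");
    return 0;
}
```

The point of the wrapper is that the size check lives next to the allocation size, not inside the byte reader: byte_get_little_endian cannot know how large the region is, so the caller that called get_data() is the one that has to compare offsets against the length it asked for before dereferencing anything.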