bug-binutils

From: probefuzzer at gmail dot com
Subject: [Bug binutils/22794] New: Unchecked strnlen operation in bfd_get_debug_link_info_1 (./src/bfd/opncls.c)
Date: Tue, 06 Feb 2018 08:43:44 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=22794

            Bug ID: 22794
           Summary: Unchecked strnlen operation in
                    bfd_get_debug_link_info_1 (./src/bfd/opncls.c)
           Product: binutils
           Version: 2.30
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: probefuzzer at gmail dot com
  Target Milestone: ---

(this issue was discovered with UBSAN enabled)

On version 2.30.51.20180206 and the master branch of binutils:
there is an unchecked strnlen operation, which could be triggered by the POC
below.

As shown in line 1201, the first parameter ("name") of strnlen could be
manipulated by the input file. When "name" is NULL and the second parameter is
larger than NULL, the program would fail with segmentation fault.

 1174 static char *
 1175 bfd_get_debug_link_info_1 (bfd *abfd, void *crc32_out)
 1176 {
 1199   name = (char *) contents;
 1200   /* PR 17597: avoid reading off the end of the buffer.  */
 1201   crc_offset = strnlen (name, bfd_get_section_size (sect)) + 1;
 1202   crc_offset = (crc_offset + 3) & ~3;
 1208 }

./src/bfd/opncls.c:1201:16: runtime error: null pointer passed as argument 1,
which is declared to never be null

To reproduce the issue, run: ./bin/nm -A -a -l -S -s --special-syms --synthetic
--with-symbol-versions -D $POC

POC:
https://github.com/ProbeFuzzer/poc/blob/master/binutils/binutils_2-30-51_nm_unchecked_strlen_bfd_get_debug_link_info_1

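The report above shows the hazard: strnlen is called on a pointer that comes from section contents supplied by the input file, with no check that the pointer is non-NULL or that the name is actually NUL-terminated inside the section. The following is an added example (not binutils code, and not the fix that was applied to opncls.c) of how a .gnu_debuglink-style section body can be parsed defensively. The function name parse_debuglink, the sample buffers and the little-endian CRC layout are all assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical parser for a .gnu_debuglink-style section body:
   a NUL-terminated file name, padded to a 4-byte boundary, followed by
   a 4-byte CRC32.  Returns 0 on success and -1 when the buffer is NULL,
   the name is not terminated inside the buffer, or the buffer is too
   short to hold the CRC.  Example code, not the binutils implementation. */
int parse_debuglink (const unsigned char *contents, size_t size,
                     const char **name_out, uint32_t *crc_out)
{
  const unsigned char *nul;
  size_t crc_offset;

  /* A NULL or empty section must never reach strnlen/memchr. */
  if (contents == NULL || size == 0)
    return -1;

  /* Require the terminator to exist inside the section before
     computing anything from the name length. */
  nul = memchr (contents, '\0', size);
  if (nul == NULL)
    return -1;

  /* Same arithmetic as "strnlen (name, size) + 1" rounded up to 4,
     but only after the terminator is known to be present. */
  crc_offset = (size_t) (nul - contents) + 1;
  crc_offset = (crc_offset + 3) & ~(size_t) 3;

  /* The CRC must fit entirely inside the buffer (overflow-safe form). */
  if (crc_offset > size || size - crc_offset < 4)
    return -1;

  *name_out = (const char *) contents;
  /* Assumed little-endian CRC for this example; a real target-aware
     reader would use the object's byte order. */
  *crc_out = (uint32_t) contents[crc_offset]
           | (uint32_t) contents[crc_offset + 1] << 8
           | (uint32_t) contents[crc_offset + 2] << 16
           | (uint32_t) contents[crc_offset + 3] << 24;
  return 0;
}

/* Constructed sample section bodies (not taken from the POC file). */
static const unsigned char sample_good[16] = {
  'f', 'o', 'o', '.', 'd', 'e', 'b', 'u', 'g', 0, 0, 0, /* name + pad to 12 */
  0x78, 0x56, 0x34, 0x12                              /* CRC32 0x12345678 */
};
static const unsigned char sample_unterminated[4] = { 'a', 'b', 'c', 'd' };
static const unsigned char sample_short[4] = { 'a', 0, 0, 0 };

/* Each check returns 1 when the parser behaves as intended, else 0. */
int check_good (void)
{
  const char *name = NULL;
  uint32_t crc = 0;
  return parse_debuglink (sample_good, sizeof sample_good, &name, &crc) == 0
         && crc == 0x12345678u && strcmp (name, "foo.debug") == 0;
}

int check_null_contents (void)
{
  const char *name = NULL;
  uint32_t crc = 0;
  return parse_debuglink (NULL, 16, &name, &crc) == -1;
}

int check_unterminated (void)
{
  const char *name = NULL;
  uint32_t crc = 0;
  return parse_debuglink (sample_unterminated, sizeof sample_unterminated,
                          &name, &crc) == -1;
}

int check_short (void)
{
  const char *name = NULL;
  uint32_t crc = 0;
  return parse_debuglink (sample_short, sizeof sample_short, &name, &crc) == -1;
}

int main (void)
{
  printf ("good=%d null=%d unterminated=%d short=%d\n",
          check_good (), check_null_contents (),
          check_unterminated (), check_short ());
  return 0;
}
```

The three rejection paths correspond to the inputs a fuzzer is most likely to produce here: a section that could not be read (NULL contents), a name that runs off the end of the section, and a section too short to hold the CRC after alignment. Any of them is a parse failure, not a reason to dereference the pointer.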
