bug-binutils

[Bug binutils/32347] New: Buffer overflow in objdump


From: s0urc3.1er at gmail dot com
Subject: [Bug binutils/32347] New: Buffer overflow in objdump
Date: Fri, 08 Nov 2024 13:40:06 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=32347

            Bug ID: 32347
           Summary: Buffer overflow in objdump
           Product: binutils
           Version: 2.43
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: s0urc3.1er at gmail dot com
  Target Milestone: ---

Created attachment 15788
  --> https://sourceware.org/bugzilla/attachment.cgi?id=15788&action=edit
Buffer overflow objdump

Hello.

1. Vulnerability title: Buffer overflow in objdump
2. High level overview: A global buffer overflow was discovered in objdump
3. Version: 2.43


Root Cause: 

Attempting to read 8 bytes at an address (0x557957135698) that is: 
        ◦ 8 bytes before the global variable '_bfd_std_section' 
        ◦ 64 bytes after 'bfd_plugin_canonicalize_symtab.fake_common_section' 

The crash occurs in the following call stack:
    1. bfd_get_next_section_by_name 
    2. first_phase (tekhex.c) 
    3. pass_over (tekhex.c) 
    4. tekhex_object_p (tekhex.c) 
    5. bfd_check_format_matches 
    6. display_object_bfd 

This appears to be a bug in the BFD (Binary File Descriptor) library's handling
of tekhex format files. The issue occurs while trying to identify the file
format, specifically when processing sections in a tekhex file.

The bug manifests as an out-of-bounds read when accessing memory 8 bytes before
a global section variable. This suggests there might be:

    1. An incorrect pointer arithmetic operation 
    2. A misaligned access to the section structure 
    3. An off-by-one error in section traversal

- Could potentially expose addresses to defeat ASLR

Repro: Find attached a file that triggers the bug. Simply compile binutils with
ASan and run `./objdump -a poc_objdump`.

Reporter credit: 2ourc3
