CVE-2021-45078: 28694 – stabs.c: Out-of-bounds write in stab_xcoff_builtin_type
stab_xcoff_builtin_type in stabs.c in GNU Binutils through 2.37 allows attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact, as demonstrated by an out-of-bounds write. NOTE: this issue exists because of an incorrect fix for CVE-2018-12699.
Description Pavel Mayorov 2021-12-14 14:02:59 UTC
Created attachment 13851 [details] PoC and ASAN report
I found an out-of-bounds write to the array 'info->xcoff_types' in the function 'stab_xcoff_builtin_type' (binutils/stabs.c).
Processing of typenum -34 results in overwriting of adjacent field 'info->tags' at line 3668: info->xcoff_types[-typenum] = rettype;
This eventually leads to a segmentation fault due to illegal memory reference performed by the function 'finish_stab'. ASAN catches this as heap-buffer-overflow.
Steps to reproduce:
Build current version of binutils with ASAN:
./configure --disable-shared --disable-gdb --disable-gdbserver CFLAGS="-ggdb -Wno-error -fsanitize=address -fsanitize-recover=address" CXXFLAGS="-ggdb -Wno-error -fsanitize=address -fsanitize-recover=address"
make all
Run inputs under ASAN: binutils/objdump -g ~/oob_write
The proof-of-concept and ASAN report are attached.
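An added example (not the binutils source and not part of the bug report) that models the off-by-one described above: a cache indexed by -typenum with the 'tags' field laid out right after it, a range check that rejects values below the array size but still lets -typenum equal it, and a hardened check that only accepts indices strictly inside the array. The slot count of 34, the struct layout and the function names are assumptions made for the model.

```c
#include <stdio.h>

/* Model only: assumed 34 cached builtin-type slots, indexed by -typenum. */
#define XCOFF_TYPE_COUNT 34

struct model_handle {
    const char *xcoff_types[XCOFF_TYPE_COUNT]; /* indexed by -typenum */
    const char *tags;   /* adjacent field the out-of-bounds write clobbers */
};

/* Weak check: rejects typenum < -COUNT but accepts -COUNT itself, so the
   computed index equals the array size, i.e. one past the last slot. */
int xcoff_index_weak(int typenum)
{
    if (typenum >= 0 || typenum < -XCOFF_TYPE_COUNT)
        return -1;          /* rejected */
    return -typenum;        /* 1..34; 34 is out of bounds */
}

/* Hardened check: valid only when 0 <= -typenum < COUNT. */
int xcoff_index_safe(int typenum)
{
    if (typenum >= 0)
        return -1;
    int idx = -typenum;
    if (idx >= XCOFF_TYPE_COUNT)
        return -1;
    return idx;
}

/* Store through the hardened check; returns 1 on success, 0 if rejected,
   and never writes outside xcoff_types, so 'tags' stays intact. */
int cache_type_safe(struct model_handle *h, int typenum, const char *type)
{
    int idx = xcoff_index_safe(typenum);
    if (idx < 0) {
        fprintf(stderr, "Unrecognized XCOFF type %d\n", typenum);
        return 0;
    }
    h->xcoff_types[idx] = type;
    return 1;
}

int main(void)
{
    struct model_handle h = { {0}, "tags-sentinel" };
    printf("weak index for -34: %d (array size %d)\n",
           xcoff_index_weak(-34), XCOFF_TYPE_COUNT);
    printf("safe index for -34: %d\n", xcoff_index_safe(-34));
    cache_type_safe(&h, -34, "bogus");   /* rejected */
    cache_type_safe(&h, -1, "int");      /* accepted */
    printf("tags still: %s\n", h.tags);
    return 0;
}
```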
Comment 2 Alan Modra 2021-12-15 01:31:02 UTC
Fixed.