
touch-packages team mailing list archive

[Bug 1476014] Re: Stack-based buffer overflow in ihex_bad_byte function in ihex.c


Marking this bug as public since this was previously discussed in public
here: http://www.openwall.com/lists/oss-security/2014/11/03/16

This bug has not been fixed upstream. I'll create an upstream bug and
submit a patch.

** Information type changed from Private Security to Public Security

** Changed in: binutils (Ubuntu)
       Status: New => Triaged

** Changed in: binutils (Ubuntu)
   Importance: Undecided => Medium

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to binutils in Ubuntu.
https://bugs.launchpad.net/bugs/1476014

Title:
  Stack-based buffer overflow in ihex_bad_byte function in ihex.c

Status in binutils package in Ubuntu:
  Triaged

Bug description:
  -=Binary=-
  size

  
  -=Package=-
  binutils 2.25-10ubuntu1

  
  -=Title=-
  size assert failure : ***buffer overflow detected***: size terminated

  
  -=Input file=-
  root@exploitdev-wily:~/Desktop/size-crashes/pass1-orig# xxd 1
  00000000: 3a30 3030 3030 3030 3030 303a b030 3030  :0000000000:.000
  00000010: 3030 3030 ____ ____ ____ ____ ____ ____  0000

  
  -=happens here=-
  ihex.c:222   --> sprintf (buf, "\\%03o", (unsigned int) c);

  
  -=stacktrace=-
  (gdb) backtrace
  #0  0xb7fdbbe0 in __kernel_vsyscall ()
  #1  0xb7e2c057 in __GI_raise (sig=6) at ../sysdeps/unix/sysv/linux/raise.c:55
  #2  0xb7e2d699 in __GI_abort () at abort.c:89
  #3  0xb7e6a19e in __libc_message (do_abort=2, fmt=0xb7f62380 "*** %s ***: %s terminated\n")
      at ../sysdeps/posix/libc_fatal.c:175
  #4  0xb7efacb8 in __GI___fortify_fail (msg=<optimised out>,
      msg@entry=0xb7f62301 "buffer overflow detected") at fortify_fail.c:38
  #5  0xb7ef8e3a in __GI___chk_fail () at chk_fail.c:28
  #6  0xb7ef8618 in _IO_str_chk_overflow (fp=0xbffff0b0, c=54) at vsprintf_chk.c:33
  #7  0xb7e6db5c in __GI__IO_default_xsputn (f=0xbffff0b0, data=0xbffff075, n=11)
      at genops.c:480
  #8  0xb7e43c3b in _IO_vfprintf_internal (s=0xbffff0b0, format=<optimised out>,
      ap=0xbffff1b4 "O\362\377\277\b") at vfprintf.c:1641
  #9  0xb7ef86ad in ___vsprintf_chk (s=0xbffff1c2 "\\37777777", flags=1, slen=10,
      format=0x80cb83d "\\%03o", args=0xbffff1b0 "\260\377\377\377O\362\377\277\b")
      at vsprintf_chk.c:84
  #10 0xb7ef8600 in ___sprintf_chk (s=0xbffff1c2 "\\37777777", flags=1, slen=10,
      format=0x80cb83d "\\%03o") at sprintf_chk.c:31
  #11 0x08061607 in sprintf (__fmt=0x80cb83d "\\%03o", __s=0xbffff1c2 "\\37777777")
      at /usr/include/i386-linux-gnu/bits/stdio2.h:33
  #12 ihex_bad_byte (abfd=0x811a9f0, lineno=1, c=<optimised out>, error=0) at ihex.c:222
  #13 0x08061d69 in ihex_scan (abfd=<optimised out>) at ihex.c:298
  #14 ihex_object_p (abfd=0x811a9f0) at ihex.c:526
  #15 0x08055742 in bfd_check_format_matches (abfd=0x811a9f0, format=bfd_object,
      matching=0xbffff348) at format.c:305
  #16 0x0804a8f0 in display_bfd (abfd=abfd@entry=0x811a9f0) at size.c:302
  #17 0x0804aaaf in display_file (filename=0xbffff5dc "1") at size.c:398
  #18 0x08049fd4 in main (argc=2, argv=0xbffff444) at size.c:239

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/binutils/+bug/1476014/+subscriptions
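The backtrace above pins the failure down: ___sprintf_chk was entered with slen=10 and the destination already holds "\\37777777", so the 0xb0 byte at offset 0xc of the input file reached the sprintf in ihex_bad_byte as a sign-extended value (0xffffffb0, octal 37777777660). "\\%03o" then needs 12 characters plus a NUL, which a 10-byte buffer cannot hold; the same byte treated as a value in 0..255 would format as "\260" and fit. The C below is an added example, not binutils code and not the upstream fix: it measures the write the reported sprintf would perform (without performing it) and shows a bounded formatter that masks the byte before formatting. The buffer size 10 is taken from slen=10 in the backtrace; the function names are mine.

```c
#include <stdio.h>
#include <string.h>

/* Destination size at the crash site, taken from slen=10 in the
   ___sprintf_chk frame of the backtrace. */
#define BAD_BYTE_BUF 10

/* Bytes (excluding the NUL) that "\\%03o" emits for v. */
static size_t octal_escape_len(unsigned int v)
{
    return (size_t) snprintf(NULL, 0, "\\%03o", v);
}

/* Total bytes the reported sprintf would write, NUL included, when c
   arrives as a sign-extended int (0xb0 -> -80) and is cast to unsigned int
   (-> 0xffffffb0). Nothing is written here; we only measure the damage. */
size_t unsafe_write_size(int c)
{
    return octal_escape_len((unsigned int) c) + 1;
}

/* Hardened formatter (added example, not the binutils fix): reduce c to
   0..255 before formatting, bound the write with snprintf, and report
   truncation instead of silently overrunning the buffer. Returns the
   number of characters stored, or -1 if buf is too small. */
int format_bad_byte(char *buf, size_t buflen, int c)
{
    unsigned int byte = (unsigned int) c & 0xffu;  /* undo any sign extension */
    int n;

    if (buflen == 0)
        return -1;
    if (byte >= 0x20 && byte < 0x7f) {             /* printable ASCII */
        if (buflen < 2)
            return -1;
        buf[0] = (char) byte;
        buf[1] = '\0';
        return 1;
    }
    n = snprintf(buf, buflen, "\\%03o", byte);
    if (n < 0 || (size_t) n >= buflen) {           /* would have overflowed */
        buf[0] = '\0';
        return -1;
    }
    return n;
}

/* Check helper: format c into a BAD_BYTE_BUF-sized buffer and compare
   with expected. Returns 1 on match, 0 otherwise. */
int formats_as(int c, const char *expected)
{
    char buf[BAD_BYTE_BUF];
    return format_bad_byte(buf, sizeof buf, c) >= 0
        && strcmp(buf, expected) == 0;
}

/* Check helper: 1 if format_bad_byte refuses to write c into buflen bytes. */
int rejected_for_size(size_t buflen, int c)
{
    char buf[BAD_BYTE_BUF];
    return buflen <= sizeof buf && format_bad_byte(buf, buflen, c) < 0;
}

int main(void)
{
    char buf[BAD_BYTE_BUF];
    int c = (signed char) 0xb0;   /* the byte at offset 0xc of the input file */

    printf("sign-extended sprintf would write %zu bytes into a %d-byte buffer\n",
           unsafe_write_size(c), BAD_BYTE_BUF);
    printf("same byte as 0..255 needs %zu bytes\n", unsafe_write_size(c & 0xff));
    if (format_bad_byte(buf, sizeof buf, c) >= 0)
        printf("masked and bounded: \"%s\"\n", buf);
    return 0;
}
```

Masking to 0..255 is the essential step; bounding the write with snprintf is the belt-and-braces part that turns any remaining size mistake into a reported truncation rather than a stack overwrite.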