touch-packages team mailing list archive
Message #93523
[Bug 1476014] Re: Stack-based buffer overflow in ihex_bad_byte function in ihex.c
Marking this bug as public since this was previously discussed in public
here: http://www.openwall.com/lists/oss-security/2014/11/03/16
This bug has not been fixed upstream. I'll create an upstream bug and
submit a patch.
** Information type changed from Private Security to Public Security
** Changed in: binutils (Ubuntu)
Status: New => Triaged
** Changed in: binutils (Ubuntu)
Importance: Undecided => Medium
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to binutils in Ubuntu.
https://bugs.launchpad.net/bugs/1476014
Title:
Stack-based buffer overflow in ihex_bad_byte function in ihex.c
Status in binutils package in Ubuntu:
Triaged
Bug description:
-=Binary=-
size
-=Package=-
binutils 2.25-10ubuntu1
-=Title=-
size assert failure : ***buffer overflow detected***: size terminated
-=Input file=-
root@exploitdev-wily:~/Desktop/size-crashes/pass1-orig# xxd 1
00000000: 3a30 3030 3030 3030 3030 303a b030 3030 :0000000000:.000
00000010: 3030 3030 ____ ____ ____ ____ ____ ____ 0000
-=happens here=-
ihex.c:222 --> sprintf (buf, "\\%03o", (unsigned int) c);
-=stacktrace=-
(gdb) backtrace
#0 0xb7fdbbe0 in __kernel_vsyscall ()
#1 0xb7e2c057 in __GI_raise (sig=6) at ../sysdeps/unix/sysv/linux/raise.c:55
#2 0xb7e2d699 in __GI_abort () at abort.c:89
#3 0xb7e6a19e in __libc_message (do_abort=2, fmt=0xb7f62380 "*** %s ***: %s terminated\n")
at ../sysdeps/posix/libc_fatal.c:175
#4 0xb7efacb8 in __GI___fortify_fail (msg=<optimised out>,
msg@entry=0xb7f62301 "buffer overflow detected") at fortify_fail.c:38
#5 0xb7ef8e3a in __GI___chk_fail () at chk_fail.c:28
#6 0xb7ef8618 in _IO_str_chk_overflow (fp=0xbffff0b0, c=54) at vsprintf_chk.c:33
#7 0xb7e6db5c in __GI__IO_default_xsputn (f=0xbffff0b0, data=0xbffff075, n=11)
at genops.c:480
#8 0xb7e43c3b in _IO_vfprintf_internal (s=0xbffff0b0, format=<optimised out>,
ap=0xbffff1b4 "O\362\377\277\b") at vfprintf.c:1641
#9 0xb7ef86ad in ___vsprintf_chk (s=0xbffff1c2 "\\37777777", flags=1, slen=10,
format=0x80cb83d "\\%03o", args=0xbffff1b0 "\260\377\377\377O\362\377\277\b")
at vsprintf_chk.c:84
#10 0xb7ef8600 in ___sprintf_chk (s=0xbffff1c2 "\\37777777", flags=1, slen=10,
format=0x80cb83d "\\%03o") at sprintf_chk.c:31
#11 0x08061607 in sprintf (__fmt=0x80cb83d "\\%03o", __s=0xbffff1c2 "\\37777777")
at /usr/include/i386-linux-gnu/bits/stdio2.h:33
#12 ihex_bad_byte (abfd=0x811a9f0, lineno=1, c=<optimised out>, error=0) at ihex.c:222
#13 0x08061d69 in ihex_scan (abfd=<optimised out>) at ihex.c:298
#14 ihex_object_p (abfd=0x811a9f0) at ihex.c:526
#15 0x08055742 in bfd_check_format_matches (abfd=0x811a9f0, format=bfd_object,
matching=0xbffff348) at format.c:305
#16 0x0804a8f0 in display_bfd (abfd=abfd@entry=0x811a9f0) at size.c:302
#17 0x0804aaaf in display_file (filename=0xbffff5dc "1") at size.c:398
#18 0x08049fd4 in main (argc=2, argv=0xbffff444) at size.c:239
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/binutils/+bug/1476014/+subscriptions
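Added example (not part of the original message and not the binutils code or its patch): a small C program showing why the sprintf call quoted at ihex.c:222 overruns the 10-byte destination seen in frame #9 for the 0xb0 input byte, next to one possible hardening. It assumes the byte reaches the call as a signed char and that unsigned int is 32 bits wide; the helper names and the masking fix are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 10   /* destination size, taken from slen=10 in frame #9 */

/* Characters that "\\%03o" produces for v, not counting the NUL. */
static int escape_len(unsigned int v)
{
    return snprintf(NULL, 0, "\\%03o", v);
}

/* Conversion as quoted from ihex.c:222; a negative char sign-extends. */
static unsigned int widen_as_reported(signed char c)
{
    return (unsigned int) c;
}

/* Assumed hardening: keep the low 8 bits, so at most 3 octal digits. */
static unsigned int widen_masked(signed char c)
{
    return (unsigned int) c & 0xff;
}

/* Bounded formatting: 0 on success, -1 if the output would not fit. */
static int format_bad_byte(char *out, size_t outsz, signed char c)
{
    int n = snprintf(out, outsz, "\\%03o", widen_masked(c));
    return (n < 0 || (size_t) n >= outsz) ? -1 : 0;
}

int main(void)
{
    signed char c = (signed char) 0xb0;  /* byte at offset 0x0c of the sample input */
    char buf[BUF_SIZE];

    printf("sign-extended: value=%#x needs %d+1 bytes, buffer has %d\n",
           widen_as_reported(c), escape_len(widen_as_reported(c)), BUF_SIZE);
    printf("masked:        value=%#x needs %d+1 bytes\n",
           widen_masked(c), escape_len(widen_masked(c)));
    if (format_bad_byte(buf, sizeof buf, c) == 0)
        printf("bounded output: %s (%zu chars)\n", buf, strlen(buf));
    return 0;
}
```

The sign-extended value matches the bytes "\260\377\377\377" visible in the args of frame #9, and the partial string "\\37777777" in that frame is the start of the 12-character result.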