Stack-based buffer overflow in ihex_bad_byte function in ihex.c

Bug #1476014 reported by Francesco Mifsud on 2015-07-19
Affects            Status        Importance  Assigned to  Milestone
binutils           Unknown       Unknown
binutils (Ubuntu)  Fix Released  Medium      Unassigned

Bug Description

-=Binary=-
size

-=Package=-
binutils 2.25-10ubuntu1

-=Title=-
size assert failure : ***buffer overflow detected***: size terminated

-=Input file=-
root@exploitdev-wily:~/Desktop/size-crashes/pass1-orig# xxd 1
00000000: 3a30 3030 3030 3030 3030 303a b030 3030 :0000000000:.000
00000010: 3030 3030                                0000

-=happens here=-
ihex.c:222 --> sprintf (buf, "\\%03o", (unsigned int) c);

-=stacktrace=-
(gdb) backtrace
#0 0xb7fdbbe0 in __kernel_vsyscall ()
#1 0xb7e2c057 in __GI_raise (sig=6) at ../sysdeps/unix/sysv/linux/raise.c:55
#2 0xb7e2d699 in __GI_abort () at abort.c:89
#3 0xb7e6a19e in __libc_message (do_abort=2, fmt=0xb7f62380 "*** %s ***: %s terminated\n")
    at ../sysdeps/posix/libc_fatal.c:175
#4 0xb7efacb8 in __GI___fortify_fail (msg=<optimised out>,
    msg@entry=0xb7f62301 "buffer overflow detected") at fortify_fail.c:38
#5 0xb7ef8e3a in __GI___chk_fail () at chk_fail.c:28
#6 0xb7ef8618 in _IO_str_chk_overflow (fp=0xbffff0b0, c=54) at vsprintf_chk.c:33
#7 0xb7e6db5c in __GI__IO_default_xsputn (f=0xbffff0b0, data=0xbffff075, n=11)
    at genops.c:480
#8 0xb7e43c3b in _IO_vfprintf_internal (s=0xbffff0b0, format=<optimised out>,
    ap=0xbffff1b4 "O\362\377\277\b") at vfprintf.c:1641
#9 0xb7ef86ad in ___vsprintf_chk (s=0xbffff1c2 "\\37777777", flags=1, slen=10,
    format=0x80cb83d "\\%03o", args=0xbffff1b0 "\260\377\377\377O\362\377\277\b")
    at vsprintf_chk.c:84
#10 0xb7ef8600 in ___sprintf_chk (s=0xbffff1c2 "\\37777777", flags=1, slen=10,
    format=0x80cb83d "\\%03o") at sprintf_chk.c:31
#11 0x08061607 in sprintf (__fmt=0x80cb83d "\\%03o", __s=0xbffff1c2 "\\37777777")
    at /usr/include/i386-linux-gnu/bits/stdio2.h:33
#12 ihex_bad_byte (abfd=0x811a9f0, lineno=1, c=<optimised out>, error=0) at ihex.c:222
#13 0x08061d69 in ihex_scan (abfd=<optimised out>) at ihex.c:298
#14 ihex_object_p (abfd=0x811a9f0) at ihex.c:526
#15 0x08055742 in bfd_check_format_matches (abfd=0x811a9f0, format=bfd_object,
    matching=0xbffff348) at format.c:305
#16 0x0804a8f0 in display_bfd (abfd=abfd@entry=0x811a9f0) at size.c:302
#17 0x0804aaaf in display_file (filename=0xbffff5dc "1") at size.c:398
#18 0x08049fd4 in main (argc=2, argv=0xbffff444) at size.c:239
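Added example (an editor's illustration, not binutils source and not the reporter's attachment). It models the formatting step at ihex.c:222 that the trace lands on: the rejected input byte is printed into char buf[10] with the format "\\%03o". Frame #9 shows s="\\37777777" and slen=10, which only a negative c can produce; together with the 0xb0 byte in the xxd dump above, that is consistent with the byte having been read through a signed char and sign-extended to int, so (unsigned int) c is 0xffffffb0 and the octal escape is 12 characters plus the NUL, well past 10 bytes. Assumptions made here: unsigned int is 32 bits, the sign extension of i386 (where char is signed) is modelled explicitly with signed char, and the record scanner is reduced to "first byte that is neither ':' nor a hex digit", which for this input picks the same byte. The hardened form masks the value to one byte, so the longest possible escape is "\377", and bounds the write with snprintf.

```c
#include <stdio.h>
#include <string.h>

/* Size of buf in ihex_bad_byte (binutils 2.25), per the slen=10 in frame #9. */
#define IHEX_BUF 10

/* Constructed from the xxd dump in the report: ":0000000000:" then 0xb0 then "0000000". */
static const unsigned char crash_input[] = {
    ':', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', ':',
    0xb0, '0', '0', '0', '0', '0', '0', '0'
};

/* What `char ch = byte; int c = ch;` yields where char is signed (i386).
   signed char is used explicitly so the result is the same on every platform. */
int sign_extend_byte(unsigned char byte)
{
    return (int) (signed char) byte;
}

/* Bytes the 2.25 format string needs for value c, NUL included.
   snprintf with a zero size only measures and writes nothing. */
int escaped_len(int c)
{
    return snprintf(NULL, 0, "\\%03o", (unsigned int) c) + 1;
}

/* 1 if the 2.25 pattern sprintf (buf, "\\%03o", (unsigned int) c) into
   char buf[IHEX_BUF] would write past the end of buf.  The real code had no
   such check; this demo computes the overflow instead of performing it. */
int vulnerable_overflows(int c)
{
    return escaped_len(c) > IHEX_BUF;
}

/* Hardened form: mask to one byte (so the escape is at most "\377") and
   bound the write.  Returns the formatted string in static storage. */
const char *format_hardened(int c)
{
    static char buf[IHEX_BUF];
    snprintf(buf, sizeof buf, "\\%03o", (unsigned int) c & 0xffu);
    return buf;
}

static int is_hex(unsigned char b)
{
    return (b >= '0' && b <= '9') || (b >= 'a' && b <= 'f') || (b >= 'A' && b <= 'F');
}

/* Simplified stand-in for the scan loop: the first byte that is neither a
   record mark, a line break nor a hex digit is the one handed to the error
   formatter, sign-extended as the 2.25 code path would.  Returns 256 when
   every byte is acceptable (sign-extended values lie in -128..127). */
int first_bad_byte(const unsigned char *p, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        unsigned char b = p[i];
        if (b == ':' || b == '\r' || b == '\n' || is_hex(b))
            continue;
        return sign_extend_byte(b);
    }
    return 256;
}

int main(void)
{
    int c = first_bad_byte(crash_input, sizeof crash_input);
    printf("offending byte as int: %d, escape needs %d bytes, buf has %d -> %s\n",
           c, escaped_len(c), IHEX_BUF,
           vulnerable_overflows(c) ? "OVERFLOW" : "fits");
    printf("hardened output: %s\n", format_hardened(c));
    return 0;
}
```

Running it prints that the byte arrives as -80, that its escape needs 13 bytes against a 10-byte buffer, and that the hardened form emits "\260". The same input byte read as an unsigned value (176) needs only 5 bytes, which is why the mask alone removes the overflow; the snprintf bound is defence in depth for any future change to the format string.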

tags: added: binutils dos size
description: updated
description: updated
summary: - ihex_bad_byte in ihex.c : stack-based buffer overflow
+ Stack-based buffer overflow in ihex_bad_byte function in ihex.c
Francesco Mifsud (gradiusx) wrote :

size size-SBBOF to replicate

Tyler Hicks (tyhicks) wrote :

Marking this bug as public since this was previously discussed in public here: http://www.openwall.com/lists/oss-security/2014/11/03/16

This bug has not been fixed upstream. I'll create an upstream bug and submit a patch.

information type: Private Security → Public Security
Changed in binutils (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
Tyler Hicks (tyhicks) wrote :

I've opened a bug in the upstream tracker: https://sourceware.org/bugzilla/show_bug.cgi?id=18750

Matthias Klose (doko) wrote :

fixed for 16.04

Changed in binutils (Ubuntu):
status: Triaged → Fix Released