https://sourceware.org/bugzilla/show_bug.cgi?id=29101
Bug ID: 29101
Summary: [Bug] User input is not sanitized in libdep_plugin.c and causes trouble on 32-bit machines
Product: binutils
Version: 2.38
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: ld
Assignee: unassigned at sourceware dot org
Reporter: yguoaz at gmail dot com
Target Milestone: ---

In the file ld/libdep_plugin.c, the function get_libdeps has the following code
(link: https://sourceware.org/git/?p=binutils-gdb.git;a=blob;f=ld/libdep_plugin.c;h=5569aa45e360be6321a94fe7f3b2af1caf3fd163;hb=20756b0fbe065a84710aa38f2457563b57546440#l108):

  static enum ld_plugin_status
  get_libdeps (int fd)
  {
    arhdr ah;
    int len;
    ...
    for (;;)
      {
        /* Read one archive member header.  */
        len = read (fd, (void *) &ah, sizeof (ah));
        if (len != sizeof (ah))
          break;
        /* Member size is parsed straight from the untrusted ar_size field.  */
        mlen = strtoul (ah.ar_size, NULL, 10);
        if (!mlen || strncmp (ah.ar_name, LIBDEPS, sizeof (LIBDEPS)-1))
          {
            lseek (fd, mlen, SEEK_CUR);
            continue;
          }
        /* The sum can wrap when mlen is close to ULONG_MAX.  */
        lr = malloc (sizeof (linerec) + mlen);
        ...
      }
  }

where the definition of type arhdr is as follows:

  typedef struct arhdr
  {
    char ar_name[16];
    char ar_date[12];
    char ar_uid[6];
    char ar_gid[6];
    char ar_mode[8];
    char ar_size[10];
    char ar_fmag[2];
  } arhdr;

It is therefore possible to craft the file content so that mlen parses to UINT32_MAX (just manipulate the string content starting at ah.ar_size). This leads to an integer overflow in the calculation of the allocation size, sizeof (linerec) + mlen (assuming a 32-bit environment where unsigned long takes 4 bytes). If this happens, accessing the buffer lr will lead to a buffer overflow in later code.
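The following is an added example, not code from the report or from binutils, showing how a parser of the same ar header layout can validate the ar_size field before it is used in an allocation size. It copies the arhdr struct quoted above; the linerec layout, the make_header/check_size_text helpers and the sample header values are constructed for this example and are not taken from ld. The checks are: copy the 10-byte field into a NUL-terminated buffer (the ar_size field is not NUL-terminated, so strtoul on it directly reads into ar_fmag), reject anything that is not a padded decimal number, reject a member size larger than the bytes remaining in the file, and reject any value for which sizeof (linerec) + mlen would wrap on the current platform.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same layout as the arhdr struct quoted in the report.  */
typedef struct arhdr
{
  char ar_name[16];
  char ar_date[12];
  char ar_uid[6];
  char ar_gid[6];
  char ar_mode[8];
  char ar_size[10];
  char ar_fmag[2];
} arhdr;

/* Stand-in for ld's linerec; only its size matters for the overflow
   check.  Hypothetical layout, not copied from ld.  */
typedef struct linerec
{
  struct linerec *next;
  char *line;
} linerec;

/* Parse the decimal ar_size field safely.  Returns true and stores the
   member size in *out on success.  Returns false if the field is not a
   space-padded decimal number, if the claimed size exceeds `remaining`
   (bytes left in the archive), or if sizeof (linerec) + size would wrap.  */
static bool
safe_member_size (const arhdr *ah, size_t remaining, size_t *out)
{
  char buf[sizeof (ah->ar_size) + 1];
  char *end;
  unsigned long long val;

  /* The field is not NUL-terminated: copy it out before parsing.  */
  memcpy (buf, ah->ar_size, sizeof (ah->ar_size));
  buf[sizeof (ah->ar_size)] = '\0';

  /* Reject signs and other non-digit prefixes; strtoul accepts "-1".  */
  if (buf[0] < '0' || buf[0] > '9')
    return false;

  errno = 0;
  val = strtoull (buf, &end, 10);
  if (errno == ERANGE)
    return false;
  /* Anything after the digits must be the ar format's space padding.  */
  for (; *end != '\0'; end++)
    if (*end != ' ')
      return false;

  /* A member cannot be larger than what is left of the file.  */
  if (val > remaining)
    return false;
  /* Guard the allocation-size arithmetic against wrap-around.  */
  if (val > SIZE_MAX - sizeof (linerec))
    return false;

  *out = (size_t) val;
  return true;
}

/* Build a header carrying the given ar_size text.  Constructed sample,
   not read from a real archive; size_text must be at most 10 bytes.  */
static arhdr
make_header (const char *size_text)
{
  arhdr ah;
  memset (&ah, ' ', sizeof (ah));
  memcpy (ah.ar_name, "sample/", 7);
  memcpy (ah.ar_size, size_text, strlen (size_text));
  memcpy (ah.ar_fmag, "`\n", 2);
  return ah;
}

/* Returns the accepted member size, or (size_t) -1 if the header is
   rejected.  */
static size_t
check_size_text (const char *size_text, size_t remaining)
{
  arhdr ah = make_header (size_text);
  size_t mlen;
  return safe_member_size (&ah, remaining, &mlen) ? mlen : (size_t) -1;
}

int
main (void)
{
  /* A sane 42-byte member in a file with 1000 bytes left: accepted.  */
  printf ("42 -> %zu\n", check_size_text ("42", 1000));
  /* The UINT32_MAX value from the report: rejected by the remaining-bytes
     check, and on a 32-bit build also by the wrap-around check.  */
  printf ("4294967295 -> %zu\n", check_size_text ("4294967295", 1000));
  return 0;
}
```

The remaining-bytes check is the one that matters in practice: a member size that exceeds the file length is wrong regardless of word size, and it catches the oversized value before the platform-dependent wrap-around check is even needed.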