Bug 1911444 (CVE-2020-35496)

Summary: CVE-2020-35496 binutils: NULL pointer dereference in bfd_pef_scan_start_address function in bfd/pef.c
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: adscvr, ailan, dvlasenk, erik-fedora, fweimer, jakub, kaycoth, klember, manisandro, marcandre.lureau, mcermak, mpolacek, mprchlik, nickc, ohudlick, rjones, sipoyare, virt-maint
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: binutils 2.34 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in bfd_pef_scan_start_address() of bfd/pef.c in binutils which could allow an attacker who is able to submit a crafted file to be processed by objdump to cause a NULL pointer dereference. The greatest threat of this flaw is to application availability.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1911445, 1911711, 1911712, 1911713, 1911714    
Bug Blocks: 1908372, 1911446    

Description Guilherme de Almeida Suckevicz 2020-12-29 13:39:10 UTC
GNU Binutils before 2.34 has a NULL pointer dereference in bfd_pef_scan_start_address function in bfd/pef.c due to not checking return value of bfd_malloc. This bug allows attackers to cause a denial of service.

Reference:
https://sourceware.org/bugzilla/show_bug.cgi?id=25308

Comment 1 Guilherme de Almeida Suckevicz 2020-12-29 13:39:30 UTC
Created mingw-binutils tracking bugs for this issue:

Affects: fedora-all [bug 1911445]

Comment 3 Todd Cullum 2020-12-30 20:26:56 UTC
Statement:

binutils as shipped with Red Hat Enterprise Linux 8's GCC Toolset 10 and Red Hat Developer Toolset 10 are not affected by this flaw because the versions shipped have already received the patch.

Comment 5 Todd Cullum 2020-12-30 20:31:35 UTC
Flaw technical summary:

In the `bfd_pef_scan_start_address()` function in bfd/pef.c, `bfd_malloc()` is called and the return pointer is not checked for point to NULL before it is passed to `bfd_read()` which dereferences it. If an attacker is able to cause `bfd_malloc()` to fail/return NULL, they could cause a denial of service. The upstream patch adds a NULL check before calling `bfd_read()`.