An integer overflow was found in objdump, bfd_get_dynamic_reloc_upper_bound and bfd_canonicalize_dynamic_reloc functions of binutils. A local attacker could use this to crash the application or potentially achieve code execution.
Created binutils tracking bugs for this issue:
Affects: fedora-all [bug 1664713]
Created mingw-binutils tracking bugs for this issue:
Affects: epel-all [bug 1664715]
Affects: fedora-all [bug 1664714]
On 32-bit architectures, where the C `long` type is 32 bits in size, the function bfd/elf.c:_bfd_elf_get_dynamic_reloc_upper_bound() has an integer overflow in the way the size necessary to store relocations is computed. A crafted ELF file with particular section header information associated with SHT_REL/SHT_RELA sections may trigger this integer overflow. The size returned by _bfd_elf_get_dynamic_reloc_upper_bound() is then used to allocate a buffer on the heap that is written to in bfd/elf.c:_bfd_elf_canonicalize_dynamic_reloc(), where an out-of-bounds write may happen.
However, the attacker has no control over the written data, because they are the addresses (on the heap) of other data structures.
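The overflow described in the comment above, modelled as an added example that is not binutils' code: a 32-bit size accumulator (standing in for a 32-bit `long`) is fed per-section entry counts derived from constructed sh_size/sh_entsize values, first without and then with an overflow check, the names being assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added model, not bfd's code. The accumulator is 32 bits wide to mirror a
   32-bit `long` in a 32-bit libbfd build; unsigned so the wrap is defined. */
#define PTR_SIZE 4u  /* sizeof (arelent *) in a 32-bit build */

/* Constructed stand-in for the sh_size / sh_entsize of one SHT_REL or
   SHT_RELA section linked to the dynamic symbol table. */
struct dyn_rel_shdr { uint32_t sh_size; uint32_t sh_entsize; };

/* Vulnerable pattern: count * PTR_SIZE and the running sum may wrap, so a
   crafted header yields a tiny bound and the later fill-in overruns it. */
int64_t upper_bound_unchecked(const struct dyn_rel_shdr *s, size_t n)
{
    uint32_t ret = PTR_SIZE;               /* room for the terminating NULL */
    for (size_t i = 0; i < n; i++)
        if (s[i].sh_entsize != 0)
            ret += (s[i].sh_size / s[i].sh_entsize) * PTR_SIZE;
    return (int64_t)ret;
}

/* Hardened pattern: reject a zero entsize and any step that would push the
   bound past what a 32-bit `long` can hold; -1 means "file too big". */
int64_t upper_bound_checked(const struct dyn_rel_shdr *s, size_t n)
{
    uint32_t ret = PTR_SIZE;
    for (size_t i = 0; i < n; i++) {
        if (s[i].sh_entsize == 0)
            return -1;                     /* malformed header */
        uint32_t count = s[i].sh_size / s[i].sh_entsize;
        if (count > ((uint32_t)INT32_MAX - ret) / PTR_SIZE)
            return -1;                     /* ret + count*PTR_SIZE overflows */
        ret += count * PTR_SIZE;
    }
    return (int64_t)ret;
}

int main(void)
{
    /* Constructed crafted header: 0xFFFFFFFC / 4 = 0x3FFFFFFF entries. */
    const struct dyn_rel_shdr crafted[1] = { { 0xFFFFFFFCu, 4u } };
    /* Constructed benign header: 32 Elf32_Rel entries of 8 bytes each. */
    const struct dyn_rel_shdr benign[1] = { { 256u, 8u } };
    printf("unchecked crafted bound: %lld bytes\n", (long long)upper_bound_unchecked(crafted, 1));
    printf("checked crafted bound:   %lld\n", (long long)upper_bound_checked(crafted, 1));
    printf("checked benign bound:    %lld bytes\n", (long long)upper_bound_checked(benign, 1));
    return 0;
}
```

The unchecked sum wraps to 0 for the crafted header, which is exactly the undersized allocation the comment above describes; the checked variant refuses it and still returns 132 for the benign one.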
> On 32-bit architectures, where the C `long` type is 32 bits in size, ...
Actually, it is not necessary to be on 32-bit architectures, but just to use 32-bit compiled binutils libraries (libbfd).
Decreasing the Impact of this flaw to Moderate because of the unlikelihood of running a 32-bit compiled objdump and/or having a compiled binary that uses 32-bit compiled binutils libraries to analyze binaries from an untrusted source.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2019:2075 https://access.redhat.com/errata/RHSA-2019:2075
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):