Bug 1831873 (CVE-2019-12972) - CVE-2019-12972 binutils: out-of-bounds read in setup_group in bfd/elf.c
Summary: CVE-2019-12972 binutils: out-of-bounds read in setup_group in bfd/elf.c
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2019-12972
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1835138 1835139 1835156 1835157 1835158 1835159 1835183 1835184
Blocks: 1831874
TreeView+ depends on / blocked
 
Reported: 2020-05-05 19:40 UTC by Pedro Sampaio
Modified: 2021-10-28 09:53 UTC (History)
17 users (show)

Fixed In Version: binutils 2.33
Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds read was discovered in Binutils while it processes a malformed ELF relocatable file (.o file). A victim user who uses Binutils tools (size, gdb, readelf) to analyze untrusted binaries, may be vulnerable to a denial of service attack.
Clone Of:
Environment:
Last Closed: 2021-10-28 09:53:43 UTC
Embargoed:


Attachments (Terms of Use)

Description Pedro Sampaio 2020-05-05 19:40:20 UTC
An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. There is a heap-based buffer over-read in _bfd_doprnt in bfd.c because elf_object_p in elfcode.h mishandles an e_shstrndx section of type SHT_GROUP by omitting a trailing '\0' character.

Upstream bug:

https://sourceware.org/bugzilla/show_bug.cgi?id=24689

Upstream fix:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=890f750a3b053532a4b839a2dd6243076de12031
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=14b2a8e4244a29208ad430167860a0f01b20f215

Comment 1 Riccardo Schirone 2020-05-12 16:13:19 UTC
The out-of-bounds read happens in setup_group() in elf.c, when called by _bfd_elf_make_section_from_shdr(). This is due to too loose checks in elf_object_p() in elfcode.h, which accepts e_shstrndx pointing to a section that is not SHT_STRTAB.

Comment 3 Riccardo Schirone 2020-05-13 08:36:50 UTC
Statement:

Impact of the flaw set to Low because it is not considered a common use case to analyze and debug untrusted binaries.

Comment 4 Riccardo Schirone 2020-05-13 08:39:45 UTC
Created binutils tracking bugs for this issue:

Affects: fedora-all [bug 1835138]


Created mingw-binutils tracking bugs for this issue:

Affects: fedora-all [bug 1835139]


Note You need to log in before you can comment on or make changes to this bug.