Bug 1911444 (CVE-2020-35496) - CVE-2020-35496 binutils: NULL pointer dereference in bfd_pef_scan_start_address function in bfd/pef.c
Summary: CVE-2020-35496 binutils: NULL pointer dereference in bfd_pef_scan_start_addre...
Keywords:
Status: NEW
Alias: CVE-2020-35496
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1911445 1911711 1911712 1911713 1911714
Blocks: 1908372 1911446
TreeView+ depends on / blocked
 
Reported: 2020-12-29 13:39 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-02-23 16:19 UTC (History)
21 users (show)

Fixed In Version: binutils 2.34
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in bfd_pef_scan_start_address() of bfd/pef.c in binutils which could allow an attacker who is able to submit a crafted file to be processed by objdump to cause a NULL pointer dereference. The greatest threat of this flaw is to application availability.
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)

Description Guilherme de Almeida Suckevicz 2020-12-29 13:39:10 UTC
GNU Binutils before 2.34 has a NULL pointer dereference in bfd_pef_scan_start_address function in bfd/pef.c due to not checking return value of bfd_malloc. This bug allows attackers to cause a denial of service.

Reference:
https://sourceware.org/bugzilla/show_bug.cgi?id=25308

Comment 1 Guilherme de Almeida Suckevicz 2020-12-29 13:39:30 UTC
Created mingw-binutils tracking bugs for this issue:

Affects: fedora-all [bug 1911445]

Comment 3 Todd Cullum 2020-12-30 20:26:56 UTC
Statement:

binutils as shipped with Red Hat Enterprise Linux 8's GCC Toolset 10 and Red Hat Developer Toolset 10 are not affected by this flaw because the versions shipped have already received the patch.

Comment 5 Todd Cullum 2020-12-30 20:31:35 UTC
Flaw technical summary:

In the `bfd_pef_scan_start_address()` function in bfd/pef.c, `bfd_malloc()` is called and the return pointer is not checked for point to NULL before it is passed to `bfd_read()` which dereferences it. If an attacker is able to cause `bfd_malloc()` to fail/return NULL, they could cause a denial of service. The upstream patch adds a NULL check before calling `bfd_read()`.


Note You need to log in before you can comment on or make changes to this bug.