Bug 1739490 (CVE-2019-14250) - CVE-2019-14250 binutils: integer overflow in simple-object-elf.c leads to a heap-based buffer overflow
Keywords:
Status: NEW
Alias: CVE-2019-14250
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1739491 1744192 1744174 1744175 1744176 1744177 1744178 1744179 1744182 1744183
Blocks: 1739492
Reported: 2019-08-09 12:41 UTC by Marian Rehak
Modified: 2019-08-26 18:22 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:



Description Marian Rehak 2019-08-09 12:41:38 UTC
An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.32. simple_object_elf_match in simple-object-elf.c does not check for a zero shstrndx value, leading to an integer overflow and resultant heap-based buffer overflow.

Upstream Issue:

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=90924

Comment 1 Marian Rehak 2019-08-09 12:41:52 UTC
Created binutils tracking bugs for this issue:

Affects: fedora-all [bug 1739491]

Comment 6 Marco Benatto 2019-08-21 13:32:27 UTC
Upstream patch for gcc:

https://gcc.gnu.org/viewcvs/gcc/branches/gcc-8-branch/libiberty/simple-object-elf.c?view=patch&r1=273794&r2=273793&pathrev=273794

Upstream commit for binutils:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=commitdiff;h=f211b8c0b91fc7b1657079a495f05a9a4d957821

In the binutils scenario, the patch synchronizes with gcc mainline, so it includes many more changes than we might expect.
The changelog entry for that in the commit message is:

 * simple-object-elf.c (simple_object_elf_match): Check zero value shstrndx.
            This fixes a Bug 90924.

Comment 10 Marco Benatto 2019-08-21 13:49:52 UTC
Created gcc tracking bugs for this issue:

Affects: fedora-all [bug 1744192]

Comment 12 Marco Benatto 2019-08-21 14:32:31 UTC
Statement:

This issue resides in libiberty code. libiberty is part of the GNU project and contains several utilities distributed by the gcc and binutils packages. This flaw affects binutils versions as shipped with Red Hat Enterprise Linux 5, 6, 7 and 8 and also gcc versions as shipped with Red Hat Enterprise Linux 5, 6, 7 and 8. Versions of gcc shipped with Red Hat Developers Tool Set 7 and 8 are also affected. This flaw was scored with 'Low' security impact for both binutils and gcc packages by the Red Hat Product Security Team.

Comment 13 Marco Benatto 2019-08-21 14:47:40 UTC
When reading ELF files, libiberty parses the ELF structure to load its sections into memory. A crafted ELF file with an invalid Section Header index leads to a buffer overflow at simple_object_elf_find_sections() due to the lack of input validation. The overflow may lead to memory corruption and a further out-of-bounds read, causing DoS.
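
The following is an added example, not part of the bug report and not libiberty's code: a stand-alone check of the section header string table index (`e_shstrndx`) in an ELF64 little-endian header, next to a model of the unchecked arithmetic. The function names are hypothetical, and the model assumes a parser that indexes its section header table with `shstrndx - 1`.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* ELF64 header layout, from the ELF specification. */
enum { EH_SIZE = 64, SHDR_SIZE = 64, OFF_SHOFF = 0x28, OFF_SHENTSIZE = 0x3A,
       OFF_SHNUM = 0x3C, OFF_SHSTRNDX = 0x3E, SHN_LORESERVE = 0xff00 };

static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint64_t rd64(const unsigned char *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}

/* Assumed model of the unchecked path: with shstrndx == 0 the unsigned
   subtraction wraps, so the offset lands far outside any real table. */
size_t unchecked_offset(unsigned int shstrndx, size_t entsz)
{
    return (shstrndx - 1) * entsz;
}

/* Hypothetical validator: NULL when e_shstrndx is safe to use, else the reason. */
const char *check_shstrndx(const unsigned char *buf, size_t len)
{
    if (len < EH_SIZE || memcmp(buf, "\177ELF", 4) != 0) return "not an ELF file";
    if (buf[4] != 2 || buf[5] != 1) return "not ELF64 little-endian";
    uint64_t shoff = rd64(buf + OFF_SHOFF);
    uint16_t entsz = rd16(buf + OFF_SHENTSIZE);
    uint16_t shnum = rd16(buf + OFF_SHNUM);
    uint16_t strndx = rd16(buf + OFF_SHSTRNDX);

    if (strndx == 0) return "shstrndx == 0";          /* the check the report says was missing */
    if (strndx >= SHN_LORESERVE) return "reserved shstrndx"; /* extended indices not handled here */
    if (strndx >= shnum) return "shstrndx >= shnum";
    if (entsz < SHDR_SIZE) return "shentsize too small";
    if (shoff > len || (uint64_t)shnum * entsz > len - shoff)
        return "section header table outside file";
    return NULL;
}

/* Constructed sample input: a zero-filled file holding a header and room for 8 section headers. */
const char *check_constructed(uint16_t shnum, uint16_t strndx)
{
    unsigned char f[EH_SIZE + 8 * SHDR_SIZE] = { 0x7f, 'E', 'L', 'F', 2, 1, 1 };
    f[OFF_SHOFF] = EH_SIZE;            /* table starts right after the header */
    f[OFF_SHENTSIZE] = SHDR_SIZE;
    f[OFF_SHNUM] = (unsigned char)shnum;     f[OFF_SHNUM + 1] = (unsigned char)(shnum >> 8);
    f[OFF_SHSTRNDX] = (unsigned char)strndx; f[OFF_SHSTRNDX + 1] = (unsigned char)(strndx >> 8);
    return check_shstrndx(f, sizeof f);
}
```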

