Bug 1680669 (CVE-2019-9075) - CVE-2019-9075 binutils: heap-based buffer overflow in function _bfd_archive_64_bit_slurp_armap in archive64.c
Summary: CVE-2019-9075 binutils: heap-based buffer overflow in function _bfd_archive_6...
Keywords:
Status: NEW
Alias: CVE-2019-9075
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1680670 1691070 1691071
Blocks: 1680680
 
Reported: 2019-02-25 13:47 UTC by Dhananjay Arunesh
Modified: 2019-09-29 15:08 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:



Description Dhananjay Arunesh 2019-02-25 13:47:22 UTC
An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is a heap-based buffer overflow in _bfd_archive_64_bit_slurp_armap in archive64.c.

Reference:
https://sourceware.org/bugzilla/show_bug.cgi?id=24236

Comment 1 Dhananjay Arunesh 2019-02-25 13:48:19 UTC
Created binutils tracking bugs for this issue:

Affects: fedora-all [bug 1680670]

Comment 2 Scott Gayou 2019-03-20 19:17:08 UTC
```
==6814== Memcheck, a memory error detector
==6814== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==6814== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
==6814== Command: size poc
==6814== 
==6814== Invalid write of size 1
==6814==    at 0x4F27D5C: _bfd_archive_64_bit_slurp_armap (archive64.c:126)
==6814==    by 0x4E884A7: bfd_slurp_armap (archive.c:1156)
==6814==    by 0x4E88174: bfd_generic_archive_p (archive.c:864)
==6814==    by 0x4E8F924: bfd_check_format_matches (format.c:352)
==6814==    by 0x10AFA2: display_file (size.c:403)
==6814==    by 0x10A3F5: main (size.c:240)
==6814==  Address 0x5773328 is 0 bytes after a block of size 4,472 alloc'd
==6814==    at 0x4C30E8B: malloc (vg_replace_malloc.c:309)
==6814==    by 0x4F3DD21: _objalloc_alloc (objalloc.c:143)
==6814==    by 0x4E970DD: bfd_alloc (opncls.c:949)
==6814==    by 0x4E975CC: bfd_zalloc (opncls.c:998)
==6814==    by 0x4F27C9F: _bfd_archive_64_bit_slurp_armap (archive64.c:98)
==6814==    by 0x4E884A7: bfd_slurp_armap (archive.c:1156)
==6814==    by 0x4E88174: bfd_generic_archive_p (archive.c:864)
==6814==    by 0x4E8F924: bfd_check_format_matches (format.c:352)
==6814==    by 0x10AFA2: display_file (size.c:403)
==6814==    by 0x10A3F5: main (size.c:240)
==6814== 
==6814== 
==6814== HEAP SUMMARY:
==6814==     in use at exit: 0 bytes in 0 blocks
==6814==   total heap usage: 90 allocs, 90 frees, 31,320 bytes allocated
==6814== 
==6814== All heap blocks were freed -- no leaks are possible
==6814== 
==6814== For counts of detected and suppressed errors, rerun with: -v
==6814== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
```

and

```
size poc
double free or corruption (!prev)
Aborted (core dumped)
```
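The Valgrind report in Comment 2 pins the fault to a one-byte write that lands exactly at the end of a block handed out by bfd_zalloc from _bfd_archive_64_bit_slurp_armap, i.e. after the 64-bit symbol index ("/SYM64/" member) has been read and its name table walked. The block below is an added illustrative model written for this page, not binutils' code and not the reporter's PoC: it assumes a straightforward reading of the /SYM64/ layout (big-endian u64 symbol count, that many big-endian u64 member offsets, then a string table of NUL-terminated names filling the remainder of the member) and assumes that names are walked with strlen() in a copy sized stringsize + 1, with a NUL written where the walk ends. On that model it shows why a count that exceeds the names actually present drives the final write one byte past the buffer, and sets a hardened walk beside it that reconciles the count with the member size and never steps past a sentinel. The sample members are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative model, not binutils' code: "/SYM64/" body = big-endian u64
   count, count x big-endian u64 member offsets, then NUL-terminated names
   filling the rest of the member (parsed_size bytes in total).  Assumed
   parsing step: names are walked with strlen() in a copy of the string
   table sized stringsize + 1, and a NUL is written where the walk ends. */

typedef struct { uint64_t offset; const char *name; } armap_entry;

static uint64_t get_be64(const unsigned char *p)
{
    uint64_t v = 0;
    for (int i = 0; i < 8; i++) v = (v << 8) | p[i];
    return v;
}

/* Reconcile the header count with the member size: returns 0 unless
   8 * nsyms + 8 fits in parsed_size, so stringsize can never wrap. */
static int armap_sizes(const unsigned char *body, size_t parsed_size,
                       uint64_t *nsyms, size_t *stringsize)
{
    if (parsed_size < 8) return 0;
    uint64_t n = get_be64(body);
    if (n > (parsed_size - 8) / 8) return 0;   /* also keeps 8 * n from overflowing */
    *nsyms = n;
    *stringsize = parsed_size - 8 - (size_t)n * 8;
    return 1;
}

/* The unsafe walk: trust the count, step strlen()+1 per symbol, write a NUL
   where the walk stops.  Run here on a zero-filled copy with 64 bytes of
   slack so the overrun is measurable instead of undefined behaviour.
   Returns the offset of that final NUL write from the start of the string
   table; stringsize + 1 or more means it lands past the real buffer. */
static size_t unchecked_walk_end(const unsigned char *body, size_t parsed_size)
{
    uint64_t nsyms; size_t stringsize;
    if (!armap_sizes(body, parsed_size, &nsyms, &stringsize)) return (size_t)-1;
    enum { SLACK = 64 };
    char *buf = calloc(stringsize + 1 + SLACK, 1);
    if (buf == NULL) return (size_t)-1;
    memcpy(buf, body + 8 + (size_t)nsyms * 8, stringsize);
    char *p = buf, *limit = buf + stringsize + SLACK;
    for (uint64_t i = 0; i < nsyms && p < limit; i++)
        p += strlen(p) + 1;               /* never compared against the table end */
    size_t end = (size_t)(p - buf);
    free(buf);
    return end;
}

/* Hardened walk: write the sentinel first, never step past it, and treat a
   count larger than the names present as malformed.  Names point into
   *strtab_out (caller frees).  Returns the symbol count or -1. */
static long parse_armap64(const unsigned char *body, size_t parsed_size,
                          armap_entry *entries, size_t max_entries, char **strtab_out)
{
    uint64_t nsyms; size_t stringsize;
    if (!armap_sizes(body, parsed_size, &nsyms, &stringsize) || nsyms > max_entries)
        return -1;
    char *strtab = malloc(stringsize + 1);
    if (strtab == NULL) return -1;
    memcpy(strtab, body + 8 + (size_t)nsyms * 8, stringsize);
    char *p = strtab, *stringend = strtab + stringsize;
    *stringend = '\0';                    /* sentinel, inside the allocation */
    for (uint64_t i = 0; i < nsyms; i++) {
        if (p >= stringend) { free(strtab); return -1; }   /* more symbols than names */
        entries[i].offset = get_be64(body + 8 + i * 8);
        entries[i].name = p;
        p += strlen(p);                   /* stops at a name's NUL or the sentinel */
        if (p != stringend) p++;
    }
    *strtab_out = strtab;
    return (long)nsyms;
}

/* Constructed sample members (not taken from any real archive or PoC). */
static const unsigned char GOOD_ARMAP[] = {
    0,0,0,0,0,0,0,2,                        /* nsyms = 2 */
    0,0,0,0,0,0,0,8,  0,0,0,0,0,0,0,120,    /* member offsets */
    'f','o','o',0,  'b','a','r',0           /* 8-byte string table */
};
static const unsigned char BAD_ARMAP[] = {  /* count claims 3, only 2 names */
    0,0,0,0,0,0,0,3,
    0,0,0,0,0,0,0,8,  0,0,0,0,0,0,0,120,  0,0,0,0,0,0,0,200,
    'f','o','o',0,  'b','a','r',0
};

int main(void)
{
    armap_entry e[4]; char *strtab = NULL; uint64_t n; size_t ss;
    long got = parse_armap64(GOOD_ARMAP, sizeof GOOD_ARMAP, e, 4, &strtab);
    printf("good: %ld symbols, first %s at %llu\n", got, e[0].name,
           (unsigned long long)e[0].offset);
    free(strtab);
    armap_sizes(BAD_ARMAP, sizeof BAD_ARMAP, &n, &ss);
    printf("bad: hardened parse -> %ld; unchecked walk writes its NUL at offset %zu "
           "of a %zu-byte buffer\n", parse_armap64(BAD_ARMAP, sizeof BAD_ARMAP, e, 4, &strtab),
           unchecked_walk_end(BAD_ARMAP, sizeof BAD_ARMAP), ss + 1);
    return 0;
}
```

For the malformed sample the unchecked walk ends at offset 9 of a 9-byte table buffer, which is the "0 bytes after a block" shape Memcheck reports in the trace; the hardened parse rejects the same bytes before any write happens. Two checks carry the example: the count is validated against the member size before any size arithmetic, and the name loop compares against the sentinel on every step instead of trusting the count.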

