Bug 1911437 (CVE-2020-35493) - CVE-2020-35493 binutils: heap-based buffer overflow in bfd_pef_parse_function_stubs function in bfd/pef.c via crafted PEF file
Summary: CVE-2020-35493 binutils: heap-based buffer overflow in bfd_pef_parse_function...
Status: NEW
Alias: CVE-2020-35493
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Nobody
QA Contact:
Depends On: 1911438 1911507 1911508 1911510 1911511 1912249 1912250 1912251 1912252
Blocks: 1908372 1911446
Reported: 2020-12-29 13:21 UTC by Guilherme de Almeida Suckevicz
Modified: 2023-07-09 12:57 UTC (History)

Fixed In Version: binutils 2.34
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Binutils in bfd/pef.c. This flaw allows an attacker who can submit a crafted PEF file to be parsed by objdump to cause a heap buffer overflow, leading to an out-of-bounds read. The highest threat from this vulnerability is to system availability.
Clone Of:
Last Closed:


Description Guilherme de Almeida Suckevicz 2020-12-29 13:21:16 UTC
Objdump of GNU Binutils before 2.34 has a heap-buffer-overflow in function bfd_pef_parse_function_stubs (file bfd/pef.c) which could allow attackers to cause a denial of service or unspecified impact.


Comment 1 Guilherme de Almeida Suckevicz 2020-12-29 13:21:34 UTC
Created mingw-binutils tracking bugs for this issue:

Affects: fedora-all [bug 1911438]

Comment 5 Todd Cullum 2020-12-30 00:38:52 UTC
Flaw technical summary:

This flaw is caused by an improper length check followed by a call to `bfd_pef_parse_function_stub()` in `bfd_pef_parse_function_stubs()` of bfd/pef.c. There's a length check for `if ((codepos + 4) > codelen)`, but the subsequent call to `bfd_pef_parse_function_stub()` passes in length 24, which could read past the end of the `codebuf` buffer.
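An added illustration of the check-versus-read mismatch described in this comment (example code written for this page, not taken from bfd/pef.c); the function names, the 4-byte scan step and the 32-byte sample buffer length are assumptions chosen to make the arithmetic visible:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Length handed to the stub parser, as stated in the comment above. */
#define STUB_LEN 24u

typedef int (*bounds_check_fn)(size_t codepos, size_t codelen);

/* Weak check modelled on the one described: only verifies that the
   4-byte word at codepos fits, although STUB_LEN bytes are read next.
   As an unsigned add it also wraps for very large codepos values. */
static int weak_check(size_t codepos, size_t codelen)
{
    return (codepos + 4) <= codelen;
}

/* Hardened check: requires the full STUB_LEN bytes the parser will
   consume to lie inside the buffer, written as a subtraction so the
   comparison cannot wrap around. */
static int hardened_check(size_t codepos, size_t codelen)
{
    return codepos <= codelen && (codelen - codepos) >= STUB_LEN;
}

/* Hypothetical scan loop: walk codepos over a buffer of codelen bytes in
   4-byte steps, apply the given check, and count how many of the
   accepted positions would make a STUB_LEN-byte read run past codelen.
   A non-zero result is exactly the heap over-read the advisory describes. */
static unsigned count_oob_stub_reads(size_t codelen, bounds_check_fn check)
{
    unsigned oob = 0;
    for (size_t codepos = 0; codepos < codelen; codepos += 4) {
        if (!check(codepos, codelen))
            continue;                      /* stub rejected, nothing read */
        if (codepos + STUB_LEN > codelen)
            oob++;                         /* parser would read out of bounds */
    }
    return oob;
}

int main(void)
{
    size_t codelen = 32;                   /* constructed sample size */
    printf("weak check:     %u out-of-bounds stub reads\n",
           count_oob_stub_reads(codelen, weak_check));
    printf("hardened check: %u out-of-bounds stub reads\n",
           count_oob_stub_reads(codelen, hardened_check));
    return 0;
}
```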

Comment 11 RaTasha Tillery-Smith 2021-02-22 18:50:20 UTC

Binutils as shipped with Red Hat Enterprise Linux 8's GCC Toolset 10 and Red Hat Developer Toolset 10 are not affected by this flaw because the versions shipped have already received the patch.
