1911439 – (CVE-2020-35494) CVE-2020-35494 binutils: usage of unitialized heap in tic4x_print_cond function in opcodes/tic4x-dis.c

Bug 1911439 (CVE-2020-35494) - CVE-2020-35494 binutils: usage of unitialized heap in tic4x_print_cond function in opcodes/tic4x-dis.c

Summary: CVE-2020-35494 binutils: usage of unitialized heap in tic4x_print_cond functi...

Keywords:
Status:	NEW
Alias:	CVE-2020-35494
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1911440 1911518 1911519 1911520 1911521 1912254 1912255 1912256 1912257 1912258 1912259 1912260 1912261 1912262 1912263 1912264 1912265 1912266 1912267 1912268 1912269 1912270 1912271 1912272 1912273 1912274 1912275 1912276 1912278 1912279 1912280 1912281 1912282 1912283 1912284 1912285 1912286 1912287 1912288 1912289 1912290 1912291 1912292
Blocks:	1908372 1911446
TreeView+	depends on / blocked

Reported:	2020-12-29 13:28 UTC by Guilherme de Almeida Suckevicz
Modified:	2023-07-09 12:57 UTC (History)
CC List:	22 users (show)
Fixed In Version:	binutils 2.34
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in binutils. An attacker who is able to submit a crafted input file to be processed by binutils could cause usage of uninitialized memory. The highest threat is to application availability with a lower threat to data confidentiality.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Guilherme de Almeida Suckevicz 2020-12-29 13:28:49 UTC

GNU Binutils before 2.34 has an uninitialized-heap vulnerability in function tic4x_print_cond (file opcodes/tic4x-dis.c) which could allow attackers to make an information leak.

Reference:
https://sourceware.org/bugzilla/show_bug.cgi?id=25319

Comment 1 Guilherme de Almeida Suckevicz 2020-12-29 13:29:10 UTC

Created mingw-binutils tracking bugs for this issue:

Affects: fedora-all [bug 1911440]

Comment 3 Todd Cullum 2020-12-30 00:15:17 UTC

Statement:

binutils as shipped with Red Hat Enterprise Linux 8's GCC Toolset 10 and Red Hat Developer Toolset 10 are not affected by this flaw because the versions shipped have already received the patch.

Comment 4 Todd Cullum 2020-12-30 00:26:13 UTC

Flaw technical summary:

In routine tic4x_print_cond() of opcodes/tic4x-dis.c, xmalloc() is called to allocate 32 bytes, 20 of which are initialized. It is possible for the uninitialized bytes to be reached in a subsequent call to `(*info->fprintf_func)`. This could cause a crash or print the uninitialized data. The upstream patch addresses this flaw by replacing the call to xmalloc() with xcalloc(), which 0-initializes all of the bytes upon allocation.

Comment 6 Todd Cullum 2020-12-30 20:45:31 UTC

Upstream commit: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=2c5b6e1a1c406cbe06e2d6f77861764ebd01b9ce

Note You need to log in before you can comment on or make changes to this bug.

adscvr
ailan
cmoore
dvlasenk
erik-fedora
fweimer
gmccullo
jakub
kaycoth
klember
kwalsh
manisandro
marcandre.lureau
mcermak
mpolacek
mprchlik
nickc
ohudlick
rjones
sadams
sipoyare
virt-maint