[Bug binutils/24958] New: Buffer over read in print_insn_mmix
From: p.antoine at catenacyber dot fr
Subject: [Bug binutils/24958] New: Buffer over read in print_insn_mmix
Date: Mon, 02 Sep 2019 18:46:44 +0000
https://sourceware.org/bugzilla/show_bug.cgi?id=24958
Bug ID: 24958
Summary: Buffer over read in print_insn_mmix
Product: binutils
Version: 2.33 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: p.antoine at catenacyber dot fr
Target Milestone: ---
Binutils is the version from commit 217d2eaa69c2a5d58cdfd11619c4f2e41c986826.
I have been fuzzing the binutils disassembler; you can find the fuzz target here:
https://github.com/google/oss-fuzz/pull/2617
The bug is a buffer over-read of the array `spec_reg_name` of struct mmix_dis_info: `const char *spec_reg_name[32];`
In `print_insn_mmix`, we first have
```c
x = buffer[1];
y = buffer[2];
z = buffer[3];
```
Then, with no further check on these values, we use them as an index into `spec_reg_name`.
For instance:
```c
(*info->fprintf_func) (info->stream, "%s,%d", minfop->spec_reg_name[x], z);
```
There are three such lines of code.
A patch could be to check `if (x >= 32)` and error out in this case before calling `(*info->fprintf_func)`.
A reproducer can be made with:
```c
/* bfd_byte is unsigned char; a brace list cannot be assigned directly,
   so the input bytes go in a named array. */
unsigned char input[4] = {0xf7, 0x25, 0x00, 0x00};
disasm_info.arch = 0x49;
disasm_info.mach = 0;
disasm_info.flavour = 0;
disasm_info.buffer = input;
disasm_info.buffer_length = 4;
```
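The following is an added, self-contained model of the lookup described in this report and of the bounds check the reporter proposes; it is not binutils code and it does not reproduce the real MMIX special-register names (the 32-entry table here is constructed, as are the two 4-byte input words). It shows that the reporter's input word, with `buffer[1] == 0x25` (37), is rejected by the checked lookup before anything is formatted, while an in-range index still produces the expected "name,z" operand string.

```c
/* Added example (not binutils code): models the spec_reg_name[x] lookup
   from the report and the "x >= 32 -> error" check proposed as a fix. */
#include <stdio.h>
#include <string.h>

#define SPEC_REG_COUNT 32

/* Constructed stand-in for mmix_dis_info.spec_reg_name; the real
   register names are not reproduced here. */
static const char *spec_reg_name[SPEC_REG_COUNT] = {
    "r0",  "r1",  "r2",  "r3",  "r4",  "r5",  "r6",  "r7",
    "r8",  "r9",  "r10", "r11", "r12", "r13", "r14", "r15",
    "r16", "r17", "r18", "r19", "r20", "r21", "r22", "r23",
    "r24", "r25", "r26", "r27", "r28", "r29", "r30", "r31"
};

/* The pattern the report describes: the index comes straight from an
   instruction byte, so any value >= 32 reads past the table.
   Shown for comparison only; never called on untrusted input here. */
const char *spec_reg_unchecked(unsigned int idx)
{
    return spec_reg_name[idx];
}

/* Hardened lookup: NULL for an out-of-range index, so the caller can
   report an error instead of printing whatever lies past the array. */
const char *spec_reg_checked(unsigned int idx)
{
    if (idx >= SPEC_REG_COUNT)
        return NULL;
    return spec_reg_name[idx];
}

/* Decode one 4-byte word as in the report (x = buffer[1], z = buffer[3])
   and format "<special register>,<z>" into out.  Returns the number of
   characters written, or -1 when the buffer is short or x is out of
   range; y is read for symmetry with the report but not used. */
int format_put_operands(const unsigned char *buffer, size_t len,
                        char *out, size_t outlen)
{
    unsigned int x, y, z;
    const char *name;

    if (len < 4)
        return -1;
    x = buffer[1];
    y = buffer[2];
    z = buffer[3];
    (void)y;

    name = spec_reg_checked(x);
    if (name == NULL)
        return -1;                       /* the check the report asks for */
    return snprintf(out, outlen, "%s,%u", name, z);
}

/* Constructed inputs: the reporter's word (x = 0x25 = 37, out of range)
   and a well-formed word (x = 3, z = 5). */
static const unsigned char crash_word[4] = { 0xf7, 0x25, 0x00, 0x00 };
static const unsigned char valid_word[4] = { 0xf7, 0x03, 0x00, 0x05 };

/* 1 when the reporter's input is refused instead of indexing the table. */
int reproducer_is_rejected(void)
{
    char out[32];
    return format_put_operands(crash_word, sizeof crash_word,
                               out, sizeof out) == -1;
}

/* 1 when an in-range word still formats as "r3,5". */
int valid_word_formats_ok(void)
{
    char out[32];
    int n = format_put_operands(valid_word, sizeof valid_word,
                                out, sizeof out);
    return n == 4 && strcmp(out, "r3,5") == 0;
}

int main(void)
{
    char out[32];

    printf("reporter's word rejected: %d\n", reproducer_is_rejected());
    if (format_put_operands(valid_word, sizeof valid_word,
                            out, sizeof out) > 0)
        printf("valid word formats as: %s\n", out);
    return 0;
}
```

The same check applies to each of the three call sites the report mentions, whichever of x, y or z is used as the index; a fuzzer will find the unchecked one as long as one remains.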