Xilinx / bootgen

bootgen source code

Invalid read of a malformed .bif triggers a crash #4

Closed (geeknik closed this 3 years ago)

geeknik commented 4 years ago

echo "IA==" | base64 -d > test0000
./bootgen -image test0000

****** Xilinx Bootgen v2020.1
  **** Build date : Jul 15 2020-15:10:01
    ** Copyright 1986-2020 Xilinx, Inc. All Rights Reserved.

AddressSanitizer:DEADLYSIGNAL
=================================================================
==30623==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000004d0 (pc 0x000000523748 bp 0x7fffffffd470 sp 0x7fffffffd3a0 T0)
==30623==The signal is caused by a READ memory access.
==30623==Hint: address points to the zero page.
    #0 0x523748 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::basic_string(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/basic_string.h
    #1 0x523748 in BifOptions::GetGroupName[abi:cxx11]() /root/bootgen/bifoptions.cpp:381:12
    #2 0x4c849b in BootImage::BootImage(Options&) /root/bootgen/bootimage.cpp:220:24
    #3 0x4c0b03 in ZynqBootImage::ZynqBootImage(Options&) /root/bootgen/bootimage-zynq.cpp:37:50
    #4 0x4c0b03 in BIF_File::Process(Options&) /root/bootgen/bootimage.cpp:88:29
    #5 0x4bb1f2 in BootGenApp::Run(int, char const**) /root/bootgen/main.cpp:78:17
    #6 0x4b993d in main /root/bootgen/main.cpp:91:13
    #7 0x7ffff765909a in __libc_start_main /build/glibc-vjB4T1/glibc-2.28/csu/../csu/libc-start.c:308:16
    #8 0x307c59 in _start (/root/bootgen/bootgen+0x307c59)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/basic_string.h in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::basic_string(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)
==30623==ABORTING
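
The fault address in the report (0x4d0, which ASan notes lies in the zero page) is the shape of a member read through a null object pointer: GetGroupName() copy-constructs a std::string from a member, and the copy reads at null plus the member's offset. The following is an added example, not bootgen's code; BifOptionsLike, ParseBif and GroupNameChecked are hypothetical stand-ins that assume the parser yields no options object for a .bif with no image group, which is what the single-space input from the report would be. It shows the unguarded call for contrast and the hardened version, which turns the malformed input into a reported error instead of a crash.

```cpp
#include <cctype>
#include <cstdio>
#include <memory>
#include <stdexcept>
#include <string>

// Hypothetical stand-in for an options object whose group name is a std::string member.
struct BifOptionsLike {
    std::string groupName;
    // Copy-constructs a std::string from the member. Called through a null
    // BifOptionsLike*, the copy reads at nullptr + offset of groupName: a small
    // zero-page address, matching the kind of SEGV the ASan report shows.
    std::string GetGroupName() const { return groupName; }
};

// Hypothetical minimal .bif reader: the group name is the identifier that
// precedes the first ':'. Returns nullptr when there is none, e.g. for the
// single-space file produced by `echo "IA==" | base64 -d`.
std::unique_ptr<BifOptionsLike> ParseBif(const std::string& contents) {
    size_t i = 0;
    auto space = [&](size_t k) { return std::isspace(static_cast<unsigned char>(contents[k])) != 0; };
    auto ident = [&](size_t k) {
        unsigned char c = static_cast<unsigned char>(contents[k]);
        return std::isalnum(c) != 0 || c == '_';
    };
    while (i < contents.size() && space(i)) ++i;          // leading whitespace
    size_t start = i;
    while (i < contents.size() && ident(i)) ++i;          // identifier characters
    std::string name = contents.substr(start, i - start);
    while (i < contents.size() && space(i)) ++i;          // whitespace before ':'
    if (name.empty() || i >= contents.size() || contents[i] != ':') return nullptr;
    auto opts = std::make_unique<BifOptionsLike>();
    opts->groupName = name;
    return opts;
}

// Unguarded use, the pattern the trace points at: the caller assumes an options
// object always exists. Undefined behaviour when opts is null; shown for contrast
// only and never called on untrusted input here.
std::string GroupNameUnchecked(const BifOptionsLike* opts) {
    return opts->GetGroupName();
}

// Hardened use: a malformed .bif is an input error, so fail closed with a
// diagnostic the caller can surface rather than dereferencing a null pointer.
std::string GroupNameChecked(const std::string& bifContents) {
    std::unique_ptr<BifOptionsLike> opts = ParseBif(bifContents);
    if (!opts) throw std::runtime_error("malformed .bif: no image group found");
    return opts->GetGroupName();
}

// True when the input is rejected with an error instead of reaching the member read.
bool RejectsMalformedBif(const std::string& bifContents) {
    try {
        (void)GroupNameChecked(bifContents);
        return false;
    } catch (const std::runtime_error&) {
        return true;
    }
}

int main() {
    // Constructed sample inputs: a well-formed group header and the report's single space.
    const std::string good = "the_ROM_image:\n{\n  [bootloader] fsbl.elf\n}\n";
    const std::string bad = " ";
    std::printf("group name: %s\n", GroupNameChecked(good).c_str());
    std::printf("single-space file rejected: %s\n", RejectsMalformedBif(bad) ? "yes" : "no");
    return 0;
}
```

The check belongs at the boundary where the parsed object is first consumed, so every later member access (the BootImage constructor in the trace, for instance) can rely on a non-null pointer rather than re-checking.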

RamyaDarapuneni commented 4 years ago

Thanks for reporting!!! We will check on it and make sure to fix it in the next release.

w3x10e8 commented 3 years ago

@RamyaDarapuneni Does exploiting the binary with a malformed bif come in scope of the h1 bug bounty?

sadanandmutyala commented 3 years ago

> @RamyaDarapuneni Does exploiting the binary with a malformed bif come in scope of the h1 bug bounty?

@w3x10e8, a malformed bif is not in scope. Please refer to https://hackerone.com/xilinx_bbp?type=team