At the end of 2022, a security issue surfaced in the GNU Binutils project, particularly with the addr2line utility—a handy tool for converting memory addresses into file names and line numbers. The issue, assigned as CVE-2022-47673, is a set of out-of-bounds reads in the parse_module function, prior to version 2.39.3. This flaw can be triggered by a specially crafted input file, leading to a potential Denial of Service (DoS) or other unintended impacts. If you use Binutils tools for analyzing binaries, this is something you should know and fix.
What is Binutils addr2line?
- Binutils is a set of binary tools common in UNIX/Linux development environments.
- addr2line translates program addresses (from crash logs, stack traces, etc.) into readable file names and line numbers.
The Vulnerability (CVE-2022-47673)
- The issue is specifically with the implementation in the file addr2line.c, function named parse_module.
The program crashing (Denial of Service).
- Potential other, less defined impacts (memory leakage, or perhaps exploitation if combined with other bugs).
Technical Details
Let’s highlight the core problem with a simplified code snippet inspired by the patch and upstream commit discussions.
Vulnerable Code Pattern
// Pseudo-code for parse_module before fix
void parse_module(const char *module) {
char buf[256];
// Assume module argument comes from user input and is not verified.
strcpy(buf, module); // Potential for overflow or reading too much.
// ... parsing logic ...
}
Lacking correct bounds checking, user-controlled input allows out-of-bounds access.
### Patch/Fix (From Binutils 2.39.3+)
The fix essentially adds strict length checks before doing any access
// After the fix
void parse_module(const char *module) {
char buf[256];
if (strlen(module) >= sizeof(buf)) {
// Error handling: module string too big
return;
}
strcpy(buf, module);
// ... safer parsing logic ...
}
Proof-of-Concept (PoC): Crashing addr2line
You can create a malformed ELF file to trigger the bug. Even without deep fuzzing techniques, a crafted input string or corrupted ELF data can crash vulnerable addr2line. Here’s a basic idea in pseudo-steps.
PoC Script (Using Python)
*Note: This simple demo may crash an old addr2line, but patch yours first to avoid accidents.*
# Generate a minimal malformed ELF (this does not produce a working binary,
# but will suffice to show the effect; for real fuzzing, mutate real ELF files!)
with open("malicious.elf", "wb") as f:
f.write(b'\x7fELF' + b'\x00' * 100 + b'A' * 500) # Overlong data section
Then run
addr2line -e malicious.elf x401000
If your addr2line is vulnerable and unpatched, there’s a good chance it will crash or hang.
How Was It Found?
The Binutils team and external security researchers routinely fuzz file handlers, especially those that process untrusted binaries. The bug was caught by feeding large, malformed binaries or deeply nested debug info to addr2line under memory/error checking tools like AddressSanitizer (ASAN). The out-of-bounds read was confirmed and the specific function traced.
DoS: Most likely, the main impact is that a bad input file can crash addr2line.
- Security Context: In most build systems, addr2line is NOT used on untrusted files, but “malicious log” or “reproducible bug” scenarios exist.
Fix & Remediation
- Patch / Update Binutils:
Upgrade to Binutils 2.39.3 or later.
Download: https://ftp.gnu.org/gnu/binutils/
Distributions:
- Ubuntu: USN-6187-1
- Debian: DSA-5465-1
- Red Hat: Bug 2158246
Upstream Commit:
References
- CVE Record: CVE-2022-47673
- Binutils Official Site
- Ubuntu USN-6187-1
- Debian DSA-5465-1
- Red Hat Bug 2158246
- Upstream Fix Commit
Conclusion
- If you run or distribute Binutils—especially addr2line—make sure you’re running at least 2.39.3.
Never process untrusted binaries with debugging tools, and keep your toolchains up to date.
- While CVE-2022-47673 is unlikely to allow direct code execution, careless handling could still lead to trouble in developer or CI environments.
Timeline
Published on: 08/22/2023 19:16:00 UTC
Last modified on: 08/26/2023 02:14:00 UTC