Describe the bug
There is a buffer overflow in the native Windows PDB.exe binary due to an unchecked call to strncpy in pdb/cpp/util.cpp
To Reproduce
Steps to reproduce the behavior:
pdb.exe binary in the debugger of your choice with the following arguments: fakefilename.pdb AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA- 0
Expected behavior
An error to be thrown if the string to be copied is larger than the stack buffer size (256).
Environment (please complete the following information):
Additional context
I was not going to submit this originally because I don't believe it to be actually exploitable, but I figured that somebody else should decide on that.
I don't think this is exploitable through loading a malicious pdb into Ghidra, as the GUID and signature are stored as the GUID and int types respectively before being passed to pdb.exe, effectively limiting their values, lengths, and formats.
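The fix the report asks for (an error when the argument does not fit the 256-byte stack buffer, instead of a copy that runs past it) can be shown in isolation. The following is an added example, not code from the Ghidra pdb.exe sources: the exact strncpy call in pdb/cpp/util.cpp is not quoted in the issue, so the "before" pattern in the comment is a hypothetical reconstruction of the bug class, and the function names, the 256-byte size constant and the constructed test inputs are all assumptions made here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed stack buffer size, taken from the "(256)" in the report. */
#define ARG_BUF_SIZE 256

/*
 * Hypothetical reconstruction of the bug class described in the issue:
 * a bounded copy whose bound is derived from the source rather than the
 * destination, so a long command-line argument writes past buf[].
 *
 *     char buf[ARG_BUF_SIZE];
 *     strncpy(buf, arg, strlen(arg));   // bound from source: overflow
 *
 * Even strncpy(buf, arg, sizeof buf) is not enough on its own: when the
 * source is at least sizeof buf long, strncpy does not NUL-terminate,
 * and a later strlen/printf on buf reads off the end.
 */

/*
 * Hardened copy: succeed only if src, including its terminating NUL,
 * fits entirely in dst. Uses memchr so it never scans beyond dst_size
 * bytes of src. Returns 0 on success, -1 if the input is rejected.
 */
int copy_arg_checked(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;

    /* Look for the NUL within the first dst_size bytes only. */
    const char *nul = memchr(src, '\0', dst_size);
    if (nul == NULL)
        return -1;                 /* too long for the buffer: refuse */

    size_t len = (size_t)(nul - src);   /* len <= dst_size - 1 */
    memcpy(dst, src, len + 1);          /* copy including the NUL */
    return 0;
}

/*
 * Stand-in for the argument-handling step: copy one command-line
 * argument into a fixed 256-byte stack buffer, reporting an error
 * instead of overflowing. Returns 0 if accepted, 1 if rejected.
 */
int accept_arg(const char *arg)
{
    char buf[ARG_BUF_SIZE];

    if (copy_arg_checked(buf, sizeof buf, arg) != 0) {
        fprintf(stderr, "error: argument exceeds %d bytes\n",
                ARG_BUF_SIZE - 1);
        return 1;
    }
    return 0;
}

/*
 * Test helper: build a constructed argument of `len` 'A' characters
 * (like the one in the report) and run it through accept_arg.
 * Returns accept_arg's result, or -1 if allocation fails.
 */
int accept_constructed_arg(size_t len)
{
    char *s = malloc(len + 1);
    if (s == NULL)
        return -1;
    memset(s, 'A', len);
    s[len] = '\0';
    int rc = accept_arg(s);
    free(s);
    return rc;
}

int main(int argc, char **argv)
{
    /* With no argument, exercise a constructed 300-byte input. */
    const char *arg = (argc > 1) ? argv[1] : NULL;
    int rc = arg ? accept_arg(arg) : accept_constructed_arg(300);
    printf("argument %s\n", rc == 0 ? "accepted" : "rejected");
    return rc;
}
```

A 255-character argument is the longest that fits with its NUL; 256 characters or more is rejected before any byte is written into the stack buffer, which is the behaviour the report expects.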
Maybe not exploitable, but that's not the first buffer overflow we've found in this code (and likely not the last). This code needs to be scrubbed, if not replaced.