[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Bug binutils/28518] New: objdump : signed integer overflow & free on un
|
From: |
shaohua.li at inf dot ethz.ch |
|
Subject: |
[Bug binutils/28518] New: objdump : signed integer overflow & free on unmalloced address |
|
Date: |
Fri, 29 Oct 2021 14:50:26 +0000 |
https://sourceware.org/bugzilla/show_bug.cgi?id=28518
Bug ID: 28518
Summary: objdump : signed integer overflow & free on unmalloced
address
Product: binutils
Version: 2.38 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: shaohua.li at inf dot ethz.ch
Target Milestone: ---
Created attachment 13745
--> https://sourceware.org/bugzilla/attachment.cgi?id=13745&action=edit
poc_signed
Hi there,
For the poc file I provided, it triggered both a signed integer overflow and
free on unmalloced address.
- Compiler: clang13 (compile with -fsanitize=address,undefined)
- Platform: Ubuntu 20.04.3 LTS, x86_64
- Reproduce: run `objdump -S -D poc_signed`
Sanitize report:
vms-alpha.c:4832:29: runtime error: signed integer overflow: 1724079360 +
778462822 cannot be represented in type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior vms-alpha.c:4832:29 in
=================================================================
==251==ERROR: AddressSanitizer: attempting free on address which was not
malloc()-ed: 0x6170000006a4 in thread T0
#0 0x499af2 in free (/objdump/repo/clang13-O3/binutils/objdump+0x499af2)
#1 0x1cac27c in build_module_list
/objdump/repo/clang13-O3/bfd/vms-alpha.c:4841:7
#2 0x1cac27c in _bfd_vms_find_nearest_line
/objdump/repo/clang13-O3/bfd/vms-alpha.c:4962:24
#3 0x4f616b in show_line
/objdump/repo/clang13-O3/binutils/./objdump.c:1784:9
#4 0x4f616b in disassemble_bytes
/objdump/repo/clang13-O3/binutils/./objdump.c:2770:6
#5 0x4ec60a in disassemble_section
/objdump/repo/clang13-O3/binutils/./objdump.c:3455:4
#6 0xeb382b in bfd_map_over_sections
/objdump/repo/clang13-O3/bfd/section.c:1383:5
#7 0x4d5c97 in disassemble_data
/objdump/repo/clang13-O3/binutils/./objdump.c:3599:3
#8 0x4d5c97 in dump_bfd
/objdump/repo/clang13-O3/binutils/./objdump.c:5010:5
#9 0x4d09c2 in display_object_bfd
/objdump/repo/clang13-O3/binutils/./objdump.c
#10 0x4d09c2 in display_any_bfd
/objdump/repo/clang13-O3/binutils/./objdump.c:5162:5
#11 0x4cede5 in display_file
/objdump/repo/clang13-O3/binutils/./objdump.c:5183:3
#12 0x4cede5 in main /objdump/repo/clang13-O3/binutils/./objdump.c:5533:6
#13 0x7fbf3f1e60b2 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
#14 0x41d5ad in _start (/objdump/repo/clang13-O3/binutils/objdump+0x41d5ad)
0x6170000006a4 is located 676 bytes inside of 680-byte region
[0x617000000400,0x6170000006a8)
allocated by thread T0 here:
#0 0x499d5d in __interceptor_malloc
(/objdump/repo/clang13-O3/binutils/objdump+0x499d5d)
#1 0xea0233 in bfd_malloc /objdump/repo/clang13-O3/bfd/libbfd.c:289:9
SUMMARY: AddressSanitizer: bad-free
(/objdump/repo/clang13-O3/binutils/objdump+0x499af2) in free
==251==ABORTING
--
You are receiving this mail because:
You are on the CC list for the bug.
- [Bug binutils/28518] New: objdump : signed integer overflow & free on unmalloced address,
shaohua.li at inf dot ethz.ch <=