[Bug binutils/29988] New: AddressSanitizer: heap-buffer-overflow /binuti
From: 13579and24680 at gmail dot com
Subject: [Bug binutils/29988] New: AddressSanitizer: heap-buffer-overflow /binutils-gdb/bfd/libbfd.c:784 in bfd_getl64
Date: Wed, 11 Jan 2023 10:00:01 +0000
https://sourceware.org/bugzilla/show_bug.cgi?id=29988
Bug ID: 29988
Summary: AddressSanitizer: heap-buffer-overflow
/binutils-gdb/bfd/libbfd.c:784 in bfd_getl64
Product: binutils
Version: 2.40
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: 13579and24680 at gmail dot com
Target Milestone: ---
Created attachment 14574
--> https://sourceware.org/bugzilla/attachment.cgi?id=14574&action=edit
Generated by my fuzzer and afl-tmin
# version
$ ./binutils-gdb_asan/binutils/objdump --version
GNU objdump (GNU Binutils) 2.40.50.20230110
Copyright (C) 2023 Free Software Foundation, Inc.
This program is free software; you may redistribute it under the terms of
the GNU General Public License version 3 or (at your option) any later version.
This program has absolutely no warranty.
---------------------------------------------------------------------
# git log
$ git log --oneline -1
aefebe82dc8 (HEAD -> master, origin/master, origin/HEAD) IBM zSystems: Fix
offset relative to static TLS
---------------------------------------------------------------------
# make
$ git clone git://sourceware.org/git/binutils-gdb.git
$ mv binutils-gdb binutils-gdb_asan
$ cd binutils-gdb_asan
$ ./configure CFLAGS='-fsanitize=address -g3' CXXFLAGS='-fsanitize=address -g3'
$ make
---------------------------------------------------------------------
# ASAN report
$ ./binutils-gdb_asan/binutils/objdump -S poc
BFD: warning: poc has a section extending past end of file
poc: file format elf64-x86-64
Disassembly of section abbrev:
3030303030303030 <abbrev>:
BFD: DWARF error: can't find .debug_str section.
BFD: DWARF error: can't find .debug_str section.
BFD: DWARF error: can't find .debug_str section.
BFD: DWARF error: can't find .debug_line_str section.
BFD: DWARF error: can't find .debug_line_str section.
BFD: DWARF error: can't find .debug_line_str section.
BFD: DWARF error: can't find .debug_line_str section.
BFD: DWARF error: can't find .debug_line_str section.
BFD: DWARF error: can't find .debug_line_str section.
BFD: DWARF error: can't find .debug_line_str section.
BFD: DWARF error: can't find .debug_line_str section.
BFD: DWARF error: can't find .debug_line_str section.
BFD: DWARF error: can't find .debug_line_str section.
BFD: DWARF error: mangled line number section (bad file number)
BFD: DWARF error: mangled line number section (bad file number)
=================================================================
==3970096==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60300000017f at pc 0x5573ee01c8cc bp 0x7fff9bcf2f50 sp 0x7fff9bcf2f40
READ of size 1 at 0x60300000017f thread T0
#0 0x5573ee01c8cb in bfd_getl64
/home/a13579/fuzz_binutils-gdb/binutils-gdbnew/binutils-gdb_asan/bfd/libbfd.c:784
#1 0x5573ee16bef2 in read_indexed_address dwarf2.c:1431
#2 0x5573ee16dc6a in read_attribute_value dwarf2.c:1669
#3 0x5573ee16e004 in read_attribute dwarf2.c:1711
#4 0x5573ee1783c7 in scan_unit_for_symbols dwarf2.c:3973
#5 0x5573ee17c2c4 in comp_unit_maybe_decode_line_info dwarf2.c:4721
#6 0x5573ee17bf03 in comp_unit_find_nearest_line dwarf2.c:4679
#7 0x5573ee182273 in _bfd_dwarf2_find_nearest_line_with_alt dwarf2.c:5991
#8 0x5573ee0d4de3 in _bfd_elf_find_nearest_line_with_alt
/home/a13579/fuzz_binutils-gdb/binutils-gdbnew/binutils-gdb_asan/bfd/elf.c:9338
#9 0x5573ee0d4c72 in _bfd_elf_find_nearest_line
/home/a13579/fuzz_binutils-gdb/binutils-gdbnew/binutils-gdb_asan/bfd/elf.c:9315
#10 0x5573edec9d8b in show_line objdump.c:2180
#11 0x5573edecf759 in disassemble_bytes objdump.c:3339
#12 0x5573eded37f3 in disassemble_section objdump.c:4050
#13 0x5573ee024bbc in bfd_map_over_sections
/home/a13579/fuzz_binutils-gdb/binutils-gdbnew/binutils-gdb_asan/bfd/section.c:1366
#14 0x5573eded4767 in disassemble_data objdump.c:4194
#15 0x5573ededc530 in dump_bfd objdump.c:5676
#16 0x5573ededc807 in display_object_bfd objdump.c:5739
#17 0x5573ededcb38 in display_any_bfd objdump.c:5825
#18 0x5573ededcbb2 in display_file objdump.c:5846
#19 0x5573edede4db in main objdump.c:6254
#20 0x7f755d389082 in __libc_start_main ../csu/libc-start.c:308
#21 0x5573edec23bd in _start
(/home/a13579/fuzz_binutils-gdb/binutils-gdbnew/binutils-gdb_asan/binutils/objdump+0x13b3bd)
0x60300000017f is located 2 bytes to the right of 29-byte region
[0x603000000160,0x60300000017d)
allocated by thread T0 here:
#0 0x7f755d66a808 in __interceptor_malloc
../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
#1 0x5573ee01b6aa in bfd_malloc
/home/a13579/fuzz_binutils-gdb/binutils-gdbnew/binutils-gdb_asan/bfd/libbfd.c:289
#2 0x5573ee168ad5 in read_section dwarf2.c:734
#3 0x5573ee16bae7 in read_indexed_address dwarf2.c:1412
#4 0x5573ee16dc6a in read_attribute_value dwarf2.c:1669
#5 0x5573ee16e004 in read_attribute dwarf2.c:1711
#6 0x5573ee1783c7 in scan_unit_for_symbols dwarf2.c:3973
#7 0x5573ee17c2c4 in comp_unit_maybe_decode_line_info dwarf2.c:4721
#8 0x5573ee17bf03 in comp_unit_find_nearest_line dwarf2.c:4679
#9 0x5573ee182273 in _bfd_dwarf2_find_nearest_line_with_alt dwarf2.c:5991
#10 0x5573ee0d4de3 in _bfd_elf_find_nearest_line_with_alt
/home/a13579/fuzz_binutils-gdb/binutils-gdbnew/binutils-gdb_asan/bfd/elf.c:9338
#11 0x5573ee0d4c72 in _bfd_elf_find_nearest_line
/home/a13579/fuzz_binutils-gdb/binutils-gdbnew/binutils-gdb_asan/bfd/elf.c:9315
#12 0x5573edec9d8b in show_line objdump.c:2180
#13 0x5573edecf759 in disassemble_bytes objdump.c:3339
#14 0x5573eded37f3 in disassemble_section objdump.c:4050
#15 0x5573ee024bbc in bfd_map_over_sections
/home/a13579/fuzz_binutils-gdb/binutils-gdbnew/binutils-gdb_asan/bfd/section.c:1366
#16 0x5573eded4767 in disassemble_data objdump.c:4194
#17 0x5573ededc530 in dump_bfd objdump.c:5676
#18 0x5573ededc807 in display_object_bfd objdump.c:5739
#19 0x5573ededcb38 in display_any_bfd objdump.c:5825
#20 0x5573ededcbb2 in display_file objdump.c:5846
#21 0x5573edede4db in main objdump.c:6254
#22 0x7f755d389082 in __libc_start_main ../csu/libc-start.c:308
SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/a13579/fuzz_binutils-gdb/binutils-gdbnew/binutils-gdb_asan/bfd/libbfd.c:784
in bfd_getl64
Shadow bytes around the buggy address:
0x0c067fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c067fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c067fff8000: fa fa 00 00 00 fa fa fa 00 00 00 00 fa fa 00 00
0x0c067fff8010: 00 fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa
=>0x0c067fff8020: 00 00 00 fa fa fa 00 00 00 00 fa fa 00 00 00[05]
0x0c067fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==3970096==ABORTING
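Added example, not part of the original report and not binutils code: a bounds-checked indexed 8-byte little-endian read over a constructed 29-byte buffer, the allocation size shown in the ASAN report above. The function names, the base/index layout and the offset 24 (the start of an 8-byte read whose last byte would be the faulting offset 31) are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Little-endian 64-bit load (hypothetical helper, not BFD's bfd_getl64). */
static uint64_t load_le64(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

/* Read 8-byte entry `index` of a table that starts `base` bytes into a
   section buffer of `size` bytes. Refuses, without touching memory, any
   read that would not lie entirely inside the buffer. */
bool read_indexed_addr(const uint8_t *buf, uint64_t size,
                       uint64_t base, uint64_t index, uint64_t *out)
{
    const uint64_t width = 8;
    if (index > UINT64_MAX / width)          /* index * width would wrap */
        return false;
    uint64_t off = index * width;
    if (off > UINT64_MAX - base)             /* base + off would wrap */
        return false;
    off += base;
    if (size < width || off > size - width)  /* off + 8 > size */
        return false;
    *out = load_le64(buf + off);
    return true;
}

/* Constructed sample: a 29-byte section holding bytes 0x00..0x1c. */
enum { SECTION_SIZE = 29 };
static uint8_t section[SECTION_SIZE];

/* Returns 1 and stores the value if the read is in bounds, else 0. */
int try_read(uint64_t base, uint64_t index, uint64_t *out)
{
    for (int i = 0; i < SECTION_SIZE; i++)
        section[i] = (uint8_t)i;
    return read_indexed_addr(section, SECTION_SIZE, base, index, out);
}

int main(void)
{
    uint64_t v = 0;
    printf("offset 16: ok=%d\n", try_read(0, 2, &v));  /* bytes 16..23 */
    printf("offset 24: ok=%d\n", try_read(8, 2, &v));  /* bytes 24..31 */
    return 0;
}
```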