https://sourceware.org/bugzilla/show_bug.cgi?id=20896
Bug ID: 20896
Summary: AS: Buffer Overflow when expanding .irp directives
Product: binutils
Version: 2.28 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: gas
Assignee: unassigned at sourceware dot org
Reporter: boehme.marcel at gmail dot com
Target Milestone: ---

Dear all,

The following bug was found with AFLFast, a fork of AFL, in a 24-hour fuzzing session on Binutils. Thanks also to Van-Thuan Pham.

The assembler crashes for the following execution:

$ printf ".irp\n000000000;#000\"0000000000000000000000\n" > test
$ ./as test

On trunk, Ubuntu 14.04 x86_64:

test:2: Internal error!
Assertion failure in ignore_rest_of_line at read.c:3758.
Please report this bug.

On Binutils v2.26.1, Ubuntu 16.04 x86_64:

Segmentation Fault

On Binutils v2.24, Ubuntu 14.04 x86_64:

No problems.

ASAN says:

=================================================================
==123173==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b00000a5b0 at pc 0x00000046f678 bp 0x7fff7ce8b410 sp 0x7fff7ce8b408
READ of size 1 at 0x60b00000a5b0 thread T0
    #0 0x46f677 in next_char_of_string ../../gas/read.c:5533
    #1 0x470580 in demand_copy_string ../../gas/read.c:5741
    #2 0x463001 in s_app_line ../../gas/read.c:2039
    #3 0x44ecd3 in buffer_and_nest ../../gas/macro.c:231
    #4 0x45a0fd in expand_irp ../../gas/macro.c:1323
    #5 0x4645a0 in s_irp ../../gas/read.c:2366
    #6 0x45f518 in read_a_source_file ../../gas/read.c:1146
    #7 0x40c417 in perform_an_assembly_pass ../../gas/as.c:1172
    #8 0x40c86c in main ../../gas/as.c:1296
    #9 0x7f2c353bff44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #10 0x403858 (/home/ubuntu/subjects/binutils-gdb/obj-asan/gas/as-new+0x403858)

0x60b00000a5b0 is located 0 bytes to the right of 112-byte region [0x60b00000a540,0x60b00000a5b0)
allocated by thread T0 here:
    #0 0x7f2c36740710 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2710)
    #1 0x928e38 in xrealloc ../../libiberty/xmalloc.c:180
    #2 0x473fa1 in sb_check ../../gas/sb.c:150
    #3 0x47436d in sb_add_buffer ../../gas/sb.c:187
    #4 0x4656a6 in get_line_sb ../../gas/read.c:2658
    #5 0x465730 in get_non_macro_line_sb ../../gas/read.c:2672
    #6 0x44ee8f in buffer_and_nest ../../gas/macro.c:241
    #7 0x45a0fd in expand_irp ../../gas/macro.c:1323
    #8 0x4645a0 in s_irp ../../gas/read.c:2366
    #9 0x45f518 in read_a_source_file ../../gas/read.c:1146
    #10 0x40c417 in perform_an_assembly_pass ../../gas/as.c:1172
    #11 0x40c86c in main ../../gas/as.c:1296
    #12 0x7f2c353bff44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)

SUMMARY: AddressSanitizer: heap-buffer-overflow ../../gas/read.c:5533 in next_char_of_string

Valgrind reports several reads of size 1:

==123176== Invalid read of size 1
==123176==    at 0x4CEB0F: next_char_of_string (read.c:5533)
==123176==    by 0x4CEB0F: demand_copy_string (read.c:5741)
==123176==    by 0x4D1B89: s_app_line (read.c:2039)
==123176==    by 0x470328: buffer_and_nest (macro.c:231)
==123176==    by 0x4755D3: expand_irp (macro.c:1323)
==123176==    by 0x482DE4: s_irp (read.c:2366)
==123176==    by 0x4B5BAF: read_a_source_file (read.c:1146)
==123176==    by 0x407ED1: perform_an_assembly_pass (as.c:1172)
==123176==    by 0x407ED1: main (as.c:1296)
...
==123176== Invalid read of size 1
==123176==    at 0x4D1BE7: get_linefile_number (read.c:1985)
==123176==    by 0x4D1BE7: s_app_line (read.c:2045)
==123176==    by 0x470328: buffer_and_nest (macro.c:231)
==123176==    by 0x4755D3: expand_irp (macro.c:1323)
==123176==    by 0x482DE4: s_irp (read.c:2366)
==123176==    by 0x4B5BAF: read_a_source_file (read.c:1146)
==123176==    by 0x407ED1: perform_an_assembly_pass (as.c:1172)
==123176==    by 0x407ED1: main (as.c:1296)
==123176==  Address 0x57ebf12 is 30 bytes before a block of size 74,304 in arena "client"
==123176==
==123176== Invalid read of size 1
==123176==    at 0x4D0C3B: ignore_rest_of_line (read.c:3758)
==123176==    by 0x4D0C3B: s_app_line (read.c:2098)
==123176==    by 0x470328: buffer_and_nest (macro.c:231)
==123176==    by 0x4755D3: expand_irp (macro.c:1323)
==123176==    by 0x482DE4: s_irp (read.c:2366)
==123176==    by 0x4B5BAF: read_a_source_file (read.c:1146)
==123176==    by 0x407ED1: perform_an_assembly_pass (as.c:1172)
==123176==    by 0x407ED1: main (as.c:1296)
==123176==  Address 0x57ebf12 is 30 bytes before a block of size 74,304 in arena "client"

Best regards,
- Marcel

--
You are receiving this mail because:
You are on the CC list for the bug.
_______________________________________________
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils
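The report above compares three binutils versions by hand (assertion failure on trunk, segfault on 2.26.1, clean on 2.24). The following triage helper is an added example, not part of Marcel's report or of the binutils code base: it rebuilds the exact input bytes the report's printf command produces, points out the unterminated string literal on line 2 that the crashing code path (s_app_line via demand_copy_string / next_char_of_string) is reading past, runs a gas binary on the input if one is available, and maps the outcome onto the same three categories the report uses. The assembler path is an assumption (defaults to `as` on PATH, overridable with the AS_BINARY environment variable); the marker strings are taken from the diagnostic quoted in the report.

```python
"""Reproduce-and-classify helper for the gas .irp crash report.

Added example, not part of the bug report or of binutils. It rebuilds the
test file the report creates with printf, optionally runs an assembler on
it (binary path is an assumption; override with AS_BINARY), and classifies
the result the way the report does across versions.
"""
import os
import signal
import subprocess
import tempfile

# Byte-for-byte what the report's printf writes: "\n" becomes a newline and
# the shell-escaped \" becomes a literal double quote.  The second line opens
# a string literal that is never closed, which is what the overflowing
# next_char_of_string read is scanning for.
REPRO_INPUT = b'.irp\n000000000;#000"0000000000000000000000\n'

# Markers from the gas internal-error diagnostic quoted in the report.
ASSERT_MARKERS = (b"Internal error!", b"Assertion failure")


def classify(returncode, stderr):
    """Map an assembler run onto the outcomes the report lists.

    returncode/stderr are what subprocess.run returns; a negative return
    code means the process died from that signal number.
    """
    if any(marker in stderr for marker in ASSERT_MARKERS):
        return "assertion-failure"          # the trunk behaviour in the report
    if returncode in (-signal.SIGSEGV, -signal.SIGABRT):
        return "crash-signal"               # the v2.26.1 behaviour in the report
    if returncode == 0:
        return "clean"                      # the v2.24 behaviour in the report
    return "error-exit"                     # ordinary diagnostics, no crash


def unterminated_string_lines(data):
    """1-based line numbers whose double-quote count is odd.

    Such a line opens a string literal without closing it, so any scanner
    looking for the closing quote must stop at end-of-line (or end of the
    backing buffer) rather than keep reading.
    """
    return [i + 1 for i, line in enumerate(data.split(b"\n"))
            if line.count(b'"') % 2 == 1]


def run_as(as_binary="as", input_bytes=REPRO_INPUT, timeout=10):
    """Write the reproducer to a temp dir, run the assembler, classify it."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "test")
        with open(src, "wb") as f:
            f.write(input_bytes)
        try:
            proc = subprocess.run(
                [as_binary, "-o", os.path.join(tmp, "test.o"), src],
                capture_output=True, timeout=timeout)
        except FileNotFoundError:
            return "no-assembler"           # nothing to run on this host
        except subprocess.TimeoutExpired:
            return "timeout"                # hang rather than crash
        return classify(proc.returncode, proc.stderr)


if __name__ == "__main__":
    print("unterminated string on line(s):",
          unterminated_string_lines(REPRO_INPUT))
    print("outcome:", run_as(os.environ.get("AS_BINARY", "as")))
```

Run it as `AS_BINARY=/path/to/as-new python3 triage.py` against each build under test; an ASAN build reports the heap-buffer-overflow on stderr with a non-zero exit, which lands in the `error-exit` bucket unless you extend `classify` with an AddressSanitizer marker. The `unterminated_string_lines` check is the cheap static part of the triage: it confirms the input contains exactly the construct the stack trace is scanning for before any binary is run.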