https://sourceware.org/bugzilla/show_bug.cgi?id=22543
Bug ID: 22543
Summary: heap-buffer-overflow in bfd_getl32 (libbfd.c)
Product: binutils
Version: 2.29
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: yli044 at e dot ntu.edu.sg
Target Milestone: ---

Created attachment 10661
  --> https://sourceware.org/bugzilla/attachment.cgi?id=10661&action=edit
the PoC file

Hi guys,

When we were testing "nm-new" with our fuzzer (FOT), we found a read-out-of-bound in bfd_getl32 in libbfd.c.

The command to reproduce is:

    nm-new -l -D $POC

The dump from AddressSanitizer is:

    =================================================================
    ==5736==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ebd1 at pc 0x00000042806b bp 0x7fff0513a3e0 sp 0x7fff0513a3d0
    READ of size 1 at 0x60200000ebd1 thread T0
        #0 0x42806a in bfd_getl32 ../../bfd/libbfd.c:558
        #1 0x539a81 in parse_die ../../bfd/dwarf1.c:192
        #2 0x53b696 in _bfd_dwarf1_find_nearest_line ../../bfd/dwarf1.c:521
        #3 0x4bffcb in _bfd_elf_find_nearest_line ../../bfd/elf.c:8641
        #4 0x406ba2 in print_symbol ../../binutils/nm.c:1006
        #5 0x4070a2 in print_symbols ../../binutils/nm.c:1086
        #6 0x407a26 in display_rel_file ../../binutils/nm.c:1202
        #7 0x408205 in display_file ../../binutils/nm.c:1320
        #8 0x409dcd in main ../../binutils/nm.c:1794
        #9 0x7f496bfa582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
        #10 0x402e78 in _start (/media/lyk/DATA/binutils-2.29/fot-tests/nm/nm-new-veri+0x402e78)

    0x60200000ebd1 is located 0 bytes to the right of 1-byte region [0x60200000ebd0,0x60200000ebd1)
    allocated by thread T0 here:
        #0 0x7f496c5eb602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
        #1 0x427709 in bfd_malloc ../../bfd/libbfd.c:193
        #2 0x63ba1c in bfd_get_full_section_contents ../../bfd/compress.c:248
        #3 0x653c79 in bfd_simple_get_relocated_section_contents ../../bfd/simple.c:193
        #4 0x53b309 in _bfd_dwarf1_find_nearest_line ../../bfd/dwarf1.c:490
        #5 0x4bffcb in _bfd_elf_find_nearest_line ../../bfd/elf.c:8641
        #6 0x406ba2 in print_symbol ../../binutils/nm.c:1006
        #7 0x4070a2 in print_symbols ../../binutils/nm.c:1086
        #8 0x407a26 in display_rel_file ../../binutils/nm.c:1202
        #9 0x408205 in display_file ../../binutils/nm.c:1320
        #10 0x409dcd in main ../../binutils/nm.c:1794
        #11 0x7f496bfa582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

    SUMMARY: AddressSanitizer: heap-buffer-overflow ../../bfd/libbfd.c:558 bfd_getl32
    Shadow bytes around the buggy address:
      0x0c047fff9d20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9d30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9d40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9d50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9d60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    =>0x0c047fff9d70: fa fa fa fa fa fa fa fa fa fa[01]fa fa fa fd fd
      0x0c047fff9d80: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
      0x0c047fff9d90: fa fa 00 fa fa fa fd fa fa fa fd fd fa fa fd fa
      0x0c047fff9da0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
      0x0c047fff9db0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
      0x0c047fff9dc0: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fd
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Heap right redzone:      fb
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack partial redzone:   f4
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
    ==5736==ABORTING

The PoC is in the attachment

-- 
You are receiving this mail because:
You are on the CC list for the bug.
_______________________________________________
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils
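The trace above shows the shape of the defect: the section buffer allocated in bfd_get_full_section_contents is 1 byte long, and parse_die hands it to bfd_getl32, which reads 4 bytes without any remaining-length check. The following C example is added here to illustrate the defensive pattern such a parser needs, a cursor whose every fixed-size read is checked against the end of the buffer before it happens. It is not binutils code and not the upstream fix for this report; the struct names, the two-field DIE header layout and the sample byte strings are constructed for the illustration.

```c
/* Added example: bounds-checked little-endian reads for a DWARF-style parser.
   Not binutils code and not the fix for bug 22543; layout and names are
   illustrative only. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Cursor over a section buffer: p advances, end never moves, and every read
   checks the distance between them before touching memory. */
struct cursor {
    const unsigned char *p;
    const unsigned char *end;
};

/* Read a 4-byte little-endian value only if 4 bytes remain.
   Returns 1 on success, 0 if the read would run past the buffer. */
static int get_le32(struct cursor *c, uint32_t *out)
{
    if ((size_t)(c->end - c->p) < 4)
        return 0;
    *out = (uint32_t)c->p[0] | ((uint32_t)c->p[1] << 8)
         | ((uint32_t)c->p[2] << 16) | ((uint32_t)c->p[3] << 24);
    c->p += 4;
    return 1;
}

/* Same idea for a 2-byte little-endian value. */
static int get_le16(struct cursor *c, uint16_t *out)
{
    if ((size_t)(c->end - c->p) < 2)
        return 0;
    *out = (uint16_t)(c->p[0] | (c->p[1] << 8));
    c->p += 2;
    return 1;
}

/* Hypothetical DIE header: a 4-byte entry length (covering the whole entry,
   header included) followed by a 2-byte tag. */
struct die_hdr {
    uint32_t length;
    uint16_t tag;
};

/* Parse one header from [buf, buf + len). Returns 1 on success, 0 when the
   buffer is too short for the header or the entry's self-reported length is
   inconsistent with the buffer. A 1-byte section, the case in the sanitizer
   trace, is rejected at the first read instead of overrunning the buffer. */
int parse_die_hdr(const unsigned char *buf, size_t len, struct die_hdr *hdr)
{
    struct cursor c = { buf, buf + len };
    if (!get_le32(&c, &hdr->length))
        return 0;
    if (!get_le16(&c, &hdr->tag))
        return 0;
    /* The entry must at least contain its own 6-byte header and must not
       claim more bytes than the section actually holds. */
    if (hdr->length < 6 || hdr->length > len)
        return 0;
    return 1;
}

int main(void)
{
    struct die_hdr h;
    /* Constructed 1-byte section, the shape that produced the report. */
    const unsigned char tiny[1] = { 0x00 };
    /* Constructed well-formed header: length 8, tag 0x0011, two bytes of body. */
    const unsigned char ok[8] = { 0x08, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00 };

    printf("tiny: %s\n", parse_die_hdr(tiny, sizeof tiny, &h) ? "parsed" : "rejected");
    if (parse_die_hdr(ok, sizeof ok, &h))
        printf("ok:   parsed (length=%u tag=0x%04x)\n", h.length, h.tag);
    else
        printf("ok:   rejected\n");
    return 0;
}
```

The point of the cursor is that the length check lives in the read primitive rather than at each call site, so a parser cannot forget it; the extra check on the self-reported entry length catches the related case where the header fits but the entry claims more bytes than the section holds.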