https://sourceware.org/bugzilla/show_bug.cgi?id=22893
Bug ID: 22893
Summary: heap buffer overflow in bfd_getl32
Product: binutils
Version: 2.31 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: luanjunchao at 163 dot com
Target Milestone: ---

The command I test is "nm-new -A -a -l -S -s --special-syms --synthetic --with-symbol-versions -D $POC". Here is the output.

=================================================================
==93407==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf2ee250a at pc 0x080a1f18 bp 0xffa2dbf8 sp 0xffa2dbe8
READ of size 4 at 0xf2ee250a thread T0
    #0 0x80a1f17 in bfd_getl32 /work/binutils-gdb/bfd/libbfd.c:638
    #1 0x83257b4 in read_4_bytes /work/binutils-gdb/bfd/dwarf2.c:614
    #2 0x83257b4 in read_attribute_value /work/binutils-gdb/bfd/dwarf2.c:1228
    #3 0x83257b4 in read_attribute /work/binutils-gdb/bfd/dwarf2.c:1280
    #4 0x83257b4 in scan_unit_for_symbols /work/binutils-gdb/bfd/dwarf2.c:3143
    #5 0x8332bef in comp_unit_maybe_decode_line_info /work/binutils-gdb/bfd/dwarf2.c:3656
    #6 0x8332bef in comp_unit_find_line /work/binutils-gdb/bfd/dwarf2.c:3682
    #7 0x833fd0d in _bfd_dwarf2_find_nearest_line /work/binutils-gdb/bfd/dwarf2.c:4640
    #8 0x8200b52 in _bfd_elf_find_line /work/binutils-gdb/bfd/elf.c:8782
    #9 0x80544f6 in print_symbol /work/binutils-gdb/binutils/nm.c:1008
    #10 0x80572aa in print_symbols /work/binutils-gdb/binutils/nm.c:1089
    #11 0x80572aa in display_rel_file /work/binutils-gdb/binutils/nm.c:1205
    #12 0x805a927 in display_file /work/binutils-gdb/binutils/nm.c:1325
    #13 0x804f5e6 in main /work/binutils-gdb/binutils/nm.c:1799
    #14 0xf6fe6636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #15 0x805135b (/work/build/binutils/nm-new+0x805135b)
AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow /work/binutils-gdb/bfd/libbfd.c:638 bfd_getl32
Shadow bytes around the buggy address:
==93407==ABORTING

The POC file is https://github.com/skysider/FuzzVuln/blob/master/binutils_nm_heap_overflow_bfd_get_32.elf
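The trace above ends in a 4-byte read past the end of a heap buffer while `read_attribute_value` decodes a DWARF attribute. As an added example (not code from the bug report or from binutils), the following C shows the defensive pattern that prevents that class of read: a cursor that carries the section end and a reader that refuses rather than dereferencing when fewer than 4 bytes remain. The `dwarf_cursor` type, the function names and the 6-byte `sample_section` are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Cursor over a DWARF section buffer; `end` is one past the last valid byte (constructed type). */
struct dwarf_cursor {
    const uint8_t *cur;
    const uint8_t *end;
};

/* Unchecked little-endian 32-bit read: the shape of the read that overran in the report. */
uint32_t getl32_unchecked(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Checked read: dereference only when 4 bytes remain before `end`, otherwise refuse. */
bool read_4_bytes_checked(struct dwarf_cursor *c, uint32_t *out)
{
    if (c->cur > c->end || (size_t)(c->end - c->cur) < 4)
        return false;   /* the DIE claims more attribute data than the section holds */
    *out = getl32_unchecked(c->cur);
    c->cur += 4;
    return true;
}
/* Constructed 6-byte section tail: one full 4-byte value followed by a 2-byte truncated one. */
const uint8_t sample_section[6] = { 0x78, 0x56, 0x34, 0x12, 0xAA, 0xBB };

/* Reads consecutive 4-byte values until the checked reader refuses; returns how many succeeded. */
int count_readable_data4(const uint8_t *buf, size_t len, uint32_t *first)
{
    struct dwarf_cursor c = { buf, buf + len };
    uint32_t v;
    int n = 0;
    while (read_4_bytes_checked(&c, &v)) {
        if (n == 0 && first)
            *first = v;
        n++;
    }
    return n;   /* 1 for sample_section: the truncated tail is rejected rather than read past */
}

int main(void)
{
    uint32_t first = 0;
    int n = count_readable_data4(sample_section, sizeof sample_section, &first);
    printf("readable 4-byte values: %d, first = 0x%08x\n", n, first);
    return 0;
}
```

Running it reports one readable value (0x12345678) and leaves the cursor parked at offset 4, where an unchecked `getl32` would have read two bytes beyond the buffer.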