[Bug binutils/22113] Heap out of bounds read in bfd_getl16()

Tue, 13 Mar 2018 02:08:30 -0700 

https://sourceware.org/bugzilla/show_bug.cgi?id=22113

--- Comment #4 from Kamil Frankowicz <fumfi.255 at gmail dot com> ---
Hi,

Problem still exists in 2.30:

==3183==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60f00000ec41
at pc 0x000000602aa5 bp 0x7ffe6cea6600 sp 0x7ffe6cea65f0
READ of size 1 at 0x60f00000ec41 thread T0
    #0 0x602aa4 in bfd_getl16 XYZ/binutils-2.30.0/bfd/libbfd.c:505
    #1 0x9777c8 in pex64_xdata_print_uwd_codes
XYZ/binutils-2.30.0/bfd/pei-x86_64.c:241
    #2 0x9777c8 in pex64_dump_xdata XYZ/binutils-2.30.0/bfd/pei-x86_64.c:403
    #3 0x9777c8 in pex64_bfd_print_pdata_section
XYZ/binutils-2.30.0/bfd/pei-x86_64.c:720
    #4 0x97887d in pex64_print_all_pdata_sections
XYZ/binutils-2.30.0/bfd/pei-x86_64.c:745
    #5 0x61c56b in bfd_map_over_sections XYZ/binutils-2.30.0/bfd/section.c:1397
    #6 0x9787e9 in pex64_bfd_print_pdata
XYZ/binutils-2.30.0/bfd/pei-x86_64.c:759
    #7 0x99abcd in _bfd_pex64_print_private_bfd_data_common
XYZ/binutils-2.30.0/bfd/pex64igen.c:2908
    #8 0x963640 in pe_print_private_bfd_data
XYZ/binutils-2.30.0/bfd/peicode.h:336
    #9 0x42009c in dump_bfd_private_header objdump.c:2966
    #10 0x42009c in dump_bfd objdump.c:3559
    #11 0x421a77 in display_object_bfd objdump.c:3658
    #12 0x421a77 in display_any_bfd objdump.c:3747
    #13 0x40ea81 in display_file objdump.c:3768
    #14 0x40ea81 in main objdump.c:4070
    #15 0x7fe1da1f782f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #16 0x411ca8 in _start (/usr/local/bin/objdump+0x411ca8)

0x60f00000ec41 is located 1 bytes to the right of 176-byte region
[0x60f00000eb90,0x60f00000ec40)
allocated by thread T0 here:
    #0 0x7fe1da83d602 in malloc
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x601d1a in bfd_malloc XYZ/binutils-2.30.0/bfd/libbfd.c:193
    #2 0x61200000bfb7  (<unknown module>)

SUMMARY: AddressSanitizer: heap-buffer-overflow
XYZ/binutils-2.30.0/bfd/libbfd.c:505 bfd_getl16
Shadow bytes around the buggy address:
  0x0c1e7fff9d30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e7fff9d40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e7fff9d50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e7fff9d60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e7fff9d70: fa fa 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c1e7fff9d80: 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa
  0x0c1e7fff9d90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1e7fff9da0: fd fd fd fd fd fd fa fa fa fa fa fa fa fa 00 00
  0x0c1e7fff9db0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1e7fff9dc0: 00 00 00 00 fa fa fa fa fa fa fa fa fd fd fd fd
  0x0c1e7fff9dd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe

-- 
You are receiving this mail because:
You are on the CC list for the bug.
_______________________________________________
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils

Reply via email to