https://sourceware.org/bugzilla/show_bug.cgi?id=24039
Bug ID: 24039
Summary: integer overflow in libiberty, heap overflow will be triggered
Product: binutils
Version: 2.32 (HEAD)
Status: UNCONFIRMED
Severity: critical
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: yanshb at gmail dot com
Target Milestone: ---

Created attachment 11495
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11495&action=edit
nm -C POC

I use 32-bit binutils on 64-bit Ubuntu 16.04.4 LTS. The trigger command is:

    ./nm -C POC

The source code is shown as follows, in cplus-dem.c:

>2246 work->tmpl_argvec = XNEWVEC (char *, r); //sizeof(char*) * r
>2247 work->ntmpl_args = r;
>2248 for (i = 0; i < r; i++)
>2249 work->tmpl_argvec[i] = 0;

Integer overflow when r > 0x40000000 in line 2246, which will trigger a heap overflow in line 2249. There are several similar problems in libiberty.

Part of the crash output is shown as follows:

=================================================================
==17964==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf44fea80 at pc 0x08837adf bp 0xffaceb68 sp 0xffaceb60
WRITE of size 4 at 0xf44fea80 thread T0
    #0 0x8837ade (./nm-new+0x8837ade)
    #1 0x881916b (./nm-new+0x881916b)
    #2 0x880ad63 (./nm-new+0x880ad63)
    #3 0x88029fe (./nm-new+0x88029fe)
    #4 0x8185166 (./nm-new+0x8185166)
    #5 0x81472ea (./nm-new+0x81472ea)
    #6 0x815268b (./nm-new+0x815268b)
    #7 0x814d966 (./nm-new+0x814d966)
    #8 0x8146040 (./nm-new+0x8146040)
    #9 0x81441aa (./nm-new+0x81441aa)
    #10 0xf7c8e636 (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #11 0x8069dfc (./nm-new+0x8069dfc)

0xf44fea80 is located 0 bytes to the right of 251581056-byte region [0xe5511800,0xf44fea80)
allocated by thread T0 here:
    #0 0x8115823 (./nm-new+0x8115823)
    #1 0x89e6bd9 (./nm-new+0x89e6bd9)
    #2 0x881916b (./nm-new+0x881916b)
    #3 0x880ad63 (./nm-new+0x880ad63)
    #4 0x88029fe (./nm-new+0x88029fe)
    #5 0x8185166 (./nm-new+0x8185166)

SUMMARY: AddressSanitizer: heap-buffer-overflow (./nm-new+0x8837ade)
Shadow bytes around the buggy address:
  0x3e89fd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e89fd10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e89fd20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e89fd30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e89fd40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x3e89fd50:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e89fd60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e89fd70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e89fd80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e89fd90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e89fda0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==17964==ABORTING
00000000 AAborted

_______________________________________________
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils
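The arithmetic behind the report, as an added example that is not libiberty's code and not the reporter's attachment: on an ILP32 build `XNEWVEC (char *, r)` asks malloc for `r * sizeof (char *)` bytes, and that product wraps modulo 2^32 once `r` exceeds `0x3FFFFFFF`, so the loop at line 2249 writes `r` pointers into a buffer sized for far fewer. The block below emulates the 32-bit size computation with `uint32_t` (an assumption, so the wrap is visible on a 64-bit host), shows the `r > 0x40000000` boundary from the report, and contrasts it with a checked allocation wrapper (`alloc_tmpl_argvec`, a hypothetical name) that rejects a count whose byte size cannot be represented before it reaches malloc. The count `0x43BFB4A0` used in `main` is one value consistent with the 251581056-byte region in the ASan output (`0x43BFB4A0 * 4 mod 2^32 == 251581056`), not a value taken from the attachment.

```c
/* Added example, not libiberty code. Emulates the 32-bit size_t
 * arithmetic of the reporter's nm build with uint32_t (assumption). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef uint32_t size32_t;   /* stand-in for size_t on an ILP32 target */
#define PTR32 4u             /* sizeof (char *) on that target */

/* What the unchecked macro computes on a 32-bit build: r * sizeof (char *),
 * reduced modulo 2^32 because the product is computed in 32 bits. */
size32_t vec_bytes_unchecked(size32_t r)
{
    return r * PTR32;
}

/* Overflow predicate: r * PTR32 fits in 32 bits iff r <= UINT32_MAX / PTR32,
 * i.e. r <= 0x3FFFFFFF. This is the check the allocation site lacks. */
int vec_count_fits(size32_t r)
{
    return r <= UINT32_MAX / PTR32;
}

/* Hardened counterpart of the allocation at cplus-dem.c:2246 (hypothetical
 * name, host-native sizes): refuse any count whose byte size would wrap,
 * then allocate and zero-initialise exactly r slots. Returns NULL on a
 * rejected count or on allocation failure. */
char **alloc_tmpl_argvec(size_t r)
{
    if (r > SIZE_MAX / sizeof(char *))
        return NULL;                          /* would have wrapped */
    size_t bytes = r * sizeof(char *);
    char **v = malloc(bytes ? bytes : 1);     /* avoid malloc(0) ambiguity */
    if (v == NULL)
        return NULL;
    for (size_t i = 0; i < r; i++)            /* same loop as line 2248-2249 */
        v[i] = NULL;
    return v;
}

/* Returns 1 if the wrapper accepted r and every slot reads back as NULL,
 * 0 if the count was rejected or the allocation failed. */
int alloc_and_verify(size_t r)
{
    char **v = alloc_tmpl_argvec(r);
    if (v == NULL)
        return 0;
    int ok = 1;
    for (size_t i = 0; i < r; i++)
        if (v[i] != NULL)
            ok = 0;
    free(v);
    return ok;
}

int main(void)
{
    /* Boundary from the report: 0x40000000 wraps to a zero-byte request. */
    size32_t counts[] = { 0x3FFFFFFFu, 0x40000000u, 0x40000001u, 0x43BFB4A0u };
    for (size_t i = 0; i < sizeof counts / sizeof counts[0]; i++) {
        size32_t r = counts[i];
        size32_t bytes = vec_bytes_unchecked(r);
        printf("r=0x%08x  malloc gets %10u bytes (%10u slots), loop writes %10u slots  %s\n",
               r, bytes, bytes / PTR32, r,
               vec_count_fits(r) ? "ok" : "OVERFLOW: rejected by checked wrapper");
    }
    printf("checked wrapper, r=16: %s\n", alloc_and_verify(16) ? "allocated and zeroed" : "rejected");
    printf("checked wrapper, r=SIZE_MAX/8+1: %s\n",
           alloc_and_verify(SIZE_MAX / sizeof(char *) + 1) ? "allocated" : "rejected");
    return 0;
}
```

The row for `0x43BFB4A0` shows the shape of the reporter's crash: malloc receives 251581056 bytes (62,895,264 slots) while the initialisation loop writes 1,136,571,552 slots, so the first write past the region lands in the heap right redzone, exactly where ASan reported the 4-byte `WRITE`. The fix pattern is the predicate in `vec_count_fits`: compare the count against `SIZE_MAX / sizeof (*vec)` before multiplying, never after.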