[Bug binutils/24435] heap overflow in bfd_getl64

ago at gentoo dot org Wed, 10 Apr 2019 11:21:06 -0700

https://sourceware.org/bugzilla/show_bug.cgi?id=24435


--- Comment #3 from Agostino Sarubbo <ago at gentoo dot org> ---
I can reproduce the issue with the master compiled today, so I really guess
that the fix was not complete:

gf (CHROOT) crashes $ ld -v
GNU ld (Gentoo 9999) 2.32.51.20190410
gf (CHROOT) crashes $ ld 1.crashes.elf 
ld: warning: 1.crashes.elf has a corrupt section with a size (180000000010)
larger than the file size
=================================================================
==27723==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x6020000028bf at pc 0x7efd46d96abb bp 0x7ffc2316a3e0 sp 0x7ffc2316a3d8
READ of size 1 at 0x6020000028bf thread T0
    #0 0x7efd46d96aba in bfd_getl64
/var/tmp/portage/sys-devel/binutils-9999/work/binutils/bfd/libbfd.c:758:8
    #1 0x7efd46e2ceaf in bfd_elf64_swap_dyn_in
/var/tmp/portage/sys-devel/binutils-9999/work/binutils/bfd/elfcode.h:457:21
    #2 0x7efd46ea9d76 in elf_link_add_object_symbols
/var/tmp/portage/sys-devel/binutils-9999/work/binutils/bfd/elflink.c:4084:8
    #3 0x7efd46ea734a in bfd_elf_link_add_symbols
/var/tmp/portage/sys-devel/binutils-9999/work/binutils/bfd/elflink.c:5772:14
    #4 0x528b26 in load_symbols
/var/tmp/portage/sys-devel/binutils-9999/work/binutils/ld/ldlang.c:3080:7
    #5 0x5448a2 in open_input_bfds
/var/tmp/portage/sys-devel/binutils-9999/work/binutils/ld/ldlang.c:3529:13
    #6 0x538a7a in lang_process
/var/tmp/portage/sys-devel/binutils-9999/work/binutils/ld/ldlang.c:7382:3
    #7 0x55eb86 in main
/var/tmp/portage/sys-devel/binutils-9999/work/binutils/ld/ldmain.c:440:3
    #8 0x7efd45d292aa in __libc_start_main
/var/tmp/portage/sys-libs/glibc-2.27-r6/work/glibc-2.27/csu/../csu/libc-start.c:308:16
    #9 0x41ecd9 in _init
(/usr/x86_64-pc-linux-gnu/binutils-bin/9999/ld+0x41ecd9)

0x6020000028bf is located 7 bytes to the right of 8-byte region
[0x6020000028b0,0x6020000028b8)
allocated by thread T0 here:
    #0 0x4ca673 in malloc
/var/tmp/portage/sys-libs/compiler-rt-sanitizers-8.0.0/work/compiler-rt-8.0.0.src/lib/asan/asan_malloc_linux.cc:146:3
    #1 0x7efd46d94d0e in bfd_malloc
/var/tmp/portage/sys-devel/binutils-9999/work/binutils/bfd/libbfd.c:275:9
    #2 0x7efd46d84db2 in bfd_get_full_section_contents
/var/tmp/portage/sys-devel/binutils-9999/work/binutils/bfd/compress.c:253:21
    #3 0x7efd46ea9b24 in elf_link_add_object_symbols
/var/tmp/portage/sys-devel/binutils-9999/work/binutils/bfd/elflink.c:4066:9
    #4 0x7efd46ea734a in bfd_elf_link_add_symbols
/var/tmp/portage/sys-devel/binutils-9999/work/binutils/bfd/elflink.c:5772:14
    #5 0x528b26 in load_symbols
/var/tmp/portage/sys-devel/binutils-9999/work/binutils/ld/ldlang.c:3080:7
    #6 0x5448a2 in open_input_bfds
/var/tmp/portage/sys-devel/binutils-9999/work/binutils/ld/ldlang.c:3529:13
    #7 0x538a7a in lang_process
/var/tmp/portage/sys-devel/binutils-9999/work/binutils/ld/ldlang.c:7382:3
    #8 0x55eb86 in main
/var/tmp/portage/sys-devel/binutils-9999/work/binutils/ld/ldmain.c:440:3
    #9 0x7efd45d292aa in __libc_start_main
/var/tmp/portage/sys-libs/glibc-2.27-r6/work/glibc-2.27/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow
/var/tmp/portage/sys-devel/binutils-9999/work/binutils/bfd/libbfd.c:758:8 in
bfd_getl64
Shadow bytes around the buggy address:
  0x0c047fff84c0: fa fa 00 07 fa fa 00 07 fa fa 00 00 fa fa 00 00
  0x0c047fff84d0: fa fa 00 00 fa fa 00 00 fa fa 00 06 fa fa 00 06
  0x0c047fff84e0: fa fa 00 05 fa fa 00 05 fa fa 00 04 fa fa 00 04
  0x0c047fff84f0: fa fa 00 00 fa fa 00 00 fa fa 00 02 fa fa 00 00
  0x0c047fff8500: fa fa 00 07 fa fa 00 03 fa fa 07 fa fa fa 06 fa
=>0x0c047fff8510: fa fa 00 06 fa fa 00[fa]fa fa fa fa fa fa fa fa
  0x0c047fff8520: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8530: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8540: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8550: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8560: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==27723==ABORTING
Aborted

-- 
You are receiving this mail because:
You are on the CC list for the bug.
_______________________________________________
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils

[Bug binutils/24435] heap overflow in bfd_getl64

Reply via email to