https://sourceware.org/bugzilla/show_bug.cgi?id=24791

Bug ID: 24791
Summary: Heap Overflow issue in cp-demangle
Product: binutils
Version: 2.33 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: featherrain26 at gmail dot com
Target Milestone: ---

Created attachment 11897
--> https://sourceware.org/bugzilla/attachment.cgi?id=11897&action=edit
POC input

Hi, there.

There is a heap overflow in nm. To reproduce the issue, the compile flag is:

    CFLAGS="-g -O0 -m32 -fsanitize=address,undefined" ./configure;make

then,

    nm-new -C -a -l --synthetic input

Here are the details reported by ASAN:

    ==178966==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf4e02883 at pc 0x085d6167 bp 0xffe086d8 sp 0xffe086c8
    READ of size 1 at 0xf4e02883 thread T0
        #0 0x85d6166 in d_expression_1 cp-demangle.c:3356
        #1 0x85d4f12 in d_expression_1 cp-demangle.c:3449
        #2 0x85d4f12 in d_expression_1 cp-demangle.c:3449
        #3 0x85d4f12 in d_expression_1 cp-demangle.c:3449
        #4 0x85d4f12 in d_expression_1 cp-demangle.c:3449
        #5 0x85d4f12 in d_expression_1 cp-demangle.c:3449
        #6 0x85d4f12 in d_expression_1 cp-demangle.c:3449
        #7 0x85d4f12 in d_expression_1 cp-demangle.c:3449
        #8 0x85d4f12 in d_expression_1 cp-demangle.c:3449
        #9 0x85c8395 in d_expression cp-demangle.c:3531
        #10 0x85c8395 in d_array_type cp-demangle.c:3011
        #11 0x85c8395 in cplus_demangle_type cp-demangle.c:2463
        #12 0x85ca143 in d_parmlist cp-demangle.c:2908
        #13 0x85d907c in d_bare_function_type cp-demangle.c:2962
        #14 0x85d907c in d_encoding cp-demangle.c:1343
        #15 0x85dc451 in cplus_demangle_mangled_name cp-demangle.c:1234
        #16 0x85e29ed in d_demangle_callback cp-demangle.c:6292
        #17 0x85e29ed in d_demangle cp-demangle.c:6343
        #18 0x85e29ed in cplus_demangle_v3 cp-demangle.c:6500
        #19 0x858e46c in cplus_demangle cplus-dem.c:165
        #20 0x808ea57 in bfd_demangle /mnt/data/playground/binutils-2.32-a/bfd/bfd.c:2254
        #21 0x805f51f in print_symname /mnt/data/playground/binutils-2.32-a/binutils/nm.c:423
        #22 0x805f51f in print_symbol_info_bsd /mnt/data/playground/binutils-2.32-a/binutils/nm.c:1565
        #23 0x8053fcf in print_symbol /mnt/data/playground/binutils-2.32-a/binutils/nm.c:903
        #24 0x80571b5 in print_symbols /mnt/data/playground/binutils-2.32-a/binutils/nm.c:1102
        #25 0x80571b5 in display_rel_file /mnt/data/playground/binutils-2.32-a/binutils/nm.c:1215
        #26 0x805adb1 in display_file /mnt/data/playground/binutils-2.32-a/binutils/nm.c:1335
        #27 0x804f98a in main /mnt/data/playground/binutils-2.32-a/binutils/nm.c:1816
        #28 0xf7000636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
        #29 0x805154b (/mnt/data/playground/binutils-2.32-a/binutils/nm-new+0x805154b)

    0xf4e02883 is located 0 bytes to the right of 99-byte region [0xf4e02820,0xf4e02883)
    allocated by thread T0 here:
        #0 0xf7239dee in malloc (/usr/lib32/libasan.so.2+0x96dee)
        #1 0x80abadd in bfd_malloc /mnt/data/playground/binutils-2.32-a/bfd/libbfd.c:275

    SUMMARY: AddressSanitizer: heap-buffer-overflow cp-demangle.c:3356 d_expression_1
    Shadow bytes around the buggy address:
      0x3e9c04c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x3e9c04d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x3e9c04e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x3e9c04f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x3e9c0500: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x3e9c0510:[03]fa fa fa fa fa fa fa fa fa 00 00 00 00 00 00
      0x3e9c0520: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
      0x3e9c0530: 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa
      0x3e9c0540: fa fa fa fa fa fa 00 00 00 00 00 00 00 00 00 00
      0x3e9c0550: 00 00 00 fa fa fa fa fa fa fa fa fa 00 00 00 00
      0x3e9c0560: 00 00 00 00 00 00 00 00 04 fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Heap right redzone:      fb
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack partial redzone:   f4
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
    ==178966==ABORTING

The attachment is the POC input.

_______________________________________________
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils
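Reports like the one above are easier to triage when the essentials are pulled out mechanically: what kind of error, a read or a write, how far outside which allocation, which frame faulted, and whether the faulting function is recursing on itself (here nine consecutive frames of d_expression_1 sit at the top of the stack, which is the typical shape of a recursive-descent parser walking attacker-controlled input). The Python below is an added example, not part of this bug report or of binutils; the embedded sample is an abridged copy of the ASan output quoted above, and the function names parse_asan_report, leading_repeat and triage are this example's own.

```python
import re

# Constructed sample input: an abridged copy of the ASan report quoted in the
# bug report (top of the access stack, the allocation note and the SUMMARY).
SAMPLE_REPORT = """\
==178966==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf4e02883 at pc 0x085d6167 bp 0xffe086d8 sp 0xffe086c8
READ of size 1 at 0xf4e02883 thread T0
    #0 0x85d6166 in d_expression_1 cp-demangle.c:3356
    #1 0x85d4f12 in d_expression_1 cp-demangle.c:3449
    #2 0x85d4f12 in d_expression_1 cp-demangle.c:3449
    #3 0x85d4f12 in d_expression_1 cp-demangle.c:3449
    #4 0x85d4f12 in d_expression_1 cp-demangle.c:3449
    #5 0x85d4f12 in d_expression_1 cp-demangle.c:3449
    #6 0x85d4f12 in d_expression_1 cp-demangle.c:3449
    #7 0x85d4f12 in d_expression_1 cp-demangle.c:3449
    #8 0x85d4f12 in d_expression_1 cp-demangle.c:3449
    #9 0x85c8395 in d_expression cp-demangle.c:3531
    #10 0x85c8395 in d_array_type cp-demangle.c:3011
    #11 0x85c8395 in cplus_demangle_type cp-demangle.c:2463
0xf4e02883 is located 0 bytes to the right of 99-byte region [0xf4e02820,0xf4e02883)
allocated by thread T0 here:
    #0 0xf7239dee in malloc (/usr/lib32/libasan.so.2+0x96dee)
    #1 0x80abadd in bfd_malloc /mnt/data/playground/binutils-2.32-a/bfd/libbfd.c:275
SUMMARY: AddressSanitizer: heap-buffer-overflow cp-demangle.c:3356 d_expression_1
"""

# Regular expressions for the ASan report lines we care about.
ERROR_RE = re.compile(
    r"ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(
    r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-f]+)", re.M)
FRAME_RE = re.compile(
    r"^\s*#(?P<n>\d+) 0x[0-9a-f]+ in (?P<func>\S+) (?P<loc>\S+)", re.M)
REGION_RE = re.compile(
    r"is located (?P<off>\d+) bytes to the (?P<side>left|right) of (?P<size>\d+)-byte region")


def parse_frames(text):
    """Return [(function, location), ...] for every '#N 0x... in f loc' line."""
    return [(m.group("func"), m.group("loc")) for m in FRAME_RE.finditer(text)]


def parse_asan_report(text):
    """Extract error kind, access, faulting stack and allocation site."""
    err = ERROR_RE.search(text)
    acc = ACCESS_RE.search(text)
    if not (err and acc):
        raise ValueError("not an AddressSanitizer error report")
    reg = REGION_RE.search(text)
    # Frames before the "is located" line belong to the faulting access,
    # frames after it to the allocation (or free) site.
    cut = reg.start() if reg else len(text)
    return {
        "kind": err.group("kind"),
        "address": int(err.group("addr"), 16),
        "op": acc.group("op"),
        "size": int(acc.group("size")),
        "frames": parse_frames(text[:cut]),
        "alloc_frames": parse_frames(text[cut:]),
        "region_size": int(reg.group("size")) if reg else None,
        "overflow_offset": int(reg.group("off")) if reg else None,
        "overflow_side": reg.group("side") if reg else None,
    }


def leading_repeat(frames):
    """Count consecutive top-of-stack frames in the same function.

    A long run is the signature of a recursive parser; it tells the triager
    that the fault is reached through repeated self-calls, not a single path.
    """
    count = 0
    for func, _ in frames:
        if func != frames[0][0]:
            break
        count += 1
    return count


def triage(report):
    """One-line human summary of a parsed report."""
    func, loc = report["frames"][0] if report["frames"] else ("?", "?")
    parts = [f"{report['kind']}: {report['op'].lower()} of {report['size']} byte(s)"]
    if report["region_size"] is not None:
        parts.append(f"{report['overflow_offset']} byte(s) to the "
                     f"{report['overflow_side']} of a {report['region_size']}-byte heap region")
    parts.append(f"in {func} at {loc}")
    depth = leading_repeat(report["frames"])
    if depth > 1:
        parts.append(f"{depth} recursive frames of {func}")
    # A write past a heap region can corrupt neighbouring data; a read
    # is a crash or information-disclosure primitive. Note which one it is.
    parts.append("out-of-bounds write" if report["op"] == "WRITE" else "out-of-bounds read")
    return ", ".join(parts)


if __name__ == "__main__":
    print(triage(parse_asan_report(SAMPLE_REPORT)))
```

On the sample this prints a single line naming the heap-buffer-overflow as a 1-byte read 0 bytes past a 99-byte region in d_expression_1 at cp-demangle.c:3356 through 9 recursive frames, which is the information a maintainer needs before opening the demangler source; the same script can be fed a full report captured from a fuzzing run.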