https://sourceware.org/bugzilla/show_bug.cgi?id=24911
Bug ID: 24911
Summary: Heap overflow issue in qsort_r, dwarf.c
Product: binutils
Version: 2.33 (HEAD)
Status: UNCONFIRMED
Severity: critical
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: featherrain26 at gmail dot com
Target Milestone: ---
Created attachment 11951
--> https://sourceware.org/bugzilla/attachment.cgi?id=11951&action=edit
PoC input
Hi, there.
There is a heap overflow issue in dwarf.c.
The environment and flag are:
Distributor ID: Ubuntu
Description: Ubuntu 16.04.6 LTS
Release: 16.04
Codename: xenial
gcc: 5.4.0
CFLAG="-g -O0 -m32 -fsanitize=address,leak,undefined"
The reproduce command is:
readelf -agteSdcWw --dyn-syms -D poc
==109875==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf44009ec
at pc 0x08106241 bp 0xffc13fb8 sp 0xffc13fa8
READ of size 8 at 0xf44009ec thread T0
#0 0x8106240 in comp_addr_base
/mnt/data/playground/binutils-2.32-a/binutils/dwarf.c:6475
#1 0xf6ff2d28 (/lib/i386-linux-gnu/libc.so.6+0x2dd28)
#2 0xf6ff3023 in qsort_r (/lib/i386-linux-gnu/libc.so.6+0x2e023)
#3 0xf6ff30e9 in qsort (/lib/i386-linux-gnu/libc.so.6+0x2e0e9)
#4 0x813c04f in display_debug_addr
/mnt/data/playground/binutils-2.32-a/binutils/dwarf.c:6526
#5 0x80a2f3a in display_debug_section
/mnt/data/playground/binutils-2.32-a/binutils/readelf.c:13945
#6 0x80a2f3a in process_section_contents
/mnt/data/playground/binutils-2.32-a/binutils/readelf.c:14036
#7 0x80fa70d in process_section_contents
/mnt/data/playground/binutils-2.32-a/binutils/readelf.c:19286
#8 0x80fa70d in process_object
/mnt/data/playground/binutils-2.32-a/binutils/readelf.c:19285
#9 0x804ba13 in process_file
/mnt/data/playground/binutils-2.32-a/binutils/readelf.c:19708
#10 0x804ba13 in main
/mnt/data/playground/binutils-2.32-a/binutils/readelf.c:19767
#11 0xf6fdd636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
#12 0x804c6eb
(/mnt/data/playground/binutils-2.32-a/binutils/readelf+0x804c6eb)
0xf44009ec is located 4 bytes to the right of 24-byte region
[0xf44009d0,0xf44009e8)
allocated by thread T0 here:
#0 0xf7211f8e in calloc (/usr/lib32/libasan.so.2+0x96f8e)
#1 0x81a90fe in xcalloc xmalloc.c:162
SUMMARY: AddressSanitizer: heap-buffer-overflow
/mnt/data/playground/binutils-2.32-a/binutils/dwarf.c:6475 comp_addr_base
Shadow bytes around the buggy address:
0x3e8800e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3e8800f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3e880100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3e880110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3e880120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x3e880130: fa fa fa fa fa fa fa fa fa fa 00 00 00[fa]fa fa
0x3e880140: fd fd fd fa fa fa 00 00 00 fa fa fa fd fd fd fa
0x3e880150: fa fa fd fd fd fa fa fa 00 00 00 fa fa fa fd fd
0x3e880160: fd fa fa fa fd fd fd fa fa fa 00 00 00 04 fa fa
0x3e880170: 00 00 00 04 fa fa 00 00 00 fa fa fa 00 00 05 fa
0x3e880180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==109875==ABORTING
--
You are receiving this mail because:
You are on the CC list for the bug.
_______________________________________________
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils
