https://sourceware.org/bugzilla/show_bug.cgi?id=26005
Bug ID: 26005
Summary: [size] crash with ASAN in bfd_section_from_shdr
Product: binutils
Version: 2.35 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: dkcjd2000 at gmail dot com
Target Milestone: ---
Created attachment 12551
--> https://sourceware.org/bugzilla/attachment.cgi?id=12551&action=edit
crash test case
Hello,
I'm currently developing a new fuzzing feature, and I found a crash in size.
I downloaded from git master, and I built it with Ubuntu 16.04 with gcc 5.4.0
with ASAN, and the following command to build size from the source:
CFLAGS="-O1 -fsanitize=address -U_FORTIFY_SOURCE" ./configure; make clean all;
You can reproduce the crash with the following command:
./size <attached file>
The AddressSanitizer message of the crash is:
==7401==ERROR: AddressSanitizer: heap-use-after-free on address 0x621000014124
at pc 0x000000460d42 bp 0x7ffc2483b3d0 sp 0x7ffc2483b3c0
READ of size 4 at 0x621000014124 thread T0
#0 0x460d41 in bfd_section_from_shdr
(/home/cheong/results/crashes/size_crash/size.master_asan+0x460d41)
#1 0x4624a5 in bfd_section_from_shdr
(/home/cheong/results/crashes/size_crash/size.master_asan+0x4624a5)
#2 0x4624a5 in bfd_section_from_shdr
(/home/cheong/results/crashes/size_crash/size.master_asan+0x4624a5)
#3 0x4f8310 in bfd_elf32_object_p
(/home/cheong/results/crashes/size_crash/size.master_asan+0x4f8310)
#4 0x418a29 in bfd_check_format_matches
(/home/cheong/results/crashes/size_crash/size.master_asan+0x418a29)
#5 0x403989 in display_bfd
(/home/cheong/results/crashes/size_crash/size.master_asan+0x403989)
#6 0x403c11 in display_file
(/home/cheong/results/crashes/size_crash/size.master_asan+0x403c11)
#7 0x4040ed in main
(/home/cheong/results/crashes/size_crash/size.master_asan+0x4040ed)
#8 0x7fd86d9ff82f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#9 0x402bc8 in _start
(/home/cheong/results/crashes/size_crash/size.master_asan+0x402bc8)
0x621000014124 is located 36 bytes inside of 4064-byte region
[0x621000014100,0x6210000150e0)
freed by thread T0 here:
#0 0x7fd86e0452ca in __interceptor_free
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
#1 0x5ae662 in objalloc_free_block
(/home/cheong/results/crashes/size_crash/size.master_asan+0x5ae662)
previously allocated by thread T0 here:
#0 0x7fd86e045602 in malloc
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x5ae3d8 in _objalloc_alloc
(/home/cheong/results/crashes/size_crash/size.master_asan+0x5ae3d8)
SUMMARY: AddressSanitizer: heap-use-after-free ??:0 bfd_section_from_shdr
Shadow bytes around the buggy address:
0x0c427fffa7d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffa7e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffa7f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffa800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffa810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c427fffa820: fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd
0x0c427fffa830: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c427fffa840: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c427fffa850: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c427fffa860: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c427fffa870: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==7401==ABORTING
--
You are receiving this mail because:
You are on the CC list for the bug.
