https://sourceware.org/bugzilla/show_bug.cgi?id=26111
Bug ID: 26111
Summary: Attempting free on address which was not malloc()
Product: binutils
Version: 2.34
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: 15664243668 at 163 dot com
Target Milestone: 2.34

Created attachment 12616
--> https://sourceware.org/bugzilla/attachment.cgi?id=12616&action=edit
PoC

I have found a bug, an attempt to free an address which was not malloc()-ed, in function _bfd_coff_free_symbols by fuzzing; it is located in binutils-2.34/bfd/coffgen.c:1782.

This bug is triggered as

$ objdump -d PoC

We compile GNU Binutils-2.34 with AddressSanitizer in 32-bit mode on Ubuntu 16.04. The information is printed as:

./id:000047,sig:06,src:001766,op:havoc,rep:4:     file format pei-i386

Disassembly of section .text:

00000000 <.text>:
   0:   ff 25 00 00 00 00       jmp    *0x0
   6:   90                      nop
   7:   90                      nop

=================================================================
==20459==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0xf3803b60 in thread T0
    #0 0xf7275a84 in free (/usr/lib32/libasan.so.2+0x96a84)
    #1 0x867669f in _bfd_coff_free_symbols /home/ubuntu/yuetai/asan_programs/binutils-2.34/bfd/coffgen.c:1782
    #2 0x867669f in _bfd_coff_close_and_cleanup /home/ubuntu/yuetai/asan_programs/binutils-2.34/bfd/coffgen.c:3180
    #3 0x82b5784 in bfd_close_all_done /home/ubuntu/yuetai/asan_programs/binutils-2.34/bfd/opncls.c:789
    #4 0x8059628 in display_file objdump.c:5016
    #5 0x8059628 in main objdump.c:5349
    #6 0xf703e636 in __libc_start_main (/lib32/libc.so.6+0x18636)
    #7 0x805ced5 (/home/ubuntu/yuetai/asan_target/binutils-2-34/objdump+0x805ced5)

0xf3803b60 is located 736 bytes inside of 1745-byte region [0xf3803880,0xf3803f51)
allocated by thread T0 here:
    #0 0xf7275f8e in calloc (/usr/lib32/libasan.so.2+0x96f8e)
    #1 0x82a60ae in bfd_malloc /home/ubuntu/yuetai/asan_programs/binutils-2.34/bfd/libbfd.c:275
    #2 0x82a60ae in bfd_zmalloc /home/ubuntu/yuetai/asan_programs/binutils-2.34/bfd/libbfd.c:360
    #3 0x893dd8b (/home/ubuntu/yuetai/asan_target/binutils-2-34/objdump+0x893dd8b)

SUMMARY: AddressSanitizer: bad-free ??:0 free
==20459==ABORTING
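The bug class this report's sanitizer output describes, as an added illustration that is not binutils code and makes no claim about the actual cause at coffgen.c:1782: a pointer that lands inside a larger calloc()'d block is handed to free(), and an ownership flag is the usual guard against it. The struct and function names (symtab, symtab_borrow, symtab_alloc, symtab_free, demo) are hypothetical, and the sizes are constructed from the figures in the report.

```c
/* Added illustration, not binutils code: the bad-free class ASan reported
 * above (free() on a pointer inside a larger calloc()'d block) and the
 * ownership flag that avoids it.  All names here are hypothetical. */
#include <stdlib.h>

/* Owns its heap block or borrows a slice of a larger buffer; the flag records which. */
struct symtab {
    void *syms;       /* symbol storage, owned or borrowed */
    int   syms_owned; /* 1 only if syms came from its own malloc() */
};

/* Borrow: point into a larger buffer, like the calloc()'d region above. */
void symtab_borrow(struct symtab *st, void *buf, size_t offset) {
    st->syms = (char *)buf + offset;
    st->syms_owned = 0;
}

/* Own: give the table its own allocation.  Returns 1 on success. */
int symtab_alloc(struct symtab *st, size_t n) {
    st->syms = malloc(n);
    st->syms_owned = (st->syms != NULL);
    return st->syms_owned;
}

/* Release only what the table owns.  Returns 1 if free() ran, 0 if just the
 * reference was dropped.  An unconditional free(st->syms) on a borrowed
 * table is the interior-pointer free that ASan flags as a bad-free. */
int symtab_free(struct symtab *st) {
    int freed = 0;
    if (st->syms != NULL && st->syms_owned) {
        free(st->syms);
        freed = 1;
    }
    st->syms = NULL;
    st->syms_owned = 0;
    return freed;
}

/* Exercise both paths with sizes constructed from the report (1745-byte
 * region, pointer 736 bytes inside).  Returns 1 if the borrowed table was
 * left alone and the owned table was freed. */
int demo(void) {
    struct symtab a, b;
    char *file = calloc(1745, 1);
    if (file == NULL) return 0;
    symtab_borrow(&a, file, 736);
    int borrowed_freed = symtab_free(&a);
    free(file);                          /* true owner releases the block */
    if (!symtab_alloc(&b, 64)) return 0;
    int owned_freed = symtab_free(&b);
    return borrowed_freed == 0 && owned_freed == 1;
}
```

Building this with -fsanitize=address and replacing the check in symtab_free with an unconditional free() reproduces the "attempting free on address which was not malloc()-ed" report shown above, with the same "N bytes inside of M-byte region" note.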