https://sourceware.org/bugzilla/show_bug.cgi?id=27759
            Bug ID: 27759
           Summary: heap-buffer-overflow in srec_read_section
           Product: binutils
           Version: 2.36.1
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: rubycccccccccc at gmail dot com
  Target Milestone: ---

Created attachment 13391
  --> https://sourceware.org/bugzilla/attachment.cgi?id=13391&action=edit
The file that reproduces this problem

OS       : ubuntu 20.04.2
kernel   : gnu/linux 5.8.0-48-generic
CPU      : Intel(R) Core(TM) i7-10700 CPU @ 2.90GHz
compiler : gcc version 9.3.0

Steps to Reproduce :
  download the sample from the attachment
  ~/target/binutils-2.36.1-asan/binutils/objcopy -O tekhex ./sample01

ASan trace:

/home/ruby/target/binutils-2.36.1-asan/binutils/objcopy: BFD (GNU Binutils) 2.36.1 assertion fail srec.c:736
=================================================================
==1714453==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6040000000f8 at pc 0x55e4b9f21206 bp 0x7ffdda381c70 sp 0x7ffdda381c60
READ of size 1 at 0x6040000000f8 thread T0
    #0 0x55e4b9f21205 in srec_read_section /home/ruby/target/binutils-2.36.1-asan/bfd/srec.c:796
    #1 0x55e4b9f21205 in srec_get_section_contents /home/ruby/target/binutils-2.36.1-asan/bfd/srec.c:843
    #2 0x55e4b9f21205 in srec_get_section_contents /home/ruby/target/binutils-2.36.1-asan/bfd/srec.c:821
    #3 0x55e4b9ed02d6 in bfd_get_full_section_contents /home/ruby/target/binutils-2.36.1-asan/bfd/compress.c:288
    #4 0x55e4b9e1d8c3 in copy_section /home/ruby/target/binutils-2.36.1-asan/binutils/objcopy.c:4409
    #5 0x55e4b9effc9e in bfd_map_over_sections /home/ruby/target/binutils-2.36.1-asan/bfd/section.c:1382
    #6 0x55e4b9e28a3e in copy_object /home/ruby/target/binutils-2.36.1-asan/binutils/objcopy.c:3303
    #7 0x55e4b9e3303a in copy_file /home/ruby/target/binutils-2.36.1-asan/binutils/objcopy.c:3877
    #8 0x55e4b9e0e79a in copy_main /home/ruby/target/binutils-2.36.1-asan/binutils/objcopy.c:5930
    #9 0x55e4b9e0e79a in main /home/ruby/target/binutils-2.36.1-asan/binutils/objcopy.c:6057
    #10 0x7fd915d4f0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #11 0x55e4b9e1489d in _start (/home/ruby/target/binutils-2.36.1-asan/binutils/objcopy+0xb689d)

0x6040000000f8 is located 0 bytes to the right of 40-byte region [0x6040000000d0,0x6040000000f8)
allocated by thread T0 here:
    #0 0x7fd91602dbc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
    #1 0x55e4b9ee6dcd in bfd_malloc /home/ruby/target/binutils-2.36.1-asan/bfd/libbfd.c:275

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ruby/target/binutils-2.36.1-asan/bfd/srec.c:796 in srec_read_section
Shadow bytes around the buggy address: [7/36]
  0x0c087fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c087fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c087fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c087fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c087fff8000: fa fa 00 00 00 00 01 fa fa fa fd fd fd fd fd fa
=>0x0c087fff8010: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00[fa]
  0x0c087fff8020: fa fa 00 00 00 00 00 03 fa fa 00 00 00 00 00 fa
  0x0c087fff8030: fa fa 00 00 00 00 00 06 fa fa fd fd fd fd fd fa
  0x0c087fff8040: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 00
  0x0c087fff8050: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 05
  0x0c087fff8060: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1714453==ABORTING

It also causes the error at HEAD c5df7e44

  ~/binutils-gdb-new/binutils/objcopy -O tekhex ./sample01
  /home/ruby/target/binutils-gdb-new-asan/binutils/objcopy: BFD (GNU Binutils) 2.36.50.20210420 assertion fail srec.c:736
  [1]    1222672 segmentation fault  ~/target/binutils-gdb-new/binutils/objcopy -O tekhex ./sample01