https://sourceware.org/bugzilla/show_bug.cgi?id=28736
Bug ID: 28736
Summary: Heap-buffer-overflow in ada_demangle function with nm-new
Product: binutils
Version: 2.38 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: duzhengjie100 at gmail dot com
Target Milestone: ---

Created attachment 13887
  --> https://sourceware.org/bugzilla/attachment.cgi?id=13887&action=edit
the poc file which can trigger this bug

Hi, we found a heap-buffer-overflow in the ada_demangle function with nm-new. To reproduce it, we have attached the poc file.

ENV:
Ubuntu 20.04.2 LTS
clang version 12.0.0

COMPILE CMD:
CC=clang CFLAGS="-g -fsanitize=address -fPIE" LDFLAGAS=" -fsanitize=address -fPIE" ./configure

EXE CMD:
./binutils/nm-new --demangle=gnat poc_file

ASAN OUTPUT:
=================================================================
==21131==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000177 at pc 0x000000482df8 bp 0x7ffc767d9cf0 sp 0x7ffc767d94b0
WRITE of size 8 at 0x603000000177 thread T0
    #0 0x482df7 in strcpy (/src/projects/binutils-2.37/test/build/binutils/nm-new+0x482df7)
    #1 0x85c490 in ada_demangle /src/projects/binutils-2.37/test/build/libiberty/./cplus-dem.c:338:11
    #2 0x85b095 in cplus_demangle /src/projects/binutils-2.37/test/build/libiberty/./cplus-dem.c:187:12
    #3 0x4ed717 in bfd_demangle /src/projects/binutils-2.37/test/build/bfd/bfd.c:2428:9
    #4 0x4cc0ba in print_symname /src/projects/binutils-2.37/test/build/binutils/nm.c:694:15
    #5 0x4cad43 in print_symbol_info_bsd /src/projects/binutils-2.37/test/build/binutils/nm.c:1944:3
    #6 0x4d2d15 in print_symbol /src/projects/binutils-2.37/test/build/binutils/nm.c:1212:3
    #7 0x4d08db in print_symbols /src/projects/binutils-2.37/test/build/binutils/nm.c:1396:7
    #8 0x4cf02e in display_rel_file /src/projects/binutils-2.37/test/build/binutils/nm.c:1523:5
    #9 0x4ca3b2 in display_file /src/projects/binutils-2.37/test/build/binutils/nm.c:1690:7
    #10 0x4c9798 in main /src/projects/binutils-2.37/test/build/binutils/nm.c:2227:12
    #11 0x7f64b8f280b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #12 0x41c50d in _start (/src/projects/binutils-2.37/test/build/binutils/nm-new+0x41c50d)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/src/projects/binutils-2.37/test/build/binutils/nm-new+0x482df7) in strcpy
Shadow bytes around the buggy address:
  0x0c067fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff8000: fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa fd fd
  0x0c067fff8010: fd fa fa fa fd fd fd fa fa fa 00 00 00 fa fa fa
=>0x0c067fff8020: fd fd fd fa fa fa fd fd fd fa fa fa 00 00[07]fa
  0x0c067fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==21131==ABORTING

-- 
You are receiving this mail because:
You are on the CC list for the bug.
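The report above gives everything needed to place the overflow precisely without opening the source: the faulting address, the access size, and the shadow byte at that address. As an added triage example (not part of the bug report and not binutils code), the script below parses those pieces out of the ASan text quoted above and reads the shadow byte back into a statement about the allocation. It assumes x86_64 Linux with ASan's default shadow mapping, shadow = (addr >> 3) + 0x7fff8000; the sample report embedded in it is a constructed, abridged copy of the one in this bug.

```python
import re

# Constructed sample: the lines of the ASan report quoted in this bug report that
# triage needs (error header, access line, top frames, shadow rows near the
# faulting address). Abridged from the report above, not the full output.
REPORT = """\
==21131==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000177 at pc 0x000000482df8 bp 0x7ffc767d9cf0 sp 0x7ffc767d94b0
WRITE of size 8 at 0x603000000177 thread T0
    #0 0x482df7 in strcpy (/src/projects/binutils-2.37/test/build/binutils/nm-new+0x482df7)
    #1 0x85c490 in ada_demangle /src/projects/binutils-2.37/test/build/libiberty/./cplus-dem.c:338:11
    #2 0x85b095 in cplus_demangle /src/projects/binutils-2.37/test/build/libiberty/./cplus-dem.c:187:12
    #3 0x4ed717 in bfd_demangle /src/projects/binutils-2.37/test/build/bfd/bfd.c:2428:9
Shadow bytes around the buggy address:
  0x0c067fff8010: fd fa fa fa fd fd fd fa fa fa 00 00 00 fa fa fa
=>0x0c067fff8020: fd fd fd fa fa fa fd fd fd fa fa fa 00 00[07]fa
  0x0c067fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
"""

# Assumed platform: x86_64 Linux with ASan's default shadow mapping,
# shadow = (addr >> 3) + 0x7fff8000. One shadow byte covers 8 application bytes.
SHADOW_OFFSET = 0x7FFF8000
SHADOW_SCALE = 3
GRANULE = 1 << SHADOW_SCALE

SHADOW_NAMES = {0x00: "addressable", 0xfa: "heap left redzone",
                0xfd: "freed heap region", 0xf9: "global redzone"}

def shadow_addr(addr):
    """Application address -> address of its shadow byte."""
    return (addr >> SHADOW_SCALE) + SHADOW_OFFSET

def describe_shadow(sb):
    """Human-readable meaning of one shadow byte (subset of ASan's legend)."""
    if 1 <= sb < GRANULE:
        return "partially addressable (%d of %d bytes)" % (sb, GRANULE)
    return SHADOW_NAMES.get(sb, "other (0x%02x)" % sb)

def parse_shadow_rows(text):
    """Map shadow address -> shadow byte for every row of the shadow dump."""
    rows = {}
    for m in re.finditer(r"^(?:=>)?\s*0x([0-9a-f]+):\s*(.+)$", text, re.M):
        base = int(m.group(1), 16)
        for i, v in enumerate(re.findall(r"[0-9a-f]{2}", m.group(2))):
            rows[base + i] = int(v, 16)
    return rows

def first_source_frame(text):
    """(function, file:line:col) of the first frame that carries source info,
    skipping interceptor frames such as strcpy that only show a binary offset."""
    for func, loc in re.findall(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+) (\S+)", text, re.M):
        if re.search(r":\d+(?::\d+)?$", loc):
            return func, loc
    return None

def analyse(text):
    """Pull error kind, access, faulting address and the shadow byte's meaning
    out of an ASan report; for a partially addressable granule, compute where the
    allocation ends and how many bytes of the access fall past it."""
    hdr = re.search(r"AddressSanitizer: ([\w-]+) on address 0x([0-9a-f]+)", text)
    acc = re.search(r"^(READ|WRITE) of size (\d+)", text, re.M)
    addr = int(hdr.group(2), 16)        # ASan reports the first poisoned byte
    size = int(acc.group(2))
    sb = parse_shadow_rows(text).get(shadow_addr(addr))
    result = {"kind": hdr.group(1), "access": acc.group(1), "size": size,
              "addr": addr, "shadow_byte": sb,
              "shadow_meaning": describe_shadow(sb) if sb is not None else None,
              "alloc_end": None, "overrun": None,
              "frame": first_source_frame(text)}
    if sb is not None and 1 <= sb < GRANULE:
        # Only the first `sb` bytes of this 8-byte granule belong to the
        # allocation, so it ends at granule_start + sb.
        alloc_end = (addr & ~(GRANULE - 1)) + sb
        result["alloc_end"] = alloc_end
        # Bytes of this access that land beyond the end of the allocation.
        result["overrun"] = addr + size - alloc_end
    return result

if __name__ == "__main__":
    r = analyse(REPORT)
    print("%s: %s of %d bytes at 0x%x" % (r["kind"], r["access"], r["size"], r["addr"]))
    print("shadow byte 0x%02x = %s" % (r["shadow_byte"], r["shadow_meaning"]))
    if r["alloc_end"] is not None:
        print("allocation ends at 0x%x; %d byte(s) written past it"
              % (r["alloc_end"], r["overrun"]))
    print("first frame with source info: %s at %s" % r["frame"])
```

For this report the shadow byte at 0x0c067fff802e is 07, so the granule starting at 0x603000000170 holds the last seven bytes of the allocation and 0x603000000177 is the first byte past its end: the 8-byte strcpy write begins exactly at the end of the destination buffer, and the first frame with source information is ada_demangle at cplus-dem.c:338, which is where to start reading.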