[Bug binutils/29890] New: Out of bound read at `case DST__K_SRC_SETREC_W` handler in function `parse_module`

Sun, 11 Dec 2022 19:44:01 -0800 

https://sourceware.org/bugzilla/show_bug.cgi?id=29890

            Bug ID: 29890
           Summary: Out of bound read at `case DST__K_SRC_SETREC_W`
                    handler in function `parse_module`
           Product: binutils
           Version: 2.40 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: r3tr0spect2019 at gmail dot com
  Target Milestone: ---

Created attachment 14511
  --> https://sourceware.org/bugzilla/attachment.cgi?id=14511&action=edit
PoC

# Reproduce

```bash
cd binutils-gdb
git reset --hard f2f58a399cf3f946983398cdfe52d0eaa72bf877
mkdir build && cd build
../configure --disable-gdb --disable-gdbserver --disable-gdbsupport
--disable-libdecnumber --disable-readline --disable-sim --disable-libbacktrace
--disable-gas --disable-ld --disable-werror --enable-targets=all
CPPFLAGS=-DDEBUG CFLAGS="-g -O0 -fsanitize=address"
make all-binutils MAKEINFO=true && true
binutils/addr2line -e poc.bin 0
```

# Output

```
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 52
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 192
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 66
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 255
binutils/addr2line: unknown source command 255
binutils/addr2line: unknown source command 255
binutils/addr2line: unknown source command 255
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
=================================================================
==181531==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x61a000000b81 at pc 0x55c21968bc4e bp 0x7ffe6ee52570 sp 0x7ffe6ee52560
READ of size 1 at 0x61a000000b81 thread T0
    #0 0x55c21968bc4d in bfd_getl16 ../../bfd/libbfd.c:633
    #1 0x55c219c4bda0 in parse_module ../../bfd/vms-alpha.c:4549
    #2 0x55c219c4cfad in module_find_nearest_line ../../bfd/vms-alpha.c:4902
    #3 0x55c219c4d911 in _bfd_vms_find_nearest_line ../../bfd/vms-alpha.c:4982
    #4 0x55c219679b1e in find_address_in_section ../../binutils/addr2line.c:197
    #5 0x55c219694f43 in bfd_map_over_sections ../../bfd/section.c:1366
    #6 0x55c21967a8eb in translate_addresses ../../binutils/addr2line.c:337
    #7 0x55c21967afbc in process_file ../../binutils/addr2line.c:470
    #8 0x55c21967b5b1 in main ../../binutils/addr2line.c:579
    #9 0x7fce40321d8f in __libc_start_call_main
../sysdeps/nptl/libc_start_call_main.h:58
    #10 0x7fce40321e3f in __libc_start_main_impl ../csu/libc-start.c:392
    #11 0x55c219679244 in _start
(/binutils-gdb/build/binutils/addr2line+0x343244)

0x61a000000b81 is located 1 bytes to the right of 1280-byte region
[0x61a000000680,0x61a000000b80)
allocated by thread T0 here:
    #0 0x7fce405d4867 in __interceptor_malloc
../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x55c21968b8d5 in bfd_malloc ../../bfd/libbfd.c:289
    #2 0x55c219c3613a in _bfd_malloc_and_read ../../bfd/libbfd.h:970
    #3 0x55c219c4cf77 in module_find_nearest_line ../../bfd/vms-alpha.c:4896
    #4 0x55c219c4d911 in _bfd_vms_find_nearest_line ../../bfd/vms-alpha.c:4982
    #5 0x55c219679b1e in find_address_in_section ../../binutils/addr2line.c:197
    #6 0x55c219694f43 in bfd_map_over_sections ../../bfd/section.c:1366
    #7 0x55c21967a8eb in translate_addresses ../../binutils/addr2line.c:337
    #8 0x55c21967afbc in process_file ../../binutils/addr2line.c:470
    #9 0x55c21967b5b1 in main ../../binutils/addr2line.c:579
    #10 0x7fce40321d8f in __libc_start_call_main
../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: heap-buffer-overflow ../../bfd/libbfd.c:633 in
bfd_getl16
Shadow bytes around the buggy address:
  0x0c347fff8120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff8130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff8140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff8150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff8160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c347fff8170:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fff8180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fff8190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fff81a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fff81b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fff81c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==181531==ABORTING
Aborted (core dumped)
```

# Analysis

`src_ptr + DST_S_W_SRC_UNSWORD` is accessed without bound check.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

Reply via email to