https://sourceware.org/bugzilla/show_bug.cgi?id=29925
Bug ID: 29925
Summary: Memory leak in nm-new
Product: binutils
Version: 2.39
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: pdeng21 at m dot fudan.edu.cn
Target Milestone: ---

Created attachment 14534
--> https://sourceware.org/bugzilla/attachment.cgi?id=14534&action=edit
PoC to replay the vulnerability

#Summary

There is a memory leak in nm-new, which can be triggered by a crafted ELF file.

#Verification

git clone git://sourceware.org/git/binutils-gdb.git
CC="clang -fsanitize=address" CXX="clang++ -fsanitize=address" ./configure --disable-shared && make -j$(nproc)
./binutils/nm-new -A -a -l -S -s --special-syms --synthetic --with-symbol-versions -D poc

#ASAN

poc:0000000000001948 t
./binutils/nm-new: BFD (GNU Binutils) 2.39.50.20221221 assertion fail ./dwarf2.c:5044
poc:0000000000000000 0000000000000064 d __afl_area_ptr
./binutils/nm-new: DWARF error: offset (4278190080) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (25115) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (1612316672) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (472973653) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (8192596) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (72417564) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (4278190080) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (16973824) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (355469056) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: could not find abbrev number 126975
./binutils/nm-new: DWARF error: could not find variable specification at offset 0x113
./binutils/nm-new: DWARF error: could not find abbrev number 991
./binutils/nm-new: DWARF error: could not find variable specification at offset 0x114
./binutils/nm-new: DWARF error: offset (25115) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (1612316672) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (472973653) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (8192596) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (72417564) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (4278190080) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (25115) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (1612316672) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (472973653) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (8192596) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (72417564) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (4278190080) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (16973824) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (355469056) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: could not find abbrev number 126975
./binutils/nm-new: DWARF error: could not find variable specification at offset 0x113
./binutils/nm-new: DWARF error: could not find abbrev number 991
./binutils/nm-new: DWARF error: could not find variable specification at offset 0x114
./binutils/nm-new: DWARF error: offset (25115) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (1612316672) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (472973653) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (8192596) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (72417564) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (4278190080) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (25115) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (1612316672) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (472973653) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (8192596) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (72417564) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (4278190080) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (16973824) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (355469056) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: could not find abbrev number 126975
./binutils/nm-new: DWARF error: could not find variable specification at offset 0x113
./binutils/nm-new: DWARF error: could not find abbrev number 991
./binutils/nm-new: DWARF error: could not find variable specification at offset 0x114
./binutils/nm-new: DWARF error: offset (25115) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (1612316672) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (472973653) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (8192596) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (72417564) greater than or equal to .debug_str size (1224)
poc:0000000000001c2e t __afl_die
poc:0000000000000010 0000000000000004 d __afl_fork_pid
poc:0000000000001b49 t __afl_fork_resume
poc:0000000000001a8b t __afl_forkserver
poc:0000000000001ab1 0000000000000064 t __afl_fork_wait_loop
poc:0000000000000008 0000000000000008 C __afl_global_area_ptr
poc:0000000000001920 t __afl_maybe_log
poc:e900000000000008 0000000000000007 d __afl_prev_loc
poc:0000000000001950 t __afl_setup
poc:0000000000000018 0000000000000001 d __afl_setup_failure
poc:0000000000001971 t __afl_setup_first
poc:0000000000001d07 t .AFL_SHM_ENV
poc:0000000000001930 t __afl_store
poc:0000000000000014 0000000000000004 d __afl_temp
poc:0000000000001d07 t .AFL_VARS
poc: U atoi
poc:0000000000001750 00000000000001c9 T CatPath
poc: U close
poc:0000000000000000 d .data
poc:0000000000000000 N .debug_abbrev st_rdev/paths.c:25
poc:0000000000000000 N .debug_aranges st_rdev/paths.c:25
poc:0000000000000000 N .debug_info st_rdev/paths.c:25
poc:0000000000000000 N .debug_info
poc:0000000000000000 N .debug_info
poc:0000000000000000 N .debug_line st_rdev/paths.c:25
poc:0000000000000000 N .debug_str st_rdev/paths.c:25
poc:0000000000000000 0000000000001741 T EnsurePathExists st_rdev/paths.c:25
poc: U etenv
poc: U _exit
poc: U __fprintf_chk
poc: U getenv
poc: U _GLOBAL_OFFSET_TABLE_
poc:0000000000000000 b .gnu.linkonce.wi..8 st_rdev/paths.c:36
poc:0000000000001c36 t I~afl_setup_abort
poc: U intf_chk
poc:0000000000000000 r linkonce.wi..8
poc:0000000000000080 t linkonce.wi..8
poc: U mkdi�
poc:0000000000000000 n .note.GNU-stack st_rdev/paths.c:25
poc:0000000000000000 a paths.c
poc:0000000000000000 A read
poc:0000000000000000 N .rela.debug_aranges st_rdev/paths.c:25
poc:0000000000000000 a .rela.debug_line
poc: U __stack_chk_fail
poc: U stderr
poc: U __stpcpy_chk
poc: U strcat
poc: U strcpy
poc: U strlen
poc:0000000000000000 t .text st_rdev/paths.c:25
poc: U waitpid
poc: U write
poc: U __xstat

=================================================================
==40988==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 63 byte(s) in 3 object(s) allocated from:
    #0 0x493fed in malloc (/binutils-gdb/binutils/nm-new+0x493fed)
    #1 0x4e3683 in bfd_malloc /binutils-gdb/bfd/libbfd.c:289:9
    #2 0x5f7141 in comp_unit_find_line /binutils-gdb/bfd/./dwarf2.c:4733:8

SUMMARY: AddressSanitizer: 63 byte(s) leaked in 3 allocation(s).

#Environment

Ubuntu 18.04
clang 10.0.0

-- 
You are receiving this mail because:
You are on the CC list for the bug.