https://sourceware.org/bugzilla/show_bug.cgi?id=30361
Bug ID: 30361
Summary: [Objdump] heap-buffer-overflow at byte_get_little_endian
Product: binutils
Version: unspecified
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: ziqiaokong at gmail dot com
Target Milestone: ---

Created attachment 14831
  --> https://sourceware.org/bugzilla/attachment.cgi?id=14831&action=edit
Full logs and object file

Git commit hash: 93c6e8c3c14bf81020ca7571fe752250a34f5bc9

Steps to reproduce:

```
export CC=afl-clang-fast
export CXX=afl-clang-fast++
export AFL_USE_ASAN=1
export CFLAGS="-latomic --ld-path=/usr/bin/ld.lld-14"
export CFLAGS_FOR_TARGETS="-latomic --ld-path=/usr/bin/ld.lld-14"
export CXXFLAGS="-latomic --ld-path=/usr/bin/ld.lld-14"
./configure
make -j
./binutils/objdump -g /path/to/obj
```

Note that this doesn't have to be reproduced with AFL++, but gdbserver fails to build when just specifying `CFLAGS=-fsanitize=address`, due to `-Wl,--no-undefined`, which `afl-clang-fast++` handles automatically and makes things easy.
ASAN logs:

```
<some objdump logs...>
/out/asan_noins/objdump: Error: read LEB value is too large to store in destination variable
=================================================================
==5088==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61a00000007c at pc 0x5567712adfb1 bp 0x7ffd1eaff740 sp 0x7ffd1eaff738
READ of size 1 at 0x61a00000007c thread T0
    #0 0x5567712adfb0 in byte_get_little_endian /binutils/binutils/elfcomm.c:118:26
    #1 0x55677126db03 in fetch_indexed_string /binutils/binutils/./dwarf.c:683:16
    #2 0x5567712553ef in display_debug_macro /binutils/binutils/./dwarf.c:6317:3
    #3 0x556771228c90 in dump_dwarf_section /binutils/binutils/./objdump.c:4425:6
    #4 0x556771349c5b in bfd_map_over_sections /binutils/bfd/section.c:1366:5
    #5 0x556771227b4c in dump_dwarf /binutils/binutils/./objdump.c:4463:3
    #6 0x556771226708 in dump_bfd /binutils/binutils/./objdump.c:5707:4
    #7 0x5567712238dd in display_object_bfd /binutils/binutils/./objdump.c
    #8 0x5567712238dd in display_any_bfd /binutils/binutils/./objdump.c:5831:5
    #9 0x556771221f03 in display_file /binutils/binutils/./objdump.c:5852:3
    #10 0x556771221f03 in main /binutils/binutils/./objdump.c:6263:6
    #11 0x7fbd3fc44d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #12 0x7fbd3fc44e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #13 0x556771162654 in _start (/out/asan_noins/objdump+0x1d1654) (BuildId: 813539ae82b68bf436716e5400b37ebb3ab40c5e)

0x61a00000007c is located 4 bytes to the left of 1385-byte region [0x61a000000080,0x61a0000005e9)
allocated by thread T0 here:
    #0 0x5567711e549e in __interceptor_malloc (/out/asan_noins/objdump+0x25449e) (BuildId: 813539ae82b68bf436716e5400b37ebb3ab40c5e)
    #1 0x55677156de88 in xmalloc /binutils/libiberty/./xmalloc.c:149:12
    #2 0x55677123b92f in load_separate_debug_files /binutils/binutils/./dwarf.c:12037:7
    #3 0x5567712238dd in display_object_bfd /binutils/binutils/./objdump.c
    #4 0x5567712238dd in display_any_bfd /binutils/binutils/./objdump.c:5831:5
    #5 0x556771221f03 in display_file /binutils/binutils/./objdump.c:5852:3
    #6 0x556771221f03 in main /binutils/binutils/./objdump.c:6263:6
    #7 0x7fbd3fc44d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /binutils/binutils/elfcomm.c:118:26 in byte_get_little_endian
Shadow bytes around the buggy address:
  0x0c347fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c347fff8000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
  0x0c347fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff8020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff8030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff8040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==5088==ABORTING
```

See attached for the full logs.
System environment:

```
[afl++ c338ba581e56] / # clang --version
Ubuntu clang version 14.0.6
Target: x86_64-pc-linux-gnu
Thread model: posix
InstalledDir: /usr/bin
[afl++ c338ba581e56] / # clang++ --version
Ubuntu clang version 14.0.6
Target: x86_64-pc-linux-gnu
Thread model: posix
InstalledDir: /usr/bin
[afl++ c338ba581e56] / # ld.lld-14 --version
Ubuntu LLD 14.0.6 (compatible with GNU linkers)
[afl++ c338ba581e56] / # uname -a
Linux c338ba581e56 5.4.0-146-generic #163-Ubuntu SMP Fri Mar 17 18:26:02 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
[afl++ c338ba581e56] / #
```

-- 
You are receiving this mail because:
You are on the CC list for the bug.
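The ASan trace above records a 1-byte read 4 bytes before the start of a heap region, reached from the .debug_macro dumper through fetch_indexed_string and byte_get_little_endian. As an added illustration of the class of defect such a report points at (this is not binutils code, and it is not an analysis of the attached object file), the following C sketch resolves a DW_FORM_strx-style string index the way a hardened reader should: the index into the string-offsets table and the offset it yields are both checked against section bounds before any byte is dereferenced, so an out-of-range or wrapped index is rejected instead of turning into a pointer just outside the table. The section bytes, the 4-byte offset size and all function names are constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample sections (not taken from the attached object file).
   .debug_str_offsets: four 4-byte little-endian offsets into .debug_str. */
static const unsigned char sample_str_offsets[] = {
    0x00, 0x00, 0x00, 0x00,   /* [0] -> "FOO 1"                       */
    0x06, 0x00, 0x00, 0x00,   /* [1] -> "BAR(x) x+1"                  */
    0xff, 0xff, 0xff, 0x7f,   /* [2] -> far beyond .debug_str (bad)   */
    0x11, 0x00, 0x00, 0x00,   /* [3] -> "TRUNC", which has no NUL     */
};

/* .debug_str: NUL-separated strings.  The implicit trailing NUL of the
   literal is excluded from the section length so "TRUNC" is unterminated. */
static const unsigned char sample_debug_str[] = "FOO 1\0BAR(x) x+1\0TRUNC";
#define SAMPLE_DEBUG_STR_LEN (sizeof sample_debug_str - 1)

/* Little-endian fetch of n bytes.  Like a raw byte getter it knows nothing
   about buffer bounds; the caller must establish them first. */
static uint64_t get_le(const unsigned char *p, unsigned n)
{
    uint64_t v = 0;
    for (unsigned i = 0; i < n; i++)
        v |= (uint64_t)p[i] << (8 * i);
    return v;
}

/* Resolve index -> offset -> string, validating every step.  Returns the
   string, or NULL with *reason set to the check that failed. */
static const char *
fetch_indexed_string_checked(const unsigned char *str_offsets, size_t str_offsets_len,
                             unsigned entry_size,
                             const unsigned char *debug_str, size_t debug_str_len,
                             uint64_t index, const char **reason)
{
    *reason = NULL;
    if (entry_size != 4 && entry_size != 8) {
        *reason = "bad offset size";
        return NULL;
    }
    /* Compare against len / entry_size rather than computing index * entry_size:
       the product cannot wrap, and a huge (effectively negative) index is
       refused here instead of producing an address before the table, which is
       what a read "N bytes to the left of" an allocation looks like under ASan. */
    if (index >= str_offsets_len / entry_size) {
        *reason = "index outside .debug_str_offsets";
        return NULL;
    }
    uint64_t off = get_le(str_offsets + index * entry_size, entry_size);
    if (off >= debug_str_len) {
        *reason = "offset outside .debug_str";
        return NULL;
    }
    /* The string must end inside the section; memchr is bounded by what is left. */
    if (memchr(debug_str + off, '\0', debug_str_len - off) == NULL) {
        *reason = "unterminated string";
        return NULL;
    }
    return (const char *)debug_str + off;
}

/* Demo wrapper over the constructed sections. */
static const char *lookup_sample(uint64_t index, const char **reason)
{
    return fetch_indexed_string_checked(sample_str_offsets, sizeof sample_str_offsets, 4,
                                        sample_debug_str, SAMPLE_DEBUG_STR_LEN,
                                        index, reason);
}

int main(void)
{
    const uint64_t probes[] = { 0, 1, 2, 3, 4, UINT64_MAX };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        const char *why;
        const char *s = lookup_sample(probes[i], &why);
        if (s)
            printf("index %llu -> \"%s\"\n", (unsigned long long)probes[i], s);
        else
            printf("index %llu -> rejected: %s\n", (unsigned long long)probes[i], why);
    }
    return 0;
}
```

Indices 0 and 1 resolve; 2 is refused because the stored offset points past .debug_str, 3 because the string runs off the end of the section, and 4 and UINT64_MAX because they lie outside the offsets table. Running a reader built this way under ASan on a malformed input should produce a diagnostic from the reader, not a sanitizer report.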