[Bug binutils/33022] New: Heap Buffer Overflow in nm with liblto_plugin.so During strncmp

xdcao.cs at gmail dot com Tue, 27 May 2025 11:13:54 -0700

https://sourceware.org/bugzilla/show_bug.cgi?id=33022


            Bug ID: 33022
           Summary: Heap Buffer Overflow in nm with liblto_plugin.so
                    During strncmp
           Product: binutils
           Version: unspecified
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: xdcao.cs at gmail dot com
  Target Milestone: ---

Summary
Heap Buffer Overflow in nm with liblto_plugin.so During strncmp




Environment
GNU Binutils version: 2.44.50 & master
OS: Ubuntu 22.04.5 LTS


Steps to reproduce

# export CFLAGS="-g -O0 -fno-inline -fno-lto -fsanitize=address"
# export CXXFLAGS="-g -O0 -fno-inline -fno-lto -fsanitize=address"
# ./configure --disable-werror --enable-targets=all --enable-gold[=yes]
# make -j64 & make install

root@46b925a575de:# ./nm --plugin /usr/lib/bfd-plugins/liblto_plugin.so POC
=================================================================
==1983516==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x6060000001d2 at pc 0x00000043268d bp 0x7ffd3f3fd1e0 sp 0x7ffd3f3fc980
READ of size 2 at 0x6060000001d2 thread T0
    #0 0x43268c in strncmp
(/workspace/new-test/fuzzdir/fz-binutils/fz-nm/nm+0x43268c)
    #1 0x7f89af140b21  (/usr/lib/bfd-plugins/liblto_plugin.so+0xeb21)
    #2 0x7f89af14087e  (/usr/lib/bfd-plugins/liblto_plugin.so+0xe87e)
    #3 0x7f89af13fe90  (/usr/lib/bfd-plugins/liblto_plugin.so+0xde90)
    #4 0x7ef82e in try_claim
/root/this-program/binutils-gdb/build/bfd/../../bfd/plugin.c:497:4
    #5 0x7ee72c in try_load_plugin
/root/this-program/binutils-gdb/build/bfd/../../bfd/plugin.c:608:8
    #6 0x7ede8a in load_plugin
/root/this-program/binutils-gdb/build/bfd/../../bfd/plugin.c:734:12
    #7 0x7ed067 in bfd_plugin_object_p
/root/this-program/binutils-gdb/build/bfd/../../bfd/plugin.c:761:53
    #8 0x5017e2 in bfd_check_format_matches
/root/this-program/binutils-gdb/build/bfd/../../bfd/format.c:497:17
    #9 0x4cd5e8 in display_file
/root/this-program/binutils-gdb/build/binutils/../../binutils/nm.c:1663:12
    #10 0x4cc5c1 in main
/root/this-program/binutils-gdb/build/binutils/../../binutils/nm.c:2181:12
    #11 0x7f89b1e3bd8f in __libc_start_call_main
csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #12 0x7f89b1e3be3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #13 0x41f5b4 in _start
(/workspace/new-test/fuzzdir/fz-binutils/fz-nm/nm+0x41f5b4)

0x6060000001d2 is located 0 bytes to the right of 50-byte region
[0x6060000001a0,0x6060000001d2)
allocated by thread T0 here:
    #0 0x49a47d in malloc
(/workspace/new-test/fuzzdir/fz-binutils/fz-nm/nm+0x49a47d)
    #1 0x7f89af13c18c in xmalloc (/usr/lib/bfd-plugins/liblto_plugin.so+0xa18c)

SUMMARY: AddressSanitizer: heap-buffer-overflow
(/workspace/new-test/fuzzdir/fz-binutils/fz-nm/nm+0x43268c) in strncmp
Shadow bytes around the buggy address:
  0x0c0c7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0c7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0c7fff8000: fa fa fa fa 00 00 00 00 00 00 05 fa fa fa fa fa
  0x0c0c7fff8010: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
  0x0c0c7fff8020: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 05
=>0x0c0c7fff8030: fa fa fa fa 00 00 00 00 00 00[02]fa fa fa fa fa
  0x0c0c7fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1983516==ABORTING

POC
https://drive.google.com/file/d/1nWTkCqzxdajk451n0G-BYAluMMzqAP9m/view?usp=sharing


redit
Xiaoguo Li (CUPL)
Xudong Cao (UCAS)

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug binutils/33022] New: Heap Buffer Overflow in nm with liblto_plugin.so During strncmp

Reply via email to