https://sourceware.org/bugzilla/show_bug.cgi?id=33651

            Bug ID: 33651
           Summary: Use-after-free in dlltool (possible crash)
           Product: binutils
           Version: 2.45.1
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: m.weisser.m at gmail dot com
  Target Milestone: ---

Created attachment 16476
  --> https://sourceware.org/bugzilla/attachment.cgi?id=16476&action=edit
Object file to trigger the bug

I observed intermittent crashes in dlltool.exe 2.45.1 on Windows.

I couldn't pinpoint the error on Windows but observed a use-after-free with the
Linux version of dlltool, which I suspect to be the smoking gun.

I expect this commit introduced the bug, but I didn't actually bisect it:
https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=619f863c55ca0981fdb3209fe0a6fc600b66aa14

Steps to reproduce (on a Linux host; I did this on Ubuntu 24.04):

1. Build binutils with ASan enabled
$ CFLAGS='-fsanitize=address' ./configure --target=x86_64-w64-mingw32 && make -j

2. Create an object file for Windows using x86_64-w64-mingw32-gcc (I attached
one for convenience)
$ echo "void f(void){return;}" | x86_64-w64-mingw32-gcc -x c -c -o t.o -

3. Create a .def file from the object file (disabling the leak sanitizer)
$ ASAN_OPTIONS=detect_leaks=0 binutils/dlltool --export-all-symbols --output-def t.def t.o
=================================================================
==2442742==ERROR: AddressSanitizer: heap-use-after-free on address
0x521000008268 at pc 0x757a8e88303f bp 0x7ffc292886c0 sp 0x7ffc29287e68
READ of size 2 at 0x521000008268 thread T0
    #0 0x757a8e88303e in strchr
../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:712
    #1 0x60e27ab787c7 in gen_def_file
(binutils-2.45.1/binutils/dlltool+0xb47c7) (BuildId:
09dc2bc102f1f62ae00f7a1e737ef9557dcad403)
    #2 0x60e27ab88f77 in main (binutils-2.45.1/binutils/dlltool+0xc4f77)
(BuildId: 09dc2bc102f1f62ae00f7a1e737ef9557dcad403)
    #3 0x757a8e42a1c9 in __libc_start_call_main
../sysdeps/nptl/libc_start_call_main.h:58
    #4 0x757a8e42a28a in __libc_start_main_impl ../csu/libc-start.c:360
    #5 0x60e27ab74514 in _start (binutils-2.45.1/binutils/dlltool+0xb0514)
(BuildId: 09dc2bc102f1f62ae00f7a1e737ef9557dcad403)

0x521000008268 is located 2408 bytes inside of 4064-byte region
[0x521000007900,0x5210000088e0)
freed by thread T0 here:
    #0 0x757a8e8fc4d8 in free
../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52
    #1 0x60e27aeafce3 in objalloc_free
(binutils-2.45.1/binutils/dlltool+0x3ebce3) (BuildId:
09dc2bc102f1f62ae00f7a1e737ef9557dcad403)
    #2 0x60e27abb50eb in _bfd_delete_bfd
(binutils-2.45.1/binutils/dlltool+0xf10eb) (BuildId:
09dc2bc102f1f62ae00f7a1e737ef9557dcad403)
    #3 0x60e27abb6aa9 in bfd_close_all_done
(binutils-2.45.1/binutils/dlltool+0xf2aa9) (BuildId:
09dc2bc102f1f62ae00f7a1e737ef9557dcad403)
    #4 0x60e27abb697e in bfd_close (binutils-2.45.1/binutils/dlltool+0xf297e)
(BuildId: 09dc2bc102f1f62ae00f7a1e737ef9557dcad403)
    #5 0x60e27ab77ce1 in scan_obj_file
(binutils-2.45.1/binutils/dlltool+0xb3ce1) (BuildId:
09dc2bc102f1f62ae00f7a1e737ef9557dcad403)
    #6 0x60e27ab8892b in main (binutils-2.45.1/binutils/dlltool+0xc492b)
(BuildId: 09dc2bc102f1f62ae00f7a1e737ef9557dcad403)
    #7 0x757a8e42a1c9 in __libc_start_call_main
../sysdeps/nptl/libc_start_call_main.h:58
    #8 0x757a8e42a28a in __libc_start_main_impl ../csu/libc-start.c:360
    #9 0x60e27ab74514 in _start (binutils-2.45.1/binutils/dlltool+0xb0514)
(BuildId: 09dc2bc102f1f62ae00f7a1e737ef9557dcad403)

previously allocated by thread T0 here:
    #0 0x757a8e8fd9c7 in malloc
../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
    #1 0x60e27aeafa60 in _objalloc_alloc
(binutils-2.45.1/binutils/dlltool+0x3eba60) (BuildId:
09dc2bc102f1f62ae00f7a1e737ef9557dcad403)
    #2 0x60e27abb112f in bfd_alloc (binutils-2.45.1/binutils/dlltool+0xed12f)
(BuildId: 09dc2bc102f1f62ae00f7a1e737ef9557dcad403)
    #3 0x60e27abb11b7 in bfd_zalloc (binutils-2.45.1/binutils/dlltool+0xed1b7)
(BuildId: 09dc2bc102f1f62ae00f7a1e737ef9557dcad403)
    #4 0x60e27ac33891 in coff_make_empty_symbol
(binutils-2.45.1/binutils/dlltool+0x16f891) (BuildId:
09dc2bc102f1f62ae00f7a1e737ef9557dcad403)
    #5 0x60e27abbde69 in _bfd_generic_new_section_hook
(binutils-2.45.1/binutils/dlltool+0xf9e69) (BuildId:
09dc2bc102f1f62ae00f7a1e737ef9557dcad403)
    #6 0x60e27abe1412 in coff_new_section_hook
(binutils-2.45.1/binutils/dlltool+0x11d412) (BuildId:
09dc2bc102f1f62ae00f7a1e737ef9557dcad403)
    #7 0x60e27abbe16c in bfd_section_init
(binutils-2.45.1/binutils/dlltool+0xfa16c) (BuildId:
09dc2bc102f1f62ae00f7a1e737ef9557dcad403)
    #8 0x60e27abbedd0 in bfd_make_section_anyway_with_flags
(binutils-2.45.1/binutils/dlltool+0xfadd0) (BuildId:
09dc2bc102f1f62ae00f7a1e737ef9557dcad403)
    #9 0x60e27abbedfe in bfd_make_section_anyway
(binutils-2.45.1/binutils/dlltool+0xfadfe) (BuildId:
09dc2bc102f1f62ae00f7a1e737ef9557dcad403)
    #10 0x60e27ac267d5 in make_a_section_from_file
(binutils-2.45.1/binutils/dlltool+0x1627d5) (BuildId:
09dc2bc102f1f62ae00f7a1e737ef9557dcad403)
    #11 0x60e27ac27e9d in coff_real_object_p
(binutils-2.45.1/binutils/dlltool+0x163e9d) (BuildId:
09dc2bc102f1f62ae00f7a1e737ef9557dcad403)
    #12 0x60e27ac286e9 in coff_object_p
(binutils-2.45.1/binutils/dlltool+0x1646e9) (BuildId:
09dc2bc102f1f62ae00f7a1e737ef9557dcad403)
    #13 0x60e27abacd48 in bfd_check_format_matches_lto
(binutils-2.45.1/binutils/dlltool+0xe8d48) (BuildId:
09dc2bc102f1f62ae00f7a1e737ef9557dcad403)
    #14 0x60e27abaa2a5 in bfd_check_format
(binutils-2.45.1/binutils/dlltool+0xe62a5) (BuildId:
09dc2bc102f1f62ae00f7a1e737ef9557dcad403)
    #15 0x60e27ab77cc2 in scan_obj_file
(binutils-2.45.1/binutils/dlltool+0xb3cc2) (BuildId:
09dc2bc102f1f62ae00f7a1e737ef9557dcad403)
    #16 0x60e27ab8892b in main (binutils-2.45.1/binutils/dlltool+0xc492b)
(BuildId: 09dc2bc102f1f62ae00f7a1e737ef9557dcad403)
    #17 0x757a8e42a1c9 in __libc_start_call_main
../sysdeps/nptl/libc_start_call_main.h:58
    #18 0x757a8e42a28a in __libc_start_main_impl ../csu/libc-start.c:360
    #19 0x60e27ab74514 in _start (binutils-2.45.1/binutils/dlltool+0xb0514)
(BuildId: 09dc2bc102f1f62ae00f7a1e737ef9557dcad403)

SUMMARY: AddressSanitizer: heap-use-after-free
../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:712
in strchr
Shadow bytes around the buggy address:
  0x521000007f80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x521000008000: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x521000008080: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x521000008100: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x521000008180: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x521000008200: fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd
  0x521000008280: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x521000008300: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x521000008380: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x521000008400: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x521000008480: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2442742==ABORTING
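The three stacks above tell a consistent lifetime story: the string that strchr reads was allocated in the bfd's own storage (bfd_zalloc reached from coff_make_empty_symbol while the object was being parsed), that storage was released wholesale by bfd_close in scan_obj_file, and gen_def_file later dereferenced a pointer that still aimed into it. The example below is an added illustration of that pattern and of the usual fix (copy symbol names out of the bfd before closing it); it is not dlltool's or BFD's code. The bump allocator stands in for objalloc, SAMPLE_SYMBOLS is a constructed stand-in for the symbol table of t.o, and the search for '@' is an assumed stand-in for whatever character gen_def_file's strchr looks for.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy bump allocator standing in for BFD's objalloc: every string it hands
 * out lives exactly until arena_free(), which plays the role of bfd_close(). */
typedef struct { char *buf; size_t used, cap; } arena_t;

static arena_t *arena_new(size_t cap)
{
    arena_t *a = malloc(sizeof *a);
    *a = (arena_t){ malloc(cap), 0, cap };
    return a;
}

static char *arena_strdup(arena_t *a, const char *s)
{
    size_t len = strlen(s) + 1;
    if (a->used + len > a->cap)
        return NULL;
    char *p = memcpy(a->buf + a->used, s, len);
    a->used += len;
    return p;
}

static void arena_free(arena_t *a)
{
    free(a->buf);
    free(a);
}

/* Export list that must survive from scanning the object until the .def is written. */
#define MAX_EXPORTS 16
typedef struct {
    char *name[MAX_EXPORTS];
    size_t count;
} export_list_t;

/* Constructed stand-in for the symbol table of t.o (an assumption, not read
 * from the attachment): a plain symbol, a decorated one, a section symbol. */
static const char *const SAMPLE_SYMBOLS[] = { "f", "g@8", ".text" };
#define N_SAMPLE (sizeof SAMPLE_SYMBOLS / sizeof SAMPLE_SYMBOLS[0])

/* bfd_check_format stand-in: symbol names live in the bfd's own arena, the way
 * coff_make_empty_symbol reaches bfd_zalloc in the allocation stack above. */
static arena_t *open_obj(char *names[])
{
    arena_t *abfd = arena_new(256);
    for (size_t i = 0; i < N_SAMPLE; i++)
        names[i] = arena_strdup(abfd, SAMPLE_SYMBOLS[i]);
    return abfd;
}

/* scan_obj_file-shaped routine. copy_names == 0 is the buggy shape the trace
 * shows: the export list keeps pointers into the bfd, then the bfd is closed. */
static void scan_obj(export_list_t *out, int copy_names)
{
    char *syms[N_SAMPLE];
    arena_t *abfd = open_obj(syms);
    out->count = 0;
    for (size_t i = 0; i < N_SAMPLE; i++) {
        if (syms[i][0] == '.')   /* skip section symbols */
            continue;
        out->name[out->count++] = copy_names ? strdup(syms[i]) : syms[i];
    }
    arena_free(abfd);   /* bfd_close: without copies every name is now dangling */
}

/* gen_def_file-shaped consumer. Searching for '@' is an assumed stand-in for
 * the strchr() in the trace; returns how many exports carry a decoration. */
static size_t gen_def(const export_list_t *ex, FILE *out)
{
    size_t decorated = 0;
    if (out) fprintf(out, "EXPORTS\n");
    for (size_t i = 0; i < ex->count; i++) {
        if (strchr(ex->name[i], '@'))   /* the read ASan flagged */
            decorated++;
        if (out) fprintf(out, "    %s\n", ex->name[i]);
    }
    return decorated;
}

/* Whole pipeline with the fix applied; returns the decorated-export count. */
static size_t run_fixed(FILE *out)
{
    export_list_t ex;
    scan_obj(&ex, 1);                 /* names copied before the bfd is closed */
    size_t d = gen_def(&ex, out);
    for (size_t i = 0; i < ex.count; i++)
        free(ex.name[i]);
    return d;
}

int main(void)
{
    /* scan_obj(&ex, 0) then gen_def() reproduces the report's shape; build with
     * -fsanitize=address to see the same heap-use-after-free inside strchr. */
    return run_fixed(stdout) == 1 ? 0 : 1;
}
```

Building this with `-fsanitize=address` and switching the call in run_fixed to `scan_obj(&ex, 0)` gives a report of the same form as the one above: a READ in strchr of memory freed by arena_free, allocated by arena_strdup. The check to carry back to the real code is the one the trace implies: any name that gen_def_file still needs after scan_obj_file returns must not be owned by the bfd that scan_obj_file closes.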
