[Bug binutils/24048] memory leaks in readelf
https://sourceware.org/bugzilla/show_bug.cgi?id=24048

--- Comment #1 from zerokeeper <0x0keeper at gmail dot com> ---

Update: in the first information, AddressSanitizer didn't show the symbolization on the stack traces, so I changed machine and rebuilt binutils.

readelf: Error: =
==24023==ERROR: AddressSanitizer: heap-use-after-free on address 0x6030ef50 at pc 0x7f196b4121e9 bp 0x7ffc894f6a00 sp 0x7ffc894f6178
READ of size 2 at 0x6030ef50 thread T0
    #0 0x7f196b4121e8 (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x601e8)
    #1 0x7f196b412bcc in vfprintf (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x60bcc)
    #2 0x5420b6 in error /root/fuzz/binutils-2.31/binutils/elfcomm.c:43
    #3 0x4a6311 in process_archive /root/fuzz/binutils-2.31/binutils/readelf.c:19092
    #4 0x404397 in process_file /root/fuzz/binutils-2.31/binutils/readelf.c:19247
    #5 0x404397 in main /root/fuzz/binutils-2.31/binutils/readelf.c:19318
    #6 0x7f196b00882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #7 0x404f78 in _start (/root/fuzz/binutils-2.31/binutils/readelf+0x404f78)

0x6030ef50 is located 0 bytes inside of 19-byte region [0x6030ef50,0x6030ef63)
freed by thread T0 here:
    #0 0x7f196b44a2ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
    #1 0x4a55ee in process_archive /root/fuzz/binutils-2.31/binutils/readelf.c:19178

previously allocated by thread T0 here:
    #0 0x7f196b44a602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x54b194 in make_qualified_name /root/fuzz/binutils-2.31/binutils/elfcomm.c:906

SUMMARY: AddressSanitizer: heap-use-after-free ??:0 ??
Shadow bytes around the buggy address:
==24023==ABORTING

--
You are receiving this mail because:
You are on the CC list for the bug.
___
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils
[Bug binutils/24049] heap-use-after-free in readelf
https://sourceware.org/bugzilla/show_bug.cgi?id=24049

--- Comment #1 from zerokeeper <0x0keeper at gmail dot com> ---

Update: the first AddressSanitizer output didn't show code symbolization. I rebuilt. This is the symbolized stack trace.

readelf: Error: =
==24023==ERROR: AddressSanitizer: heap-use-after-free on address 0x6030ef50 at pc 0x7f196b4121e9 bp 0x7ffc894f6a00 sp 0x7ffc894f6178
READ of size 2 at 0x6030ef50 thread T0
    #0 0x7f196b4121e8 (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x601e8)
    #1 0x7f196b412bcc in vfprintf (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x60bcc)
    #2 0x5420b6 in error /root/fuzz/binutils-2.31/binutils/elfcomm.c:43
    #3 0x4a6311 in process_archive /root/fuzz/binutils-2.31/binutils/readelf.c:19092
    #4 0x404397 in process_file /root/fuzz/binutils-2.31/binutils/readelf.c:19247
    #5 0x404397 in main /root/fuzz/binutils-2.31/binutils/readelf.c:19318
    #6 0x7f196b00882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #7 0x404f78 in _start (/root/fuzz/binutils-2.31/binutils/readelf+0x404f78)

0x6030ef50 is located 0 bytes inside of 19-byte region [0x6030ef50,0x6030ef63)
freed by thread T0 here:
    #0 0x7f196b44a2ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
    #1 0x4a55ee in process_archive /root/fuzz/binutils-2.31/binutils/readelf.c:19178

previously allocated by thread T0 here:
    #0 0x7f196b44a602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x54b194 in make_qualified_name /root/fuzz/binutils-2.31/binutils/elfcomm.c:906

SUMMARY: AddressSanitizer: heap-use-after-free ??:0 ??
Shadow bytes around the buggy address:
==24023==ABORTING
[Bug binutils/24048] memory leaks in readelf
https://sourceware.org/bugzilla/show_bug.cgi?id=24048

--- Comment #2 from zerokeeper <0x0keeper at gmail dot com> ---

Update, update! I'm so sorry: the second comment is for bug 24049; I commented on the wrong bug. This is the first comment's AddressSanitizer output, symbolized:

==14781==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 528 byte(s) in 1 object(s) allocated from:
    #0 0x7fc1cf81e602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x555afc in xmalloc xmalloc.c:147

SUMMARY: AddressSanitizer: 528 byte(s) leaked in 1 allocation(s).

Now I have fuzzed a new PoC for a memory leak in readelf.c:425:

➜ binutils-2.31 ./binutils/readelf -a binutils-readelf--memory-leak-filedata
ELF Header:
  Magic:   7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
  Class:                             ELF64
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              : 1002
  Machine:                           Advanced Micro Devices X86-64
  Version:                           0x1
  Entry point address:               0x400720
  Start of program headers:          64 (bytes into file)
  Start of section headers:          28880 (bytes into file)
  Flags:                             0x0
  Size of this header:               64 (bytes)
  Size of program headers:           56 (bytes)
  Number of program headers:         10
  Size of section headers:           64 (bytes)
  Number of section headers:         37
  Section header string table index: 34

Section Headers:
  [Nr] Name           Type      Address   Offset  Size  EntSize  Flags  Link  Info  Align
  [ 0]                NULL                                              0     0     0
  [ 1] .intÿ          PROGBITS  00400270  0270    001c           A      0     0     1
  [ 2] .note.ABI-tag  NOTE      0040028c  028c    0020           A      0     0     4294967277
  [ 3] .gnu.hash      ...
  ...
Version symbols section '.gnu.version' contains 11 entries:
 Addr: 00400514  Offset: 0x000514  Link: 4 (.dynsym)
  000:   0 (*local*)       0 (*local*)       0 (*local*)       2 (GLIBCXX_3.4)
  004:   3 (GLIBC_2.2.5)   3 (GLIBC_2.2.5)   0 (*local*)       2 (GLIBCXX_3.4)
  008:   0 (*local*)       2 (GLIBCXX_3.4)   2 (GLIBCXX_3.4)

Version needs section '.gnu.version_r' contains 2 entries:
 Addr: 0x00400530  Offset: 0x000530  Link: 5 (.dynstr)
  00: Version: 1  File: libc.so.6  Cnt: 1
  0x0010:   Name: GLIBC_2.2.5  Flags: none  Version: 3
  0x0020: Version: 1  File: libstdc++.so.6  Cnt: 1
  0x0030:   Name: GLIBCXX_3.4  Flags: none  Version: 2

Displaying notes found in: .note.ABI-tag
readelf: Warning: Corrupt note: alignment 4294967277, expecting 4 or 8
=
==21374==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 33 byte(s) in 1 object(s) allocated from:
    #0 0x7f8f21c8b602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x425ffb in get_data /root/fuzz/binutils-2.31/binutils/readelf.c:425

SUMMARY: AddressSanitizer: 33 byte(s) leaked in 1 allocation(s).

Here is the code at readelf.c:425:

410
411   if (fseek (filedata->handle, archive_file_offset + offset, SEEK_SET))
412     {
413       if (reason)
414         error (_("Unable to seek to 0x%lx for %s\n"),
415                archive_file_offset + offset, reason);
416       return NULL;
417     }
418
419   mvar = var;
420   if (mvar == NULL)
421     {
422       /* Check for overflow.  */
423       if (nmemb < (~(bfd_size_type) 0 - 1) / size)
424         /* + 1 so that we can '\0' terminate invalid string table sections.  */
425         mvar = malloc ((size_t) amt + 1);
426
427       if (mvar == NULL)
428         {
429           if (reason)
430             error (_("Out of memory allocating %s bytes for %s\n"),
431                    bfd_vmatoa ("u", amt), reason);
432           return NULL;
433         }
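An added illustration of the leak pattern behind the LeakSanitizer report above, written for this page and not taken from binutils: a get_data()-style helper hands ownership of a malloc'd buffer to its caller, and a caller that bails out early on a corrupt note alignment (as the "expecting 4 or 8" warning does) drops that buffer, while the fixed caller releases it on every path. The tracked allocator, the function names and the 32-byte sample note are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
static int live_allocs; /* buffers handed out by the tracked wrappers and not yet freed */
static void *tracked_malloc(size_t n) { void *p = malloc(n); if (p) live_allocs++; return p; }
static void tracked_free(void *p) { if (p) { live_allocs--; free(p); } }

/* Same shape as readelf's get_data(): seek, allocate amt + 1, read, NUL-terminate.
   Ownership of the returned buffer passes to the caller. */
static unsigned char *get_data(FILE *fh, long offset, size_t amt)
{
    if (fseek(fh, offset, SEEK_SET) != 0) return NULL;
    unsigned char *buf = tracked_malloc(amt + 1);
    if (buf == NULL) return NULL;
    if (fread(buf, 1, amt, fh) != amt) { tracked_free(buf); return NULL; }
    buf[amt] = '\0';
    return buf;
}

/* Leaky caller: the early return on a bad note alignment skips the free. */
static int process_notes_leaky(FILE *fh, long off, size_t len, uint64_t align)
{
    unsigned char *notes = get_data(fh, off, len);
    if (notes == NULL) return 0;
    if (align != 4 && align != 8) return 0; /* BUG: 'notes' is never released */
    tracked_free(notes);
    return 1;
}

/* Fixed caller: a single exit path releases the buffer whatever the verdict. */
static int process_notes_fixed(FILE *fh, long off, size_t len, uint64_t align)
{
    unsigned char *notes = get_data(fh, off, len);
    if (notes == NULL) return 0;
    int ok = (align == 4 || align == 8);
    tracked_free(notes);
    return ok;
}

/* Constructed 32-byte note payload; its contents do not matter for the leak. */
static unsigned char sample_note[32] = { 4, 0, 0, 0, 16, 0, 0, 0, 1, 0, 0, 0, 'G', 'N', 'U', 0 };

/* Writes the sample note to a temp file, runs one caller over it and returns
   how many buffers that caller left unfreed (0 means no leak). */
static int leaked_after(int (*fn)(FILE *, long, size_t, uint64_t), uint64_t align)
{
    live_allocs = 0;
    FILE *fh = tmpfile();
    if (fh == NULL) return -1;
    if (fwrite(sample_note, 1, sizeof sample_note, fh) != sizeof sample_note) { fclose(fh); return -1; }
    fn(fh, 0, sizeof sample_note, align);
    fclose(fh);
    return live_allocs;
}
```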
[Bug binutils/24048] memory leaks in readelf
https://sourceware.org/bugzilla/show_bug.cgi?id=24048

--- Comment #3 from zerokeeper <0x0keeper at gmail dot com> ---

Created attachment 11504
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11504&action=edit
binutils-readelf--memory-leak-filedata