[Bug binutils/28563] New: problem in readelf/strip
https://sourceware.org/bugzilla/show_bug.cgi?id=28563

            Bug ID: 28563
           Summary: problem in readelf/strip
           Product: binutils
           Version: 2.30
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: 1360434810 at qq dot com
  Target Milestone: ---

Created attachment 13768
  --> https://sourceware.org/bugzilla/attachment.cgi?id=13768&action=edit
inputs

1. problem 1
- target: readelf
- file: readelf_new_seed_1/1ccrash_0_74
- reproduce: readelf [input] -a
- Backtrace:
```
#0  0xf7fd5079 in __kernel_vsyscall ()
#1  0xf7e10542 in raise () from /lib32/libc.so.6
#2  0xf7e11961 in abort () from /lib32/libc.so.6
#3  0xf7e0875b in ?? () from /lib32/libc.so.6
#4  0xf7e087b9 in __assert_fail () from /lib32/libc.so.6
#5  0x08054f29 in find_section (filedata=filedata@entry=0x82275a0, name=name@entry=0x81d260f ".MIPS.abiflags") at readelf.c:658
#6  0x080d5981 in process_mips_specific (filedata=filedata@entry=0x82275a0) at readelf.c:15538
#7  0x080fb1b1 in process_arch_specific (filedata=0x82275a0) at readelf.c:18371
#8  process_object (filedata=filedata@entry=0x82275a0) at readelf.c:18681
#9  0x0804ba34 in process_file (file_name=) at readelf.c:19084
#10 main (argc=3, argv=0xd254) at readelf.c:19144
```

2. problem 2
- target: strip
- file: strip_new_seed_1/crash_15_003353
- reproduce: strip [input] -o tmp
- Backtrace:
```
#0  0xf7fd5079 in __kernel_vsyscall ()
#1  0xf7e0b542 in raise () from /lib32/libc.so.6
#2  0xf7e0c961 in abort () from /lib32/libc.so.6
#3  0xf7e4d493 in ?? () from /lib32/libc.so.6
#4  0xf7e4d52c in __libc_fatal () from /lib32/libc.so.6
#5  0xf7e4defa in ?? () from /lib32/libc.so.6
#6  0xf7e51d55 in _IO_sgetn () from /lib32/libc.so.6
#7  0xf7e44078 in fread () from /lib32/libc.so.6
#8  0x083b3733 in fread (__stream=0x8544480, __n=32, __size=1, __ptr=) at /usr/include/bits/stdio2.h:295
#9  cache_bread_1 (nbytes=, buf=, abfd=0x85423c0) at cache.c:337
#10 cache_bread (abfd=0x85423c0, buf=0xce50, nbytes=32) at cache.c:371
#11 0x08118f09 in bfd_bread (ptr=0xce50, size=, abfd=0x85423c0) at bfdio.c:196
#12 0x082e476b in bfd_elf32_object_p (abfd=0x85423c0) at elfcode.h:790
#13 0x0811e27f in bfd_check_format_matches (abfd=0x85423c0, format=bfd_object, matching=0xcfec) at format.c:311
#14 0x08073483 in copy_file (input_filename=0xd3e9 "/home/zkp/afl-utils/valid_strip_all/strip_new_seed_1:crash_15_003353", output_filename=output_filename@entry=0x8542380 "/home/zkp/afl-utils/valid_strip_all/st9HMsFc", input_target=, output_target=0x0, input_arch=0x0) at objcopy.c:3503
#15 0x08057657 in strip_main (argv=, argc=) at objcopy.c:4470
#16 main (argc=2, argv=0xd264) at objcopy.c:5580
```

3. problem 3
- target: strip
- file: strip_new_seed_1/crash_15_003354
- reproduce: strip [input] -o tmp
- Backtrace:
```
#0  0xf7e440d5 in fread () from /lib32/libc.so.6
#1  0x083b3733 in fread (__stream=0x8544480, __n=32, __size=1, __ptr=) at /usr/include/bits/stdio2.h:295
#2  cache_bread_1 (nbytes=, buf=, abfd=0x85423c0) at cache.c:337
#3  cache_bread (abfd=0x85423c0, buf=0xce50, nbytes=32) at cache.c:371
#4  0x08118f09 in bfd_bread (ptr=0xce50, size=, abfd=0x85423c0) at bfdio.c:196
#5  0x082e476b in bfd_elf32_object_p (abfd=0x85423c0) at elfcode.h:790
#6  0x0811e27f in bfd_check_format_matches (abfd=0x85423c0, format=bfd_object, matching=0xcfec) at format.c:311
#7  0x08073483 in copy_file (input_filename=0xd3e9 "/home/zkp/afl-utils/valid_strip_all/strip_new_seed_1:crash_15_003354", output_filename=output_filename@entry=0x8542380 "/home/zkp/afl-utils/valid_strip_all/st2XC6oE", input_target=, output_target=0x0, input_arch=0x0) at objcopy.c:3503
#8  0x08057657 in strip_main (argv=, argc=) at objcopy.c:4470
#9  main (argc=2, argv=0xd264) at objcopy.c:5580
```

Thank you!

--
You are receiving this mail because:
You are on the CC list for the bug.
[Bug binutils/28564] New: sysdump: stack-buffer-overflow in sysdump.c:65
https://sourceware.org/bugzilla/show_bug.cgi?id=28564

            Bug ID: 28564
           Summary: sysdump: stack-buffer-overflow in sysdump.c:65
           Product: binutils
           Version: 2.38 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: shaohua.li at inf dot ethz.ch
  Target Milestone: ---

Created attachment 13769
  --> https://sourceware.org/bugzilla/attachment.cgi?id=13769&action=edit
poc_0

Hi there,

I found a stack-buffer-overflow when fuzzing `sysdump`. Another consequence of this bug is that when compiling with `-O0` and `-O2`, the compiled sysdump gives different results on the poc.

- Compiler: clang13 (compile with -fsanitize=address)
- Platform: Ubuntu 20.04.3 LTS, x86_64
- Reproduce: run `sysdump poc_0`

Address sanitizer report:
```
==636167==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffda83dbddf at pc 0x00498067 bp 0x7ffda83dbc70 sp 0x7ffda83db438
READ of size 255 at 0x7ffda83dbddf thread T0
    #0 0x498066 in __asan_memcpy (/sysdump/analysis/debug/asan/clang13-O2/binutils/sysdump+0x498066)
    #1 0x4e091f in getCHARS /sysdump/analysis/debug/asan/clang13-O2/binutils/sysdump.c:65:3
    #2 0x4e53f1 in sysroff_swap_du_in /sysdump/analysis/debug/asan/clang13-O2/binutils/./sysroff.c:1353:15
    #3 0x4f2105 in getone /sysdump/analysis/debug/asan/clang13-O2/binutils/sysdump.c:438:2
    #4 0x4f2105 in module /sysdump/analysis/debug/asan/clang13-O2/binutils/sysdump.c:621:10
    #5 0x4f2105 in main /sysdump/analysis/debug/asan/clang13-O2/binutils/sysdump.c:712:3
    #6 0x7f8a01af50b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #7 0x41c4fd in _start (/sysdump/analysis/debug/asan/clang13-O2/binutils/sysdump+0x41c4fd)

Address 0x7ffda83dbddf is located in stack of thread T0 at offset 287 in frame
    #0 0x4e48af in sysroff_swap_du_in /sysdump/analysis/debug/asan/clang13-O2/binutils/./sysroff.c:1332

  This frame has 2 object(s):
    [32, 287) 'raw' (line 1333)
    [352, 356) 'idx' (line 1334) <== Memory access at offset 287 partially underflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/sysdump/analysis/debug/asan/clang13-O2/binutils/sysdump+0x498066) in __asan_memcpy
Shadow bytes around the buggy address:
  0x100035073760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100035073770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100035073780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100035073790: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00
  0x1000350737a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1000350737b0: 00 00 00 00 00 00 00 00 00 00 00[07]f2 f2 f2 f2
  0x1000350737c0: f2 f2 f2 f2 04 f3 f3 f3 00 00 00 00 00 00 00 00
  0x1000350737d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000350737e0: 00 00 00 00 f1 f1 f1 f1 f8 f8 f8 f8 f8 f8 f8 f8
  0x1000350737f0: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
  0x100035073800: f8 f8 f8 f8 f8 f8 f8 f8 f2 f2 f2 f2 f2 f2 f2 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==636167==ABORTING
```
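The report above shows a memcpy of 255 bytes in getCHARS starting at the end of the 255-byte stack object 'raw', i.e. a copy whose length was taken from the input file without checking that many bytes actually remain in the record. The following is an added example, not sysdump's own code: a reader for one-byte-length-prefixed strings in a fixed-size record that rejects any length larger than the remaining buffer, so a crafted length byte cannot push memcpy past the end of the array. The function names, the record layout and the 255-byte buffer size are assumptions made for illustration.

```c
/* Added example (not binutils code).  Reads length-prefixed strings out
   of a fixed-size record buffer without ever copying past its end.  The
   record layout (one length byte followed by that many characters,
   repeated) and the names are assumptions for illustration only.  */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RAW_SIZE 255   /* assumed fixed record buffer size, like a stack array */

/* Copy the length-prefixed string starting at *offset in raw (a buffer
   of raw_len bytes) into a newly allocated NUL-terminated string and
   advance *offset past it.  Returns NULL when the field would extend
   beyond raw_len, so the caller never reads out of bounds.  */
char *
get_prefixed_string (const unsigned char *raw, size_t raw_len, size_t *offset)
{
  if (*offset >= raw_len)
    return NULL;                 /* no room even for the length byte */

  size_t len = raw[*offset];
  size_t start = *offset + 1;    /* start <= raw_len is guaranteed here */

  /* Overflow-safe bounds check: compare against the remaining space
     rather than computing start + len.  */
  if (len > raw_len - start)
    return NULL;                 /* length claims more bytes than remain */

  char *s = malloc (len + 1);
  if (s == NULL)
    return NULL;
  memcpy (s, raw + start, len);  /* now provably inside [raw, raw + raw_len) */
  s[len] = '\0';
  *offset = start + len;
  return s;
}

/* Walk every prefixed string in a record and return how many were
   well-formed before the first malformed field or the end of data.  */
int
count_valid_strings (const unsigned char *raw, size_t raw_len)
{
  size_t off = 0;
  int n = 0;
  char *s;
  while ((s = get_prefixed_string (raw, raw_len, &off)) != NULL)
    {
      n++;
      free (s);
    }
  return n;
}

/* Constructed sample record: "abc" followed by "xy".  */
static const unsigned char GOOD_RECORD[] = { 3, 'a', 'b', 'c', 2, 'x', 'y' };

/* Fill a RAW_SIZE-byte buffer with a constructed record whose second
   field lies about its length: it claims 255 bytes when only 250 remain
   after the length byte.  */
void
fill_bad_record (unsigned char *buf)
{
  memset (buf, 'A', RAW_SIZE);
  buf[0] = 3;        /* first field: "AAA", well-formed */
  buf[4] = 0xff;     /* second field: 255 bytes claimed, 250 available */
}

int
main (void)
{
  unsigned char bad[RAW_SIZE];
  fill_bad_record (bad);

  /* Prints 2 for the good record and 1 for the bad one: the oversized
     field is rejected instead of being copied.  */
  printf ("good record: %d strings\n",
          count_valid_strings (GOOD_RECORD, sizeof GOOD_RECORD));
  printf ("bad record:  %d strings\n", count_valid_strings (bad, RAW_SIZE));
  return 0;
}
```

The check is written as `len > raw_len - start` rather than `start + len > raw_len` on purpose: with wider length fields the addition could wrap, while the subtraction cannot because `start` never exceeds `raw_len`. A zero-length field at the very end of the buffer is still accepted, which is the only remaining corner case and is harmless.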
nm/objdump --help still displays unsupported styles for --demangle.
Hello,

I found a problem with the usage text. The commit 1910070b298052d7ca8e4024891465824588c1e9 fixed demangle.h to remove support for ancient GNU (pre-3.0), Lucid, ARM, HP, and EDG demangling styles. But the usage text of nm and objdump still shows the following message:

```
  -C, --demangle[=STYLE] Decode low-level symbol names into user-level names
                          The STYLE, if specified, can be `auto' (the default),
                          `gnu', `lucid', `arm', `hp', `edg', `gnu-v3', `java'
                          or `gnat'
```

So if you execute --demangle=gnu, it will display the error message:

```
unknown demangling style gnu
```

Would you delete the unsupported styles from the usage text of nm and objdump?
Issue 40837 in oss-fuzz: binutils:fuzz_addr2line: Dynamic-stack-buffer-overflow in error_handler_internal
Comment #3 on issue 40837 by da...@adalogics.com: binutils:fuzz_addr2line: Dynamic-stack-buffer-overflow in error_handler_internal
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40837#c3

I'm unable to reproduce this one

--
You received this message because:
  1. You were specifically CC'd on the issue

You may adjust your notification preferences at:
https://bugs.chromium.org/hosting/settings

Reply to this email to add a comment.
[Bug binutils/28563] problem in readelf/strip
https://sourceware.org/bugzilla/show_bug.cgi?id=28563

Alan Modra changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|---                         |INVALID

--- Comment #1 from Alan Modra ---
Please do not report fuzzed binary problems for older versions of binutils.