bug-binutils

[Bug ld/17453] New: Two issues found by AddressSanitizer


From: markus at trippelsdorf dot de
Subject: [Bug ld/17453] New: Two issues found by AddressSanitizer
Date: Fri, 03 Oct 2014 06:51:48 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=17453

            Bug ID: 17453
           Summary: Two issues found by AddressSanitizer
           Product: binutils
           Version: 2.25 (HEAD)
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ld
          Assignee: unassigned at sourceware dot org
          Reporter: markus at trippelsdorf dot de

1)

address@hidden ld % /var/tmp/binutils-gdb/ld/ld-new -o tmpdir/tlsie4 -L/var/tmp/binutils-gdb/ld/testsuite/ld-x86-64 -melf32_x86_64 tmpdir/tlsie4.o
=================================================================
==20993==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60400000b48f at pc 0x4da32d bp 0x7fffcd882d00 sp 0x7fffcd882cf8
READ of size 1 at 0x60400000b48f thread T0
    #0 0x4da32c in elf_x86_64_relocate_section
/var/tmp/binutils-gdb/bfd/elf64-x86-64.c:4294
    #1 0x5411d2 in elf_link_input_bfd /var/tmp/binutils-gdb/bfd/elflink.c:9721
    #2 0x54585c in bfd_elf_final_link /var/tmp/binutils-gdb/bfd/elflink.c:10908
    #3 0x43d377 in ldwrite /var/tmp/binutils-gdb/ld/ldwrite.c:581
    #4 0x406150 in main ldmain.c:427
    #5 0x7fddf2b84fcf in __libc_start_main (/lib/libc.so.6+0x1ffcf)
    #6 0x407484 (/var/tmp/binutils-gdb/ld/ld-new+0x407484)

0x60400000b48f is located 1 bytes to the left of 40-byte region
[0x60400000b490,0x60400000b4b8)
allocated by thread T0 here:
    #0 0x7fddf3132bcf in malloc
(/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.2/libasan.so.1+0x5ebcf)
    #1 0x490c8d in bfd_malloc /var/tmp/binutils-gdb/bfd/libbfd.c:181

SUMMARY: AddressSanitizer: heap-buffer-overflow
/var/tmp/binutils-gdb/bfd/elf64-x86-64.c:4294 elf_x86_64_relocate_section
Shadow bytes around the buggy address:
  0x0c087fff9640: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9650: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9660: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9670: fa fa fa fa fa fa fa fa fa fa 00 00 00 00 00 fa
  0x0c087fff9680: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
=>0x0c087fff9690: fa[fa]00 00 00 00 00 fa fa fa fd fd fd fd fd fd
  0x0c087fff96a0: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
  0x0c087fff96b0: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
  0x0c087fff96c0: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
  0x0c087fff96d0: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
  0x0c087fff96e0: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==20993==ABORTING

2)

address@hidden ld % /var/tmp/binutils-gdb/ld/../binutils/readelf -d tmpdir/audit.out
=================================================================
==21468==ERROR: AddressSanitizer: global-buffer-overflow on address
0x0000005448c0 at pc 0x7f5d99269322 bp 0x7fffa0f91250 sp 0x7fffa0f91208
WRITE of size 4097 at 0x0000005448c0 thread T0
    #0 0x7f5d99269321 in scanf_common(void*, int, bool, char const*,
__va_list_tag*) [clone .constprop.55]
(/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.2/libasan.so.1+0x2b321)
    #1 0x7f5d99269c28 in vfscanf
(/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.2/libasan.so.1+0x2bc28)
    #2 0x7f5d99269d22 in __interceptor_fscanf
(/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.2/libasan.so.1+0x2bd22)
    #3 0x418337 in process_program_headers
/var/tmp/binutils-gdb/binutils/readelf.c:4403
    #4 0x43c7b7 in process_object
/var/tmp/binutils-gdb/binutils/readelf.c:14465
    #5 0x402d05 in process_file /var/tmp/binutils-gdb/binutils/readelf.c:14849
    #6 0x402d05 in main /var/tmp/binutils-gdb/binutils/readelf.c:14914
    #7 0x7f5d98ceefcf in __libc_start_main (/lib/libc.so.6+0x1ffcf)
    #8 0x40338d (/var/tmp/binutils-gdb/binutils/readelf+0x40338d)

0x0000005448c0 is located 32 bytes to the left of global variable
'dynamic_syminfo_nent' from 'readelf.c' (0x5448e0) of size 4
0x0000005448c0 is located 0 bytes to the right of global variable
'program_interpreter' from 'readelf.c' (0x5438c0) of size 4096
SUMMARY: AddressSanitizer: global-buffer-overflow ??:0 scanf_common(void*, int,
bool, char const*, __va_list_tag*) [clone .constprop.55]
Shadow bytes around the buggy address:
  0x0000800a08c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800a08d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800a08e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800a08f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800a0900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0000800a0910: 00 00 00 00 00 00 00 00[f9]f9 f9 f9 04 f9 f9 f9
  0x0000800a0920: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x0000800a0930: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x0000800a0940: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x0000800a0950: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x0000800a0960: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==21468==ABORTING
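The second report shows scanf writing 4097 bytes into the 4096-byte global 'program_interpreter', which is what an unbounded "%s" conversion does with a 4096-character token once it appends the NUL. The following is an added example, not binutils code (the readelf.c source at line 4403 is not on this page; the buffer name, helper names and sample inputs are constructed): a width-bounded reader that can never write past the buffer and reports overlong input instead of silently truncating it.

```c
#define _POSIX_C_SOURCE 200809L  /* for fmemopen */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define INTERP_MAX 4096  /* same size as the 'program_interpreter' global above */

/* Read one whitespace-delimited token into a buffer of INTERP_MAX bytes.
 * "%4095s" caps the conversion at 4095 chars; scanf appends the NUL, so at most
 * 4096 bytes are written. An unbounded "%s" has no cap, which is how a
 * 4096-char token becomes the 4097-byte WRITE in the report above.
 * Returns 1 on success, 0 if the token was too long, -1 on EOF/read error. */
int read_interp_bounded(FILE *fp, char buf[INTERP_MAX])
{
    if (fscanf(fp, "%4095s", buf) != 1)
        return -1;
    int c = fgetc(fp);  /* anything but whitespace/EOF: the token continued */
    if (c == EOF || isspace(c))
        return 1;
    ungetc(c, fp);
    return 0;
}

/* Run the reader over a constructed in-memory string (POSIX fmemopen). */
int read_interp_from_string(const char *s, char buf[INTERP_MAX])
{
    FILE *fp = fmemopen((void *)s, strlen(s), "r");
    if (fp == NULL)
        return -1;
    int rc = read_interp_bounded(fp, buf);
    fclose(fp);
    return rc;
}

int demo_short(void)  /* constructed: a normal path followed by another field */
{
    char interp[INTERP_MAX];
    return read_interp_from_string("/lib64/ld-linux-x86-64.so.2 0x400238", interp);
}

int demo_overlong(void)  /* constructed: 4096 chars, one too many with the NUL */
{
    char interp[INTERP_MAX], *path = malloc(INTERP_MAX + 1);
    memset(path, 'A', INTERP_MAX);
    path[INTERP_MAX] = '\0';
    int rc = read_interp_from_string(path, interp);
    free(path);
    return rc;
}
```

demo_short() returns 1 and demo_overlong() returns 0; with the bounded width, the 4096-character case is rejected by the caller rather than corrupting the neighbouring global.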
