bug-binutils

[Bug gas/20896] New: AS: Buffer Overflow when expanding .irp directives


From: boehme.marcel at gmail dot com
Subject: [Bug gas/20896] New: AS: Buffer Overflow when expanding .irp directives
Date: Thu, 01 Dec 2016 12:45:32 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=20896

            Bug ID: 20896
           Summary: AS: Buffer Overflow when expanding .irp directives
           Product: binutils
           Version: 2.28 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: gas
          Assignee: unassigned at sourceware dot org
          Reporter: boehme.marcel at gmail dot com
  Target Milestone: ---

Dear all,

The following bug was found with AFLFast, a fork of AFL, in a 24-hour fuzzing
session on Binutils. Thanks also to Van-Thuan Pham.

The assembler crashes for the following execution:

$ printf ".irp\n000000000;#000\"0000000000000000000000\n" > test
$ ./as test

On trunk, Ubuntu 14.04 x86_64:
test:2: Internal error!
Assertion failure in ignore_rest_of_line at read.c:3758.
Please report this bug.

On Binutils v2.26.1, Ubuntu 16.04 x86_64:
Segmentation Fault

On Binutils v2.24, Ubuntu 14.04 x86_64:
No problems.

ASAN says:
=================================================================
==123173==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60b00000a5b0 at pc 0x00000046f678 bp 0x7fff7ce8b410 sp 0x7fff7ce8b408
READ of size 1 at 0x60b00000a5b0 thread T0
    #0 0x46f677 in next_char_of_string ../../gas/read.c:5533
    #1 0x470580 in demand_copy_string ../../gas/read.c:5741
    #2 0x463001 in s_app_line ../../gas/read.c:2039
    #3 0x44ecd3 in buffer_and_nest ../../gas/macro.c:231
    #4 0x45a0fd in expand_irp ../../gas/macro.c:1323
    #5 0x4645a0 in s_irp ../../gas/read.c:2366
    #6 0x45f518 in read_a_source_file ../../gas/read.c:1146
    #7 0x40c417 in perform_an_assembly_pass ../../gas/as.c:1172
    #8 0x40c86c in main ../../gas/as.c:1296
    #9 0x7f2c353bff44 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #10 0x403858 
(/home/ubuntu/subjects/binutils-gdb/obj-asan/gas/as-new+0x403858)

0x60b00000a5b0 is located 0 bytes to the right of 112-byte region
[0x60b00000a540,0x60b00000a5b0)
allocated by thread T0 here:
    #0 0x7f2c36740710 in __interceptor_realloc
(/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2710)
    #1 0x928e38 in xrealloc ../../libiberty/xmalloc.c:180
    #2 0x473fa1 in sb_check ../../gas/sb.c:150
    #3 0x47436d in sb_add_buffer ../../gas/sb.c:187
    #4 0x4656a6 in get_line_sb ../../gas/read.c:2658
    #5 0x465730 in get_non_macro_line_sb ../../gas/read.c:2672
    #6 0x44ee8f in buffer_and_nest ../../gas/macro.c:241
    #7 0x45a0fd in expand_irp ../../gas/macro.c:1323
    #8 0x4645a0 in s_irp ../../gas/read.c:2366
    #9 0x45f518 in read_a_source_file ../../gas/read.c:1146
    #10 0x40c417 in perform_an_assembly_pass ../../gas/as.c:1172
    #11 0x40c86c in main ../../gas/as.c:1296
    #12 0x7f2c353bff44 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21f44)

SUMMARY: AddressSanitizer: heap-buffer-overflow ../../gas/read.c:5533 in
next_char_of_string



Valgrind reports several reads of size 1:
==123176== Invalid read of size 1
==123176==    at 0x4CEB0F: next_char_of_string (read.c:5533)
==123176==    by 0x4CEB0F: demand_copy_string (read.c:5741)
==123176==    by 0x4D1B89: s_app_line (read.c:2039)
==123176==    by 0x470328: buffer_and_nest (macro.c:231)
==123176==    by 0x4755D3: expand_irp (macro.c:1323)
==123176==    by 0x482DE4: s_irp (read.c:2366)
==123176==    by 0x4B5BAF: read_a_source_file (read.c:1146)
==123176==    by 0x407ED1: perform_an_assembly_pass (as.c:1172)
==123176==    by 0x407ED1: main (as.c:1296)
...
==123176== Invalid read of size 1
==123176==    at 0x4D1BE7: get_linefile_number (read.c:1985)
==123176==    by 0x4D1BE7: s_app_line (read.c:2045)
==123176==    by 0x470328: buffer_and_nest (macro.c:231)
==123176==    by 0x4755D3: expand_irp (macro.c:1323)
==123176==    by 0x482DE4: s_irp (read.c:2366)
==123176==    by 0x4B5BAF: read_a_source_file (read.c:1146)
==123176==    by 0x407ED1: perform_an_assembly_pass (as.c:1172)
==123176==    by 0x407ED1: main (as.c:1296)
==123176==  Address 0x57ebf12 is 30 bytes before a block of size 74,304 in
arena "client"
==123176== 
==123176== Invalid read of size 1
==123176==    at 0x4D0C3B: ignore_rest_of_line (read.c:3758)
==123176==    by 0x4D0C3B: s_app_line (read.c:2098)
==123176==    by 0x470328: buffer_and_nest (macro.c:231)
==123176==    by 0x4755D3: expand_irp (macro.c:1323)
==123176==    by 0x482DE4: s_irp (read.c:2366)
==123176==    by 0x4B5BAF: read_a_source_file (read.c:1146)
==123176==    by 0x407ED1: perform_an_assembly_pass (as.c:1172)
==123176==    by 0x407ED1: main (as.c:1296)
==123176==  Address 0x57ebf12 is 30 bytes before a block of size 74,304 in
arena "client"

Best regards,
- Marcel

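As an added illustration (not gas's code, and a deliberately simplified model of what the ASAN trace suggests: a length-delimited, non-NUL-terminated line buffer being scanned for a closing quote), this shows how a bounded copy of a quoted string must stop at the end of the buffer when the closing quote never arrives, which is exactly what the reporter's second line provokes. Function names and the "directive after `#`" layout are assumptions of this model.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Copy the double-quoted string starting at buf[pos] into out.
 * buf is length-delimited (len bytes, no terminator guaranteed).
 * Without the "i < len" check the scan for the closing quote walks
 * past the end of the heap block, which is the READ-of-size-1
 * heap-buffer-overflow pattern in the trace above.
 * Returns bytes copied, -1 if no opening quote at pos,
 * -2 if the string is unterminated, -3 if out is too small. */
int copy_quoted_bounded(const char *buf, size_t len, size_t pos,
                        char *out, size_t outcap)
{
    if (pos >= len || buf[pos] != '"')
        return -1;
    size_t n = 0;
    for (size_t i = pos + 1; i < len; i++) {   /* bound check is the fix */
        if (buf[i] == '"') {
            out[n] = '\0';
            return (int)n;
        }
        if (n + 1 >= outcap)
            return -3;
        out[n++] = buf[i];
    }
    return -2;   /* end of buffer reached before the closing quote */
}

/* Model of the directive on the reporter's line 2: find the '#' that
 * introduces it, then the quoted string that follows it. */
int extract_app_line_string(const char *line, size_t len,
                            char *out, size_t outcap)
{
    const char *hash = memchr(line, '#', len);
    if (!hash) return -1;
    const char *q = memchr(hash, '"', len - (size_t)(hash - line));
    if (!q) return -1;
    return copy_quoted_bounded(line, len, (size_t)(q - line), out, outcap);
}

int main(void)
{
    /* constructed input: the second line of the reporter's test file */
    const char bad[] = "000000000;#000\"0000000000000000000000";
    const char good[] = "#000\"file.s\"";   /* constructed, well-formed */
    char out[64];
    printf("unterminated -> %d\n", extract_app_line_string(bad, strlen(bad), out, sizeof out));
    printf("terminated   -> %d (%s)\n", extract_app_line_string(good, strlen(good), out, sizeof out), out);
    return 0;
}
```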

