bug-binutils
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Bug binutils/21438] New: heap buffer overflow in prinf_common

From: dungnguy at comp dot nus.edu.sg
Subject: [Bug binutils/21438] New: heap buffer overflow in prinf_common
Date: Thu, 27 Apr 2017 02:26:42 +0000 
https://sourceware.org/bugzilla/show_bug.cgi?id=21438

            Bug ID: 21438
           Summary: heap buffer overflow in prinf_common
           Product: binutils
           Version: 2.28
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: dungnguy at comp dot nus.edu.sg
  Target Milestone: ---

Created attachment 10024
  --> https://sourceware.org/bugzilla/attachment.cgi?id=10024&action=edit
Input with objdump

Dear All,

This bug was found with AFLGo, a directed version of AFL/AFLFast. Thanks also
to Marcel Böhme and Van-Thuan Pham.

This bug was found on Ubuntu 14.04 64-bit & binutils was checked out from main
repository at git://sourceware.org/git/binutils-gdb.git. Its commit is
a49abe0bb18e04d3a4b692995fcfae70cd470775 (Tue Apr 25 00:00:36 2017).

binutils was built with ASAN using gcc-6.2 and clang-3.4. The configure command
was:

CC=clang CFLAGS="-DFORTIFY_SOURCE=2 -fstack-protector-all
-fsanitize=undefined,address -fno-omit-frame-pointer -g -Wno-error"
../configure --disable-shared --disable-gdb --disable-libdecnumber
--disable-readline --disable-sim

To reproduce:
Download the attached file - bug_3
objdump -W bug_3

ASAN says:
==4884==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60800000befd
at pc 0x000000491c12 bp 0x7ffc7763a5e0 sp 0x7ffc77639d90
READ of size 1 at 0x60800000befd thread T0
    #0 0x491c11 in printf_common(void*, char const*, __va_list_tag*)
(/home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/objdump+0x491c11)
    #1 0x4919d0 in printf_common(void*, char const*, __va_list_tag*)
(/home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/objdump+0x4919d0)
    #2 0x4927da in __interceptor_vprintf
(/home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/objdump+0x4927da)
    #3 0x492897 in __interceptor_printf
(/home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/objdump+0x492897)
    #4 0x59dacc in process_extended_line_op
/home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/../../binutils/dwarf.c:483:7
    #5 0x58d39c in display_debug_lines_raw
/home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/../../binutils/dwarf.c:3324:18
    #6 0x55692e in display_debug_lines
/home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/../../binutils/dwarf.c:4190:17
    #7 0x50844f in dump_dwarf_section
/home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/../../binutils/objdump.c:2623:6
    #8 0x7b437c in bfd_map_over_sections
/home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/section.c:1395:5
    #9 0x500415 in dump_dwarf
/home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/../../binutils/objdump.c:2689:3
    #10 0x4fac4b in dump_bfd
/home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/../../binutils/objdump.c:3527:5
    #11 0x4f9d41 in display_object_bfd
/home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/../../binutils/objdump.c:3594:7
    #12 0x4f9c1a in display_any_bfd
/home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/../../binutils/objdump.c:3683:5
    #13 0x4f91f7 in display_file
/home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/../../binutils/objdump.c:3704:3
    #14 0x4f8344 in main
/home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/../../binutils/objdump.c:4006:6
    #15 0x7f34db2b8f44 in __libc_start_main
/build/eglibc-MjiXCM/eglibc-2.19/csu/libc-start.c:287
    #16 0x41b5f5 in _start
(/home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/objdump+0x41b5f5)

SUMMARY: AddressSanitizer: heap-buffer-overflow
(/home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/objdump+0x491c11)
in printf_common(void*, char const*, __va_list_tag*)

VALGRIND says:
==152201== Invalid read of size 1
==152201==    at 0x5086943: vfprintf (vfprintf.c:1661)
==152201==    by 0x5147B27: __printf_chk (printf_chk.c:35)
==152201==    by 0x417DB1: printf (stdio2.h:104)
==152201==    by 0x417DB1: process_extended_line_op (dwarf.c:483)
==152201==    by 0x417DB1: display_debug_lines_raw (dwarf.c:3324)
==152201==    by 0x417DB1: display_debug_lines (dwarf.c:4190)
==152201==    by 0x40AF71: dump_dwarf_section (objdump.c:2623)
==152201==    by 0x44F7FB: bfd_map_over_sections (section.c:1395)
==152201==    by 0x406E13: dump_dwarf (objdump.c:2689)
==152201==    by 0x40812D: dump_bfd (objdump.c:3527)
==152201==    by 0x4089BF: display_object_bfd (objdump.c:3594)
==152201==    by 0x4089BF: display_any_bfd (objdump.c:3683)
==152201==    by 0x40ABC3: display_file (objdump.c:3704)
==152201==    by 0x404CDD: main (objdump.c:4006)
==152201==  Address 0x5410edd is 0 bytes after a block of size 93 alloc'd
==152201==    at 0x4C2AB80: malloc (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==152201==    by 0x44C9FD: bfd_malloc (libbfd.c:184)
==152201==    by 0x44AD97: bfd_get_full_section_contents (compress.c:248)
==152201==    by 0x40AD15: load_specific_debug_section (objdump.c:2468)
==152201==    by 0x40AF58: dump_dwarf_section (objdump.c:2620)
==152201==    by 0x44F7FB: bfd_map_over_sections (section.c:1395)
==152201==    by 0x406E13: dump_dwarf (objdump.c:2689)
==152201==    by 0x40812D: dump_bfd (objdump.c:3527)
==152201==    by 0x4089BF: display_object_bfd (objdump.c:3594)
==152201==    by 0x4089BF: display_any_bfd (objdump.c:3683)
==152201==    by 0x40ABC3: display_file (objdump.c:3704)
==152201==    by 0x404CDD: main (objdump.c:4006)

-- 
You are receiving this mail because:
You are on the CC list for the bug.
reply via email to
[Prev in Thread] Current Thread [Next in Thread]