[Bug binutils/22416] New: heap-buffer-overflow in bfd

bug-binutils

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Bug binutils/22416] New: heap-buffer-overflow in bfd_getl16

From:	jgj212 at gmail dot com
Subject:	[Bug binutils/22416] New: heap-buffer-overflow in bfd_getl16
Date:	Fri, 10 Nov 2017 09:24:48 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=22416

            Bug ID: 22416
           Summary: heap-buffer-overflow in bfd_getl16
           Product: binutils
           Version: 2.29
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: jgj212 at gmail dot com
  Target Milestone: ---

Created attachment 10578
  --> https://sourceware.org/bugzilla/attachment.cgi?id=10578&action=edit
heap-buffer-overflow-in-bfd_getl16

Hi:
  I found a heap-buffer-overflow in bfd_getl16  about objdump 2.29.1.
  Here is the asan-output:

==5178==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x617000000371
at pc 0x00000064bc77 bp 0x7ffcbd59cd00 sp 0x7ffcbd59ccf8
READ of size 1 at 0x617000000371 thread T0
    #0 0x64bc76 in bfd_getl16 binutils-2.29.1/bfd/libbfd.c:505:11
    #1 0x8b7cbf in _bfd_pei_swap_debugdir_in
binutils-2.29.1/bfd/peigen.c:1121:22
    #2 0x894164 in pe_bfd_read_buildid binutils-2.29.1/bfd/./peicode.h:1353:7
    #3 0x88cc2f in pe_bfd_object_p binutils-2.29.1/bfd/./peicode.h:1497:7
    #4 0x64538c in bfd_check_format_matches binutils-2.29.1/bfd/format.c:311:14
    #5 0x51785f in display_object_bfd
binutils-2.29.1/binutils/./objdump.c:3601:7
    #6 0x517769 in display_any_bfd binutils-2.29.1/binutils/./objdump.c:3692:5
    #7 0x5172aa in display_file binutils-2.29.1/binutils/./objdump.c:3713:3
    #8 0x516b04 in main binutils-2.29.1/binutils/./objdump.c:4015:6
    #9 0x7f5074958f44 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #10 0x41b74b in _start (binutils-2.29.1/binutils/objdump+0x41b74b)

0x617000000371 is located 1 bytes to the right of 752-byte region
[0x617000000080,0x617000000370)
allocated by thread T0 here:
    #0 0x4df116 in malloc asan_malloc_linux.cc:66
    #1 0x64b51e in bfd_malloc binutils-2.29.1/bfd/libbfd.c:193:9
    #2 0x6415cb in bfd_get_full_section_contents
binutils-2.29.1/bfd/compress.c:248:21
    #3 0x658d04 in bfd_malloc_and_get_section
binutils-2.29.1/bfd/section.c:1640:10
    #4 0x89403a in pe_bfd_read_buildid binutils-2.29.1/bfd/./peicode.h:1339:8
    #5 0x88cc2f in pe_bfd_object_p binutils-2.29.1/bfd/./peicode.h:1497:7
    #6 0x64538c in bfd_check_format_matches binutils-2.29.1/bfd/format.c:311:14
    #7 0x51785f in display_object_bfd
binutils-2.29.1/binutils/./objdump.c:3601:7
    #8 0x517769 in display_any_bfd binutils-2.29.1/binutils/./objdump.c:3692:5
    #9 0x5172aa in display_file binutils-2.29.1/binutils/./objdump.c:3713:3
    #10 0x516b04 in main binutils-2.29.1/binutils/./objdump.c:4015:6
    #11 0x7f5074958f44 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21f44)

SUMMARY: AddressSanitizer: heap-buffer-overflow
binutils-2.29.1/bfd/libbfd.c:505:11 in bfd_getl16
Shadow bytes around the buggy address:
  0x0c2e7fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2e7fff8020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2e7fff8030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2e7fff8040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2e7fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2e7fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[fa]fa
  0x0c2e7fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2e7fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2e7fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2e7fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2e7fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==5178==ABORTING


Credit: ADLab of VenusTech

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Prev in Thread]

Current Thread

[Next in Thread]

[Bug binutils/22416] New: heap-buffer-overflow in bfd_getl16, jgj212 at gmail dot com <=
- [Bug binutils/22416] heap-buffer-overflow in bfd_getl16, amodra at gmail dot com, 2017/11/29

Prev by Date: [Bug gold/22291] GOLD silently produces an nonworking dynamic executable
Next by Date: [Bug gas/21874] x86: Multiple segment registers in the address are not detected with -masm=intel
Previous by thread: [Bug gold/22291] GOLD silently produces an nonworking dynamic executable
Next by thread: [Bug binutils/22416] heap-buffer-overflow in bfd_getl16
Index(es):
- Date
- Thread