[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Bug binutils/22421] New: Heap overflow in bfd_getl32
From: |
insu at gatech dot edu |
Subject: |
[Bug binutils/22421] New: Heap overflow in bfd_getl32 |
Date: |
Sat, 11 Nov 2017 14:07:23 +0000 |
https://sourceware.org/bugzilla/show_bug.cgi?id=22421
Bug ID: 22421
Summary: Heap overflow in bfd_getl32
Product: binutils
Version: 2.30 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: insu at gatech dot edu
Target Milestone: ---
Created attachment 10581
--> https://sourceware.org/bugzilla/attachment.cgi?id=10581&action=edit
POC to trigger heap buffer overflow (objdump)
Using our hybrid fuzzer, we found a crashing test case
.
Version: f617a0f6ceeb34dfd39d8673b0ab225c9127aab6(git)
Command: ./objdump -x
../output-1/afl-1/crashes/id:000000,sig:06,sync:qsym,src:00381
ASAN:
=================================================================
==7340==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60700000df84
at pc 0x0000005fa23e bp 0x7fffffffd8b0 sp 0x7fffffffd8a0
READ of size 4 at 0x60700000df84 thread T0
#0 0x5fa23d in bfd_getl32
/home/insu/projects/qsym-eval/apps/binutils/binutils-gdb/bfd/libbfd.c:558
#1 0x71befd in elfcore_grok_nto_status
/home/insu/projects/qsym-eval/apps/binutils/binutils-gdb/bfd/elf.c:10217
#2 0x71befd in elfcore_grok_nto_note
/home/insu/projects/qsym-eval/apps/binutils/binutils-gdb/bfd/elf.c:10302
#3 0x6b5e88 in elf_parse_notes
/home/insu/projects/qsym-eval/apps/binutils/binutils-gdb/bfd/elf.c:11017
#4 0x6d9c31 in elf_read_notes
/home/insu/projects/qsym-eval/apps/binutils/binutils-gdb/bfd/elf.c:11066
#5 0x6d9c31 in bfd_section_from_phdr
/home/insu/projects/qsym-eval/apps/binutils/binutils-gdb/bfd/elf.c:2993
#6 0x6a9bc9 in bfd_elf64_core_file_p
/home/insu/projects/qsym-eval/apps/binutils/binutils-gdb/bfd/elfcore.h:277
#7 0x5ef092 in bfd_check_format_matches
/home/insu/projects/qsym-eval/apps/binutils/binutils-gdb/bfd/format.c:311
#8 0x421aab in display_object_bfd objdump.c:3629
#9 0x421aab in display_any_bfd objdump.c:3700
#10 0x40e771 in display_file objdump.c:3721
#11 0x40e771 in main objdump.c:4023
#12 0x7ffff68bc82f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#13 0x411c48 in _start
(/home/insu/projects/qsym-eval/apps/binutils/out2/objdump+0x411c48)
0x60700000df85 is located 0 bytes to the right of 69-byte region
[0x60700000df40,0x60700000df85)
allocated by thread T0 here:
#0 0x7ffff6f02602 in malloc
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x5f8bfa in bfd_malloc
/home/insu/projects/qsym-eval/apps/binutils/binutils-gdb/bfd/libbfd.c:193
SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/insu/projects/qsym-eval/apps/binutils/binutils-gdb/bfd/libbfd.c:558
bfd_getl32
Shadow bytes around the buggy address:
0x0c0e7fff9ba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fff9bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fff9bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fff9bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fff9be0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
=>0x0c0e7fff9bf0:[05]fa fa fa fa fa 00 00 00 00 00 00 00 00 00 00
0x0c0e7fff9c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fff9c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fff9c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fff9c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fff9c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==7340==ABORTING
--
You are receiving this mail because:
You are on the CC list for the bug.
- [Bug binutils/22421] New: Heap overflow in bfd_getl32,
insu at gatech dot edu <=