bug-binutils

[Bug binutils/22543] New: heap-buffer-overflow in bfd_getl32 (libbfd.c)


From: yli044 at e dot ntu.edu.sg
Subject: [Bug binutils/22543] New: heap-buffer-overflow in bfd_getl32 (libbfd.c)
Date: Mon, 04 Dec 2017 09:10:31 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=22543

            Bug ID: 22543
           Summary: heap-buffer-overflow in bfd_getl32 (libbfd.c)
           Product: binutils
           Version: 2.29
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: yli044 at e dot ntu.edu.sg
  Target Milestone: ---

Created attachment 10661
  --> https://sourceware.org/bugzilla/attachment.cgi?id=10661&action=edit
the PoC file

Hi guys,

When we were testing "nm-new" with our fuzzer (FOT), we found an
out-of-bounds read in bfd_getl32 in libbfd.c.

The command to reproduce is:
nm-new -l -D $POC

The dump from AddressSanitizer is:
=================================================================
==5736==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ebd1
at pc 0x00000042806b bp 0x7fff0513a3e0 sp 0x7fff0513a3d0
READ of size 1 at 0x60200000ebd1 thread T0
    #0 0x42806a in bfd_getl32 ../../bfd/libbfd.c:558
    #1 0x539a81 in parse_die ../../bfd/dwarf1.c:192
    #2 0x53b696 in _bfd_dwarf1_find_nearest_line ../../bfd/dwarf1.c:521
    #3 0x4bffcb in _bfd_elf_find_nearest_line ../../bfd/elf.c:8641
    #4 0x406ba2 in print_symbol ../../binutils/nm.c:1006
    #5 0x4070a2 in print_symbols ../../binutils/nm.c:1086
    #6 0x407a26 in display_rel_file ../../binutils/nm.c:1202
    #7 0x408205 in display_file ../../binutils/nm.c:1320
    #8 0x409dcd in main ../../binutils/nm.c:1794
    #9 0x7f496bfa582f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #10 0x402e78 in _start
(/media/lyk/DATA/binutils-2.29/fot-tests/nm/nm-new-veri+0x402e78)

0x60200000ebd1 is located 0 bytes to the right of 1-byte region
[0x60200000ebd0,0x60200000ebd1)
allocated by thread T0 here:
    #0 0x7f496c5eb602 in malloc
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x427709 in bfd_malloc ../../bfd/libbfd.c:193
    #2 0x63ba1c in bfd_get_full_section_contents ../../bfd/compress.c:248
    #3 0x653c79 in bfd_simple_get_relocated_section_contents
../../bfd/simple.c:193
    #4 0x53b309 in _bfd_dwarf1_find_nearest_line ../../bfd/dwarf1.c:490
    #5 0x4bffcb in _bfd_elf_find_nearest_line ../../bfd/elf.c:8641
    #6 0x406ba2 in print_symbol ../../binutils/nm.c:1006
    #7 0x4070a2 in print_symbols ../../binutils/nm.c:1086
    #8 0x407a26 in display_rel_file ../../binutils/nm.c:1202
    #9 0x408205 in display_file ../../binutils/nm.c:1320
    #10 0x409dcd in main ../../binutils/nm.c:1794
    #11 0x7f496bfa582f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow ../../bfd/libbfd.c:558
bfd_getl32
Shadow bytes around the buggy address:
  0x0c047fff9d20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9d70: fa fa fa fa fa fa fa fa fa fa[01]fa fa fa fd fd
  0x0c047fff9d80: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff9d90: fa fa 00 fa fa fa fd fa fa fa fd fd fa fa fd fa
  0x0c047fff9da0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff9db0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff9dc0: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==5736==ABORTING

The PoC is in the attachment.
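The trace above shows a 4-byte little-endian read (bfd_getl32, called from parse_die in dwarf1.c) landing on a section buffer that is only 1 byte long. The following is an added example, not the reporter's code and not binutils code: a bounds-checked little-endian reader and a small walker over length-prefixed entries that stops at a truncated section instead of reading past it. The function names read_le32_checked and count_dies, and the entry layout (a 4-byte length field at the start of each entry), are assumptions made for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bounds-checked little-endian 32-bit read (added example, not binutils
 * code). A raw reader like bfd_getl32 assumes four bytes are available;
 * here the check is explicit so a 1-byte section is rejected. */
bool read_le32_checked(const unsigned char *buf, size_t len, size_t off,
                       uint32_t *out)
{
    /* Written as off > len - 4 to avoid wrap-around in off + 4. */
    if (len < 4 || off > len - 4)
        return false;
    *out = (uint32_t)buf[off]
         | ((uint32_t)buf[off + 1] << 8)
         | ((uint32_t)buf[off + 2] << 16)
         | ((uint32_t)buf[off + 3] << 24);
    return true;
}

/* Walks entries that each begin with a 4-byte little-endian length that
 * covers the whole entry (assumed layout). Returns the number of entries
 * that fit entirely inside the section; stops at the first truncated or
 * inconsistent entry rather than over-reading. */
size_t count_dies(const unsigned char *buf, size_t len)
{
    size_t off = 0, count = 0;
    uint32_t die_len;

    while (off < len) {
        if (!read_le32_checked(buf, len, off, &die_len))
            break;                       /* not enough bytes for the length field */
        if (die_len < 4 || die_len > len - off)
            break;                       /* length field inconsistent with section */
        count++;
        off += die_len;
    }
    return count;
}

int main(void)
{
    /* Constructed inputs: a 1-byte section like the one in the ASan report,
     * and a well-formed section holding two entries of 4 and 5 bytes. */
    static const unsigned char truncated[1] = { 0x0c };
    static const unsigned char two_entries[9] = {
        0x04, 0x00, 0x00, 0x00,
        0x05, 0x00, 0x00, 0x00, 0xaa
    };
    uint32_t v;

    printf("1-byte section readable as u32: %s\n",
           read_le32_checked(truncated, sizeof truncated, 0, &v) ? "yes" : "no");
    printf("entries in truncated section: %zu\n",
           count_dies(truncated, sizeof truncated));
    printf("entries in well-formed section: %zu\n",
           count_dies(two_entries, sizeof two_entries));
    return 0;
}
```

The length check is split in two on purpose: the first guards the read of the length field itself (the case in the report), the second guards the jump to the next entry so a large or zero length cannot push the cursor past the buffer or stall the loop.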
