[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Bug binutils/22957] New: Heap out of bounds read in pop_bincl()
|
From: |
fumfi.255 at gmail dot com |
|
Subject: |
[Bug binutils/22957] New: Heap out of bounds read in pop_bincl() |
|
Date: |
Tue, 13 Mar 2018 11:37:07 +0000 |
https://sourceware.org/bugzilla/show_bug.cgi?id=22957
Bug ID: 22957
Summary: Heap out of bounds read in pop_bincl()
Product: binutils
Version: 2.30
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: fumfi.255 at gmail dot com
Target Milestone: ---
Created attachment 10891
--> https://sourceware.org/bugzilla/attachment.cgi?id=10891&action=edit
Crashing test case (objdump)
After some fuzz testing I found a crashing test case.
Version: 2.30
Command: objdump -x -D -S -s -G -g -e -t -T -r -R objdump_hoobr_pop_bincl
ASAN Context:
==2062==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000db70
at pc 0x000000535b77 bp 0x7ffeaf342190 sp 0x7ffeaf342180
READ of size 8 at 0x60200000db70 thread T0
#0 0x535b76 in pop_bincl XYZ/binutils-2.30.0/binutils/stabs.c:3213
#1 0x535b76 in parse_stab XYZ/binutils-2.30.0/binutils/stabs.c:565
#2 0x4ebd89 in read_section_stabs_debugging_info
XYZ/binutils-2.30.0/binutils/rddbg.c:239
#3 0x4ebd89 in read_debugging_info XYZ/binutils-2.30.0/binutils/rddbg.c:56
#4 0x41f654 in dump_bfd objdump.c:3607
#5 0x421a77 in display_object_bfd objdump.c:3658
#6 0x421a77 in display_any_bfd objdump.c:3747
#7 0x40ea81 in display_file objdump.c:3768
#8 0x40ea81 in main objdump.c:4070
#9 0x7f36620ed82f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#10 0x411ca8 in _start (/usr/local/bin/objdump+0x411ca8)
0x60200000db71 is located 0 bytes to the right of 1-byte region
[0x60200000db70,0x60200000db71)
allocated by thread T0 here:
#0 0x7f3662733602 in malloc
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0xb57fec in xmalloc xmalloc.c:147
SUMMARY: AddressSanitizer: heap-buffer-overflow
XYZ/binutils-2.30.0/binutils/stabs.c:3213 pop_bincl
Shadow bytes around the buggy address:
0x0c047fff9b10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9b20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9b50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9b60: fa fa fa fa fa fa 00 fa fa fa 01 fa fa fa[01]fa
0x0c047fff9b70: fa fa 00 00 fa fa 00 00 fa fa 07 fa fa fa 01 fa
0x0c047fff9b80: fa fa 00 00 fa fa 00 fa fa fa 00 00 fa fa 00 00
0x0c047fff9b90: fa fa 00 07 fa fa 01 fa fa fa 01 fa fa fa 00 00
0x0c047fff9ba0: fa fa 00 00 fa fa 00 01 fa fa 05 fa fa fa 04 fa
0x0c047fff9bb0: fa fa 00 01 fa fa 01 fa fa fa 01 fa fa fa 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==2062==ABORTING
--
You are receiving this mail because:
You are on the CC list for the bug.
- [Bug binutils/22957] New: Heap out of bounds read in pop_bincl(),
fumfi.255 at gmail dot com <=