
[Bug binutils/23064] New: Buffer overflow (read of size 8) in Dwarf


From: thuanpv at comp dot nus.edu.sg
Subject: [Bug binutils/23064] New: Buffer overflow (read of size 8) in Dwarf
Date: Sat, 14 Apr 2018 01:43:43 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=23064

            Bug ID: 23064
           Summary: Buffer overflow (read of size 8) in Dwarf
           Product: binutils
           Version: 2.31 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: thuanpv at comp dot nus.edu.sg
  Target Milestone: ---

Created attachment 10951
  --> https://sourceware.org/bugzilla/attachment.cgi?id=10951&action=edit
Bug-revealing sample input

Dear all,

This bug was found with AFLSmart, an extension of AFL. Thanks also to Marcel
Böhme, Andrew Santosa and Alexandru Razvan Caciulescu. 

This bug was found on Ubuntu 16.04 64-bit & binutils was checked out from main
repository at git://sourceware.org/git/binutils-gdb.git. Its commit is
68e91e42492551e165b103d819c021c4953da10b (April 14 2018) 


To reproduce:

Compile binutils with ASAN enabled

CC=gcc-6 CXX=g++-6 \
CFLAGS="-DFORTIFY_SOURCE=2 -fstack-protector-all -fsanitize=undefined,address -fno-omit-frame-pointer -g -Wno-error" \
CXXFLAGS="$CFLAGS" \
./configure --disable-shared --disable-gdb --disable-libdecnumber --disable-readline --disable-sim

Download the attached file - bug3
readelf -w bug3

ASAN says:

readelf: Warning: Section 0 has an out of range sh_link value of 4160749568
readelf: Warning: Section 1 has an out of range sh_link value of 16769792
readelf: Warning: Section 2 has an out of range sh_link value of 33554432
readelf: Warning: Section 6 has an out of range sh_link value of 247
readelf: Warning: Section 7 has an out of range sh_link value of 2130706432
readelf: Warning: Section 11 has an out of range sh_link value of 774778414
readelf: Warning: Section 12 has an out of range sh_link value of 774778414
readelf: Warning: possibly corrupt ELF header - it has a non-zero program
header offset, but no program headers
readelf: Warning: could not find separate debug file ''
readelf: Warning: tried: /lib/debug/
readelf: Warning: tried: /usr/lib/debug/usr/
readelf: Warning: tried: /usr/lib/debug/
readelf: Warning: tried:
/home/thuan/experiments/binutils-gdb-asan-newest/binutils/.debug/
readelf: Warning: tried:
/home/thuan/experiments/binutils-gdb-asan-newest/binutils/
readelf: Warning: tried: .debug/
readelf: Warning: tried: 
=================================================================
==24671==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60700000dd58 at pc 0x0000004c0942 bp 0x7ffe992edb10 sp 0x7ffe992edb00
READ of size 8 at 0x60700000dd58 thread T0
    #0 0x4c0941 in process_cu_tu_index
/home/thuan/experiments/binutils-gdb-asan-newest/binutils/dwarf.c:9290
    #1 0x4c189f in load_cu_tu_indexes
/home/thuan/experiments/binutils-gdb-asan-newest/binutils/dwarf.c:9411
    #2 0x4c1926 in find_cu_tu_set
/home/thuan/experiments/binutils-gdb-asan-newest/binutils/dwarf.c:9429
    #3 0x461fe2 in display_debug_section
/home/thuan/experiments/binutils-gdb-asan-newest/binutils/readelf.c:13703
    #4 0x4628ab in process_section_contents
/home/thuan/experiments/binutils-gdb-asan-newest/binutils/readelf.c:13796
    #5 0x47c7ba in process_object
/home/thuan/experiments/binutils-gdb-asan-newest/binutils/readelf.c:18684
    #6 0x47e9d0 in process_file
/home/thuan/experiments/binutils-gdb-asan-newest/binutils/readelf.c:19104
    #7 0x47ed55 in main
/home/thuan/experiments/binutils-gdb-asan-newest/binutils/readelf.c:19163
    #8 0x7f863ba9c82f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #9 0x4025d8 in _start
(/home/thuan/experiments/binutils-gdb-asan-newest/binutils/readelf+0x4025d8)

0x60700000dd5f is located 0 bytes to the right of 79-byte region
[0x60700000dd10,0x60700000dd5f)
allocated by thread T0 here:
    #0 0x7f863cc2bf70 in __interceptor_malloc
(/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc6f70)
    #1 0x40b573 in get_data
/home/thuan/experiments/binutils-gdb-asan-newest/binutils/readelf.c:421
    #2 0x4600d1 in load_specific_debug_section
/home/thuan/experiments/binutils-gdb-asan-newest/binutils/readelf.c:13477
    #3 0x461605 in load_debug_section
/home/thuan/experiments/binutils-gdb-asan-newest/binutils/readelf.c:13630
    #4 0x48e235 in load_debug_section_with_follow
/home/thuan/experiments/binutils-gdb-asan-newest/binutils/dwarf.c:2705
    #5 0x4c188c in load_cu_tu_indexes
/home/thuan/experiments/binutils-gdb-asan-newest/binutils/dwarf.c:9410
    #6 0x4c1926 in find_cu_tu_set
/home/thuan/experiments/binutils-gdb-asan-newest/binutils/dwarf.c:9429
    #7 0x461fe2 in display_debug_section
/home/thuan/experiments/binutils-gdb-asan-newest/binutils/readelf.c:13703
    #8 0x4628ab in process_section_contents
/home/thuan/experiments/binutils-gdb-asan-newest/binutils/readelf.c:13796
    #9 0x47c7ba in process_object
/home/thuan/experiments/binutils-gdb-asan-newest/binutils/readelf.c:18684
    #10 0x47e9d0 in process_file
/home/thuan/experiments/binutils-gdb-asan-newest/binutils/readelf.c:19104
    #11 0x47ed55 in main
/home/thuan/experiments/binutils-gdb-asan-newest/binutils/readelf.c:19163
    #12 0x7f863ba9c82f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/thuan/experiments/binutils-gdb-asan-newest/binutils/dwarf.c:9290 in
process_cu_tu_index
Shadow bytes around the buggy address:
  0x0c0e7fff9b50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9b60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9b70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9b80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9b90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c0e7fff9ba0: fa fa 00 00 00 00 00 00 00 00 00[07]fa fa fa fa
  0x0c0e7fff9bb0: 00 00 00 00 00 00 00 00 05 fa fa fa fa fa 00 00
  0x0c0e7fff9bc0: 00 00 00 00 00 00 00 07 fa fa fa fa 00 00 00 00
  0x0c0e7fff9bd0: 00 00 00 00 00 fa fa fa fa fa 00 00 00 00 00 00
  0x0c0e7fff9be0: 00 00 00 fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c0e7fff9bf0: fd fd fa fa fa fa 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb


Thanks,

Thuan
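The ASan trace above reports an 8-byte read landing exactly at the end of a 79-byte heap region that holds a loaded debug section, inside process_cu_tu_index, the binutils routine that walks a .debug_cu_index / .debug_tu_index table. The general hazard this illustrates is a parser trusting the slot, column and unit counts in a section header without first checking that the section actually contains the tables those counts imply. The code below is an added, hypothetical example of that check (it is not binutils code and not the reporter's; the field layout follows the DWARF package-file index format, and the error codes, function names and sample bytes are constructed for the example):

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical, added example: bounds-checked parsing of a DWARF package
 * (.dwp) .debug_cu_index section.  The header is four little-endian
 * 32-bit fields (version, ncols, nused, nslots) followed by a hash table
 * of nslots 64-bit signatures, a parallel table of nslots 32-bit unit
 * indices, a row of ncols section identifiers, and nused*ncols 32-bit
 * offsets plus nused*ncols 32-bit sizes.  Error codes are our own. */
enum {
    CUIDX_OK = 0,
    CUIDX_ERR_HEADER = -1,     /* fewer than 16 bytes: header does not fit   */
    CUIDX_ERR_SLOTS = -2,      /* nslots is zero or not a power of two        */
    CUIDX_ERR_TRUNCATED = -3,  /* header promises more table bytes than exist */
    CUIDX_ERR_OVERFLOW = -4,   /* size computation would wrap                 */
    CUIDX_ERR_INDEX = -5       /* a used slot's unit index exceeds nused      */
};

typedef struct { uint32_t version, ncols, nused, nslots; } cu_index_header;

static uint32_t rd32le(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint64_t rd64le(const unsigned char *p)
{
    return (uint64_t)rd32le(p) | ((uint64_t)rd32le(p + 4) << 32);
}
static void wr32le(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)v;         p[1] = (unsigned char)(v >> 8);
    p[2] = (unsigned char)(v >> 16); p[3] = (unsigned char)(v >> 24);
}
static void wr64le(unsigned char *p, uint64_t v)
{
    wr32le(p, (uint32_t)v); wr32le(p + 4, (uint32_t)(v >> 32));
}

/* Validate the header against the real section length before any table
 * is dereferenced.  The byte count the header implies is summed in 64-bit
 * arithmetic with an explicit wrap check, so hostile counts cannot make a
 * huge table look small. */
int cu_index_validate(const unsigned char *sec, size_t len, cu_index_header *h)
{
    if (len < 16)
        return CUIDX_ERR_HEADER;
    h->version = rd32le(sec);
    h->ncols   = rd32le(sec + 4);
    h->nused   = rd32le(sec + 8);
    h->nslots  = rd32le(sec + 12);
    if (h->nslots == 0 || (h->nslots & (h->nslots - 1)) != 0)
        return CUIDX_ERR_SLOTS;

    uint64_t need = 16;
    need += (uint64_t)h->nslots * 12;       /* 8-byte signatures + 4-byte indices */
    need += (uint64_t)h->ncols * 4;         /* section identifier row            */
    uint64_t cells = (uint64_t)h->nused * h->ncols;
    if (cells > UINT64_MAX / 8)
        return CUIDX_ERR_OVERFLOW;
    need += cells * 8;                      /* offset table + size table         */
    if (need > (uint64_t)len)
        return CUIDX_ERR_TRUNCATED;
    return CUIDX_OK;
}

/* Count used hash slots; touches only memory cu_index_validate approved. */
int cu_index_count_used(const unsigned char *sec, size_t len)
{
    cu_index_header h;
    int rc = cu_index_validate(sec, len, &h);
    if (rc != CUIDX_OK)
        return rc;
    const unsigned char *phash  = sec + 16;
    const unsigned char *pindex = phash + (size_t)h.nslots * 8;
    int used = 0;
    for (uint32_t i = 0; i < h.nslots; i++) {
        uint32_t idx = rd32le(pindex + (size_t)i * 4);
        if (idx == 0)
            continue;                    /* empty slot                         */
        if (idx > h.nused)
            return CUIDX_ERR_INDEX;      /* indices are 1-based and <= nused   */
        if (rd64le(phash + (size_t)i * 8) == 0)
            return CUIDX_ERR_INDEX;      /* a used slot must carry a signature */
        used++;
    }
    return used;
}

/* Constructed sample: version 2, 2 columns, 2 units, 8 slots = 152 bytes. */
#define SAMPLE_LEN (16 + 8 * 12 + 2 * 4 + 2 * 2 * 8)
static size_t build_sample(unsigned char *buf)
{
    memset(buf, 0, SAMPLE_LEN);
    wr32le(buf, 2); wr32le(buf + 4, 2); wr32le(buf + 8, 2); wr32le(buf + 12, 8);
    unsigned char *phash = buf + 16, *pindex = phash + 8 * 8;
    wr64le(phash + 3 * 8, 0x1122334455667788ULL); wr32le(pindex + 3 * 4, 1);
    wr64le(phash + 6 * 8, 0x8877665544332211ULL); wr32le(pindex + 6 * 4, 2);
    return SAMPLE_LEN;
}

int demo_wellformed(void)
{
    unsigned char buf[SAMPLE_LEN];
    return cu_index_count_used(buf, build_sample(buf));   /* 2 */
}

/* Same header, but only 79 bytes of section data are actually present,
 * mirroring the 79-byte region in the ASan report: rejected up front
 * instead of being read past its end. */
int demo_truncated(void)
{
    unsigned char buf[SAMPLE_LEN];
    build_sample(buf);
    return cu_index_count_used(buf, 79);                  /* CUIDX_ERR_TRUNCATED */
}
```

The point of the split into cu_index_validate and cu_index_count_used is that every later pointer computation derives from counts the validator has already bounded against len, so a crafted header can only produce an error code, never an out-of-bounds read. When triaging a report like this one, the 79-byte region size in the allocation trace is the number to compare against what the header claims.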


