bug-binutils

Information leakage in nm-2.32


From: Natalie
Subject: Information leakage in nm-2.32
Date: Tue, 20 Aug 2019 20:36:58 +0800 (CST)

Dear team,

I found a crash with AFL and used valgrind to run it. Looks like it is an information leakage problem. Detailed information is shown below.
Could you possibly fix this issue? It would be very nice if a CVE number could be assigned to this.
Also a PoC is attached to the email.

Best regards,
Xianya Mi

===== Information with valgrind =====
$ valgrind --leak-check=full --show-leak-kinds=all nm -C ./file39
==6673== Memcheck, a memory error detector
==6673== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==6673== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
==6673== Command: nm -C ./file39
==6673== 
nm: warning: ./file39(acl_add_perm.o) has a corrupt section with a size (af22) larger than the file size
nm: ./file39(acl_add_perm.o): invalid string offset 6976 >= 95 for section `.shstrtab'
nm: warning: ./file39(acl_add_perm.o) has a corrupt section with a size (af22) larger than the file size
nm: ./file39(acl_add_perm.o): invalid string offset 6976 >= 95 for section `.shstrtab'
nm: acl_add_perm.o: bad value
nm: warning: ./file39(acl_calc_mask.o) has a corrupt section with a size (610000000120) larger than the file size

acl_calc_mask.o:
nm: acl_calc_mask.o: no symbols
==6673== 
==6673== HEAP SUMMARY:
==6673==     in use at exit: 46,439 bytes in 30 blocks
==6673==   total heap usage: 230 allocs, 200 frees, 74,113 bytes allocated
==6673== 
==6673== 9 bytes in 1 blocks are still reachable in loss record 1 of 19
==6673==    at 0x483874F: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==6673==    by 0x1E8127: xmalloc (xmalloc.c:147)
==6673==    by 0x1E81E9: xstrdup (xstrdup.c:34)
==6673==    by 0x147C7F: bfd_fopen (opncls.c:234)
==6673==    by 0x13BDCB: display_file (nm.c:1316)
==6673==    by 0x139C45: main (nm.c:1816)
==6673== 
==6673== 24 bytes in 1 blocks are still reachable in loss record 2 of 19
==6673==    at 0x483874F: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==6673==    by 0x1E739A: objalloc_create (objalloc.c:91)
==6673==    by 0x147A83: _bfd_new_bfd (opncls.c:74)
==6673==    by 0x147C37: bfd_fopen (opncls.c:200)
==6673==    by 0x13BDCB: display_file (nm.c:1316)
==6673==    by 0x139C45: main (nm.c:1816)
==6673== 
==6673== 24 bytes in 1 blocks are still reachable in loss record 3 of 19
==6673==    at 0x483874F: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==6673==    by 0x1E739A: objalloc_create (objalloc.c:91)
==6673==    by 0x145BBE: bfd_hash_table_init_n (hash.c:385)
==6673==    by 0x147AB7: _bfd_new_bfd (opncls.c:84)
==6673==    by 0x147C37: bfd_fopen (opncls.c:200)
==6673==    by 0x13BDCB: display_file (nm.c:1316)
==6673==    by 0x139C45: main (nm.c:1816)
==6673== 
==6673== 31 bytes in 2 blocks are still reachable in loss record 4 of 19
==6673==    at 0x483874F: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==6673==    by 0x1E8127: xmalloc (xmalloc.c:147)
==6673==    by 0x1E81E9: xstrdup (xstrdup.c:34)
==6673==    by 0x13E61B: _bfd_get_elt_at_filepos (archive.c:724)
==6673==    by 0x13E61B: _bfd_get_elt_at_filepos (archive.c:645)
==6673==    by 0x13BE85: display_archive (nm.c:1261)
==6673==    by 0x13BE85: display_file (nm.c:1329)
==6673==    by 0x139C45: main (nm.c:1816)
==6673== 
==6673== 48 bytes in 2 blocks are still reachable in loss record 5 of 19
==6673==    at 0x483874F: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==6673==    by 0x1E739A: objalloc_create (objalloc.c:91)
==6673==    by 0x147A83: _bfd_new_bfd (opncls.c:74)
==6673==    by 0x147B18: _bfd_new_bfd_contained_in (opncls.c:103)
==6673==    by 0x13E547: _bfd_create_empty_archive_element_shell (archive.c:279)
==6673==    by 0x13E547: _bfd_get_elt_at_filepos (archive.c:706)
==6673==    by 0x13E547: _bfd_get_elt_at_filepos (archive.c:645)
==6673==    by 0x13BE85: display_archive (nm.c:1261)
==6673==    by 0x13BE85: display_file (nm.c:1329)
==6673==    by 0x139C45: main (nm.c:1816)
==6673== 
==6673== 48 bytes in 2 blocks are still reachable in loss record 6 of 19
==6673==    at 0x483874F: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==6673==    by 0x1E739A: objalloc_create (objalloc.c:91)
==6673==    by 0x145BBE: bfd_hash_table_init_n (hash.c:385)
==6673==    by 0x147AB7: _bfd_new_bfd (opncls.c:84)
==6673==    by 0x147B18: _bfd_new_bfd_contained_in (opncls.c:103)
==6673==    by 0x13E547: _bfd_create_empty_archive_element_shell (archive.c:279)
==6673==    by 0x13E547: _bfd_get_elt_at_filepos (archive.c:706)
==6673==    by 0x13E547: _bfd_get_elt_at_filepos (archive.c:645)
==6673==    by 0x13BE85: display_archive (nm.c:1261)
==6673==    by 0x13BE85: display_file (nm.c:1329)
==6673==    by 0x139C45: main (nm.c:1816)
==6673== 
==6673== 112 bytes in 1 blocks are still reachable in loss record 7 of 19
==6673==    at 0x483AB35: calloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==6673==    by 0x1E5BC8: htab_create_typed_alloc (hashtab.c:357)
==6673==    by 0x1E5C4D: htab_create_alloc (hashtab.c:285)
==6673==    by 0x13DF47: _bfd_add_bfd_to_archive_cache (archive.c:361)
==6673==    by 0x13E5C6: _bfd_get_elt_at_filepos (archive.c:737)
==6673==    by 0x13E5C6: _bfd_get_elt_at_filepos (archive.c:645)
==6673==    by 0x13BE85: display_archive (nm.c:1261)
==6673==    by 0x13BE85: display_file (nm.c:1329)
==6673==    by 0x139C45: main (nm.c:1816)
==6673== 
==6673== 248 bytes in 1 blocks are still reachable in loss record 8 of 19
==6673==    at 0x483AB35: calloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==6673==    by 0x1E5BDC: htab_create_typed_alloc (hashtab.c:360)
==6673==    by 0x1E5C4D: htab_create_alloc (hashtab.c:285)
==6673==    by 0x13DF47: _bfd_add_bfd_to_archive_cache (archive.c:361)
==6673==    by 0x13E5C6: _bfd_get_elt_at_filepos (archive.c:737)
==6673==    by 0x13E5C6: _bfd_get_elt_at_filepos (archive.c:645)
==6673==    by 0x13BE85: display_archive (nm.c:1261)
==6673==    by 0x13BE85: display_file (nm.c:1329)
==6673==    by 0x139C45: main (nm.c:1816)
==6673== 
==6673== 263 bytes in 2 blocks are still reachable in loss record 9 of 19
==6673==    at 0x483874F: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==6673==    by 0x146891: bfd_malloc (libbfd.c:275)
==6673==    by 0x146A18: bfd_zmalloc (libbfd.c:360)
==6673==    by 0x13E08E: _bfd_generic_read_ar_hdr_mag (archive.c:589)
==6673==    by 0x13E475: _bfd_get_elt_at_filepos (archive.c:658)
==6673==    by 0x13E475: _bfd_get_elt_at_filepos (archive.c:645)
==6673==    by 0x13BE85: display_archive (nm.c:1261)
==6673==    by 0x13BE85: display_file (nm.c:1329)
==6673==    by 0x139C45: main (nm.c:1816)
==6673== 
==6673== 280 bytes in 1 blocks are still reachable in loss record 10 of 19
==6673==    at 0x483874F: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==6673==    by 0x146891: bfd_malloc (libbfd.c:275)
==6673==    by 0x146A18: bfd_zmalloc (libbfd.c:360)
==6673==    by 0x147A5A: _bfd_new_bfd (opncls.c:62)
==6673==    by 0x147C37: bfd_fopen (opncls.c:200)
==6673==    by 0x13BDCB: display_file (nm.c:1316)
==6673==    by 0x139C45: main (nm.c:1816)
==6673== 
==6673== 552 bytes in 1 blocks are still reachable in loss record 11 of 19
==6673==    at 0x483874F: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==6673==    by 0x48EB3B9: __fopen_internal (iofopen.c:65)
==6673==    by 0x48EB3B9: fopen@@GLIBC_2.2.5 (iofopen.c:86)
==6673==    by 0x143B3A: _bfd_real_fopen (bfdio.c:120)
==6673==    by 0x147D07: bfd_fopen (opncls.c:222)
==6673==    by 0x13BDCB: display_file (nm.c:1316)
==6673==    by 0x139C45: main (nm.c:1816)
==6673== 
==6673== 560 bytes in 2 blocks are still reachable in loss record 12 of 19
==6673==    at 0x483874F: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==6673==    by 0x146891: bfd_malloc (libbfd.c:275)
==6673==    by 0x146A18: bfd_zmalloc (libbfd.c:360)
==6673==    by 0x147A5A: _bfd_new_bfd (opncls.c:62)
==6673==    by 0x147B18: _bfd_new_bfd_contained_in (opncls.c:103)
==6673==    by 0x13E547: _bfd_create_empty_archive_element_shell (archive.c:279)
==6673==    by 0x13E547: _bfd_get_elt_at_filepos (archive.c:706)
==6673==    by 0x13E547: _bfd_get_elt_at_filepos (archive.c:645)
==6673==    by 0x13BE85: display_archive (nm.c:1261)
==6673==    by 0x13BE85: display_file (nm.c:1329)
==6673==    by 0x139C45: main (nm.c:1816)
==6673== 
==6673== 1,952 bytes in 2 blocks are still reachable in loss record 13 of 19
==6673==    at 0x483874F: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==6673==    by 0x1E742D: _objalloc_alloc (objalloc.c:143)
==6673==    by 0x148279: bfd_alloc (opncls.c:949)
==6673==    by 0x15DBE2: bfd_elf64_object_p (elfcode.h:692)
==6673==    by 0x1454D6: bfd_check_format_matches (format.c:315)
==6673==    by 0x13BEA1: display_archive (nm.c:1270)
==6673==    by 0x13BEA1: display_file (nm.c:1329)
==6673==    by 0x139C45: main (nm.c:1816)
==6673== 
==6673== 4,064 bytes in 1 blocks are still reachable in loss record 14 of 19
==6673==    at 0x483874F: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==6673==    by 0x1E73AC: objalloc_create (objalloc.c:95)
==6673==    by 0x147A83: _bfd_new_bfd (opncls.c:74)
==6673==    by 0x147C37: bfd_fopen (opncls.c:200)
==6673==    by 0x13BDCB: display_file (nm.c:1316)
==6673==    by 0x139C45: main (nm.c:1816)
==6673== 
==6673== 4,064 bytes in 1 blocks are still reachable in loss record 15 of 19
==6673==    at 0x483874F: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==6673==    by 0x1E73AC: objalloc_create (objalloc.c:95)
==6673==    by 0x145BBE: bfd_hash_table_init_n (hash.c:385)
==6673==    by 0x147AB7: _bfd_new_bfd (opncls.c:84)
==6673==    by 0x147C37: bfd_fopen (opncls.c:200)
==6673==    by 0x13BDCB: display_file (nm.c:1316)
==6673==    by 0x139C45: main (nm.c:1816)
==6673== 
==6673== 8,128 bytes in 2 blocks are still reachable in loss record 16 of 19
==6673==    at 0x483874F: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==6673==    by 0x1E73AC: objalloc_create (objalloc.c:95)
==6673==    by 0x147A83: _bfd_new_bfd (opncls.c:74)
==6673==    by 0x147B18: _bfd_new_bfd_contained_in (opncls.c:103)
==6673==    by 0x13E547: _bfd_create_empty_archive_element_shell (archive.c:279)
==6673==    by 0x13E547: _bfd_get_elt_at_filepos (archive.c:706)
==6673==    by 0x13E547: _bfd_get_elt_at_filepos (archive.c:645)
==6673==    by 0x13BE85: display_archive (nm.c:1261)
==6673==    by 0x13BE85: display_file (nm.c:1329)
==6673==    by 0x139C45: main (nm.c:1816)
==6673== 
==6673== 8,128 bytes in 2 blocks are still reachable in loss record 17 of 19
==6673==    at 0x483874F: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==6673==    by 0x1E73AC: objalloc_create (objalloc.c:95)
==6673==    by 0x145BBE: bfd_hash_table_init_n (hash.c:385)
==6673==    by 0x147AB7: _bfd_new_bfd (opncls.c:84)
==6673==    by 0x147B18: _bfd_new_bfd_contained_in (opncls.c:103)
==6673==    by 0x13E547: _bfd_create_empty_archive_element_shell (archive.c:279)
==6673==    by 0x13E547: _bfd_get_elt_at_filepos (archive.c:706)
==6673==    by 0x13E547: _bfd_get_elt_at_filepos (archive.c:645)
==6673==    by 0x13BE85: display_archive (nm.c:1261)
==6673==    by 0x13BE85: display_file (nm.c:1329)
==6673==    by 0x139C45: main (nm.c:1816)
==6673== 
==6673== 8,128 bytes in 2 blocks are still reachable in loss record 18 of 19
==6673==    at 0x483874F: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==6673==    by 0x1E747E: _objalloc_alloc (objalloc.c:159)
==6673==    by 0x148279: bfd_alloc (opncls.c:949)
==6673==    by 0x148778: bfd_zalloc (opncls.c:998)
==6673==    by 0x163CB9: _bfd_elf_new_section_hook (elf.c:2850)
==6673==    by 0x148E2E: bfd_section_init (section.c:834)
==6673==    by 0x162B13: _bfd_elf_make_section_from_shdr (elf.c:1008)
==6673==    by 0x162B13: _bfd_elf_make_section_from_shdr (elf.c:996)
==6673==    by 0x161E67: bfd_section_from_shdr (elf.c:2535)
==6673==    by 0x15D926: bfd_elf64_object_p (elfcode.h:818)
==6673==    by 0x1454D6: bfd_check_format_matches (format.c:315)
==6673==    by 0x13BEA1: display_archive (nm.c:1270)
==6673==    by 0x13BEA1: display_file (nm.c:1329)
==6673==    by 0x139C45: main (nm.c:1816)
==6673== 
==6673== 9,776 bytes in 3 blocks are still reachable in loss record 19 of 19
==6673==    at 0x483874F: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==6673==    by 0x1E742D: _objalloc_alloc (objalloc.c:143)
==6673==    by 0x148279: bfd_alloc (opncls.c:949)
==6673==    by 0x148778: bfd_zalloc (opncls.c:998)
==6673==    by 0x1609BF: bfd_elf_allocate_object (elf.c:243)
==6673==    by 0x15D7DA: bfd_elf64_object_p (elfcode.h:551)
==6673==    by 0x1454D6: bfd_check_format_matches (format.c:315)
==6673==    by 0x13BEA1: display_archive (nm.c:1270)
==6673==    by 0x13BEA1: display_file (nm.c:1329)
==6673==    by 0x139C45: main (nm.c:1816)
==6673== 
==6673== LEAK SUMMARY:
==6673==    definitely lost: 0 bytes in 0 blocks
==6673==    indirectly lost: 0 bytes in 0 blocks
==6673==      possibly lost: 0 bytes in 0 blocks
==6673==    still reachable: 46,439 bytes in 30 blocks
==6673==         suppressed: 0 bytes in 0 blocks
==6673== 
==6673== For counts of detected and suppressed errors, rerun with: -v
==6673== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
Attachment: crash.zip
Description: Zip compressed data
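The memcheck output quoted in this report is the kind of artifact a fuzzing triage pipeline has to classify before a finding is escalated. The Python script below is an added example, not part of this report or of binutils: it parses memcheck's loss records and its LEAK SUMMARY / ERROR SUMMARY lines, attributes each record's bytes to the first frame with source information, and classifies the run using valgrind's own categories (reported errors, definitely/indirectly lost, possibly lost, still reachable). The input is a constructed excerpt of the log above; the function and field names are my own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a trimmed excerpt of the memcheck output quoted in the report.
SAMPLE = """\
==6673== Memcheck, a memory error detector
==6673== 9 bytes in 1 blocks are still reachable in loss record 1 of 19
==6673==    at 0x483874F: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==6673==    by 0x1E8127: xmalloc (xmalloc.c:147)
==6673==    by 0x1E81E9: xstrdup (xstrdup.c:34)
==6673==    by 0x147C7F: bfd_fopen (opncls.c:234)
==6673==    by 0x13BDCB: display_file (nm.c:1316)
==6673==    by 0x139C45: main (nm.c:1816)
==6673== 
==6673== 1,952 bytes in 2 blocks are still reachable in loss record 13 of 19
==6673==    at 0x483874F: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==6673==    by 0x1E742D: _objalloc_alloc (objalloc.c:143)
==6673==    by 0x148279: bfd_alloc (opncls.c:949)
==6673==    by 0x15DBE2: bfd_elf64_object_p (elfcode.h:692)
==6673==    by 0x1454D6: bfd_check_format_matches (format.c:315)
==6673==    by 0x13BEA1: display_archive (nm.c:1270)
==6673==    by 0x13BEA1: display_file (nm.c:1329)
==6673==    by 0x139C45: main (nm.c:1816)
==6673== 
==6673== LEAK SUMMARY:
==6673==    definitely lost: 0 bytes in 0 blocks
==6673==    indirectly lost: 0 bytes in 0 blocks
==6673==      possibly lost: 0 bytes in 0 blocks
==6673==    still reachable: 46,439 bytes in 30 blocks
==6673==         suppressed: 0 bytes in 0 blocks
==6673== 
==6673== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
"""

KINDS = "definitely lost|indirectly lost|possibly lost|still reachable"
RECORD_RE = re.compile(
    r"^==\d+== ([\d,]+) bytes in ([\d,]+) blocks are (" + KINDS + r") in loss record (\d+) of (\d+)$")
FRAME_RE = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \((.+)\)$")
SUMMARY_RE = re.compile(r"^==\d+==\s+(" + KINDS + r"|suppressed): ([\d,]+) bytes in ([\d,]+) blocks$")
ERRORS_RE = re.compile(r"^==\d+== ERROR SUMMARY: (\d+) errors from (\d+) contexts")


@dataclass
class LossRecord:
    kind: str            # one of valgrind's leak categories
    nbytes: int
    blocks: int
    frames: list = field(default_factory=list)  # (function, location) from innermost outward

    def origin(self) -> str:
        """First frame carrying file:line info, i.e. the first frame outside the
        valgrind preload / unsymbolised libraries; falls back to the innermost frame."""
        for func, loc in self.frames:
            if not loc.startswith("in "):
                return func
        return self.frames[0][0] if self.frames else "?"


def _num(s: str) -> int:
    return int(s.replace(",", ""))


def parse_memcheck(text: str) -> dict:
    """Parse memcheck output into loss records, the LEAK SUMMARY and the error count."""
    records, summary, errors, current = [], {}, None, None
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            current = LossRecord(m.group(3), _num(m.group(1)), _num(m.group(2)))
            records.append(current)
            continue
        m = FRAME_RE.match(line)
        if m and current is not None:
            current.frames.append((m.group(1), m.group(2)))
            continue
        m = SUMMARY_RE.match(line)
        if m:
            current = None
            summary[m.group(1)] = _num(m.group(2))
            continue
        m = ERRORS_RE.match(line)
        if m:
            errors = int(m.group(1))
    return {"records": records, "summary": summary, "errors": errors}


def bytes_by_origin(records: list) -> dict:
    """Aggregate record sizes by the frame that owns the allocation."""
    totals = {}
    for rec in records:
        totals[rec.origin()] = totals.get(rec.origin(), 0) + rec.nbytes
    return totals


def triage(report: dict) -> str:
    """Classify a run by what memcheck itself reported, strictest category first."""
    s = report["summary"]
    if report["errors"] is None:
        return "incomplete"        # no ERROR SUMMARY: the run did not finish
    if report["errors"] > 0:
        return "memory-error"      # invalid reads/writes, uninitialised use, etc.
    if s.get("definitely lost", 0) or s.get("indirectly lost", 0):
        return "leak"              # blocks no longer referenced at exit
    if s.get("possibly lost", 0):
        return "possible-leak"     # interior pointers only; needs a manual look
    return "no-finding"            # only still-reachable blocks, or nothing at all


if __name__ == "__main__":
    report = parse_memcheck(SAMPLE)
    print(triage(report), bytes_by_origin(report["records"]))
```

Run on the excerpt, `triage` yields `no-finding` because every record is in the still-reachable category and the error count is zero; a run with a non-zero ERROR SUMMARY or non-zero definitely/indirectly lost bytes is escalated instead.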