[Bug binutils/26009] New: [size] crash with ASAN in __interceptor

bug-binutils

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Bug binutils/26009] New: [size] crash with ASAN in __interceptor_free

From:	dkcjd2000 at gmail dot com
Subject:	[Bug binutils/26009] New: [size] crash with ASAN in __interceptor_free
Date:	Mon, 18 May 2020 13:07:37 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=26009

            Bug ID: 26009
           Summary: [size] crash with ASAN in __interceptor_free
           Product: binutils
           Version: 2.35 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: dkcjd2000 at gmail dot com
  Target Milestone: ---

Created attachment 12555
  --> https://sourceware.org/bugzilla/attachment.cgi?id=12555&action=edit
crash test case

Hello,
I'm currently developing a new fuzzing feature, and I found a crash in size.

I downloaded from git master, and I built it with Ubuntu 16.04 with gcc 5.4.0
with ASAN, and the following command to build size from the source:
CFLAGS="-O1 -fsanitize=address -U_FORTIFY_SOURCE" ./configure; make clean all;

You can reproduce the crash with the following command:
./size <attached file>

The AddressSanitizer message of the crash is:
==10177==ERROR: AddressSanitizer: heap-use-after-free on address 0x621000015bdc
at pc 0x000000463778 bp 0x7ffc3541fd90 sp 0x7ffc3541fd80
WRITE of size 4 at 0x621000015bdc thread T0
    #0 0x463777 in bfd_section_from_shdr
(/home/cheong/results/crashes/size_crash/size.master_asan+0x463777)
    #1 0x4f8310 in bfd_elf32_object_p
(/home/cheong/results/crashes/size_crash/size.master_asan+0x4f8310)
    #2 0x418a29 in bfd_check_format_matches
(/home/cheong/results/crashes/size_crash/size.master_asan+0x418a29)
    #3 0x403989 in display_bfd
(/home/cheong/results/crashes/size_crash/size.master_asan+0x403989)
    #4 0x403c11 in display_file
(/home/cheong/results/crashes/size_crash/size.master_asan+0x403c11)
    #5 0x4040ed in main
(/home/cheong/results/crashes/size_crash/size.master_asan+0x4040ed)
    #6 0x7f6a32ff982f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #7 0x402bc8 in _start
(/home/cheong/results/crashes/size_crash/size.master_asan+0x402bc8)

0x621000015bdc is located 1756 bytes inside of 4064-byte region
[0x621000015500,0x6210000164e0)
freed by thread T0 here:
    #0 0x7f6a3363f2ca in __interceptor_free
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
    #1 0x5ae662 in objalloc_free_block
(/home/cheong/results/crashes/size_crash/size.master_asan+0x5ae662)

previously allocated by thread T0 here:
    #0 0x7f6a3363f602 in malloc
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x5ae3d8 in _objalloc_alloc
(/home/cheong/results/crashes/size_crash/size.master_asan+0x5ae3d8)

SUMMARY: AddressSanitizer: heap-use-after-free ??:0 bfd_section_from_shdr
Shadow bytes around the buggy address:
  0x0c427fffab20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c427fffab30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c427fffab40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c427fffab50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c427fffab60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c427fffab70: fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd
  0x0c427fffab80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c427fffab90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c427fffaba0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c427fffabb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c427fffabc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==10177==ABORTING

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Prev in Thread]

Current Thread

[Next in Thread]

[Bug binutils/26009] New: [size] crash with ASAN in __interceptor_free, dkcjd2000 at gmail dot com <=
- [Bug binutils/26009] [size] crash with ASAN in __interceptor_free, nickc at redhat dot com, 2020/05/18

Prev by Date: [Bug binutils/26008] New: [size] crash with ASAN, use after free
Next by Date: [Bug binutils/26010] New: [size] crash with ASAN check failed
Previous by thread: [Bug binutils/26008] New: [size] crash with ASAN, use after free
Next by thread: [Bug binutils/26009] [size] crash with ASAN in __interceptor_free
Index(es):
- Date
- Thread