[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Bug binutils/26188] New: buff overflow in bfd, coff_find_nearest_line_w
From: |
featherrain26 at gmail dot com |
Subject: |
[Bug binutils/26188] New: buff overflow in bfd, coff_find_nearest_line_with_names |
Date: |
Tue, 30 Jun 2020 16:05:28 +0000 |
https://sourceware.org/bugzilla/show_bug.cgi?id=26188
Bug ID: 26188
Summary: buff overflow in bfd,
coff_find_nearest_line_with_names
Product: binutils
Version: 2.35 (HEAD)
Status: UNCONFIRMED
Severity: critical
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: featherrain26 at gmail dot com
Target Milestone: ---
Created attachment 12673
--> https://sourceware.org/bugzilla/attachment.cgi?id=12673&action=edit
POC input
Hi, there.
There is a heap overflow in bfd modules, triggered by nm.
To reproduce, compile it with ASAN.
then run
nm -al input
Here is the trace reported by ASAN:
==118507==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x62100001dce8 at pc 0x000000785a12 bp 0x7ffda050c060 sp 0x7ffda050c050
READ of size 2 at 0x62100001dce8 thread T0
#0 0x785a11 in coff_find_nearest_line_with_names ../../bfd/coffgen.c:2482
#1 0x40e128 in print_symbol ../../binutils/nm.c:992
#2 0x40f860 in print_symbols ../../binutils/nm.c:1088
#3 0x40f860 in display_rel_file ../../binutils/nm.c:1212
#4 0x4129ec in display_file ../../binutils/nm.c:1379
#5 0x4081a7 in main ../../binutils/nm.c:1860
#6 0x7f566827082f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#7 0x40a248 in _start
(/mnt/data/playground/binutils-2.34-a/build/binutils/nm-new+0x40a248)
0x62100001dce8 is located 8 bytes to the right of 4064-byte region
[0x62100001cd00,0x62100001dce0)
allocated by thread T0 here:
#0 0x7f56688b6662 in malloc
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98662)
#1 0x93a8a0 in objalloc_create ../../libiberty/objalloc.c:95
SUMMARY: AddressSanitizer: heap-buffer-overflow ../../bfd/coffgen.c:2482
coff_find_nearest_line_with_names
Shadow bytes around the buggy address:
0x0c427fffbb40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffbb50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffbb60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffbb70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffbb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c427fffbb90: 00 00 00 00 00 00 00 00 00 00 00 00 fa[fa]fa fa
0x0c427fffbba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffbbb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffbbc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffbbd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffbbe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==118507==ABORTING
--
You are receiving this mail because:
You are on the CC list for the bug.
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- [Bug binutils/26188] New: buff overflow in bfd, coff_find_nearest_line_with_names,
featherrain26 at gmail dot com <=