[Bug binutils/26335] New: A stack-buffer-overflow in readelf.c:12096:20

bug-binutils

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Bug binutils/26335] New: A stack-buffer-overflow in readelf.c:12096:20

From:	seviezhou at 163 dot com
Subject:	[Bug binutils/26335] New: A stack-buffer-overflow in readelf.c:12096:20 causes Segmentation fault
Date:	Tue, 04 Aug 2020 01:22:18 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=26335

            Bug ID: 26335
           Summary: A stack-buffer-overflow in readelf.c:12096:20 causes
                    Segmentation fault
           Product: binutils
           Version: 2.35
            Status: UNCONFIRMED
          Severity: critical
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: seviezhou at 163 dot com
  Target Milestone: ---

Created attachment 12745
  --> https://sourceware.org/bugzilla/attachment.cgi?id=12745&action=edit
stack-overflow-print_dynamic_symbol-readelf-12096

There is a stack-buffer-overflow in readelf.c:12096:20 that can cause readelf
to Segmentation fault.

## System info

Ubuntu X64, gcc (Ubuntu 5.5.0-12ubuntu1), binutils 2.35

## Configure

CFLAGS="-fno-stack-protector" ./configure
CFLAGS="-g -fsanitize=address" LDFLAGS="-fsanitize=address" ./configure

## Command line

./binutils/readelf -a @@

## Output

```
Symbol table '.dynsym' contains 73 entries:
   Num:    Value  Size Type    Bind   Vis      Ndx Name
     0: 00000000     0 NOTYPE  LOCAL  DEFAULT  UND ^P
Segmentation fault (core dumped)
```

## AddressSanitizer output

```
=================================================================
==74564==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7ffe1e0e0160 at pc 0x00000044792a bp 0x7ffe1e0dff20 sp 0x7ffe1e0df6d0
WRITE of size 335 at 0x7ffe1e0e0160 thread T0
    #0 0x447929 in vsprintf
(/home/seviezhou/binutils-2.35/binutils/readelf+0x447929)
    #1 0x447c56 in __interceptor_sprintf
(/home/seviezhou/binutils-2.35/binutils/readelf+0x447c56)
    #2 0x593686 in print_dynamic_symbol
/home/seviezhou/binutils-2.35/binutils/readelf.c:12096:20
    #3 0x533412 in process_symbol_table
/home/seviezhou/binutils-2.35/binutils/readelf.c:12221:6
    #4 0x533412 in process_object
/home/seviezhou/binutils-2.35/binutils/readelf.c:20333
    #5 0x5178f4 in process_file
/home/seviezhou/binutils-2.35/binutils/readelf.c:20795:13
    #6 0x5178f4 in main /home/seviezhou/binutils-2.35/binutils/readelf.c:20868
    #7 0x7fecc6418b96 in __libc_start_main
/build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #8 0x41aa99 in _start
(/home/seviezhou/binutils-2.35/binutils/readelf+0x41aa99)

Address 0x7ffe1e0e0160 is located in stack of thread T0 at offset 320 in frame
    #0 0x591fcf in print_dynamic_symbol
/home/seviezhou/binutils-2.35/binutils/readelf.c:12053

  This frame has 3 object(s):
    [32, 36) 'sym_info' (line 12055)
    [48, 50) 'vna_other' (line 12056)
    [64, 320) 'buffer' (line 12094) <== Memory access at offset 320 overflows
this variable
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow
(/home/seviezhou/binutils-2.35/binutils/readelf+0x447929) in vsprintf
Shadow bytes around the buggy address:
  0x100043c13fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100043c13fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100043c13ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100043c14000: 00 00 00 00 f1 f1 f1 f1 04 f2 02 f2 00 00 00 00
  0x100043c14010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100043c14020: 00 00 00 00 00 00 00 00 00 00 00 00[f3]f3 f3 f3
  0x100043c14030: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x100043c14040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100043c14050: f1 f1 f1 f1 f8 f2 f2 f2 f8 f8 f8 f8 f8 f8 f8 f8
  0x100043c14060: f8 f8 f8 f8 f8 f8 f8 f8 f2 f2 f2 f2 f8 f2 f2 f2
  0x100043c14070: f8 f8 f2 f2 f8 f8 f2 f2 f8 f8 f8 f2 f2 f2 f2 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==74564==ABORTING
```

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Prev in Thread]

Current Thread

[Next in Thread]

[Bug binutils/26335] New: A stack-buffer-overflow in readelf.c:12096:20 causes Segmentation fault, seviezhou at 163 dot com <=
- [Bug binutils/26335] A stack-buffer-overflow in readelf.c:12096:20 causes Segmentation fault, amodra at gmail dot com, 2020/08/04

Prev by Date: [Bug binutils/25202] objcopy --verilog-data-width doesn't respect target's endianness
Next by Date: [Bug binutils/26330] Malloc size error in objdump
Previous by thread: [Bug binutils/25202] objcopy --verilog-data-width doesn't respect target's endianness
Next by thread: [Bug binutils/26335] A stack-buffer-overflow in readelf.c:12096:20 causes Segmentation fault
Index(es):
- Date
- Thread