[Bug binutils/26929] New: [readelf] crash with ASAN in print_dynamic_sym


From: hao-wang20 at mails dot tsinghua.edu.cn
Subject: [Bug binutils/26929] New: [readelf] crash with ASAN in print_dynamic_symbol
Date: Sat, 21 Nov 2020 17:27:41 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=26929

            Bug ID: 26929
           Summary: [readelf] crash with ASAN in print_dynamic_symbol
           Product: binutils
           Version: 2.35.1
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: hao-wang20 at mails dot tsinghua.edu.cn
  Target Milestone: ---

Created attachment 12991
  --> https://sourceware.org/bugzilla/attachment.cgi?id=12991&action=edit
crash test case

Hello,
I found a crash in readelf when doing fuzzing experiments.

I downloaded the source code from the ftp server, and I built it on Ubuntu 18.04 with
gcc 7.5.0 with ASAN, using the following command to build readelf from the
source:
CFLAGS="-O1 -fsanitize=address -U_FORTIFY_SOURCE" ./configure; make clean all;

You can reproduce the crash with the following command:
./readelf --dyn-syms <attached file>

The AddressSanitizer message of the crash is:
==90332==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7ffd502affe0 at pc 0x7f8ed10b98f9 bp 0x7ffd502afd00 sp 0x7ffd502af490
WRITE of size 364 at 0x7ffd502affe0 thread T0
    #0 0x7f8ed10b98f8 in __interceptor_vsprintf
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0x9e8f8)
    #1 0x7f8ed10b9c86 in __interceptor_sprintf
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0x9ec86)
    #2 0x55d1d3eaeb01 in print_dynamic_symbol
(/home/vul337/rfuzz/psrc/binutils-2.35.1/binutils/readelf+0xd3b01)
    #3 0x55d1d3eaf9c9 in process_symbol_table
(/home/vul337/rfuzz/psrc/binutils-2.35.1/binutils/readelf+0xd49c9)
    #4 0x55d1d3ed59b3 in process_object
(/home/vul337/rfuzz/psrc/binutils-2.35.1/binutils/readelf+0xfa9b3)
    #5 0x55d1d3ede499 in main
(/home/vul337/rfuzz/psrc/binutils-2.35.1/binutils/readelf+0x103499)
    #6 0x7f8ed0c4bbf6 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
    #7 0x55d1d3e83a59 in _start
(/home/vul337/rfuzz/psrc/binutils-2.35.1/binutils/readelf+0xa8a59)

Address 0x7ffd502affe0 is located in stack of thread T0 at offset 416 in frame
    #0 0x55d1d3eadd8d in print_dynamic_symbol
(/home/vul337/rfuzz/psrc/binutils-2.35.1/binutils/readelf+0xd2d8d)

  This frame has 3 object(s):
    [32, 34) 'vna_other'
    [96, 100) 'sym_info'
    [160, 416) 'buffer' <== Memory access at offset 416 overflows this variable

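The ASAN frame above shows the pattern behind this report: a 256-byte stack array (`buffer`, at frame offsets [160, 416)) receives a 364-byte `sprintf` write, so the formatted string runs 108 bytes past the end of the array. The following C example is an added illustration, not readelf's code: the function names, the `%s@%lx` format string and the 364-character symbol name are constructed stand-ins. It shows the unbounded `sprintf` pattern next to a bounded `snprintf` version that reports truncation to its caller instead of corrupting the stack.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Same size as the 'buffer' object in the ASAN frame: [160, 416) is 256 bytes. */
#define SYM_BUF_SIZE 256

/* Unbounded pattern (for contrast only; never called with oversized input here).
 * sprintf has no idea how large buf is, so a symbol name longer than the
 * buffer writes past its end, which is what ASAN flagged as a
 * stack-buffer-overflow. Format string is an assumption, not readelf's. */
void format_sym_name_unsafe(char *buf, const char *name, unsigned long value)
{
    sprintf(buf, "%s@%lx", name, value);
}

/* Bounded version. snprintf never writes more than bufsz bytes (including
 * the NUL) and returns the length the full string would have had, so the
 * caller can detect truncation instead of silently losing data.
 * Returns true if the whole string fit, false if it was truncated. */
bool format_sym_name(char *buf, size_t bufsz, const char *name, unsigned long value)
{
    int n = snprintf(buf, bufsz, "%s@%lx", name, value);
    if (n < 0) {            /* encoding error: leave an empty, valid string */
        buf[0] = '\0';
        return false;
    }
    return (size_t)n < bufsz;
}

/* Constructed input mirroring the report: a name whose formatted form is
 * 364 bytes, fed into a 256-byte buffer. With the bounded function the
 * result is a truncated 255-character string plus NUL, and no overflow.
 * Returns the resulting strlen (expected 255), or 0 if it unexpectedly fit. */
size_t demo_truncated_length(void)
{
    char name[364];
    memset(name, 'A', sizeof name - 1);
    name[sizeof name - 1] = '\0';

    char buf[SYM_BUF_SIZE];
    bool fit = format_sym_name(buf, sizeof buf, name, 0UL);
    return fit ? 0 : strlen(buf);
}

/* Normal-sized input: the string fits and is formatted as expected. */
bool demo_fits(void)
{
    char buf[SYM_BUF_SIZE];
    return format_sym_name(buf, sizeof buf, "main", 0x1000UL)
        && strcmp(buf, "main@1000") == 0;
}

int main(void)
{
    printf("short name fits: %s\n", demo_fits() ? "yes" : "no");
    printf("long name truncated to %zu chars\n", demo_truncated_length());
    return 0;
}
```

The practical check for a reviewer is the return value: any `snprintf` whose result is ignored still hides truncation, and any remaining `sprintf` into a fixed-size array is only safe if the caller can prove an upper bound on every argument, which untrusted ELF string tables cannot provide.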