[Bug binutils/26931] New: [nm] crash with ASAN in display_rel_file
From: hao-wang20 at mails dot tsinghua.edu.cn
Subject: [Bug binutils/26931] New: [nm] crash with ASAN in display_rel_file
Date: Sun, 22 Nov 2020 15:39:27 +0000
https://sourceware.org/bugzilla/show_bug.cgi?id=26931
Bug ID: 26931
Summary: [nm] crash with ASAN in display_rel_file
Product: binutils
Version: 2.35.1
Status: UNCONFIRMED
Severity: critical
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: hao-wang20 at mails dot tsinghua.edu.cn
Target Milestone: ---
Created attachment 12993
--> https://sourceware.org/bugzilla/attachment.cgi?id=12993&action=edit
crash test case
Hello,
I found a crash in nm-new when doing fuzzing experiments, and it can be
reproduced in the master branch.
I downloaded the source code from git and built it on Ubuntu 18.04 with gcc
7.5.0 with ASAN, using the following command to build nm-new from the source:
CFLAGS="-O1 -fsanitize=address -g" ./configure; make clean all;
You can reproduce the crash with the following command:
nm-new --synthetic <attached file>
The AddressSanitizer message of the crash is:
==85112==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000000228
at pc 0x56518d01ceeb bp 0x7fffbdc68af0 sp 0x7fffbdc68ae0
READ of size 8 at 0x606000000228 thread T0
#0 0x56518d01ceea in _bfd_elf_slurp_secondary_reloc_section
/home/vul337/rfuzz/psrc/bintuils-asan/bfd/elf.c:12694
#1 0x56518d09b9a0 in bfd_elf32_slurp_reloc_table
/home/vul337/rfuzz/psrc/bintuils-asan/bfd/elfcode.h:1606
#2 0x56518d00df5e in _bfd_elf_canonicalize_dynamic_reloc
/home/vul337/rfuzz/psrc/bintuils-asan/bfd/elf.c:8667
#3 0x56518cfd6013 in _bfd_x86_elf_get_synthetic_symtab
/home/vul337/rfuzz/psrc/bintuils-asan/bfd/elfxx-x86.c:2111
#4 0x56518d09637f in elf_i386_get_synthetic_symtab
/home/vul337/rfuzz/psrc/bintuils-asan/bfd/elf32-i386.c:4293
#5 0x56518cf82cd4 in display_rel_file
/home/vul337/rfuzz/psrc/bintuils-asan/binutils/nm.c:1183
#6 0x56518cf84470 in display_file
/home/vul337/rfuzz/psrc/bintuils-asan/binutils/nm.c:1403
#7 0x56518cf84bed in main
/home/vul337/rfuzz/psrc/bintuils-asan/binutils/nm.c:1891
#8 0x7f65c0e04bf6 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
#9 0x56518cf7f1c9 in _start
(/home/vul337/rfuzz/psrc/bintuils-asan/binutils/nm-new+0x9b1c9)
0x606000000228 is located 40 bytes inside of 49-byte region
[0x606000000200,0x606000000231)
freed by thread T0 here:
#0 0x7f65c14b67a8 in __interceptor_free
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7a8)
#1 0x7f65c0e1818f (/lib/x86_64-linux-gnu/libc.so.6+0x3518f)
previously allocated by thread T0 here:
#0 0x7f65c14b6b40 in __interceptor_malloc
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
#1 0x7f65c0e17e10 (/lib/x86_64-linux-gnu/libc.so.6+0x34e10)
SUMMARY: AddressSanitizer: heap-use-after-free
/home/vul337/rfuzz/psrc/bintuils-asan/bfd/elf.c:12694 in
_bfd_elf_slurp_secondary_reloc_section
I can also reproduce this bug on Ubuntu 16.04, where ASAN reports a
HeapOverflow bug. I checked the source code and used gdb to find the root
cause: the function bfd_get_symcount in elf.c:12644 returns an incorrect number and
triggers a heap buffer overflow in elf.c:12690, which causes an illegal memory
access in a freed chunk. We can add a check for the returned symcount at 12644.
--
You are receiving this mail because:
You are on the CC list for the bug.
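The root cause described in the report is a relocation entry whose symbol index is never checked against the symbol count before it is used to index the symbol table. The following is an added illustration of that check, written for this page and not taken from binutils: the struct layout, the constructed symbol table and the constructed relocation entries are all assumptions made for the example.

```c
/* Added example (not binutils code): reject relocation entries whose
   symbol index lies outside the symbol table, the kind of symcount
   check the report suggests for the reloc-slurping path. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define ELF32_R_SYM(info) ((info) >> 8)   /* same split as <elf.h> */

struct rel32 { uint32_t r_offset; uint32_t r_info; };  /* Elf32_Rel layout */

/* Constructed symbol table: index 0 is the ELF null symbol. */
static const char *const symtab[] = { "", "main", "printf" };
static const size_t symcount = sizeof symtab / sizeof symtab[0];

/* Constructed relocation section: the last entry names symbol 7,
   which does not exist in a 3-entry table, like a fuzzed input would. */
static const struct rel32 relocs[] = {
  { 0x1000, (1u << 8) | 1 },   /* symbol 1, type 1 */
  { 0x1004, (2u << 8) | 2 },   /* symbol 2, type 2 */
  { 0x1008, (7u << 8) | 1 },   /* symbol 7: out of range */
};

/* Hardened lookup: returns the symbol name, or NULL when the index is
   out of range or the symbol table is empty (a symcount of 0 makes
   every index invalid, so it must be rejected rather than indexed). */
const char *reloc_symbol_checked(const struct rel32 *r,
                                 const char *const *syms, size_t count)
{
  uint32_t idx = ELF32_R_SYM(r->r_info);
  if (count == 0 || idx >= count)
    return NULL;
  return syms[idx];
}

/* Walks a reloc table and counts the entries the check rejects. */
size_t count_bad_relocs(const struct rel32 *rs, size_t n,
                        const char *const *syms, size_t count)
{
  size_t bad = 0;
  for (size_t i = 0; i < n; i++)
    if (reloc_symbol_checked(&rs[i], syms, count) == NULL)
      bad++;
  return bad;
}

int main(void)
{
  size_t n = sizeof relocs / sizeof relocs[0];
  printf("rejected %zu of %zu relocs\n",
         count_bad_relocs(relocs, n, symtab, symcount), n);
  return 0;
}
```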