[Bug binutils/27759] New: heap-buffer-overflow in srec_read_section
From: rubycccccccccc at gmail dot com
Subject: [Bug binutils/27759] New: heap-buffer-overflow in srec_read_section
Date: Tue, 20 Apr 2021 16:59:03 +0000
https://sourceware.org/bugzilla/show_bug.cgi?id=27759
Bug ID: 27759
Summary: heap-buffer-overflow in srec_read_section
Product: binutils
Version: 2.36.1
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: rubycccccccccc at gmail dot com
Target Milestone: ---
Created attachment 13391
--> https://sourceware.org/bugzilla/attachment.cgi?id=13391&action=edit
The file that reproduces this problem
OS: ubuntu 20.04.2
kernel: gnu/linux 5.8.0-48-generic
CPU: Intel(R) Core(TM) i7-10700 CPU @ 2.90GHz
compiler: gcc version 9.3.0
Steps to Reproduce:
download the sample from the attachment
~/target/binutils-2.36.1-asan/binutils/objcopy -O tekhex ./sample01
ASan trace:
/home/ruby/target/binutils-2.36.1-asan/binutils/objcopy: BFD (GNU Binutils) 2.36.1 assertion fail srec.c:736
=================================================================
==1714453==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6040000000f8 at pc 0x55e4b9f21206 bp 0x7ffdda381c70 sp 0x7ffdda381c60
READ of size 1 at 0x6040000000f8 thread T0
#0 0x55e4b9f21205 in srec_read_section
/home/ruby/target/binutils-2.36.1-asan/bfd/srec.c:796
#1 0x55e4b9f21205 in srec_get_section_contents
/home/ruby/target/binutils-2.36.1-asan/bfd/srec.c:843
#2 0x55e4b9f21205 in srec_get_section_contents
/home/ruby/target/binutils-2.36.1-asan/bfd/srec.c:821
#3 0x55e4b9ed02d6 in bfd_get_full_section_contents
/home/ruby/target/binutils-2.36.1-asan/bfd/compress.c:288
#4 0x55e4b9e1d8c3 in copy_section
/home/ruby/target/binutils-2.36.1-asan/binutils/objcopy.c:4409
#5 0x55e4b9effc9e in bfd_map_over_sections
/home/ruby/target/binutils-2.36.1-asan/bfd/section.c:1382
#6 0x55e4b9e28a3e in copy_object
/home/ruby/target/binutils-2.36.1-asan/binutils/objcopy.c:3303
#7 0x55e4b9e3303a in copy_file
/home/ruby/target/binutils-2.36.1-asan/binutils/objcopy.c:3877
#8 0x55e4b9e0e79a in copy_main
/home/ruby/target/binutils-2.36.1-asan/binutils/objcopy.c:5930
#9 0x55e4b9e0e79a in main
/home/ruby/target/binutils-2.36.1-asan/binutils/objcopy.c:6057
#10 0x7fd915d4f0b2 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
#11 0x55e4b9e1489d in _start
(/home/ruby/target/binutils-2.36.1-asan/binutils/objcopy+0xb689d)
0x6040000000f8 is located 0 bytes to the right of 40-byte region [0x6040000000d0,0x6040000000f8)
allocated by thread T0 here:
#0 0x7fd91602dbc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
#1 0x55e4b9ee6dcd in bfd_malloc
/home/ruby/target/binutils-2.36.1-asan/bfd/libbfd.c:275
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ruby/target/binutils-2.36.1-asan/bfd/srec.c:796 in srec_read_section
Shadow bytes around the buggy address:
==1714453==ABORTING
It also causes the error at HEAD c5df7e44
~/binutils-gdb-new/binutils/objcopy -O tekhex ./sample01
/home/ruby/target/binutils-gdb-new-asan/binutils/objcopy: BFD (GNU Binutils) 2.36.50.20210420 assertion fail srec.c:736
[1] 1222672 segmentation fault ~/target/binutils-gdb-new/binutils/objcopy -O tekhex ./sample01