[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Bug binutils/28167] New: objdump: heap-buffer-overflow on bfd_getl32 in
From: |
shaohua.li at inf dot ethz.ch |
Subject: |
[Bug binutils/28167] New: objdump: heap-buffer-overflow on bfd_getl32 in libbfd.c:727 |
Date: |
Mon, 02 Aug 2021 14:14:52 +0000 |
https://sourceware.org/bugzilla/show_bug.cgi?id=28167
Bug ID: 28167
Summary: objdump: heap-buffer-overflow on bfd_getl32 in
libbfd.c:727
Product: binutils
Version: 2.38 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: shaohua.li at inf dot ethz.ch
Target Milestone: ---
Created attachment 13578
--> https://sourceware.org/bugzilla/attachment.cgi?id=13578&action=edit
poc
Hi there,
I found a heap-buffer-overflow with a fuzzer.
- binutils version: 2.38(Head), commit af51804103a08cd1e12edc4f4a30eec2c5c4f9e8
- Compiler: clang12
- Platform: Ubuntu 18.04.5 LTS, x86_64
- Reproduce: run `objdump -S poc`
AddressSanitizer report:
==382==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d000001290
at pc 0x000000b033dd bp 0x7ffc9c0d1720 sp 0x7ffc9c0d1718
READ of size 1 at 0x61d000001290 thread T0
#0 0xb033dc in bfd_getl32 /binutils_latest/repo/bfd/libbfd.c:727:23
#1 0x11ed458 in build_module_list
/binutils_latest/repo/bfd/vms-alpha.c:4830:20
#2 0x11c25cd in _bfd_vms_find_nearest_line
/binutils_latest/repo/bfd/vms-alpha.c:4965:24
#3 0x4e496a in show_line /binutils_latest/repo/binutils/./objdump.c:1784:9
#4 0x4e0b1f in disassemble_bytes
/binutils_latest/repo/binutils/./objdump.c:2770:6
#5 0x4dae9a in disassemble_section
/binutils_latest/repo/binutils/./objdump.c:3455:4
#6 0xb0e04a in bfd_map_over_sections
/binutils_latest/repo/bfd/section.c:1383:5
#7 0x4d1ae0 in disassemble_data
/binutils_latest/repo/binutils/./objdump.c:3599:3
#8 0x4cda84 in dump_bfd /binutils_latest/repo/binutils/./objdump.c:5006:5
#9 0x4ccb9f in display_object_bfd
/binutils_latest/repo/binutils/./objdump.c:5068:7
#10 0x4ccaa9 in display_any_bfd
/binutils_latest/repo/binutils/./objdump.c:5158:5
#11 0x4cc65c in display_file
/binutils_latest/repo/binutils/./objdump.c:5179:3
#12 0x4cb063 in main /binutils_latest/repo/binutils/./objdump.c:5529:6
#13 0x7f98b34b50b2 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
#14 0x41c61d in _start (/out_bin/objdump+0x41c61d)
0x61d000001290 is located 0 bytes to the right of 2064-byte region
[0x61d000000a80,0x61d000001290)
allocated by thread T0 here:
#0 0x4974dd in malloc (/out_bin/objdump+0x4974dd)
#1 0x1c205c5 in _objalloc_alloc
/binutils_latest/repo/libiberty/./objalloc.c:143:22
#2 0xb08bf0 in bfd_alloc /binutils_latest/repo/bfd/opncls.c:1032:9
#3 0x11ed391 in build_module_list
/binutils_latest/repo/bfd/vms-alpha.c:4799:31
#4 0x11c25cd in _bfd_vms_find_nearest_line
/binutils_latest/repo/bfd/vms-alpha.c:4965:24
#5 0x4e496a in show_line /binutils_latest/repo/binutils/./objdump.c:1784:9
#6 0x4e0b1f in disassemble_bytes
/binutils_latest/repo/binutils/./objdump.c:2770:6
#7 0x4dae9a in disassemble_section
/binutils_latest/repo/binutils/./objdump.c:3455:4
#8 0xb0e04a in bfd_map_over_sections
/binutils_latest/repo/bfd/section.c:1383:5
#9 0x4d1ae0 in disassemble_data
/binutils_latest/repo/binutils/./objdump.c:3599:3
#10 0x4cda84 in dump_bfd /binutils_latest/repo/binutils/./objdump.c:5006:5
#11 0x4ccb9f in display_object_bfd
/binutils_latest/repo/binutils/./objdump.c:5068:7
#12 0x4ccaa9 in display_any_bfd
/binutils_latest/repo/binutils/./objdump.c:5158:5
#13 0x4cc65c in display_file
/binutils_latest/repo/binutils/./objdump.c:5179:3
#14 0x4cb063 in main /binutils_latest/repo/binutils/./objdump.c:5529:6
#15 0x7f98b34b50b2 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
SUMMARY: AddressSanitizer: heap-buffer-overflow
/binutils_latest/repo/bfd/libbfd.c:727:23 in bfd_getl32
Shadow bytes around the buggy address:
0x0c3a7fff8200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3a7fff8210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3a7fff8220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3a7fff8230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3a7fff8240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3a7fff8250: 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3a7fff8260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3a7fff8270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3a7fff8280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3a7fff8290: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3a7fff82a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==382==ABORTING
--
You are receiving this mail because:
You are on the CC list for the bug.
- [Bug binutils/28167] New: objdump: heap-buffer-overflow on bfd_getl32 in libbfd.c:727,
shaohua.li at inf dot ethz.ch <=