bug-binutils
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Bug binutils/28167] New: objdump: heap-buffer-overflow on bfd_getl32 in

From: shaohua.li at inf dot ethz.ch
Subject: [Bug binutils/28167] New: objdump: heap-buffer-overflow on bfd_getl32 in libbfd.c:727
Date: Mon, 02 Aug 2021 14:14:52 +0000 
https://sourceware.org/bugzilla/show_bug.cgi?id=28167

            Bug ID: 28167
           Summary: objdump: heap-buffer-overflow on bfd_getl32 in
                    libbfd.c:727
           Product: binutils
           Version: 2.38 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: shaohua.li at inf dot ethz.ch
  Target Milestone: ---

Created attachment 13578
  --> https://sourceware.org/bugzilla/attachment.cgi?id=13578&action=edit
poc

Hi there,

I found a heap-buffer-overflow with a fuzzer.

- binutils version: 2.38(Head), commit af51804103a08cd1e12edc4f4a30eec2c5c4f9e8
- Compiler: clang12
- Platform: Ubuntu 18.04.5 LTS, x86_64
- Reproduce: run `objdump -S poc`

AddressSanitizer report:

==382==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d000001290
at pc 0x000000b033dd bp 0x7ffc9c0d1720 sp 0x7ffc9c0d1718
READ of size 1 at 0x61d000001290 thread T0
    #0 0xb033dc in bfd_getl32 /binutils_latest/repo/bfd/libbfd.c:727:23
    #1 0x11ed458 in build_module_list
/binutils_latest/repo/bfd/vms-alpha.c:4830:20
    #2 0x11c25cd in _bfd_vms_find_nearest_line
/binutils_latest/repo/bfd/vms-alpha.c:4965:24
    #3 0x4e496a in show_line /binutils_latest/repo/binutils/./objdump.c:1784:9
    #4 0x4e0b1f in disassemble_bytes
/binutils_latest/repo/binutils/./objdump.c:2770:6
    #5 0x4dae9a in disassemble_section
/binutils_latest/repo/binutils/./objdump.c:3455:4
    #6 0xb0e04a in bfd_map_over_sections
/binutils_latest/repo/bfd/section.c:1383:5
    #7 0x4d1ae0 in disassemble_data
/binutils_latest/repo/binutils/./objdump.c:3599:3
    #8 0x4cda84 in dump_bfd /binutils_latest/repo/binutils/./objdump.c:5006:5
    #9 0x4ccb9f in display_object_bfd
/binutils_latest/repo/binutils/./objdump.c:5068:7
    #10 0x4ccaa9 in display_any_bfd
/binutils_latest/repo/binutils/./objdump.c:5158:5
    #11 0x4cc65c in display_file
/binutils_latest/repo/binutils/./objdump.c:5179:3
    #12 0x4cb063 in main /binutils_latest/repo/binutils/./objdump.c:5529:6
    #13 0x7f98b34b50b2 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #14 0x41c61d in _start (/out_bin/objdump+0x41c61d)

0x61d000001290 is located 0 bytes to the right of 2064-byte region
[0x61d000000a80,0x61d000001290)
allocated by thread T0 here:
    #0 0x4974dd in malloc (/out_bin/objdump+0x4974dd)
    #1 0x1c205c5 in _objalloc_alloc
/binutils_latest/repo/libiberty/./objalloc.c:143:22
    #2 0xb08bf0 in bfd_alloc /binutils_latest/repo/bfd/opncls.c:1032:9
    #3 0x11ed391 in build_module_list
/binutils_latest/repo/bfd/vms-alpha.c:4799:31
    #4 0x11c25cd in _bfd_vms_find_nearest_line
/binutils_latest/repo/bfd/vms-alpha.c:4965:24
    #5 0x4e496a in show_line /binutils_latest/repo/binutils/./objdump.c:1784:9
    #6 0x4e0b1f in disassemble_bytes
/binutils_latest/repo/binutils/./objdump.c:2770:6
    #7 0x4dae9a in disassemble_section
/binutils_latest/repo/binutils/./objdump.c:3455:4
    #8 0xb0e04a in bfd_map_over_sections
/binutils_latest/repo/bfd/section.c:1383:5
    #9 0x4d1ae0 in disassemble_data
/binutils_latest/repo/binutils/./objdump.c:3599:3
    #10 0x4cda84 in dump_bfd /binutils_latest/repo/binutils/./objdump.c:5006:5
    #11 0x4ccb9f in display_object_bfd
/binutils_latest/repo/binutils/./objdump.c:5068:7
    #12 0x4ccaa9 in display_any_bfd
/binutils_latest/repo/binutils/./objdump.c:5158:5
    #13 0x4cc65c in display_file
/binutils_latest/repo/binutils/./objdump.c:5179:3
    #14 0x4cb063 in main /binutils_latest/repo/binutils/./objdump.c:5529:6
    #15 0x7f98b34b50b2 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

SUMMARY: AddressSanitizer: heap-buffer-overflow
/binutils_latest/repo/bfd/libbfd.c:727:23 in bfd_getl32
Shadow bytes around the buggy address:
  0x0c3a7fff8200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fff8210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fff8220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fff8230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fff8240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3a7fff8250: 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fff8260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fff8270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fff8280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fff8290: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fff82a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==382==ABORTING

-- 
You are receiving this mail because:
You are on the CC list for the bug.
reply via email to
[Prev in Thread] Current Thread [Next in Thread]