[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Bug binutils/28168] New: objdump -S: stack-buffer-overflow
From: |
shaohua.li at inf dot ethz.ch |
Subject: |
[Bug binutils/28168] New: objdump -S: stack-buffer-overflow |
Date: |
Mon, 02 Aug 2021 14:18:12 +0000 |
https://sourceware.org/bugzilla/show_bug.cgi?id=28168
Bug ID: 28168
Summary: objdump -S: stack-buffer-overflow
Product: binutils
Version: 2.38 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: shaohua.li at inf dot ethz.ch
Target Milestone: ---
Created attachment 13579
--> https://sourceware.org/bugzilla/attachment.cgi?id=13579&action=edit
poc
Hi there,
I found a stack-buffer-overflow in `objdump -S` with a fuzzer.
- binutils version: 2.38(Head), commit af51804103a08cd1e12edc4f4a30eec2c5c4f9e8
- Compiler: clang12
- Platform: Ubuntu 18.04.5 LTS, x86_64
- Reproduce: run `objdump -S poc`
AddressSanitizer report:
==389==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff6d3f12c0
at pc 0x00000043ab44 bp 0x7fff6d3f1100 sp 0x7fff6d3f0898
WRITE of size 159 at 0x7fff6d3f12c0 thread T0
#0 0x43ab43 in vsprintf (/out_bin/objdump+0x43ab43)
#1 0x43bac3 in sprintf (/out_bin/objdump+0x43bac3)
#2 0x6d3bb6 in csky_output_operand
/binutils_latest/repo/opcodes/csky-dis.c:568:6
#3 0x6d1e82 in csky_print_operand
/binutils_latest/repo/opcodes/csky-dis.c:978:10
#4 0x6d18e6 in csky_print_operands
/binutils_latest/repo/opcodes/csky-dis.c:1001:8
#5 0x6d0995 in print_insn_csky
/binutils_latest/repo/opcodes/csky-dis.c:1206:11
#6 0x4e1829 in disassemble_bytes
/binutils_latest/repo/binutils/./objdump.c:2873:20
#7 0x4dae9a in disassemble_section
/binutils_latest/repo/binutils/./objdump.c:3455:4
#8 0xb0e04a in bfd_map_over_sections
/binutils_latest/repo/bfd/section.c:1383:5
#9 0x4d1ae0 in disassemble_data
/binutils_latest/repo/binutils/./objdump.c:3599:3
#10 0x4cda84 in dump_bfd /binutils_latest/repo/binutils/./objdump.c:5006:5
#11 0x4ccb9f in display_object_bfd
/binutils_latest/repo/binutils/./objdump.c:5068:7
#12 0x4ccaa9 in display_any_bfd
/binutils_latest/repo/binutils/./objdump.c:5158:5
#13 0x4cc65c in display_file
/binutils_latest/repo/binutils/./objdump.c:5179:3
#14 0x4cb063 in main /binutils_latest/repo/binutils/./objdump.c:5529:6
#15 0x7f92c662e0b2 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
#16 0x41c61d in _start (/out_bin/objdump+0x41c61d)
Address 0x7fff6d3f12c0 is located in stack of thread T0 at offset 192 in frame
#0 0x6d1eaf in csky_output_operand
/binutils_latest/repo/opcodes/csky-dis.c:303
This frame has 12 object(s):
[32, 40) 'value' (line 307)
[64, 192) 'buf' (line 310)
[224, 352) 'num' (line 420) <== Memory access at offset 192 partially
underflows this variable
[384, 388) 'ibytes' (line 460)
[400, 408) 'ibytes259' (line 522)
[432, 440) 'f' (line 555)
[464, 468) 'ibytes336' (line 582)
[480, 488) 'valbytes' (line 622)
[512, 520) 'fvalue' (line 623)
[544, 548) 'f464' (line 674)
[560, 568) 'dvalue' (line 686)
[592, 600) 'd' (line 703)
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/out_bin/objdump+0x43ab43) in
vsprintf
Shadow bytes around the buggy address:
0x10006da76200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10006da76210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10006da76220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10006da76230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10006da76240: f1 f1 f1 f1 00 f2 f2 f2 00 00 00 00 00 00 00 00
=>0x10006da76250: 00 00 00 00 00 00 00 00[f2]f2 f2 f2 f8 f8 f8 f8
0x10006da76260: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f2 f2 f2 f2
0x10006da76270: f8 f2 00 f2 f2 f2 00 f2 f2 f2 f8 f2 f8 f2 f2 f2
0x10006da76280: f8 f2 f2 f2 f8 f2 f8 f2 f2 f2 f8 f3 f3 f3 f3 f3
0x10006da76290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10006da762a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==389==ABORTING
--
You are receiving this mail because:
You are on the CC list for the bug.
- [Bug binutils/28168] New: objdump -S: stack-buffer-overflow,
shaohua.li at inf dot ethz.ch <=
- [Bug binutils/28168] objdump -S: stack-buffer-overflow, amodra at gmail dot com, 2021/08/05
- [Bug binutils/28168] csky overflows disassembly stack buffer, amodra at gmail dot com, 2021/08/06
- [Bug binutils/28168] csky overflows disassembly stack buffer, address@hidden, 2021/08/09
- [Bug binutils/28168] csky overflows disassembly stack buffer, address@hidden, 2021/08/09
- [Bug binutils/28168] csky overflows disassembly stack buffer, cvs-commit at gcc dot gnu.org, 2021/08/13