bug-binutils

[Bug binutils/28736] New: Heap-buffer-overflow in ada_demangle function


From: duzhengjie100 at gmail dot com
Subject: [Bug binutils/28736] New: Heap-buffer-overflow in ada_demangle function with nm-new
Date: Sun, 02 Jan 2022 04:31:35 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=28736

            Bug ID: 28736
           Summary: Heap-buffer-overflow in ada_demangle function with
                    nm-new
           Product: binutils
           Version: 2.38 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: duzhengjie100 at gmail dot com
  Target Milestone: ---

Created attachment 13887
  --> https://sourceware.org/bugzilla/attachment.cgi?id=13887&action=edit
the poc file which can trigger this bug

Hi, we found a heap-buffer-overflow in the ada_demangle function with nm-new.
To reproduce it, we have attached the PoC file.

ENV : Ubuntu 20.04.2 LTS
      clang version 12.0.0

COMPILE CMD: CC=clang CFLAGS="-g -fsanitize=address -fPIE" LDFLAGS="-fsanitize=address -fPIE" ./configure

EXE CMD: ./binutils/nm-new --demangle=gnat poc_file

ASAN OUTPUT:

=================================================================
==21131==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000177 at pc 0x000000482df8 bp 0x7ffc767d9cf0 sp 0x7ffc767d94b0
WRITE of size 8 at 0x603000000177 thread T0
    #0 0x482df7 in strcpy (/src/projects/binutils-2.37/test/build/binutils/nm-new+0x482df7)
    #1 0x85c490 in ada_demangle /src/projects/binutils-2.37/test/build/libiberty/./cplus-dem.c:338:11
    #2 0x85b095 in cplus_demangle /src/projects/binutils-2.37/test/build/libiberty/./cplus-dem.c:187:12
    #3 0x4ed717 in bfd_demangle /src/projects/binutils-2.37/test/build/bfd/bfd.c:2428:9
    #4 0x4cc0ba in print_symname /src/projects/binutils-2.37/test/build/binutils/nm.c:694:15
    #5 0x4cad43 in print_symbol_info_bsd /src/projects/binutils-2.37/test/build/binutils/nm.c:1944:3
    #6 0x4d2d15 in print_symbol /src/projects/binutils-2.37/test/build/binutils/nm.c:1212:3
    #7 0x4d08db in print_symbols /src/projects/binutils-2.37/test/build/binutils/nm.c:1396:7
    #8 0x4cf02e in display_rel_file /src/projects/binutils-2.37/test/build/binutils/nm.c:1523:5
    #9 0x4ca3b2 in display_file /src/projects/binutils-2.37/test/build/binutils/nm.c:1690:7
    #10 0x4c9798 in main /src/projects/binutils-2.37/test/build/binutils/nm.c:2227:12
    #11 0x7f64b8f280b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #12 0x41c50d in _start (/src/projects/binutils-2.37/test/build/binutils/nm-new+0x41c50d)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/src/projects/binutils-2.37/test/build/binutils/nm-new+0x482df7) in strcpy
==21131==ABORTING
