[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Bug binutils/30361] New: [Objdump] heap-buffer-overflow at byte_get_lit
From: |
ziqiaokong at gmail dot com |
Subject: |
[Bug binutils/30361] New: [Objdump] heap-buffer-overflow at byte_get_little_endian |
Date: |
Mon, 17 Apr 2023 09:32:54 +0000 |
https://sourceware.org/bugzilla/show_bug.cgi?id=30361
Bug ID: 30361
Summary: [Objdump] heap-buffer-overflow at
byte_get_little_endian
Product: binutils
Version: unspecified
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: ziqiaokong at gmail dot com
Target Milestone: ---
Created attachment 14831
--> https://sourceware.org/bugzilla/attachment.cgi?id=14831&action=edit
Full logs and object file
Git commit hash: 93c6e8c3c14bf81020ca7571fe752250a34f5bc9
Steps to reproduce:
```
export CC=afl-clang-fast
export CXX=afl-clang-fast++
export AFL_USE_ASAN=1
export CFLAGS="-latomic --ld-path=/usr/bin/ld.lld-14"
export CFLAGS_FOR_TARGETS="-latomic --ld-path=/usr/bin/ld.lld-14"
export CXXFLAGS="-latomic --ld-path=/usr/bin/ld.lld-14"
./configure
make -j
./binutils/objdump -g /path/to/obj
```
Note this doesn't have to be reproduced with AFL++ but gdbserver fails to build
with just specifying `CFLAGS=-fsanitize=address` due to `-Wl,--no-undefined`,
which `afl-clang-fast++` will handle automatically and make things easy.
ASAN logs:
```
<some objdump logs...>
/out/asan_noins/objdump: Error: read LEB value is too large to store in
destination variable
=================================================================
==5088==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61a00000007c
at pc 0x5567712adfb1 bp 0x7ffd1eaff740 sp 0x7ffd1eaff738
READ of size 1 at 0x61a00000007c thread T0
#0 0x5567712adfb0 in byte_get_little_endian
/binutils/binutils/elfcomm.c:118:26
#1 0x55677126db03 in fetch_indexed_string
/binutils/binutils/./dwarf.c:683:16
#2 0x5567712553ef in display_debug_macro
/binutils/binutils/./dwarf.c:6317:3
#3 0x556771228c90 in dump_dwarf_section
/binutils/binutils/./objdump.c:4425:6
#4 0x556771349c5b in bfd_map_over_sections /binutils/bfd/section.c:1366:5
#5 0x556771227b4c in dump_dwarf /binutils/binutils/./objdump.c:4463:3
#6 0x556771226708 in dump_bfd /binutils/binutils/./objdump.c:5707:4
#7 0x5567712238dd in display_object_bfd /binutils/binutils/./objdump.c
#8 0x5567712238dd in display_any_bfd /binutils/binutils/./objdump.c:5831:5
#9 0x556771221f03 in display_file /binutils/binutils/./objdump.c:5852:3
#10 0x556771221f03 in main /binutils/binutils/./objdump.c:6263:6
#11 0x7fbd3fc44d8f in __libc_start_call_main
csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#12 0x7fbd3fc44e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#13 0x556771162654 in _start (/out/asan_noins/objdump+0x1d1654) (BuildId:
813539ae82b68bf436716e5400b37ebb3ab40c5e)
0x61a00000007c is located 4 bytes to the left of 1385-byte region
[0x61a000000080,0x61a0000005e9)
allocated by thread T0 here:
#0 0x5567711e549e in __interceptor_malloc
(/out/asan_noins/objdump+0x25449e) (BuildId:
813539ae82b68bf436716e5400b37ebb3ab40c5e)
#1 0x55677156de88 in xmalloc /binutils/libiberty/./xmalloc.c:149:12
#2 0x55677123b92f in load_separate_debug_files
/binutils/binutils/./dwarf.c:12037:7
#3 0x5567712238dd in display_object_bfd /binutils/binutils/./objdump.c
#4 0x5567712238dd in display_any_bfd /binutils/binutils/./objdump.c:5831:5
#5 0x556771221f03 in display_file /binutils/binutils/./objdump.c:5852:3
#6 0x556771221f03 in main /binutils/binutils/./objdump.c:6263:6
#7 0x7fbd3fc44d8f in __libc_start_call_main
csu/../sysdeps/nptl/libc_start_call_main.h:58:16
SUMMARY: AddressSanitizer: heap-buffer-overflow
/binutils/binutils/elfcomm.c:118:26 in byte_get_little_endian
Shadow bytes around the buggy address:
0x0c347fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c347fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c347fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c347fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c347fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c347fff8000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
0x0c347fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c347fff8020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c347fff8030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c347fff8040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c347fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==5088==ABORTING
```
See attached for the full logs.
System environment:
```
[afl++ c338ba581e56] / # clang --version
Ubuntu clang version 14.0.6
Target: x86_64-pc-linux-gnu
Thread model: posix
InstalledDir: /usr/bin
[afl++ c338ba581e56] / # clang++ --version
Ubuntu clang version 14.0.6
Target: x86_64-pc-linux-gnu
Thread model: posix
InstalledDir: /usr/bin
[afl++ c338ba581e56] / # ld.lld-14 --version
Ubuntu LLD 14.0.6 (compatible with GNU linkers)
[afl++ c338ba581e56] / # uname -a
Linux c338ba581e56 5.4.0-146-generic #163-Ubuntu SMP Fri Mar 17 18:26:02 UTC
2023 x86_64 x86_64 x86_64 GNU/Linux
[afl++ c338ba581e56] / #
```
--
You are receiving this mail because:
You are on the CC list for the bug.
- [Bug binutils/30361] New: [Objdump] heap-buffer-overflow at byte_get_little_endian,
ziqiaokong at gmail dot com <=
- [Bug binutils/30361] [Objdump] heap-buffer-overflow at byte_get_little_endian (display_debug_macro), ziqiaokong at gmail dot com, 2023/04/17
- [Bug binutils/30361] [Objdump] heap-buffer-overflow at byte_get_little_endian (display_debug_macro), amodra at gmail dot com, 2023/04/17
- [Bug binutils/30361] [Objdump] heap-buffer-overflow at byte_get_little_endian (display_debug_macro), amodra at gmail dot com, 2023/04/17
- [Bug binutils/30361] [Objdump] heap-buffer-overflow at byte_get_little_endian (display_debug_macro), cvs-commit at gcc dot gnu.org, 2023/04/17
- [Bug binutils/30361] [Objdump] heap-buffer-overflow at byte_get_little_endian (display_debug_macro), amodra at gmail dot com, 2023/04/17