bug-binutils

[Bug binutils/24048] memory leaks in readelf


From: 0x0keeper at gmail dot com
Subject: [Bug binutils/24048] memory leaks in readelf
Date: Mon, 31 Dec 2018 15:47:18 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=24048

--- Comment #2 from zerokeeper <0x0keeper at gmail dot com> ---
Update, update! I'm so sorry. The second comment is bug 24049; I commented on the wrong one.

This is the first comment's AddressSanitizer output, symbolized:

==14781==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 528 byte(s) in 1 object(s) allocated from:
    #0 0x7fc1cf81e602 in malloc
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x555afc in xmalloc xmalloc.c:147

SUMMARY: AddressSanitizer: 528 byte(s) leaked in 1 allocation(s).


Now I have fuzzed a new PoC for a memory leak at readelf.c:425:

➜  binutils-2.31 ./binutils/readelf -a binutils-readelf--memory-leak-filedata



ELF Header:
  Magic:   7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
  Class:                             ELF64
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              <unknown>: 1002
  Machine:                           Advanced Micro Devices X86-64
  Version:                           0x1
  Entry point address:               0x400720
  Start of program headers:          64 (bytes into file)
  Start of section headers:          28880 (bytes into file)
  Flags:                             0x0
  Size of this header:               64 (bytes)
  Size of program headers:           56 (bytes)
  Number of program headers:         10
  Size of section headers:           64 (bytes)
  Number of section headers:         37
  Section header string table index: 34

Section Headers:
  [Nr] Name              Type             Address           Offset
       Size              EntSize          Flags  Link  Info  Align
  [ 0]                   NULL             0000000000000000  00000000
       0000000000000000  0000000000000000           0     0     0
  [ 1] .intÿ             PROGBITS         0000000000400270  00000270
       000000000000001c  0000000000000000   A       0     0     1
  [ 2] .note.ABI-tag     NOTE             000000000040028c  0000028c
       0000000000000020  0000000000000000   A       0     0     4294967277
  [ 3] .gnu.hash
...........
...........
Version symbols section '.gnu.version' contains 11 entries:
 Addr: 0000000000400514  Offset: 0x000514  Link: 4 (.dynsym)
  000:   0 (*local*)       0 (*local*)       0 (*local*)       2 (GLIBCXX_3.4)
  004:   3 (GLIBC_2.2.5)   3 (GLIBC_2.2.5)   0 (*local*)       2 (GLIBCXX_3.4)
  008:   0 (*local*)       2 (GLIBCXX_3.4)   2 (GLIBCXX_3.4)

Version needs section '.gnu.version_r' contains 2 entries:
 Addr: 0x0000000000400530  Offset: 0x000530  Link: 5 (.dynstr)
  000000: Version: 1  File: libc.so.6  Cnt: 1
  0x0010:   Name: GLIBC_2.2.5  Flags: none  Version: 3
  0x0020: Version: 1  File: libstdc++.so.6  Cnt: 1
  0x0030:   Name: GLIBCXX_3.4  Flags: none  Version: 2

Displaying notes found in: .note.ABI-tag
readelf: Warning: Corrupt note: alignment 4294967277, expecting 4 or 8

=================================================================
==21374==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 33 byte(s) in 1 object(s) allocated from:
    #0 0x7f8f21c8b602 in malloc
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x425ffb in get_data /root/fuzz/binutils-2.31/binutils/readelf.c:425

SUMMARY: AddressSanitizer: 33 byte(s) leaked in 1 allocation(s).




Here is the code at readelf.c:425:

  410
   411    if (fseek (filedata->handle, archive_file_offset + offset, SEEK_SET))
   412      {
   413        if (reason)
   414          error (_("Unable to seek to 0x%lx for %s\n"),
   415                 archive_file_offset + offset, reason);
   416        return NULL;
   417      }
   418
   419    mvar = var;
   420    if (mvar == NULL)
   421      {
   422        /* Check for overflow.  */
   423        if (nmemb < (~(bfd_size_type) 0 - 1) / size)
   424          /* + 1 so that we can '\0' terminate invalid string table sections.  */
   425          mvar = malloc ((size_t) amt + 1);
   426
   427        if (mvar == NULL)
   428          {
   429            if (reason)
   430              error (_("Out of memory allocating %s bytes for %s\n"),
   431                     bfd_vmatoa ("u", amt), reason);
   432            return NULL;
   433          }

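The leak the report points at is a get_data() buffer that is dropped on an error path: readelf allocates the .note.ABI-tag contents, then warns "Corrupt note: alignment 4294967277, expecting 4 or 8" and bails out without freeing them. The following is an added example, not binutils code: a simplified stand-in for get_data() with the same overflow guard and the same "+ 1", a note walker that bails out on that corrupt alignment in a leaky and a fixed variant side by side, and a live-buffer counter standing in for what LeakSanitizer would list at exit. bfd_size_type is assumed to be 64-bit as on the reporter's x86-64 build, every function name here is hypothetical, and the 32-byte section image is constructed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed: a 64-bit bfd_size_type, as on the x86-64 build in the report. */
typedef uint64_t bfd_size_type;

/* Buffers handed out by get_data_like() and not yet released; a stand-in
   for the allocations LeakSanitizer would list at exit. */
static int live_buffers = 0;

/* Hypothetical simplified stand-in for readelf's get_data(): same overflow
   guard on nmemb * size and the same "+ 1" so callers can '\0'-terminate a
   bogus string table, but reading from an in-memory image, not a FILE *. */
static void *get_data_like(const unsigned char *image, size_t image_len,
                           size_t offset, bfd_size_type size,
                           bfd_size_type nmemb, const char **reason)
{
    bfd_size_type amt;
    unsigned char *buf;

    if (size == 0 || nmemb == 0) {
        *reason = "empty request";
        return NULL;
    }
    /* Same guard as readelf.c:423: reject a product that would wrap. */
    if (nmemb >= (~(bfd_size_type) 0 - 1) / size) {
        *reason = "size overflow";
        return NULL;
    }
    amt = nmemb * size;
    if (offset > image_len || amt > image_len - offset) {
        *reason = "reading past end of file";
        return NULL;
    }
    buf = malloc((size_t) amt + 1);          /* the readelf.c:425 allocation */
    if (buf == NULL) {
        *reason = "out of memory";
        return NULL;
    }
    memcpy(buf, image + offset, (size_t) amt);
    buf[amt] = '\0';
    live_buffers++;
    *reason = NULL;
    return buf;
}

static void release_data(void *p)
{
    if (p != NULL) {
        free(p);
        live_buffers--;
    }
}

/* Note-section walker that bails out on a corrupt alignment, like the
   "Corrupt note: alignment ..., expecting 4 or 8" path in the report.
   With fix_leak == 0 the early return drops the buffer without freeing it,
   which is the pattern LeakSanitizer flags; with fix_leak != 0 it is freed. */
static int process_notes(const unsigned char *image, size_t image_len,
                         size_t offset, bfd_size_type length,
                         bfd_size_type align, int fix_leak)
{
    const char *reason;
    unsigned char *notes = get_data_like(image, image_len, offset, 1, length, &reason);

    if (notes == NULL)
        return 0;
    if (align != 4 && align != 8) {
        if (fix_leak)
            release_data(notes);   /* the cleanup the error path needs */
        return 0;
    }
    /* A real walker would parse namesz/descsz/type records here. */
    release_data(notes);
    return 1;
}

/* nmemb * size would wrap: the guard must refuse before malloc(). */
static int overflow_is_rejected(void)
{
    unsigned char image[32];            /* constructed section image */
    const char *why = NULL;
    void *p;

    memset(image, 0x41, sizeof image);
    p = get_data_like(image, sizeof image, 0, 16, ~(bfd_size_type) 0 / 8, &why);
    return p == NULL && why != NULL && strcmp(why, "size overflow") == 0;
}

/* Buffers still live after one corrupt-note bail-out (alignment
   4294967277, as in the report): 1 for the leaky path, 0 for the fixed one. */
static int buffers_left_after_corrupt_note(int fix_leak)
{
    unsigned char image[32];            /* constructed 32-byte note section */
    int before = live_buffers;

    memset(image, 0x41, sizeof image);
    process_notes(image, sizeof image, 0, sizeof image, 4294967277ULL, fix_leak);
    return live_buffers - before;
}

/* A well-aligned note is processed and leaves nothing behind. */
static int aligned_note_is_clean(void)
{
    unsigned char image[32];            /* constructed 32-byte note section */
    int before = live_buffers;
    int ok;

    memset(image, 0x41, sizeof image);
    ok = process_notes(image, sizeof image, 0, sizeof image, 4, 1);
    return ok == 1 && live_buffers == before;
}
```

With a 32-byte note section the stand-in allocates 32 + 1 bytes, which is why the report shows a 33-byte leak for a .note.ABI-tag of size 0x20. Building this with -fsanitize=address and calling the leaky variant from a main() reproduces a "Direct leak of 33 byte(s)" report of the same shape; the live-buffer counter gives the same verdict without the sanitizer.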

