[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Bug binutils/27879] New: stash-buffer-overflow on sysdump
|
From: |
shaohua.li at inf dot ethz.ch |
|
Subject: |
[Bug binutils/27879] New: stash-buffer-overflow on sysdump |
|
Date: |
Mon, 17 May 2021 22:30:33 +0000 |
https://sourceware.org/bugzilla/show_bug.cgi?id=27879
Bug ID: 27879
Summary: stash-buffer-overflow on sysdump
Product: binutils
Version: 2.37 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: shaohua.li at inf dot ethz.ch
Target Milestone: ---
Created attachment 13456
--> https://sourceware.org/bugzilla/attachment.cgi?id=13456&action=edit
poc
Hi there,
I found a stack-buffer-overflow on sysdump with a fuzzer. I attached the poc
file.
Compiler: clang12
Compile args: -fsanitize=address
Reproduce: `sysdump poc`
AddressSanitizer output:
==30955==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7ffeaa74a95f at pc 0x000000496b07 bp 0x7ffeaa74a830 sp 0x7ffeaa749ff8
READ of size 255 at 0x7ffeaa74a95f thread T0
#0 0x496b06 in __asan_memcpy
(/data/clean/binutils-gdb-asan/binutils/sysdump+0x496b06)
#1 0x4d9725 in getBARRAY
/data/clean/binutils-gdb-asan/binutils/sysdump.c:146:17
#2 0x4d9725 in sysroff_swap_ob_in
/data/clean/binutils-gdb-asan/binutils/./sysroff.c:1296:15
#3 0x4e4839 in getone
/data/clean/binutils-gdb-asan/binutils/sysdump.c:419:2
#4 0x4e4839 in module
/data/clean/binutils-gdb-asan/binutils/sysdump.c:618:10
#5 0x4e4839 in main /data/clean/binutils-gdb-asan/binutils/sysdump.c:709:3
#6 0x7fd3cf0db0b2 in __libc_start_main
/build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#7 0x41c4fd in _start
(/data/clean/binutils-gdb-asan/binutils/sysdump+0x41c4fd)
Address 0x7ffeaa74a95f is located in stack of thread T0 at offset 287 in frame
#0 0x4d935f in sysroff_swap_ob_in
/data/clean/binutils-gdb-asan/binutils/./sysroff.c:1280
This frame has 2 object(s):
[32, 287) 'raw' (line 1281)
[352, 356) 'idx' (line 1282) <== Memory access at offset 287 partially
underflows this variable
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow
(/data/clean/binutils-gdb-asan/binutils/sysdump+0x496b06) in __asan_memcpy
Shadow bytes around the buggy address:
0x1000554e14d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000554e14e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000554e14f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000554e1500: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00
0x1000554e1510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1000554e1520: 00 00 00 00 00 00 00 00 00 00 00[07]f2 f2 f2 f2
0x1000554e1530: f2 f2 f2 f2 04 f3 f3 f3 00 00 00 00 00 00 00 00
0x1000554e1540: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
0x1000554e1550: f8 f2 f8 f2 f8 f2 f8 f2 f8 f2 f8 f8 f8 f8 f8 f8
0x1000554e1560: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
0x1000554e1570: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f2 f2 f2 f2 f2 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==30955==ABORTING
--
You are receiving this mail because:
You are on the CC list for the bug.
- [Bug binutils/27879] New: stash-buffer-overflow on sysdump,
shaohua.li at inf dot ethz.ch <=