bug-binutils
[Bug binutils/28564] New: sysdump: stack-buffer-overflow in sysdump.c:65


From: shaohua.li at inf dot ethz.ch
Subject: [Bug binutils/28564] New: sysdump: stack-buffer-overflow in sysdump.c:65
Date: Mon, 08 Nov 2021 16:22:02 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=28564

            Bug ID: 28564
           Summary: sysdump: stack-buffer-overflow in sysdump.c:65
           Product: binutils
           Version: 2.38 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: shaohua.li at inf dot ethz.ch
  Target Milestone: ---

Created attachment 13769
  --> https://sourceware.org/bugzilla/attachment.cgi?id=13769&action=edit
poc_0

Hi there,

I found a stack-buffer-overflow when fuzzing `sysdump`. Another consequence of
this bug is that when compiled with `-O0` and with `-O2`, the resulting sysdump
binaries give different results on the poc.

- Compiler: clang13 (compile with -fsanitize=address)

- Platform: Ubuntu 20.04.3 LTS, x86_64

- Reproduce: run `sysdump poc_0`

AddressSanitizer report:

==636167==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7ffda83dbddf at pc 0x000000498067 bp 0x7ffda83dbc70 sp 0x7ffda83db438
READ of size 255 at 0x7ffda83dbddf thread T0
    #0 0x498066 in __asan_memcpy
(/sysdump/analysis/debug/asan/clang13-O2/binutils/sysdump+0x498066)
    #1 0x4e091f in getCHARS
/sysdump/analysis/debug/asan/clang13-O2/binutils/sysdump.c:65:3
    #2 0x4e53f1 in sysroff_swap_du_in
/sysdump/analysis/debug/asan/clang13-O2/binutils/./sysroff.c:1353:15
    #3 0x4f2105 in getone
/sysdump/analysis/debug/asan/clang13-O2/binutils/sysdump.c:438:2
    #4 0x4f2105 in module
/sysdump/analysis/debug/asan/clang13-O2/binutils/sysdump.c:621:10
    #5 0x4f2105 in main
/sysdump/analysis/debug/asan/clang13-O2/binutils/sysdump.c:712:3
    #6 0x7f8a01af50b2 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #7 0x41c4fd in _start
(/sysdump/analysis/debug/asan/clang13-O2/binutils/sysdump+0x41c4fd)

Address 0x7ffda83dbddf is located in stack of thread T0 at offset 287 in frame
    #0 0x4e48af in sysroff_swap_du_in
/sysdump/analysis/debug/asan/clang13-O2/binutils/./sysroff.c:1332

  This frame has 2 object(s):
    [32, 287) 'raw' (line 1333)
    [352, 356) 'idx' (line 1334) <== Memory access at offset 287 partially
underflows this variable
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow
(/sysdump/analysis/debug/asan/clang13-O2/binutils/sysdump+0x498066) in
__asan_memcpy
Shadow bytes around the buggy address:
  0x100035073760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100035073770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100035073780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100035073790: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00
  0x1000350737a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1000350737b0: 00 00 00 00 00 00 00 00 00 00 00[07]f2 f2 f2 f2
  0x1000350737c0: f2 f2 f2 f2 04 f3 f3 f3 00 00 00 00 00 00 00 00
  0x1000350737d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000350737e0: 00 00 00 00 f1 f1 f1 f1 f8 f8 f8 f8 f8 f8 f8 f8
  0x1000350737f0: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
  0x100035073800: f8 f8 f8 f8 f8 f8 f8 f8 f2 f2 f2 f2 f2 f2 f2 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==636167==ABORTING
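
The trace above reports a READ of 255 bytes by memcpy in getCHARS that starts at offset 287 of the sysroff_swap_du_in frame, which is exactly the end of the 255-byte 'raw' object: the copy begins where the stack buffer ends. The following C program is an added illustration of that bug class and is not code from binutils or from the report. It models a length-prefixed string reader whose cursor and copy length both come from the input with no check against the backing buffer, beside a bounded variant that rejects such input. The record layout, the function names and the 255-byte buffer size are assumptions made for the example; the input is constructed here and is not the attached poc_0.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size of the fixed stack buffer the reader works from; 255 matches the
   'raw' frame object reported by ASan above (an assumption for the model). */
#define RAW_SIZE 255

/* Unbounded reader, modelling the bug class: the bit cursor *idx is advanced
   by whatever length byte the input supplies, and memcpy copies from
   ptr + cursor with no check against the backing buffer's size.  Running it
   on the record built below under -fsanitize=address reports a
   stack-buffer-overflow READ past the end of the buffer. */
char *get_chars_unbounded(const unsigned char *ptr, int *idx)
{
    int oc = *idx / 8;
    int b = ptr[oc++];                    /* length comes straight from the input */
    *idx += 8 + b * 8;
    char *r = calloc((size_t)b + 1, 1);
    if (r)
        memcpy(r, ptr + oc, (size_t)b);   /* over-reads when oc + b > size */
    return r;
}

/* Bounded reader: validates both the cursor and the claimed length against
   the buffer size before touching memory.  Returns NULL and leaves *idx
   unchanged on malformed input. */
char *get_chars_bounded(const unsigned char *ptr, size_t size, int *idx)
{
    if (*idx < 0 || (size_t)*idx / 8 >= size)
        return NULL;                      /* length byte itself is out of range */
    size_t oc = (size_t)*idx / 8;
    size_t b = ptr[oc++];
    if (b > size - oc)
        return NULL;                      /* string would run past the buffer */
    char *r = calloc(b + 1, 1);
    if (!r)
        return NULL;
    memcpy(r, ptr + oc, b);
    *idx += (int)(8 + b * 8);
    return r;
}

/* Constructed input (not the attached poc_0): one well-formed string followed
   by a string whose length byte claims more bytes than remain in the buffer. */
void build_record(unsigned char *raw)
{
    memset(raw, 'A', RAW_SIZE);
    raw[0] = 5;
    memcpy(raw + 1, "hello", 5);
    raw[6] = 250;                         /* only 248 bytes follow this byte */
}

/* Walks the record with the bounded reader; returns how many strings were
   accepted before the first malformed one (or the end of the buffer). */
int count_strings(const unsigned char *raw, size_t size)
{
    int idx = 0, n = 0;
    char *s;
    while ((s = get_chars_bounded(raw, size, &idx)) != NULL) {
        n++;
        free(s);
        if ((size_t)idx / 8 >= size)
            break;
    }
    return n;
}

int main(void)
{
    unsigned char raw[RAW_SIZE];
    build_record(raw);
    printf("strings accepted by bounded reader: %d\n",
           count_strings(raw, RAW_SIZE));
    return 0;
}
```

The check that matters is `b > size - oc`: the remaining-bytes arithmetic is done in size_t after the cursor has already been verified to lie inside the buffer, so it cannot underflow, and the cursor is only advanced once the copy is known to be in bounds. The unbounded reader is kept in the file so it can be pointed at the same record under ASan for comparison; the program itself exercises only the bounded one.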
