[Bug gprof/30657] New: gprof heap buffer overflow

[mengda2020 at iscas dot ac.cn]

https://sourceware.org/bugzilla/show_bug.cgi?id=30657

            Bug ID: 30657
           Summary: gprof heap buffer overflow
           Product: binutils
           Version: 2.39
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: gprof
          Assignee: unassigned at sourceware dot org
          Reporter: mengda2020 at iscas dot ac.cn
  Target Milestone: ---

Created attachment 14989
  --> https://sourceware.org/bugzilla/attachment.cgi?id=14989&action=edit
PoC file

Hello, Binutils developers!
We found a heap buffer overflow bug in gprof: i386.c:43.
Please confirm.
Thanks!
Test Environment
Ubuntu 20.04, 64 bit binutils (version: v2.39)

How to trigger
Compile the program with AddressSanitizer
Run command $ ./gprof -c $PoC 
Details
ASAN report
$./gprof -c $PoC 
```
=================================================================
==882455==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x6160000005a2 at pc 0x00000050f506 bp 0x7fffb5353310 sp 0x7fffb5353308
READ of size 1 at 0x6160000005a2 thread T0
    #0 0x50f505 in i386_iscall /root/Binutils/binutils_aflpp/gprof/i386.c:43:7
    #1 0x50ef49 in i386_find_call
/root/Binutils/binutils_aflpp/gprof/i386.c:63:11
    #2 0x4eaed6 in find_call
/root/Binutils/binutils_aflpp/gprof/corefile.c:307:7
    #3 0x4d4439 in cg_assemble
/root/Binutils/binutils_aflpp/gprof/cg_arcs.c:626:2
    #4 0x4fd380 in main /root/Binutils/binutils_aflpp/gprof/gprof.c:591:12
    #5 0x7f90cd4b1082 in __libc_start_main
/build/glibc-5hggjy/glibc-2.31/csu/../csu/libc-start.c:308:16
    #6 0x41d54d in _start
(/root/Binutils/binutils_aflpp/install/bin/gprof+0x41d54d)

0x6160000005a2 is located 0 bytes to the right of 546-byte region
[0x616000000380,0x6160000005a2)
allocated by thread T0 here:
    #0 0x499cfd in __interceptor_malloc
(/root/Binutils/binutils_aflpp/install/bin/gprof+0x499cfd)
    #1 0x4ea821 in core_get_text_space
/root/Binutils/binutils_aflpp/gprof/corefile.c:274:21
    #2 0x4fca59 in main /root/Binutils/binutils_aflpp/gprof/gprof.c:528:5
    #3 0x7f90cd4b1082 in __libc_start_main
/build/glibc-5hggjy/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow
/root/Binutils/binutils_aflpp/gprof/i386.c:43:7 in i386_iscall
Shadow bytes around the buggy address:
  0x0c2c7fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c7fff8070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2c7fff8080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2c7fff8090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2c7fff80a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2c7fff80b0: 00 00 00 00[02]fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c7fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c7fff80d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2c7fff80e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2c7fff80f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2c7fff8100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==882455==ABORTING
```

-- 
You are receiving this mail because:
You are on the CC list for the bug.