[Bug binutils/30903] New: nm: heap-buffer-overflow at bfd/bfd.c:2677 in

bug-binutils

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Bug binutils/30903] New: nm: heap-buffer-overflow at bfd/bfd.c:2677 in

From:	yan.cs10 at nycu dot edu.tw
Subject:	[Bug binutils/30903] New: nm: heap-buffer-overflow at bfd/bfd.c:2677 in bfd_demangle
Date:	Tue, 26 Sep 2023 02:25:21 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=30903

            Bug ID: 30903
           Summary: nm: heap-buffer-overflow at bfd/bfd.c:2677 in
                    bfd_demangle
           Product: binutils
           Version: 2.42 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: yan.cs10 at nycu dot edu.tw
  Target Milestone: ---

Created attachment 15136
  --> https://sourceware.org/bugzilla/attachment.cgi?id=15136&action=edit
this poc with -D argument can crash nm-new in the latest version

Summary:

A crash caused when using nm
AddressSanitizer reported it as heap-buffer-overflow

git commit, OS, Compiler and processor

git commit: be8e83130
gcc (Ubuntu 9.4.0-1ubuntu1~20.04.2) 9.4.0
g++ (Ubuntu 9.4.0-1ubuntu1~20.04.2) 9.4.0
Ubuntu 20.04.4 LTS
AMD Ryzen 5 3600X 6-Core Processor

Steps to reproduce:

$ cd binutils-gdb
$ export CFLAGS='-fsanitize=address -fsanitize-recover=address -g3'
$ export CXXFLAGS='-fsanitize=address -fsanitize-recover=address -g3'
$ make
$ binutils/nm-new -D ./poc_83

AddressSanitizer report:

$ /home/pt/sytseng/binutils-gdb-asan/binutils/nm-new -D ./poc_83

BFD: warning: ./pocs/poc_83 has a program header with invalid alignment
=================================================================
==4058725==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x6210000010e0 at pc 0x7fb331b9fccd bp 0x7ffc82fbe790 sp 0x7ffc82fbdf38
READ of size 354 at 0x6210000010e0 thread T0
    #0 0x7fb331b9fccc in __interceptor_strchr
../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:671
    #1 0x559a49bea133 in bfd_demangle
/home/pt/sytseng/binutils-gdb-asan/bfd/bfd.c:2677
    #2 0x559a49bcb3fe in print_symname
/home/pt/sytseng/binutils-gdb-asan/binutils/nm.c:700
    #3 0x559a49bd1a11 in print_symbol_info_posix
/home/pt/sytseng/binutils-gdb-asan/binutils/nm.c:1934
    #4 0x559a49bce2c1 in print_symbol
/home/pt/sytseng/binutils-gdb-asan/binutils/nm.c:1228
    #5 0x559a49bcf4e7 in print_symbols
/home/pt/sytseng/binutils-gdb-asan/binutils/nm.c:1388
    #6 0x559a49bd002e in display_rel_file
/home/pt/sytseng/binutils-gdb-asan/binutils/nm.c:1503
    #7 0x559a49bd0838 in display_file
/home/pt/sytseng/binutils-gdb-asan/binutils/nm.c:1649
    #8 0x559a49bd2827 in main
/home/pt/sytseng/binutils-gdb-asan/binutils/nm.c:2161
    #9 0x7fb331957082 in __libc_start_main ../csu/libc-start.c:308
    #10 0x559a49bc915d in _start
(/home/pt/sytseng/binutils-gdb-asan/binutils/nm-new+0xa315d)

0x6210000010e0 is located 0 bytes to the right of 4064-byte region
[0x621000000100,0x6210000010e0)
allocated by thread T0 here:
    #0 0x7fb331c38808 in __interceptor_malloc
../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x559a49ed0ffa in objalloc_create objalloc.c:95
    #2 0x559a49bf5b3a in _bfd_new_bfd
/home/pt/sytseng/binutils-gdb-asan/bfd/opncls.c:92
    #3 0x559a49bf63a2 in bfd_fopen
/home/pt/sytseng/binutils-gdb-asan/bfd/opncls.c:265
    #4 0x559a49bf67f4 in bfd_openr
/home/pt/sytseng/binutils-gdb-asan/bfd/opncls.c:361
    #5 0x559a49bd070b in display_file
/home/pt/sytseng/binutils-gdb-asan/binutils/nm.c:1630
    #6 0x559a49bd2827 in main
/home/pt/sytseng/binutils-gdb-asan/binutils/nm.c:2161
    #7 0x7fb331957082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow
../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:671
in __interceptor_strchr
Shadow bytes around the buggy address:
  0x0c427fff81c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff81d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff81e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff81f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff8200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c427fff8210: 00 00 00 00 00 00 00 00 00 00 00 00[fa]fa fa fa
  0x0c427fff8220: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff8230: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff8240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff8250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff8260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==4058725==ABORTING

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Prev in Thread]

Current Thread

[Next in Thread]

[Bug binutils/30903] New: nm: heap-buffer-overflow at bfd/bfd.c:2677 in bfd_demangle, yan.cs10 at nycu dot edu.tw <=

Prev by Date: [Bug binutils/30888] nm: SEGV on unknow address at bfd/elf.c:9543 in _bfd_elf_slurp_version_tables
Next by Date: [Bug gprofng/30897] Support source view for "referenced" source (e.g. bison)
Previous by thread: [Bug binutils/30902] New: nm: stack-overflow at rust-demangle.c:1572 in str_buf_append
Next by thread: [Bug binutils/30904] New: nm: SEGV at bfd/elf.c:2267 in _bfd_elf_get_dynamic_symbols
Index(es):
- Date
- Thread