[Bug binutils/21417] New: heap buffer overflow in ar

bug-binutils

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Bug binutils/21417] New: heap buffer overflow in ar

From:	dungnguy at comp dot nus.edu.sg
Subject:	[Bug binutils/21417] New: heap buffer overflow in ar
Date:	Sat, 22 Apr 2017 06:42:29 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=21417

            Bug ID: 21417
           Summary: heap buffer overflow in ar
           Product: binutils
           Version: 2.28
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: dungnguy at comp dot nus.edu.sg
  Target Milestone: ---

Dear All,

This bug was found with AFLGo, a directed version of AFL/AFLFast. Thanks also
to Marcel Böhme and Van-Thuan Pham.

This bug was found on Ubuntu 14.04 64-bit & binutils was checked out from main
repository at git://sourceware.org/git/binutils-gdb.git. Its commit is
a6c21d4a553de184562fd8409a5bcd3f2cc2561a (Wed Apr 19 13:16:05 2017).

binutils was built with ASAN using gcc-6.2 and clang-3.4. The configure command
was:

CC=clang CFLAGS="-DFORTIFY_SOURCE=2 -fstack-protector-all
-fsanitize=undefined,address -fno-omit-frame-pointer -g -Wno-error"
../configure --disable-shared --disable-gdb --disable-libdecnumber
--disable-readline --disable-sim

To reproduce:
ar d

ASAN says:
==148384==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60300000ef98 at pc 0x0000004e7efc bp 0x7ffe38a5e8f0 sp 0x7ffe38a5e8e8
READ of size 8 at 0x60300000ef98 thread T0
    #0 0x4e7efb in main
/home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/../../binutils/ar.c:792:12
    #1 0x7f0f4a636f44 in __libc_start_main
/build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287
    #2 0x4c9fbc in _start
(/home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/ar+0x4c9fbc)

VALGRIND says:
==148386== Invalid read of size 8
==148386==    at 0x405F88: main (ar.c:792)
==148386==  Address 0x5401838 is 0 bytes after a block of size 24 alloc'd
==148386==    at 0x4C2AB80: malloc (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==148386==    by 0x50F27E: xmalloc (xmalloc.c:147)
==148386==    by 0x4056FA: decode_options (ar.c:451)
==148386==    by 0x405D73: main (ar.c:731)
==148386== 
==148386== Syscall param stat(file_name) points to unaddressable byte(s)
==148386==    at 0x5126045: _xstat (xstat.c:35)
==148386==    by 0x40619D: open_inarch (ar.c:872)
==148386==    by 0x405FD5: main (ar.c:797)
==148386==  Address 0x0 is not stack'd, malloc'd or (recently) free'd

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Prev in Thread]

Current Thread

[Next in Thread]

[Bug binutils/21417] New: heap buffer overflow in ar, dungnguy at comp dot nus.edu.sg <=
- [Bug binutils/21417] heap buffer overflow in ar, boehme.marcel at gmail dot com, 2017/04/22
- [Bug binutils/21417] heap buffer overflow in ar, amodra at gmail dot com, 2017/04/23
- [Bug binutils/21417] heap buffer overflow in ar, cvs-commit at gcc dot gnu.org, 2017/04/23
- [Bug binutils/21417] heap buffer overflow in ar, amodra at gmail dot com, 2017/04/23

Prev by Date: [Bug binutils/21409] objdump segfault - null pointer dereferencing
Next by Date: [Bug binutils/21418] New: ar segfault - null pointer dereferencing
Previous by thread: [Bug binutils/21416] New: readelf segfault - null pointer dereferencing
Next by thread: [Bug binutils/21417] heap buffer overflow in ar
Index(es):
- Date
- Thread