bug-binutils
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Bug binutils/30885] New: nm: heap-buffer-overflow at elfcode.h:1507 in

From: yan.cs10 at nycu dot edu.tw
Subject: [Bug binutils/30885] New: nm: heap-buffer-overflow at elfcode.h:1507 in bfd_elf64_slurp_symbol_table
Date: Mon, 25 Sep 2023 12:23:10 +0000 
https://sourceware.org/bugzilla/show_bug.cgi?id=30885

            Bug ID: 30885
           Summary: nm: heap-buffer-overflow at elfcode.h:1507 in
                    bfd_elf64_slurp_symbol_table
           Product: binutils
           Version: 2.42 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: yan.cs10 at nycu dot edu.tw
  Target Milestone: ---

Created attachment 15124
  --> https://sourceware.org/bugzilla/attachment.cgi?id=15124&action=edit
this poc with -D -l argument can crash nm-new in the latest version

Summary:

A crash caused when using nm
AddressSanitizer reported it as heap-buffer-overflow

git commit, OS, Compiler and processor

git commit: be8e83130
gcc (Ubuntu 9.4.0-1ubuntu1~20.04.2) 9.4.0
g++ (Ubuntu 9.4.0-1ubuntu1~20.04.2) 9.4.0
Ubuntu 20.04.4 LTS
AMD Ryzen 5 3600X 6-Core Processor

Steps to reproduce:

$ cd binutils-gdb
$ export CFLAGS='-fsanitize=address -fsanitize-recover=address -g3'
$ export CXXFLAGS='-fsanitize=address -fsanitize-recover=address -g3'
$ make
$ binutils/nm-new -D -l ./poc_0

AddressSanitizer report:

$ /home/pt/sytseng/binutils-gdb-asan/binutils/nm-new -D -l ./poc_0

BFD: warning: ./pocs/poc_0 has a program header with invalid alignment
=================================================================
==666905==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x602000000598 at pc 0x564fd90fc26d bp 0x7ffd7c1e0ad0 sp 0x7ffd7c1e0ac0
WRITE of size 8 at 0x602000000598 thread T0
    #0 0x564fd90fc26c in bfd_elf64_slurp_symbol_table
/home/pt/sytseng/binutils-gdb-asan/bfd/elfcode.h:1507
    #1 0x564fd91425cc in _bfd_elf_canonicalize_symtab
/home/pt/sytseng/binutils-gdb-asan/bfd/elf.c:9273
    #2 0x564fd906450a in print_symbol
/home/pt/sytseng/binutils-gdb-asan/binutils/nm.c:1252
    #3 0x564fd90654e7 in print_symbols
/home/pt/sytseng/binutils-gdb-asan/binutils/nm.c:1388
    #4 0x564fd906602e in display_rel_file
/home/pt/sytseng/binutils-gdb-asan/binutils/nm.c:1503
    #5 0x564fd9066838 in display_file
/home/pt/sytseng/binutils-gdb-asan/binutils/nm.c:1649
    #6 0x564fd9068827 in main
/home/pt/sytseng/binutils-gdb-asan/binutils/nm.c:2161
    #7 0x7f51463e5082 in __libc_start_main ../csu/libc-start.c:308
    #8 0x564fd905f15d in _start
(/home/pt/sytseng/binutils-gdb-asan/binutils/nm-new+0xa315d)

0x602000000598 is located 0 bytes to the right of 8-byte region
[0x602000000590,0x602000000598)
allocated by thread T0 here:
    #0 0x7f51466c6808 in __interceptor_malloc
../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x564fd9371f63 in xmalloc xmalloc.c:149
    #2 0x564fd906445c in print_symbol
/home/pt/sytseng/binutils-gdb-asan/binutils/nm.c:1251
    #3 0x564fd90654e7 in print_symbols
/home/pt/sytseng/binutils-gdb-asan/binutils/nm.c:1388
    #4 0x564fd906602e in display_rel_file
/home/pt/sytseng/binutils-gdb-asan/binutils/nm.c:1503
    #5 0x564fd9066838 in display_file
/home/pt/sytseng/binutils-gdb-asan/binutils/nm.c:1649
    #6 0x564fd9068827 in main
/home/pt/sytseng/binutils-gdb-asan/binutils/nm.c:2161
    #7 0x7f51463e5082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/pt/sytseng/binutils-gdb-asan/bfd/elfcode.h:1507 in
bfd_elf64_slurp_symbol_table
Shadow bytes around the buggy address:
  0x0c047fff8060: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fa
  0x0c047fff8070: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff8080: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff8090: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa
  0x0c047fff80a0: fa fa fd fd fa fa fd fa fa fa fd fd fa fa 04 fa
=>0x0c047fff80b0: fa fa 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff80d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff80f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==666905==ABORTING

-- 
You are receiving this mail because:
You are on the CC list for the bug.
reply via email to
[Prev in Thread] Current Thread [Next in Thread]