[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Bug binutils/30885] New: nm: heap-buffer-overflow at elfcode.h:1507 in
From: |
yan.cs10 at nycu dot edu.tw |
Subject: |
[Bug binutils/30885] New: nm: heap-buffer-overflow at elfcode.h:1507 in bfd_elf64_slurp_symbol_table |
Date: |
Mon, 25 Sep 2023 12:23:10 +0000 |
https://sourceware.org/bugzilla/show_bug.cgi?id=30885
Bug ID: 30885
Summary: nm: heap-buffer-overflow at elfcode.h:1507 in
bfd_elf64_slurp_symbol_table
Product: binutils
Version: 2.42 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: yan.cs10 at nycu dot edu.tw
Target Milestone: ---
Created attachment 15124
--> https://sourceware.org/bugzilla/attachment.cgi?id=15124&action=edit
this poc with -D -l argument can crash nm-new in the latest version
Summary:
A crash caused when using nm
AddressSanitizer reported it as heap-buffer-overflow
git commit, OS, Compiler and processor
git commit: be8e83130
gcc (Ubuntu 9.4.0-1ubuntu1~20.04.2) 9.4.0
g++ (Ubuntu 9.4.0-1ubuntu1~20.04.2) 9.4.0
Ubuntu 20.04.4 LTS
AMD Ryzen 5 3600X 6-Core Processor
Steps to reproduce:
$ cd binutils-gdb
$ export CFLAGS='-fsanitize=address -fsanitize-recover=address -g3'
$ export CXXFLAGS='-fsanitize=address -fsanitize-recover=address -g3'
$ make
$ binutils/nm-new -D -l ./poc_0
AddressSanitizer report:
$ /home/pt/sytseng/binutils-gdb-asan/binutils/nm-new -D -l ./poc_0
BFD: warning: ./pocs/poc_0 has a program header with invalid alignment
=================================================================
==666905==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x602000000598 at pc 0x564fd90fc26d bp 0x7ffd7c1e0ad0 sp 0x7ffd7c1e0ac0
WRITE of size 8 at 0x602000000598 thread T0
#0 0x564fd90fc26c in bfd_elf64_slurp_symbol_table
/home/pt/sytseng/binutils-gdb-asan/bfd/elfcode.h:1507
#1 0x564fd91425cc in _bfd_elf_canonicalize_symtab
/home/pt/sytseng/binutils-gdb-asan/bfd/elf.c:9273
#2 0x564fd906450a in print_symbol
/home/pt/sytseng/binutils-gdb-asan/binutils/nm.c:1252
#3 0x564fd90654e7 in print_symbols
/home/pt/sytseng/binutils-gdb-asan/binutils/nm.c:1388
#4 0x564fd906602e in display_rel_file
/home/pt/sytseng/binutils-gdb-asan/binutils/nm.c:1503
#5 0x564fd9066838 in display_file
/home/pt/sytseng/binutils-gdb-asan/binutils/nm.c:1649
#6 0x564fd9068827 in main
/home/pt/sytseng/binutils-gdb-asan/binutils/nm.c:2161
#7 0x7f51463e5082 in __libc_start_main ../csu/libc-start.c:308
#8 0x564fd905f15d in _start
(/home/pt/sytseng/binutils-gdb-asan/binutils/nm-new+0xa315d)
0x602000000598 is located 0 bytes to the right of 8-byte region
[0x602000000590,0x602000000598)
allocated by thread T0 here:
#0 0x7f51466c6808 in __interceptor_malloc
../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
#1 0x564fd9371f63 in xmalloc xmalloc.c:149
#2 0x564fd906445c in print_symbol
/home/pt/sytseng/binutils-gdb-asan/binutils/nm.c:1251
#3 0x564fd90654e7 in print_symbols
/home/pt/sytseng/binutils-gdb-asan/binutils/nm.c:1388
#4 0x564fd906602e in display_rel_file
/home/pt/sytseng/binutils-gdb-asan/binutils/nm.c:1503
#5 0x564fd9066838 in display_file
/home/pt/sytseng/binutils-gdb-asan/binutils/nm.c:1649
#6 0x564fd9068827 in main
/home/pt/sytseng/binutils-gdb-asan/binutils/nm.c:2161
#7 0x7f51463e5082 in __libc_start_main ../csu/libc-start.c:308
SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/pt/sytseng/binutils-gdb-asan/bfd/elfcode.h:1507 in
bfd_elf64_slurp_symbol_table
Shadow bytes around the buggy address:
0x0c047fff8060: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fa
0x0c047fff8070: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff8080: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff8090: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa
0x0c047fff80a0: fa fa fd fd fa fa fd fa fa fa fd fd fa fa 04 fa
=>0x0c047fff80b0: fa fa 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff80d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff80f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==666905==ABORTING
--
You are receiving this mail because:
You are on the CC list for the bug.
- [Bug binutils/30885] New: nm: heap-buffer-overflow at elfcode.h:1507 in bfd_elf64_slurp_symbol_table,
yan.cs10 at nycu dot edu.tw <=