[Bug binutils/30900] New: objdump: heap-buffer-overflow at bfd/elf.c:256
From: yan.cs10 at nycu dot edu.tw
Subject: [Bug binutils/30900] New: objdump: heap-buffer-overflow at bfd/elf.c:2562 in bfd_elf_print_symbol
Date: Tue, 26 Sep 2023 01:34:36 +0000
https://sourceware.org/bugzilla/show_bug.cgi?id=30900
Bug ID: 30900
Summary: objdump: heap-buffer-overflow at bfd/elf.c:2562 in bfd_elf_print_symbol
Product: binutils
Version: 2.42 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: yan.cs10 at nycu dot edu.tw
Target Milestone: ---
Created attachment 15133
--> https://sourceware.org/bugzilla/attachment.cgi?id=15133&action=edit
This PoC with the -T argument can crash objdump in the latest version.
Summary:
A crash occurs when using nm.
AddressSanitizer reported it as a heap-buffer-overflow.
Git commit, OS, compiler and processor:
git commit: be8e83130
gcc (Ubuntu 9.4.0-1ubuntu1~20.04.2) 9.4.0
g++ (Ubuntu 9.4.0-1ubuntu1~20.04.2) 9.4.0
Ubuntu 20.04.4 LTS
AMD Ryzen 5 3600X 6-Core Processor
Steps to reproduce:
$ cd binutils-gdb
$ export CFLAGS='-fsanitize=address -fsanitize-recover=address -g3'
$ export CXXFLAGS='-fsanitize=address -fsanitize-recover=address -g3'
$ make
$ binutils/objdump -T ./poc_55
AddressSanitizer report:
$ /home/pt/sytseng/binutils-gdb-asan/binutils/objdump -T ./poc_55
/home/pt/sytseng/binutils-gdb-asan/binutils/objdump: option -P/--private not
supported by this file
=================================================================
==2509832==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x621000007866 at pc 0x7ff945486dcb bp 0x7ffe2a9f1ac0 sp 0x7ffe2a9f1238
READ of size 1 at 0x621000007866 thread T0
#0 0x7ff945486dca in printf_common
../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors_format.inc:546
#1 0x7ff945487fb6 in __interceptor_vfprintf
../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1604
#2 0x7ff9454880be in __interceptor_fprintf
../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1661
#3 0x55f25b2ba18e in bfd_elf_print_symbol
/home/pt/sytseng/binutils-gdb-asan/bfd/elf.c:2562
#4 0x55f25b0e8e01 in dump_symbols objdump.c:5162
#5 0x55f25b0eb4e1 in dump_bfd objdump.c:5670
#6 0x55f25b0eb8cd in display_object_bfd objdump.c:5750
#7 0x55f25b0ebc05 in display_any_bfd objdump.c:5837
#8 0x55f25b0ebc7f in display_file objdump.c:5858
#9 0x55f25b0ed633 in main objdump.c:6269
#10 0x7ff945216082 in __libc_start_main ../csu/libc-start.c:308
#11 0x55f25b0d137d in _start
(/home/pt/sytseng/binutils-gdb-asan/binutils/objdump+0x13737d)
0x621000007866 is located 902 bytes to the right of 4064-byte region
[0x621000006500,0x6210000074e0)
allocated by thread T0 here:
#0 0x7ff9454f7808 in __interceptor_malloc
../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
#1 0x55f25b4d2bf2 in _objalloc_alloc objalloc.c:159
#2 0x55f25b22e60c in bfd_alloc
/home/pt/sytseng/binutils-gdb-asan/bfd/libbfd.c:452
#3 0x55f25b2a81f9 in _bfd_alloc_and_read
/home/pt/sytseng/binutils-gdb-asan/bfd/libbfd.h:886
#4 0x55f25b2b7bfe in _bfd_elf_get_dynamic_symbols
/home/pt/sytseng/binutils-gdb-asan/bfd/elf.c:2105
#5 0x55f25b29e7a5 in bfd_elf64_object_p
/home/pt/sytseng/binutils-gdb-asan/bfd/elfcode.h:861
#6 0x55f25b229e02 in bfd_check_format_matches
/home/pt/sytseng/binutils-gdb-asan/bfd/format.c:365
#7 0x55f25b0eb8b5 in display_object_bfd objdump.c:5748
#8 0x55f25b0ebc05 in display_any_bfd objdump.c:5837
#9 0x55f25b0ebc7f in display_file objdump.c:5858
#10 0x55f25b0ed633 in main objdump.c:6269
#11 0x7ff945216082 in __libc_start_main ../csu/libc-start.c:308
SUMMARY: AddressSanitizer: heap-buffer-overflow
../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors_format.inc:546
in printf_common
Shadow bytes around the buggy address:
0x0c427fff8eb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fff8ec0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fff8ed0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fff8ee0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fff8ef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c427fff8f00: fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa
0x0c427fff8f10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fff8f20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c427fff8f30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c427fff8f40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c427fff8f50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==2509832==ABORTING
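For triage, it helps to confirm the sanitizer's own arithmetic and to pull the first non-runtime frame out of both stacks. The parser below is an added example, not part of the bug report or of binutils; the report lines above were re-joined onto single lines (the mail archive wrapped them) and shortened to the frames that matter.

```python
# Added example: triage helper for an AddressSanitizer heap-buffer-overflow report.
import re

# Constructed sample: lines from the report in the bug, unwrapped and trimmed.
ASAN_REPORT = """\
==2509832==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000007866 at pc 0x7ff945486dcb bp 0x7ffe2a9f1ac0 sp 0x7ffe2a9f1238
READ of size 1 at 0x621000007866 thread T0
    #0 0x7ff945486dca in printf_common ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors_format.inc:546
    #1 0x7ff945487fb6 in __interceptor_vfprintf ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1604
    #2 0x7ff9454880be in __interceptor_fprintf ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1661
    #3 0x55f25b2ba18e in bfd_elf_print_symbol /home/pt/sytseng/binutils-gdb-asan/bfd/elf.c:2562
    #4 0x55f25b0e8e01 in dump_symbols objdump.c:5162
0x621000007866 is located 902 bytes to the right of 4064-byte region [0x621000006500,0x6210000074e0)
allocated by thread T0 here:
    #0 0x7ff9454f7808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x55f25b4d2bf2 in _objalloc_alloc objalloc.c:159
    #2 0x55f25b22e60c in bfd_alloc /home/pt/sytseng/binutils-gdb-asan/bfd/libbfd.c:452
    #3 0x55f25b2b7bfe in _bfd_elf_get_dynamic_symbols /home/pt/sytseng/binutils-gdb-asan/bfd/elf.c:2105
"""

FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (\S+)(?: (\S+))?", re.M)
# Frames inside the sanitizer runtime or its libc interceptors are not the bug's location.
NOISE = ("libsanitizer/", "__interceptor_", "printf_common")

def parse_asan(report: str) -> dict:
    """Return error type, access, region geometry, and the first application frame
    of the access stack and of the allocation stack; recompute ASan's offsets."""
    head = re.search(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)", report)
    access = re.search(r"^(READ|WRITE) of size (\d+)", report, re.M)
    region = re.search(r"is located (\d+) bytes to the (left|right) of (\d+)-byte region "
                       r"\[(0x[0-9a-f]+),(0x[0-9a-f]+)\)", report)
    if not (head and access and region):
        raise ValueError("not a heap-buffer-overflow report")
    access_part, alloc_part = report.split("allocated by thread", 1)

    def first_app_frame(text):
        for _, func, loc in FRAME_RE.findall(text):
            if not any(n in func or n in loc for n in NOISE):
                return f"{func} {loc}"
        return None

    addr, lo, hi = (int(x, 16) for x in (head.group(2), region.group(4), region.group(5)))
    return {
        "error": head.group(1),
        "access": f"{access.group(1)} of {access.group(2)} byte(s)",
        "fault_site": first_app_frame(access_part),
        "alloc_site": first_app_frame(alloc_part),
        "region_size": hi - lo, "claimed_size": int(region.group(3)),
        "overflow_bytes": addr - hi if addr >= hi else lo - addr,
        "claimed_offset": int(region.group(1)),
    }
```

For this report the recomputed values agree with ASan: a 4064-byte region and a 1-byte read 902 bytes past its end, reached from bfd_elf_print_symbol at bfd/elf.c:2562 on memory allocated by _bfd_elf_get_dynamic_symbols.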