[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Bug binutils/30903] New: nm: heap-buffer-overflow at bfd/bfd.c:2677 in
From: |
yan.cs10 at nycu dot edu.tw |
Subject: |
[Bug binutils/30903] New: nm: heap-buffer-overflow at bfd/bfd.c:2677 in bfd_demangle |
Date: |
Tue, 26 Sep 2023 02:25:21 +0000 |
https://sourceware.org/bugzilla/show_bug.cgi?id=30903
Bug ID: 30903
Summary: nm: heap-buffer-overflow at bfd/bfd.c:2677 in
bfd_demangle
Product: binutils
Version: 2.42 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: yan.cs10 at nycu dot edu.tw
Target Milestone: ---
Created attachment 15136
--> https://sourceware.org/bugzilla/attachment.cgi?id=15136&action=edit
this poc with -D argument can crash nm-new in the latest version
Summary:
A crash caused when using nm
AddressSanitizer reported it as heap-buffer-overflow
git commit, OS, Compiler and processor
git commit: be8e83130
gcc (Ubuntu 9.4.0-1ubuntu1~20.04.2) 9.4.0
g++ (Ubuntu 9.4.0-1ubuntu1~20.04.2) 9.4.0
Ubuntu 20.04.4 LTS
AMD Ryzen 5 3600X 6-Core Processor
Steps to reproduce:
$ cd binutils-gdb
$ export CFLAGS='-fsanitize=address -fsanitize-recover=address -g3'
$ export CXXFLAGS='-fsanitize=address -fsanitize-recover=address -g3'
$ make
$ binutils/nm-new -D ./poc_83
AddressSanitizer report:
$ /home/pt/sytseng/binutils-gdb-asan/binutils/nm-new -D ./poc_83
BFD: warning: ./pocs/poc_83 has a program header with invalid alignment
=================================================================
==4058725==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x6210000010e0 at pc 0x7fb331b9fccd bp 0x7ffc82fbe790 sp 0x7ffc82fbdf38
READ of size 354 at 0x6210000010e0 thread T0
#0 0x7fb331b9fccc in __interceptor_strchr
../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:671
#1 0x559a49bea133 in bfd_demangle
/home/pt/sytseng/binutils-gdb-asan/bfd/bfd.c:2677
#2 0x559a49bcb3fe in print_symname
/home/pt/sytseng/binutils-gdb-asan/binutils/nm.c:700
#3 0x559a49bd1a11 in print_symbol_info_posix
/home/pt/sytseng/binutils-gdb-asan/binutils/nm.c:1934
#4 0x559a49bce2c1 in print_symbol
/home/pt/sytseng/binutils-gdb-asan/binutils/nm.c:1228
#5 0x559a49bcf4e7 in print_symbols
/home/pt/sytseng/binutils-gdb-asan/binutils/nm.c:1388
#6 0x559a49bd002e in display_rel_file
/home/pt/sytseng/binutils-gdb-asan/binutils/nm.c:1503
#7 0x559a49bd0838 in display_file
/home/pt/sytseng/binutils-gdb-asan/binutils/nm.c:1649
#8 0x559a49bd2827 in main
/home/pt/sytseng/binutils-gdb-asan/binutils/nm.c:2161
#9 0x7fb331957082 in __libc_start_main ../csu/libc-start.c:308
#10 0x559a49bc915d in _start
(/home/pt/sytseng/binutils-gdb-asan/binutils/nm-new+0xa315d)
0x6210000010e0 is located 0 bytes to the right of 4064-byte region
[0x621000000100,0x6210000010e0)
allocated by thread T0 here:
#0 0x7fb331c38808 in __interceptor_malloc
../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
#1 0x559a49ed0ffa in objalloc_create objalloc.c:95
#2 0x559a49bf5b3a in _bfd_new_bfd
/home/pt/sytseng/binutils-gdb-asan/bfd/opncls.c:92
#3 0x559a49bf63a2 in bfd_fopen
/home/pt/sytseng/binutils-gdb-asan/bfd/opncls.c:265
#4 0x559a49bf67f4 in bfd_openr
/home/pt/sytseng/binutils-gdb-asan/bfd/opncls.c:361
#5 0x559a49bd070b in display_file
/home/pt/sytseng/binutils-gdb-asan/binutils/nm.c:1630
#6 0x559a49bd2827 in main
/home/pt/sytseng/binutils-gdb-asan/binutils/nm.c:2161
#7 0x7fb331957082 in __libc_start_main ../csu/libc-start.c:308
SUMMARY: AddressSanitizer: heap-buffer-overflow
../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:671
in __interceptor_strchr
Shadow bytes around the buggy address:
0x0c427fff81c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fff81d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fff81e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fff81f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fff8200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c427fff8210: 00 00 00 00 00 00 00 00 00 00 00 00[fa]fa fa fa
0x0c427fff8220: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fff8230: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fff8240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fff8250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fff8260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==4058725==ABORTING
--
You are receiving this mail because:
You are on the CC list for the bug.
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- [Bug binutils/30903] New: nm: heap-buffer-overflow at bfd/bfd.c:2677 in bfd_demangle,
yan.cs10 at nycu dot edu.tw <=