[Bug gold/20949] New: GOLD: Reading beyond buffer during parsing
From: boehme.marcel at gmail dot com
Subject: [Bug gold/20949] New: GOLD: Reading beyond buffer during parsing
Date: Thu, 08 Dec 2016 08:42:07 +0000
https://sourceware.org/bugzilla/show_bug.cgi?id=20949
Bug ID: 20949
Summary: GOLD: Reading beyond buffer during parsing
Product: binutils
Version: 2.28 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: gold
Assignee: ccoutant at gmail dot com
Reporter: boehme.marcel at gmail dot com
CC: ian at airs dot com
Target Milestone: ---
Dear all,
The following bug was found with AFLFast, a fork of AFL, in a 24 hour fuzzing
session on Binutils. Thanks also to Van-Thuan Pham.
Valgrind reports a read of size 1 in the lexer of the linker for the
following executions on Binutils in trunk and pre-installed v2.24 on Ubuntu
14.04.
For this execution Valgrind points out two locations (script.cc:810,
script.cc:825):
$ printf "\x0d" > test
$ gold/ld-new test
For this execution, there is only one location (script.cc:825):
$ printf "\x80" > test
$ gold/ld-new test
ASAN says:
==116723==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60300000434a at pc 0x0000016367e1 bp 0x7ffec7190920 sp 0x7ffec7190918
READ of size 1 at 0x60300000434a thread T0
#0 0x16367e0 in gold::Lex::get_token(char const**) ../../gold/script.cc:825
#1 0x1637151 in gold::Lex::next_token() ../../gold/script.cc:875
#2 0x164ba27 in gold::Parser_closure::next_token()
../../gold/script.cc:1339
#3 0x164224b in yylex ../../gold/script.cc:2574
#4 0x17473e2 in yyparse
/home/ubuntu/subjects/binutils-gdb_fixed/obj-gold-asan/gold/yyscript.c:1964
#5 0x163b238 in gold::read_input_script(gold::Workqueue*,
gold::Symbol_table*, gold::Layout*, gold::Dirsearch*, int,
gold::Input_objects*, gold::Mapfile*, gold::Input_group*, gold::Input_argument
const*, gold::Input_file*, gold::Task_token*, bool*) ../../gold/script.cc:1500
#6 0x1542934 in gold::Read_script::run(gold::Workqueue*)
../../gold/readsyms.cc:913
#7 0x1741207 in gold::Workqueue::find_and_run_task(int)
../../gold/workqueue.cc:319
#8 0x1742951 in gold::Workqueue::process(int) ../../gold/workqueue.cc:495
#9 0x405d95 in main ../../gold/main.cc:252
#10 0x7fbb1bba9f44 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
#11 0x405147
(/home/ubuntu/subjects/binutils-gdb_fixed/obj-gold-asan/gold/ld-new+0x405147)
0x60300000434a is located 0 bytes to the right of 26-byte region
[0x603000004330,0x60300000434a)
allocated by thread T0 here:
#0 0x7fbb1d02d270 in operator new(unsigned long)
(/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc3270)
#1 0x1998df8 in std::string::_Rep::_S_create(unsigned long, unsigned long,
std::allocator<char> const&)
(/home/ubuntu/subjects/binutils-gdb_fixed/obj-gold-asan/gold/ld-new+0x1998df8)
SUMMARY: AddressSanitizer: heap-buffer-overflow ../../gold/script.cc:825 in
gold::Lex::get_token(char const**)
Best regards,
- Marcel
--
You are receiving this mail because:
You are on the CC list for the bug.
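ASan places the faulting read at 0 bytes to the right of a 26-byte region, i.e. exactly one byte past the end of the buffer, the signature of a lexer that consults the next byte without first checking that one exists. The following is an added C++ illustration of the defect class and its fix; it is not gold's code and does not reproduce the logic of `Lex::get_token` at script.cc:825. The trailing-carriage-return lookahead it guards against is an assumed example of such a lookahead, chosen because the reporter's first reproducer is a lone `\x0d`, not a claim about the actual cause in gold. The `tokenize` function, the `Token`/`Lexed` types and the sample scripts are constructed here.

```cpp
// Constructed example (not gold's lexer): scanning a script buffer with an
// explicit end pointer so that one-byte lookahead can never read past it.
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

struct Token {
    std::string text;   // raw bytes of the word, bytes >= 0x80 kept opaque
    std::size_t line;   // 1-based line on which the word starts
};

struct Lexed {
    std::vector<Token> tokens;
    std::size_t newlines;  // number of "\n", "\r\n" or lone "\r" sequences seen
};

// Returns the byte at p[1] if it lies inside [p, end), otherwise -1.
// The unsafe form this replaces is a bare `p[1]`, which on a buffer that
// ends in the byte being examined reads one past the allocation; this is the
// shape of read that ASan reports as "0 bytes to the right of" a region.
static int peek_next(const char* p, const char* end) {
    return (p + 1 < end) ? static_cast<unsigned char>(p[1]) : -1;
}

static bool is_space(unsigned char c) {
    return c == ' ' || c == '\t' || c == '\r' || c == '\n';
}

// Split a buffer into whitespace-separated words, tracking line numbers.
// Every dereference of p is preceded by a check that p < end.
Lexed tokenize(const char* p, const char* end) {
    Lexed out{{}, 0};
    std::size_t line = 1;
    while (p < end) {
        unsigned char c = static_cast<unsigned char>(*p);
        if (c == '\r' || c == '\n') {
            // Guarded lookahead: a "\r\n" pair counts as one newline, while a
            // "\r" that is the very last byte of the buffer is handled without
            // touching p[1].
            if (c == '\r' && peek_next(p, end) == '\n')
                ++p;
            ++line;
            ++out.newlines;
            ++p;
            continue;
        }
        if (is_space(c)) {
            ++p;
            continue;
        }
        // A word runs until whitespace or the end of the buffer. High bytes
        // such as 0x80 are not interpreted, only carried along.
        const char* start = p;
        while (p < end && !is_space(static_cast<unsigned char>(*p)))
            ++p;
        out.tokens.push_back(Token{std::string(start, p), line});
    }
    return out;
}

// Convenience overload for a script already read into a std::string, which is
// how a one-byte file like the reporter's ends up in memory.
Lexed tokenize(const std::string& buf) {
    return tokenize(buf.data(), buf.data() + buf.size());
}

int main() {
    // The two one-byte inputs from the report, constructed in memory.
    const std::string cr("\r");
    const std::string high("\x80");
    Lexed a = tokenize(cr);
    Lexed b = tokenize(high);
    std::cout << "\\x0d: " << a.tokens.size() << " tokens, "
              << a.newlines << " newlines\n";
    std::cout << "\\x80: " << b.tokens.size() << " tokens, "
              << b.newlines << " newlines\n";
    return 0;
}
```

Both single-byte inputs are handled without any read outside the buffer: the lone `\r` is counted as a line break and yields no tokens, and the lone `\x80` becomes a single opaque one-byte word. Running such a scanner under AddressSanitizer with the two `printf` reproducers from the report is the natural regression check for a fix of this class.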