[Bug binutils/24791] New: Heap Overflow issue in cp-demangle
From: featherrain26 at gmail dot com
Subject: [Bug binutils/24791] New: Heap Overflow issue in cp-demangle
Date: Tue, 09 Jul 2019 14:34:58 +0000
https://sourceware.org/bugzilla/show_bug.cgi?id=24791
Bug ID: 24791
Summary: Heap Overflow issue in cp-demangle
Product: binutils
Version: 2.33 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: featherrain26 at gmail dot com
Target Milestone: ---
Created attachment 11897
--> https://sourceware.org/bugzilla/attachment.cgi?id=11897&action=edit
POC input
Hi, there.
There is a heap overflow in nm.
To reproduce the issue, the compile flags are:
CFLAGS="-g -O0 -m32 -fsanitize=address,undefined" ./configure;make
then,
nm-new -C -a -l --synthetic input
Here are the details reported by ASAN:
==178966==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf4e02883
at pc 0x085d6167 bp 0xffe086d8 sp 0xffe086c8
READ of size 1 at 0xf4e02883 thread T0
#0 0x85d6166 in d_expression_1 cp-demangle.c:3356
#1 0x85d4f12 in d_expression_1 cp-demangle.c:3449
#2 0x85d4f12 in d_expression_1 cp-demangle.c:3449
#3 0x85d4f12 in d_expression_1 cp-demangle.c:3449
#4 0x85d4f12 in d_expression_1 cp-demangle.c:3449
#5 0x85d4f12 in d_expression_1 cp-demangle.c:3449
#6 0x85d4f12 in d_expression_1 cp-demangle.c:3449
#7 0x85d4f12 in d_expression_1 cp-demangle.c:3449
#8 0x85d4f12 in d_expression_1 cp-demangle.c:3449
#9 0x85c8395 in d_expression cp-demangle.c:3531
#10 0x85c8395 in d_array_type cp-demangle.c:3011
#11 0x85c8395 in cplus_demangle_type cp-demangle.c:2463
#12 0x85ca143 in d_parmlist cp-demangle.c:2908
#13 0x85d907c in d_bare_function_type cp-demangle.c:2962
#14 0x85d907c in d_encoding cp-demangle.c:1343
#15 0x85dc451 in cplus_demangle_mangled_name cp-demangle.c:1234
#16 0x85e29ed in d_demangle_callback cp-demangle.c:6292
#17 0x85e29ed in d_demangle cp-demangle.c:6343
#18 0x85e29ed in cplus_demangle_v3 cp-demangle.c:6500
#19 0x858e46c in cplus_demangle cplus-dem.c:165
#20 0x808ea57 in bfd_demangle /mnt/data/playground/binutils-2.32-a/bfd/bfd.c:2254
#21 0x805f51f in print_symname /mnt/data/playground/binutils-2.32-a/binutils/nm.c:423
#22 0x805f51f in print_symbol_info_bsd /mnt/data/playground/binutils-2.32-a/binutils/nm.c:1565
#23 0x8053fcf in print_symbol /mnt/data/playground/binutils-2.32-a/binutils/nm.c:903
#24 0x80571b5 in print_symbols /mnt/data/playground/binutils-2.32-a/binutils/nm.c:1102
#25 0x80571b5 in display_rel_file /mnt/data/playground/binutils-2.32-a/binutils/nm.c:1215
#26 0x805adb1 in display_file /mnt/data/playground/binutils-2.32-a/binutils/nm.c:1335
#27 0x804f98a in main /mnt/data/playground/binutils-2.32-a/binutils/nm.c:1816
#28 0xf7000636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
#29 0x805154b (/mnt/data/playground/binutils-2.32-a/binutils/nm-new+0x805154b)
0xf4e02883 is located 0 bytes to the right of 99-byte region [0xf4e02820,0xf4e02883)
allocated by thread T0 here:
#0 0xf7239dee in malloc (/usr/lib32/libasan.so.2+0x96dee)
#1 0x80abadd in bfd_malloc /mnt/data/playground/binutils-2.32-a/bfd/libbfd.c:275
SUMMARY: AddressSanitizer: heap-buffer-overflow cp-demangle.c:3356 d_expression_1
Shadow bytes around the buggy address:
==178966==ABORTING
The attachment is the POC input.
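A triage helper, added here as an example and not part of this bug report or of binutils: it parses the fields of an ASan report like the one above and builds a deduplication key that collapses the repeated recursive d_expression_1 frames, so fuzzer-found crashes in the demangler can be bucketed by root frame rather than by recursion depth. The report embedded in the code is a constructed, condensed excerpt of the trace above, not the attachment.

```python
import re

# Constructed sample: a condensed excerpt of the ASan report quoted in this bug
# (most repeated frames omitted, wrapped lines rejoined); not the attachment.
SAMPLE_REPORT = """\
==178966==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf4e02883 at pc 0x085d6167
READ of size 1 at 0xf4e02883 thread T0
    #0 0x85d6166 in d_expression_1 cp-demangle.c:3356
    #1 0x85d4f12 in d_expression_1 cp-demangle.c:3449
    #9 0x85c8395 in d_expression cp-demangle.c:3531
    #10 0x85c8395 in d_array_type cp-demangle.c:3011
    #19 0x858e46c in cplus_demangle cplus-dem.c:165
0xf4e02883 is located 0 bytes to the right of 99-byte region [0xf4e02820,0xf4e02883)
SUMMARY: AddressSanitizer: heap-buffer-overflow cp-demangle.c:3356 d_expression_1
"""

HEADER_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+)", re.M)
FRAME_RE = re.compile(r"^\s*#\d+\s+0x[0-9a-f]+\s+in\s+(\S+)\s+(\S+)", re.M)
REGION_RE = re.compile(r"is located (\d+) bytes to the (left|right) of (\d+)-byte region")

def parse_asan(report):
    """Extract the fields a triager needs. Frames are (function, file:line),
    innermost first. Raises ValueError if the header line is missing."""
    head = HEADER_RE.search(report)
    if head is None:
        raise ValueError("not an AddressSanitizer report")
    acc = ACCESS_RE.search(report)
    reg = REGION_RE.search(report)
    return {
        "bug_type": head.group(1),
        "access": acc.group(1) if acc else "?",
        "size": int(acc.group(2)) if acc else 0,
        "frames": FRAME_RE.findall(report),
        # offset 0 on the right means the first byte past the allocation
        "offset": int(reg.group(1)) if reg else None,
        "side": reg.group(2) if reg else None,
        "region_bytes": int(reg.group(3)) if reg else None,
    }

def dedup_key(t, depth=3):
    """Bucket by bug type, access kind and the first `depth` distinct functions.
    Consecutive repeats of one function collapse to one entry, so the recursive
    d_expression_1 frames count once whatever the recursion depth was."""
    funcs = []
    for fn, _ in t["frames"]:
        if not funcs or funcs[-1] != fn:
            funcs.append(fn)
    return "{}/{}/{}".format(t["bug_type"], t["access"], ">".join(funcs[:depth]))
```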