Subject: [Bug binutils/30285] New: heap-buffer-overflow in _bfd_elf_print_private_bfd_data() at /binutils-gdb/bfd/elf.c:1844 (SIGSEGV)
From: 13579and24680 at gmail dot com
Date: Wed, 29 Mar 2023 12:25:24 +0000
https://sourceware.org/bugzilla/show_bug.cgi?id=30285
Bug ID: 30285
Summary: heap-buffer-overflow in _bfd_elf_print_private_bfd_data() at /binutils-gdb/bfd/elf.c:1844 (SIGSEGV)
Product: binutils
Version: 2.40
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: 13579and24680 at gmail dot com
Target Milestone: ---
Created attachment 14787
--> https://sourceware.org/bugzilla/attachment.cgi?id=14787&action=edit
found by my fuzzer, trimmed with afl-tmin
# version
$ ./binutils-gdb/binutils/objdump --version
GNU objdump (GNU Binutils) 2.40.50.20230329
Copyright (C) 2023 Free Software Foundation, Inc.
This program is free software; you may redistribute it under the terms of
the GNU General Public License version 3 or (at your option) any later version.
This program has absolutely no warranty.
---------------------------------------------------------------------
# git log
$ git log --oneline -1
a6e5abae4e9 (HEAD -> master, origin/master, origin/HEAD) gdb: move displaced_step_dump_bytes into gdbsupport (and rename)
---------------------------------------------------------------------
# make
$ git clone git://sourceware.org/git/binutils-gdb.git
$ cd binutils-gdb
$ ./configure
$ make
---------------------------------------------------------------------
# crash
$ ./binutils-gdb/binutils/objdump -x pocmin
BFD: warning: pocmin has a section extending past end of file
pocmin: file format elf64-little
pocmin
architecture: UNKNOWN!, flags 0x00000110:
HAS_SYMS, D_PAGED
start address 0x3030303030303030
Program Header:
0x30303030 off 0x3030303030303030 vaddr 0x3030303030303030 paddr
0x3030303030303030 align 2**4
filesz 0x3030303030303030 memsz 0x3030303030303030 flags --- 30303030
0x30303030 off 0x3030303030303030 vaddr 0x3030303030303030 paddr
0x3030303030303030 align 2**4
filesz 0x3030303030303030 memsz 0x3030303030303030 flags --- 30303030
0x30303030 off 0x3030303030303030 vaddr 0x3030303030303030 paddr
0x3030303030303030 align 2**4
filesz 0x3030303030303030 memsz 0x3030303030303030 flags --- 30303030
0x30303030 off 0x3030303030303030 vaddr 0x3030303030303030 paddr
0x3030303030303030 align 2**4
filesz 0x3030303030303030 memsz 0x3030303030303030 flags --- 30303030
0x30303030 off 0x3030303030303030 vaddr 0x3030303030303030 paddr
0x3030303030303030 align 2**4
filesz 0x3030303030303030 memsz 0x3030303030303030 flags --- 30303030
0x30303030 off 0x3030303030303030 vaddr 0x3030303030303030 paddr
0x3030303030303030 align 2**4
filesz 0x3030303030303030 memsz 0x3030303030303030 flags --- 30303030
0x30303030 off 0x3030303030303030 vaddr 0x3030303030303030 paddr
0x3030303030303030 align 2**4
filesz 0x3030303030303030 memsz 0x3030303030303030 flags --- 30303030
0x30303030 off 0x3030303030303030 vaddr 0x3030303030303030 paddr
0x3030303030303030 align 2**4
filesz 0x3030303030303030 memsz 0x3030303030303030 flags --- 30303030
0x30303030 off 0x3030303030303030 vaddr 0x3030303030303030 paddr
0x3030303030303030 align 2**4
filesz 0x3030303030303030 memsz 0x3030303030303030 flags --- 30303030
0x30303030 off 0x3030303030303030 vaddr 0x3030303030303030 paddr
0x3030303030303030 align 2**4
filesz 0x3030303030303030 memsz 0x3030303030303030 flags --- 30303030
0x30303030 off 0x3030303030303030 vaddr 0x3030303030303030 paddr
0x3030303030303030 align 2**4
filesz 0x3030303030303030 memsz 0x3030303030303030 flags --- 30303030
0x30303030 off 0x3030303030303030 vaddr 0x3030303030303030 paddr
0x3030303030303030 align 2**4
filesz 0x3030303030303030 memsz 0x3030303030303030 flags --- 30303030
0x30303030 off 0x3030303030303030 vaddr 0x3030303030303030 paddr
0x3030303030303030 align 2**4
filesz 0x3030303030303030 memsz 0x3030303030303030 flags --- 30303030
0x30303030 off 0x3030303030303030 vaddr 0x3030303030303030 paddr
0x3030303030303030 align 2**4
filesz 0x3030303030303030 memsz 0x3030303030303030 flags --- 30303030
0x30303030 off 0x3030303030303030 vaddr 0x3030303030303030 paddr
0x3030303030303030 align 2**4
filesz 0x3030303030303030 memsz 0x3030303030303030 flags --- 30303030
0x30303030 off 0x3030303030303030 vaddr 0x3030303030303030 paddr
0x3030303030303030 align 2**4
filesz 0x3030303030303030 memsz 0x3030303030303030 flags --- 30303030
0x30303030 off 0x3030303030303030 vaddr 0x3030303030303030 paddr
0x3030303030303030 align 2**4
filesz 0x3030303030303030 memsz 0x3030303030303030 flags --- 30303030
0x30303030 off 0x3030303030303030 vaddr 0x3030303030303030 paddr
0x3030303030303030 align 2**4
filesz 0x3030303030303030 memsz 0x3030303030303030 flags --- 30303030
0x30303030 off 0x3030303030303030 vaddr 0x3030303030303030 paddr
0x3030303030303030 align 2**4
filesz 0x3030303030303030 memsz 0x3030303030303030 flags --- 30303030
0x30303030 off 0x3030303030303030 vaddr 0x3030303030303030 paddr
0x3030303030303030 align 2**4
filesz 0x3030303030303030 memsz 0x3030303030303030 flags --- 30303030
0x30303030 off 0x3030303030303030 vaddr 0x3030303030303030 paddr
0x3030303030303030 align 2**4
filesz 0x3030303030303030 memsz 0x3030303030303030 flags --- 30303030
0x30303030 off 0x3030303030303030 vaddr 0x3030303030303030 paddr
0x3030303030303030 align 2**4
filesz 0x3030303030303030 memsz 0x3030303030303030 flags --- 30303030
0x30303030 off 0x3030303030303030 vaddr 0x3030303030303030 paddr
0x3030303030303030 align 2**4
filesz 0x3030303030303030 memsz 0x3030303030303030 flags --- 30303030
0x30303030 off 0x3030303030303030 vaddr 0x3030303030303030 paddr
0x3030303030303030 align 2**4
filesz 0x3030303030303030 memsz 0x3030303030303030 flags --- 30303030
0x30303030 off 0x3030303030303030 vaddr 0x3030303030303030 paddr
0x3030303030303030 align 2**4
filesz 0x3030303030303030 memsz 0x3030303030303030 flags --- 30303030
0x30303030 off 0x3030303030303030 vaddr 0x3030303030303030 paddr
0x3030303030303030 align 2**4
filesz 0x3030303030303030 memsz 0x3030303030303030 flags --- 30303030
0x30303030 off 0x3030303030303030 vaddr 0x3030303030303030 paddr
0x3030303030303030 align 2**4
filesz 0x3030303030303030 memsz 0x3030303030303030 flags --- 30303030
0x30303030 off 0x3030303030303030 vaddr 0x3030303030303030 paddr
0x3030303030303030 align 2**4
filesz 0x3030303030303030 memsz 0x3030303030303030 flags --- 30303030
0x30303030 off 0x3030303030303030 vaddr 0x3030303030303030 paddr
0x3030303030303030 align 2**4
filesz 0x3030303030303030 memsz 0x3030303030303030 flags --- 30303030
0x30303030 off 0x3030303030303030 vaddr 0x3030303030303030 paddr
0x3030303030303030 align 2**4
filesz 0x3030303030303030 memsz 0x3030303030303030 flags --- 30303030
0x30303030 off 0x3030303030303030 vaddr 0x3030303030303030 paddr
0x3030303030303030 align 2**4
filesz 0x3030303030303030 memsz 0x3030303030303030 flags --- 30303030
0x30303030 off 0x3030303030303030 vaddr 0x3030303030303030 paddr
0x3030303030303030 align 2**4
filesz 0x3030303030303030 memsz 0x3030303030303030 flags --- 30303030
0x30303030 off 0x3030303030303030 vaddr 0x3030303030303030 paddr
0x3030303030303030 align 2**4
filesz 0x3030303030303030 memsz 0x3030303030303030 flags --- 30303030
0x30303030 off 0x3030303030303030 vaddr 0x3030303030303030 paddr
0x3030303030303030 align 2**4
filesz 0x3030303030303030 memsz 0x3030303030303030 flags --- 30303030
0x30303030 off 0x3030303030303030 vaddr 0x3030303030303030 paddr
0x3030303030303030 align 2**4
filesz 0x3030303030303030 memsz 0x3030303030303030 flags --- 30303030
0x30303030 off 0x3030303030303030 vaddr 0x3030303030303030 paddr
0x3030303030303030 align 2**4
filesz 0x3030303030303030 memsz 0x3030303030303030 flags --- 30303030
0x30303030 off 0x3030303030303030 vaddr 0x3030303030303030 paddr
0x3030303030303030 align 2**4
filesz 0x3030303030303030 memsz 0x3030303030303030 flags --- 30303030
0x30303030 off 0x3030303030303030 vaddr 0x3030303030303030 paddr
0x3030303030303030 align 2**4
filesz 0x3030303030303030 memsz 0x3030303030303030 flags --- 30303030
0x30303030 off 0x3030303030303030 vaddr 0x3030303030303030 paddr
0x3030303030303030 align 2**4
filesz 0x3030303030303030 memsz 0x3030303030303030 flags --- 30303030
0x30303030 off 0x3030303030303030 vaddr 0x3030303030303030 paddr
0x3030303030303030 align 2**4
filesz 0x3030303030303030 memsz 0x3030303030303030 flags --- 30303030
0x30303030 off 0x3030303030303030 vaddr 0x3030303030303030 paddr
0x3030303030303030 align 2**4
filesz 0x3030303030303030 memsz 0x3030303030303030 flags --- 30303030
0x30303030 off 0x3030303030303030 vaddr 0x3030303030303030 paddr
0x3030303030303030 align 2**4
filesz 0x3030303030303030 memsz 0x3030303030303030 flags --- 30303030
0x30303030 off 0x3030303030303030 vaddr 0x3030303030303030 paddr
0x3030303030303030 align 2**4
filesz 0x3030303030303030 memsz 0x3030303030303030 flags --- 30303030
0x30303030 off 0x3030303030303030 vaddr 0x3030303030303030 paddr
0x3030303030303030 align 2**4
filesz 0x3030303030303030 memsz 0x3030303030303030 flags --- 30303030
0x30303030 off 0x3030303030303030 vaddr 0x3030303030303030 paddr
0x3030303030303030 align 2**4
filesz 0x3030303030303030 memsz 0x3030303030303030 flags --- 30303030
0x30303030 off 0x3030303030303030 vaddr 0x3030303030303030 paddr
0x3030303030303030 align 2**4
filesz 0x3030303030303030 memsz 0x3030303030303030 flags --- 30303030
0x30303030 off 0x3030303030303030 vaddr 0x3030303030303030 paddr
0x3030303030303030 align 2**4
filesz 0x3030303030303030 memsz 0x3030303030303030 flags --- 30303030
0x30303030 off 0x3030303030303030 vaddr 0x3030303030303030 paddr
0x3030303030303030 align 2**4
filesz 0x3030303030303030 memsz 0x3030303030303030 flags --- 30303030
Version definitions:
fish: Job 1, './binutils-gdb/binutils/objdump…' terminated by signal SIGSEGV
(Address boundary error)
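The "section extending past end of file" warning above is BFD noticing that header fields in the fuzzed input (all 0x30 bytes, as the Program Header dump shows) point outside the file. As an added example, not code from this report or from binutils, here is a stand-alone pre-screen that applies the same bounds check to ELF64 program headers before a file is handed to objdump; the sample input is constructed to mimic that pattern and is not the attachment.

```python
import struct

# Layout of the ELF64 header and program header (little-endian), from the ELF spec.
EHDR_FMT = "<16sHHIQQQIHHHHHH"  # 64 bytes
PHDR_FMT = "<IIQQQQQQ"          # 56 bytes: type, flags, offset, vaddr, paddr, filesz, memsz, align

def check_elf64_phdrs(data: bytes) -> list:
    """Return (index, reason) pairs for program headers whose file ranges do not fit in `data`.

    Python integers do not wrap, so offset + filesz cannot overflow the way a C size_t sum can."""
    size = len(data)
    if size < 64 or data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        return [(-1, "not an ELF64 little-endian file")]
    hdr = struct.unpack_from(EHDR_FMT, data, 0)
    e_phoff, e_phentsize, e_phnum = hdr[5], hdr[9], hdr[10]
    problems = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if e_phentsize < 56 or off + 56 > size:
            problems.append((i, "program header table runs past end of file"))
            break
        _, _, p_offset, _, _, p_filesz, p_memsz, _ = struct.unpack_from(PHDR_FMT, data, off)
        if p_offset + p_filesz > size:
            problems.append((i, f"segment runs past end of file: off={p_offset:#x} filesz={p_filesz:#x}"))
        elif p_filesz > p_memsz:
            problems.append((i, f"filesz {p_filesz:#x} larger than memsz {p_memsz:#x}"))
    return problems

def build_sample() -> bytes:
    """Constructed input (not the report's attachment): a valid ELF64 header, one sane PT_LOAD
    and one program header made entirely of 0x30 ('0') bytes, the pattern objdump printed above."""
    e_ident = b"\x7fELF\x02\x01\x01" + b"\0" * 9
    ehdr = struct.pack(EHDR_FMT, e_ident, 2, 62, 1, 0x401000, 64, 0, 0, 64, 56, 2, 64, 0, 0)
    sane = struct.pack(PHDR_FMT, 1, 5, 0, 0x400000, 0x400000, 0x100, 0x100, 0x1000)
    junk = b"\x30" * 56
    return ehdr + sane + junk + b"\0" * 0x100

if __name__ == "__main__":
    for idx, why in check_elf64_phdrs(build_sample()):
        print(f"phdr[{idx}]: {why}")
```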
---------------------------------------------------------------------
# ASAN report
=================================================================
==335384==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x62100000c500 at pc 0x55699bd767f8 bp 0x7fff4c0724e0 sp 0x7fff4c0724d0
READ of size 8 at 0x62100000c500 thread T0
#0 0x55699bd767f7 in _bfd_elf_print_private_bfd_data
/home/fuzzer/szuwei/test/report/binutils-gdb_asan/bfd/elf.c:1844
#1 0x55699bbad6e4 in dump_bfd_private_header objdump.c:4906
#2 0x55699bbb0e77 in dump_bfd objdump.c:5595
#3 0x55699bbb1699 in display_object_bfd objdump.c:5746
#4 0x55699bbb19d1 in display_any_bfd objdump.c:5833
#5 0x55699bbb1a4b in display_file objdump.c:5854
#6 0x55699bbb33ee in main objdump.c:6265
#7 0x7f8e1a078082 in __libc_start_main ../csu/libc-start.c:308
#8 0x55699bb9739d in _start
(/home/fuzzer/szuwei/test/report/binutils-gdb_asan/binutils/objdump+0x13639d)
0x62100000c500 is located 32 bytes to the right of 4064-byte region
[0x62100000b500,0x62100000c4e0)
allocated by thread T0 here:
#0 0x7f8e1a359808 in __interceptor_malloc
../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
#1 0x55699bf872c9 in _objalloc_alloc objalloc.c:159
#2 0x55699bcf5d48 in bfd_alloc
/home/fuzzer/szuwei/test/report/binutils-gdb_asan/bfd/opncls.c:1032
#3 0x55699bcf5dd0 in bfd_zalloc
/home/fuzzer/szuwei/test/report/binutils-gdb_asan/bfd/opncls.c:1057
#4 0x55699bd7d120 in _bfd_elf_new_section_hook
/home/fuzzer/szuwei/test/report/binutils-gdb_asan/bfd/elf.c:2861
#5 0x55699bcf8dba in bfd_section_init
/home/fuzzer/szuwei/test/report/binutils-gdb_asan/bfd/section.c:825
#6 0x55699bcf9a65 in bfd_make_section_anyway_with_flags
/home/fuzzer/szuwei/test/report/binutils-gdb_asan/bfd/section.c:1185
#7 0x55699bcf9a93 in bfd_make_section_anyway
/home/fuzzer/szuwei/test/report/binutils-gdb_asan/bfd/section.c:1208
#8 0x55699bd707d3 in _bfd_elf_make_section_from_shdr
/home/fuzzer/szuwei/test/report/binutils-gdb_asan/bfd/elf.c:1000
#9 0x55699bd7c19b in bfd_section_from_shdr
/home/fuzzer/szuwei/test/report/binutils-gdb_asan/bfd/elf.c:2505
#10 0x55699bd5f61a in bfd_elf64_object_p
/home/fuzzer/szuwei/test/report/binutils-gdb_asan/bfd/elfcode.h:841
#11 0x55699bcec710 in bfd_check_format_matches
/home/fuzzer/szuwei/test/report/binutils-gdb_asan/bfd/format.c:387
#12 0x55699bbb1681 in display_object_bfd objdump.c:5744
#13 0x55699bbb19d1 in display_any_bfd objdump.c:5833
#14 0x55699bbb1a4b in display_file objdump.c:5854
#15 0x55699bbb33ee in main objdump.c:6265
#16 0x7f8e1a078082 in __libc_start_main ../csu/libc-start.c:308
SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/fuzzer/szuwei/test/report/binutils-gdb_asan/bfd/elf.c:1844 in
_bfd_elf_print_private_bfd_data
==335384==ABORTING