
[Bug binutils/29482] New: strip: heap-buffer-overflow in binutils latest


From: tricker51449 at gmail dot com
Subject: [Bug binutils/29482] New: strip: heap-buffer-overflow in binutils latest commit
Date: Sat, 13 Aug 2022 05:15:22 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=29482

            Bug ID: 29482
           Summary: strip: heap-buffer-overflow in binutils latest commit
           Product: binutils
           Version: 2.40 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: tricker51449 at gmail dot com
  Target Milestone: ---

Created attachment 14274
  --> https://sourceware.org/bugzilla/attachment.cgi?id=14274&action=edit
Crash input

Hi, binutils developers

Recently, I tested the binary strip instrumented with ASAN. Unfortunately, it
incurred a crash with the following error information and I'm not sure of the
cause.

The crash can be triggered in the latest binutils-gdb version:

https://github.com/bminor/binutils-gdb/commits/master
commit: 901dd67d0d68ac5e0be145d137533f03de495272

Any help would be greatly appreciated from you :D

Thanks & Best Regards


# ./binutils/strip -o out_file strip_crash_input

=================================================================
==130497==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x6020000000f1 at pc 0x556dbdbf5de5 bp 0x7ffee7a158c0 sp 0x7ffee7a158b8
READ of size 1 at 0x6020000000f1 thread T0
    #0 0x556dbdbf5de4 in bfd_getl32
(/workspace/test/binutils-gdb/binutils/strip-new+0x25fde4) (BuildId:
35a9c6af570fac13ead5254910cec2f0379f6e81)
    #1 0x556dbde98083 in coff_set_section_contents pe-x86_64.c
    #2 0x556dbdc01038 in bfd_set_section_contents
(/workspace/test/binutils-gdb/binutils/strip-new+0x26b038) (BuildId:
35a9c6af570fac13ead5254910cec2f0379f6e81)
    #3 0x556dbdb7303c in copy_section objcopy.c
    #4 0x556dbdc00aaa in bfd_map_over_sections
(/workspace/test/binutils-gdb/binutils/strip-new+0x26aaaa) (BuildId:
35a9c6af570fac13ead5254910cec2f0379f6e81)
    #5 0x556dbdb69abb in copy_object objcopy.c
    #6 0x556dbdb6400f in copy_file objcopy.c
    #7 0x556dbdb5e2d6 in strip_main objcopy.c
    #8 0x556dbdb5d661 in main
(/workspace/test/binutils-gdb/binutils/strip-new+0x1c7661) (BuildId:
35a9c6af570fac13ead5254910cec2f0379f6e81)
    #9 0x7f515d81ed8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId:
69389d485a9793dbe873f0ea2c93e02efaa9aa3d)
    #10 0x7f515d81ee3f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId:
69389d485a9793dbe873f0ea2c93e02efaa9aa3d)
    #11 0x556dbda9f5b4 in _start
(/workspace/test/binutils-gdb/binutils/strip-new+0x1095b4) (BuildId:
35a9c6af570fac13ead5254910cec2f0379f6e81)

0x6020000000f1 is located 0 bytes to the right of 1-byte region
[0x6020000000f0,0x6020000000f1)
allocated by thread T0 here:
    #0 0x556dbdb223fe in __interceptor_malloc
(/workspace/test/binutils-gdb/binutils/strip-new+0x18c3fe) (BuildId:
35a9c6af570fac13ead5254910cec2f0379f6e81)
    #1 0x556dbdbf4e22 in bfd_malloc
(/workspace/test/binutils-gdb/binutils/strip-new+0x25ee22) (BuildId:
35a9c6af570fac13ead5254910cec2f0379f6e81)
    #2 0x556dbdbe4d40 in bfd_get_full_section_contents
(/workspace/test/binutils-gdb/binutils/strip-new+0x24ed40) (BuildId:
35a9c6af570fac13ead5254910cec2f0379f6e81)
    #3 0x556dbdb727db in copy_section objcopy.c
    #4 0x556dbdc00aaa in bfd_map_over_sections
(/workspace/test/binutils-gdb/binutils/strip-new+0x26aaaa) (BuildId:
35a9c6af570fac13ead5254910cec2f0379f6e81)
    #5 0x556dbdb69abb in copy_object objcopy.c
    #6 0x556dbdb6400f in copy_file objcopy.c
    #7 0x556dbdb5e2d6 in strip_main objcopy.c
    #8 0x556dbdb5d661 in main
(/workspace/test/binutils-gdb/binutils/strip-new+0x1c7661) (BuildId:
35a9c6af570fac13ead5254910cec2f0379f6e81)
    #9 0x7f515d81ed8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId:
69389d485a9793dbe873f0ea2c93e02efaa9aa3d)

SUMMARY: AddressSanitizer: heap-buffer-overflow
(/workspace/test/binutils-gdb/binutils/strip-new+0x25fde4) (BuildId:
35a9c6af570fac13ead5254910cec2f0379f6e81) in bfd_getl32
Shadow bytes around the buggy address:
  0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff8000: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
=>0x0c047fff8010: fa fa 00 01 fa fa fd fa fa fa 00 fa fa fa[01]fa
  0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==130497==ABORTING

-- 
You are receiving this mail because:
You are on the CC list for the bug.
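The trace above shows bfd_getl32 (a 4-byte little-endian read) touching a heap region that bfd_get_full_section_contents allocated with only 1 byte. The following is an added illustration of that mechanism and of the bound check a caller needs before such a read; it is not binutils code, and the names read_section_u32 and demo_one_byte_section are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Unchecked 4-byte little-endian read, the same shape as BFD's bfd_getl32:
   it always touches buf[0..3], so the caller must guarantee 4 bytes exist. */
static uint32_t getl32_unchecked(const unsigned char *buf)
{
    return (uint32_t)buf[0] | ((uint32_t)buf[1] << 8)
         | ((uint32_t)buf[2] << 16) | ((uint32_t)buf[3] << 24);
}

/* Hypothetical checked wrapper (not BFD code): read a 32-bit field at `off`
   only when the section buffer of `len` bytes actually covers all 4 bytes. */
bool read_section_u32(const unsigned char *sec, size_t len, size_t off,
                      uint32_t *out)
{
    if (sec == NULL || off > len || len - off < 4)  /* overflow-safe bound check */
        return false;
    *out = getl32_unchecked(sec + off);
    return true;
}

/* Reproduce the shape of the report: a heap section buffer of exactly 1 byte
   (constructed here) on which any 4-byte field read must be refused.
   Returns 0 when the read is refused, 1 when it was (wrongly) performed. */
int demo_one_byte_section(void)
{
    unsigned char *sec = malloc(1);
    if (sec == NULL)
        return -1;
    sec[0] = 0x2a;
    uint32_t v = 0;
    bool ok = read_section_u32(sec, 1, 0, &v);  /* false: would read sec[1..3] */
    free(sec);
    return ok ? 1 : 0;
}

int main(void)
{
    const unsigned char good[] = {0x78, 0x56, 0x34, 0x12};  /* constructed input */
    uint32_t v = 0;
    if (read_section_u32(good, sizeof good, 0, &v))
        printf("4-byte section read ok: 0x%08x\n", v);
    printf("1-byte section read refused: %s\n",
           demo_one_byte_section() == 0 ? "yes" : "no");
    return 0;
}
```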

