https://sourceware.org/bugzilla/show_bug.cgi?id=26188
Bug ID: 26188 Summary: buff overflow in bfd, coff_find_nearest_line_with_names Product: binutils Version: 2.35 (HEAD) Status: UNCONFIRMED Severity: critical Priority: P2 Component: binutils Assignee: unassigned at sourceware dot org Reporter: featherrain26 at gmail dot com Target Milestone: --- Created attachment 12673 --> https://sourceware.org/bugzilla/attachment.cgi?id=12673&action=edit POC input Hi, there. There is a heap overflow in bfd modules, triggered by nm. To reproduce, compile it with ASAN. then run nm -al input Here is the trace reported by ASAN: ==118507==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62100001dce8 at pc 0x000000785a12 bp 0x7ffda050c060 sp 0x7ffda050c050 READ of size 2 at 0x62100001dce8 thread T0 #0 0x785a11 in coff_find_nearest_line_with_names ../../bfd/coffgen.c:2482 #1 0x40e128 in print_symbol ../../binutils/nm.c:992 #2 0x40f860 in print_symbols ../../binutils/nm.c:1088 #3 0x40f860 in display_rel_file ../../binutils/nm.c:1212 #4 0x4129ec in display_file ../../binutils/nm.c:1379 #5 0x4081a7 in main ../../binutils/nm.c:1860 #6 0x7f566827082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) #7 0x40a248 in _start (/mnt/data/playground/binutils-2.34-a/build/binutils/nm-new+0x40a248) 0x62100001dce8 is located 8 bytes to the right of 4064-byte region [0x62100001cd00,0x62100001dce0) allocated by thread T0 here: #0 0x7f56688b6662 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98662) #1 0x93a8a0 in objalloc_create ../../libiberty/objalloc.c:95 SUMMARY: AddressSanitizer: heap-buffer-overflow ../../bfd/coffgen.c:2482 coff_find_nearest_line_with_names Shadow bytes around the buggy address: 0x0c427fffbb40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c427fffbb50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c427fffbb60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c427fffbb70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c427fffbb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0c427fffbb90: 00 00 00 00 00 00 00 00 00 00 00 00 fa[fa]fa fa 0x0c427fffbba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c427fffbbb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c427fffbbc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c427fffbbd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c427fffbbe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe ==118507==ABORTING -- You are receiving this mail because: You are on the CC list for the bug.