https://sourceware.org/bugzilla/show_bug.cgi?id=30900

            Bug ID: 30900
           Summary: objdump: heap-buffer-overflow at bfd/elf.c:2562 in
                    bfd_elf_print_symbol
           Product: binutils
           Version: 2.42 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: yan.cs10 at nycu dot edu.tw
  Target Milestone: ---

Created attachment 15133
  --> https://sourceware.org/bugzilla/attachment.cgi?id=15133&action=edit
This PoC with the -T argument can crash objdump in the latest version.

Summary:

A crash is caused when using nm.
AddressSanitizer reported it as heap-buffer-overflow.

git commit, OS, Compiler and processor

git commit: be8e83130
gcc (Ubuntu 9.4.0-1ubuntu1~20.04.2) 9.4.0
g++ (Ubuntu 9.4.0-1ubuntu1~20.04.2) 9.4.0
Ubuntu 20.04.4 LTS
AMD Ryzen 5 3600X 6-Core Processor

Steps to reproduce:

$ cd binutils-gdb
$ export CFLAGS='-fsanitize=address -fsanitize-recover=address -g3'
$ export CXXFLAGS='-fsanitize=address -fsanitize-recover=address -g3'
$ ./configure
$ make
$ binutils/objdump -T ./poc_55

AddressSanitizer report:

$ /home/pt/sytseng/binutils-gdb-asan/binutils/objdump -T ./poc_55

/home/pt/sytseng/binutils-gdb-asan/binutils/objdump: option -P/--private not
supported by this file
=================================================================
==2509832==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x621000007866 at pc 0x7ff945486dcb bp 0x7ffe2a9f1ac0 sp 0x7ffe2a9f1238
READ of size 1 at 0x621000007866 thread T0
    #0 0x7ff945486dca in printf_common
../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors_format.inc:546
    #1 0x7ff945487fb6 in __interceptor_vfprintf
../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1604
    #2 0x7ff9454880be in __interceptor_fprintf
../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1661
    #3 0x55f25b2ba18e in bfd_elf_print_symbol
/home/pt/sytseng/binutils-gdb-asan/bfd/elf.c:2562
    #4 0x55f25b0e8e01 in dump_symbols objdump.c:5162
    #5 0x55f25b0eb4e1 in dump_bfd objdump.c:5670
    #6 0x55f25b0eb8cd in display_object_bfd objdump.c:5750
    #7 0x55f25b0ebc05 in display_any_bfd objdump.c:5837
    #8 0x55f25b0ebc7f in display_file objdump.c:5858
    #9 0x55f25b0ed633 in main objdump.c:6269
    #10 0x7ff945216082 in __libc_start_main ../csu/libc-start.c:308
    #11 0x55f25b0d137d in _start
(/home/pt/sytseng/binutils-gdb-asan/binutils/objdump+0x13737d)

0x621000007866 is located 902 bytes to the right of 4064-byte region
[0x621000006500,0x6210000074e0)
allocated by thread T0 here:
    #0 0x7ff9454f7808 in __interceptor_malloc
../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x55f25b4d2bf2 in _objalloc_alloc objalloc.c:159
    #2 0x55f25b22e60c in bfd_alloc
/home/pt/sytseng/binutils-gdb-asan/bfd/libbfd.c:452
    #3 0x55f25b2a81f9 in _bfd_alloc_and_read
/home/pt/sytseng/binutils-gdb-asan/bfd/libbfd.h:886
    #4 0x55f25b2b7bfe in _bfd_elf_get_dynamic_symbols
/home/pt/sytseng/binutils-gdb-asan/bfd/elf.c:2105
    #5 0x55f25b29e7a5 in bfd_elf64_object_p
/home/pt/sytseng/binutils-gdb-asan/bfd/elfcode.h:861
    #6 0x55f25b229e02 in bfd_check_format_matches
/home/pt/sytseng/binutils-gdb-asan/bfd/format.c:365
    #7 0x55f25b0eb8b5 in display_object_bfd objdump.c:5748
    #8 0x55f25b0ebc05 in display_any_bfd objdump.c:5837
    #9 0x55f25b0ebc7f in display_file objdump.c:5858
    #10 0x55f25b0ed633 in main objdump.c:6269
    #11 0x7ff945216082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow
../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors_format.inc:546
in printf_common
Shadow bytes around the buggy address:
  0x0c427fff8eb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff8ec0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff8ed0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff8ee0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff8ef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c427fff8f00: fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa
  0x0c427fff8f10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff8f20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c427fff8f30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c427fff8f40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c427fff8f50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2509832==ABORTING
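The trace above shows fprintf reading one byte at a time 902 bytes past the end of a 4064-byte region that _bfd_elf_get_dynamic_symbols allocated, with bfd_elf_print_symbol as the caller. The report does not say which field of the PoC is malformed, so the following is an added illustration of the general class, not binutils code and not the fix for this bug: a symbol-name lookup that trusts an untrusted string-table offset beside one that checks both the offset and the presence of a terminator before handing the pointer to a "%s" conversion. The string table and symbol offsets are constructed test data; the 4064 + 902 offset merely mirrors the distances in the ASan output.

```c
/* Added illustration (not binutils code): a bounds-checked ELF
   string-table lookup next to the unchecked form that typically
   produces an ASan heap-buffer-overflow inside printf_common. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for Elf64_Sym carrying only the field used here. */
struct sym { uint32_t st_name; };

/* Unchecked form: trusts st_name to land inside the table and trusts
   the table to end in a NUL.  If either assumption fails, a later
   fprintf("%s") walks off the heap allocation, exactly the shape of
   the report above. */
static const char *name_unchecked(const char *strtab, struct sym s)
{
    return strtab + s.st_name;
}

/* Checked form: NULL unless st_name is inside the table and a NUL
   exists before the table ends.  memchr is bounded by the remaining
   table size; strlen would itself read past the end. */
static const char *name_checked(const char *strtab, size_t strtab_size,
                                struct sym s)
{
    if (s.st_name >= strtab_size)
        return NULL;
    if (memchr(strtab + s.st_name, '\0', strtab_size - s.st_name) == NULL)
        return NULL;
    return strtab + s.st_name;
}

/* Constructed 16-byte string table.  Entry at offset 12 ("barx") is
   deliberately not terminated within the table. */
static const char strtab[] = {
    '\0',
    'f', 'o', 'o', '\0',
    '_', 's', 't', 'a', 'r', 't', '\0',
    'b', 'a', 'r', 'x'
};
#define STRTAB_SIZE sizeof(strtab)

/* 1 if the checked lookup accepts the offset, 0 if it rejects it. */
int symbol_name_ok(uint32_t st_name)
{
    struct sym s = { st_name };
    return name_checked(strtab, STRTAB_SIZE, s) != NULL;
}

/* What a printer should emit: the name, or a placeholder that never
   dereferences outside the table. */
const char *symbol_display_name(uint32_t st_name)
{
    struct sym s = { st_name };
    const char *p = name_checked(strtab, STRTAB_SIZE, s);
    return p != NULL ? p : "<corrupt>";
}

int main(void)
{
    /* Offsets: valid "foo", valid "_start", unterminated "barx", and an
       offset far outside the table (distance taken from the report). */
    uint32_t cases[] = { 1, 5, 12, 4064 + 902 };
    size_t i;

    for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        struct sym s = { cases[i] };
        const char *safe = name_checked(strtab, STRTAB_SIZE, s);

        if (safe != NULL) {
            /* For accepted offsets both forms agree on the pointer. */
            printf("st_name=%u -> \"%s\"%s\n", cases[i], safe,
                   safe == name_unchecked(strtab, s) ? "" : " (mismatch)");
        } else {
            /* The unchecked form would have passed this pointer to
               printf("%s") and read past the allocation. */
            printf("st_name=%u -> rejected (would be out-of-bounds)\n",
                   cases[i]);
        }
    }
    return 0;
}
```

Running the block prints the two valid names and rejects offsets 12 and 4966; the unchecked variant is only ever called on offsets the checked one has already accepted, so the example itself has no undefined behaviour to trip ASan.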
