https://sourceware.org/bugzilla/show_bug.cgi?id=30903
Bug ID: 30903 Summary: nm: heap-buffer-overflow at bfd/bfd.c:2677 in bfd_demangle Product: binutils Version: 2.42 (HEAD) Status: UNCONFIRMED Severity: normal Priority: P2 Component: binutils Assignee: unassigned at sourceware dot org Reporter: yan.cs10 at nycu dot edu.tw Target Milestone: --- Created attachment 15136 --> https://sourceware.org/bugzilla/attachment.cgi?id=15136&action=edit this poc with -D argument can crash nm-new in the latest version Summary: A crash caused when using nm AddressSanitizer reported it as heap-buffer-overflow git commit, OS, Compiler and processor git commit: be8e83130 gcc (Ubuntu 9.4.0-1ubuntu1~20.04.2) 9.4.0 g++ (Ubuntu 9.4.0-1ubuntu1~20.04.2) 9.4.0 Ubuntu 20.04.4 LTS AMD Ryzen 5 3600X 6-Core Processor Steps to reproduce: $ cd binutils-gdb $ export CFLAGS='-fsanitize=address -fsanitize-recover=address -g3' $ export CXXFLAGS='-fsanitize=address -fsanitize-recover=address -g3' $ make $ binutils/nm-new -D ./poc_83 AddressSanitizer report: $ /home/pt/sytseng/binutils-gdb-asan/binutils/nm-new -D ./poc_83 BFD: warning: ./pocs/poc_83 has a program header with invalid alignment ================================================================= ==4058725==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6210000010e0 at pc 0x7fb331b9fccd bp 0x7ffc82fbe790 sp 0x7ffc82fbdf38 READ of size 354 at 0x6210000010e0 thread T0 #0 0x7fb331b9fccc in __interceptor_strchr ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:671 #1 0x559a49bea133 in bfd_demangle /home/pt/sytseng/binutils-gdb-asan/bfd/bfd.c:2677 #2 0x559a49bcb3fe in print_symname /home/pt/sytseng/binutils-gdb-asan/binutils/nm.c:700 #3 0x559a49bd1a11 in print_symbol_info_posix /home/pt/sytseng/binutils-gdb-asan/binutils/nm.c:1934 #4 0x559a49bce2c1 in print_symbol /home/pt/sytseng/binutils-gdb-asan/binutils/nm.c:1228 #5 0x559a49bcf4e7 in print_symbols /home/pt/sytseng/binutils-gdb-asan/binutils/nm.c:1388 #6 0x559a49bd002e in display_rel_file /home/pt/sytseng/binutils-gdb-asan/binutils/nm.c:1503 #7 0x559a49bd0838 in display_file /home/pt/sytseng/binutils-gdb-asan/binutils/nm.c:1649 #8 0x559a49bd2827 in main /home/pt/sytseng/binutils-gdb-asan/binutils/nm.c:2161 #9 0x7fb331957082 in __libc_start_main ../csu/libc-start.c:308 #10 0x559a49bc915d in _start (/home/pt/sytseng/binutils-gdb-asan/binutils/nm-new+0xa315d) 0x6210000010e0 is located 0 bytes to the right of 4064-byte region [0x621000000100,0x6210000010e0) allocated by thread T0 here: #0 0x7fb331c38808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144 #1 0x559a49ed0ffa in objalloc_create objalloc.c:95 #2 0x559a49bf5b3a in _bfd_new_bfd /home/pt/sytseng/binutils-gdb-asan/bfd/opncls.c:92 #3 0x559a49bf63a2 in bfd_fopen /home/pt/sytseng/binutils-gdb-asan/bfd/opncls.c:265 #4 0x559a49bf67f4 in bfd_openr /home/pt/sytseng/binutils-gdb-asan/bfd/opncls.c:361 #5 0x559a49bd070b in display_file /home/pt/sytseng/binutils-gdb-asan/binutils/nm.c:1630 #6 0x559a49bd2827 in main /home/pt/sytseng/binutils-gdb-asan/binutils/nm.c:2161 #7 0x7fb331957082 in __libc_start_main ../csu/libc-start.c:308 SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:671 in __interceptor_strchr Shadow bytes around the buggy address: 0x0c427fff81c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c427fff81d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c427fff81e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c427fff81f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c427fff8200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0c427fff8210: 00 00 00 00 00 00 00 00 00 00 00 00[fa]fa fa fa 0x0c427fff8220: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c427fff8230: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c427fff8240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c427fff8250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c427fff8260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==4058725==ABORTING -- You are receiving this mail because: You are on the CC list for the bug.