
[Bug binutils/24236] New: size: Heap buffer overflow in _bfd_archive_64_bit_slurp_armap


From: spinpx at gmail dot com
Subject: [Bug binutils/24236] New: size: Heap buffer overflow in _bfd_archive_64_bit_slurp_armap
Date: Tue, 19 Feb 2019 12:21:21 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=24236

            Bug ID: 24236
           Summary: size: Heap buffer overflow in
                    _bfd_archive_64_bit_slurp_armap
           Product: binutils
           Version: 2.33 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: spinpx at gmail dot com
  Target Milestone: ---

- Intel Xeon Gold 5118 processors and 256 GB memory
- Linux n18-065-139 4.19.0-1-amd64 #1 SMP Debian 4.19.12-1 (2018-12-22) x86_64 GNU/Linux
- clang version 4.0.0 (tags/RELEASE_400/final)
- version: commit c72e75a64030b0f6535a80481f37968ad55c333a (Feb 19 2019)
- run: size input_file

- Exploitable:
Description: Heap error
Short description: HeapError (10/22)
Hash: 0ab5d0005e74fc041576aa73a2a94770.f78de5a987638de0bf17f6470949c81d
Exploitability Classification: EXPLOITABLE
Explanation: The target's backtrace indicates that libc has detected a heap
error or that the target was executing a heap function when it stopped. This
could be due to heap corruption, passing a bad pointer to a heap function such
as free(), etc. Since heap errors might include buffer overflows,
use-after-free situations, etc. they are generally considered exploitable.
Other tags: AbortSignal (20/22)

- stack:
#0  __GI_raise (address@hidden) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007fb7ebcef535 in __GI_abort () at abort.c:79
#2  0x00007fb7ebd46778 in __libc_message (address@hidden,
address@hidden "%s\n") at ../sysdeps/posix/libc_fatal.c:181
#3  0x00007fb7ebd4ce6a in malloc_printerr (address@hidden
"double free or corruption (!prev)") at malloc.c:5341
#4  0x00007fb7ebd4e98c in _int_free (av=0x7fb7ebe88c40 <main_arena>,
p=0xc49ac0, have_lock=<optimized out>) at malloc.c:4309
#5  0x00000000005b6a64 in objalloc_free (o=0xc46780) at
/mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/objalloc.c:187
#6  0x00000000004227f9 in _bfd_delete_bfd (abfd=0xc46660) at
/mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/opncls.c:126
#7  bfd_close_all_done (abfd=0xc46660) at
/mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/opncls.c:773
#8  0x00000000004225e8 in bfd_close (abfd=0xc46660) at
/mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/opncls.c:735
#9  0x00000000004043dd in display_file (filename=0x7ffceb73e23b
"/mnt/raid/user/chenpeng/FuzzingBench/size/crashes_matryoshka_cmin_crash/id:000000-crash_2")
at
/mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/size.c:409
#10 0x0000000000403cc5 in main (argc=<optimized out>, argv=0x7fb7ebd048bb
<__GI_raise+267>) at
/mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/size.c:241

- asan report:
==1423785==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x621000004e78 at pc 0x0000007f787c bp 0x7ffff511d170 sp 0x7ffff511d168
WRITE of size 1 at 0x621000004e78 thread T0
    #0 0x7f787b in _bfd_archive_64_bit_slurp_armap
/mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/archive64.c:126:15
    #1 0x4fcfd6 in bfd_slurp_armap
/mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/archive.c:1152:14
    #2 0x4fc895 in bfd_generic_archive_p
/mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/archive.c:875:8
    #3 0x5207e5 in bfd_check_format_matches
/mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/format.c:315:14
    #4 0x51f82e in bfd_check_format
/mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/format.c:94:10
    #5 0x4f1eb5 in display_file
/mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/size.c:431:7
    #6 0x4f1aa5 in main
/mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/size.c:260:7
    #7 0x7f0399a5209a in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    #8 0x41d5e9 in _start
(/mnt/raid/user/chenpeng/FuzzingBench/build/asan/install/bin/size+0x41d5e9)

0x621000004e78 is located 0 bytes to the right of 4472-byte region
[0x621000003d00,0x621000004e78)
allocated by thread T0 here:
    #0 0x4c42dc in malloc
/scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66:3
    #1 0x8affb0 in _objalloc_alloc
/mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/objalloc.c:143:22
    #2 0x52e450 in bfd_alloc
/mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/opncls.c:949:9
    #3 0x52c5cc in bfd_zalloc
/mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/opncls.c:998:9
    #4 0x7f74c7 in _bfd_archive_64_bit_slurp_armap
/mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/archive64.c:98:39
    #5 0x4fcfd6 in bfd_slurp_armap
/mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/archive.c:1152:14
    #6 0x4fc895 in bfd_generic_archive_p
/mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/archive.c:875:8
    #7 0x5207e5 in bfd_check_format_matches
/mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/format.c:315:14
    #8 0x51f82e in bfd_check_format
/mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/format.c:94:10
    #9 0x4f1eb5 in display_file
/mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/size.c:431:7
    #10 0x4f1aa5 in main
/mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/size.c:260:7
    #11 0x7f0399a5209a in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2409a)

SUMMARY: AddressSanitizer: heap-buffer-overflow
/mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/archive64.c:126:15
in _bfd_archive_64_bit_slurp_armap
Shadow bytes around the buggy address:
  0x0c427fff8970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff8980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff8990: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff89a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff89b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c427fff89c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[fa]
  0x0c427fff89d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff89e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff89f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff8a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff8a10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1423785==ABORTING
