From: spinpx at gmail dot com
Subject: [Bug binutils/24236] New: size: Heap buffer overflow in _bfd_archive_64_bit_slurp_armap
Date: Tue, 19 Feb 2019 12:21:21 +0000
https://sourceware.org/bugzilla/show_bug.cgi?id=24236
Bug ID: 24236
Summary: size: Heap buffer overflow in _bfd_archive_64_bit_slurp_armap
Product: binutils
Version: 2.33 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: spinpx at gmail dot com
Target Milestone: ---
- Intel Xeon Gold 5118 processors and 256 GB memory
- Linux n18-065-139 4.19.0-1-amd64 #1 SMP Debian 4.19.12-1 (2018-12-22) x86_64 GNU/Linux
- clang version 4.0.0 (tags/RELEASE_400/final)
- version: commit c72e75a64030b0f6535a80481f37968ad55c333a (Feb 19 2019)
- run: size input_file
- Exploitable:
Description: Heap error
Short description: HeapError (10/22)
Hash: 0ab5d0005e74fc041576aa73a2a94770.f78de5a987638de0bf17f6470949c81d
Exploitability Classification: EXPLOITABLE
Explanation: The target's backtrace indicates that libc has detected a heap
error or that the target was executing a heap function when it stopped. This
could be due to heap corruption, passing a bad pointer to a heap function such
as free(), etc. Since heap errors might include buffer overflows,
use-after-free situations, etc. they are generally considered exploitable.
Other tags: AbortSignal (20/22)
- stack:
#0 __GI_raise (address@hidden) at ../sysdeps/unix/sysv/linux/raise.c:50
#1 0x00007fb7ebcef535 in __GI_abort () at abort.c:79
#2 0x00007fb7ebd46778 in __libc_message (address@hidden,
address@hidden "%s\n") at ../sysdeps/posix/libc_fatal.c:181
#3 0x00007fb7ebd4ce6a in malloc_printerr (address@hidden
"double free or corruption (!prev)") at malloc.c:5341
#4 0x00007fb7ebd4e98c in _int_free (av=0x7fb7ebe88c40 <main_arena>,
p=0xc49ac0, have_lock=<optimized out>) at malloc.c:4309
#5 0x00000000005b6a64 in objalloc_free (o=0xc46780) at
/mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/objalloc.c:187
#6 0x00000000004227f9 in _bfd_delete_bfd (abfd=0xc46660) at
/mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/opncls.c:126
#7 bfd_close_all_done (abfd=0xc46660) at
/mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/opncls.c:773
#8 0x00000000004225e8 in bfd_close (abfd=0xc46660) at
/mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/opncls.c:735
#9 0x00000000004043dd in display_file (filename=0x7ffceb73e23b
"/mnt/raid/user/chenpeng/FuzzingBench/size/crashes_matryoshka_cmin_crash/id:000000-crash_2")
at
/mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/size.c:409
#10 0x0000000000403cc5 in main (argc=<optimized out>, argv=0x7fb7ebd048bb
<__GI_raise+267>) at
/mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/size.c:241
- asan report:
==1423785==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x621000004e78 at pc 0x0000007f787c bp 0x7ffff511d170 sp 0x7ffff511d168
WRITE of size 1 at 0x621000004e78 thread T0
#0 0x7f787b in _bfd_archive_64_bit_slurp_armap
/mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/archive64.c:126:15
#1 0x4fcfd6 in bfd_slurp_armap
/mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/archive.c:1152:14
#2 0x4fc895 in bfd_generic_archive_p
/mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/archive.c:875:8
#3 0x5207e5 in bfd_check_format_matches
/mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/format.c:315:14
#4 0x51f82e in bfd_check_format
/mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/format.c:94:10
#5 0x4f1eb5 in display_file
/mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/size.c:431:7
#6 0x4f1aa5 in main
/mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/size.c:260:7
#7 0x7f0399a5209a in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
#8 0x41d5e9 in _start
(/mnt/raid/user/chenpeng/FuzzingBench/build/asan/install/bin/size+0x41d5e9)
0x621000004e78 is located 0 bytes to the right of 4472-byte region
[0x621000003d00,0x621000004e78)
allocated by thread T0 here:
#0 0x4c42dc in malloc
/scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66:3
#1 0x8affb0 in _objalloc_alloc
/mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/objalloc.c:143:22
#2 0x52e450 in bfd_alloc
/mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/opncls.c:949:9
#3 0x52c5cc in bfd_zalloc
/mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/opncls.c:998:9
#4 0x7f74c7 in _bfd_archive_64_bit_slurp_armap
/mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/archive64.c:98:39
#5 0x4fcfd6 in bfd_slurp_armap
/mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/archive.c:1152:14
#6 0x4fc895 in bfd_generic_archive_p
/mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/archive.c:875:8
#7 0x5207e5 in bfd_check_format_matches
/mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/format.c:315:14
#8 0x51f82e in bfd_check_format
/mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/format.c:94:10
#9 0x4f1eb5 in display_file
/mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/size.c:431:7
#10 0x4f1aa5 in main
/mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/size.c:260:7
#11 0x7f0399a5209a in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
SUMMARY: AddressSanitizer: heap-buffer-overflow
/mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/archive64.c:126:15
in _bfd_archive_64_bit_slurp_armap
Shadow bytes around the buggy address:
0x0c427fff8970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fff8980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fff8990: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fff89a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fff89b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c427fff89c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[fa]
0x0c427fff89d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fff89e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fff89f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fff8a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fff8a10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==1423785==ABORTING
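The ASan report above pins the fault to a one-byte WRITE landing 0 bytes past the end of a 4472-byte region that _bfd_archive_64_bit_slurp_armap obtained through bfd_zalloc at archive64.c:98, i.e. the buffer sized for the 64-bit symbol map from header fields of an attacker-controlled archive. The following is an added example, not binutils code and not a claim about the exact faulting statement in archive64.c: a stand-alone reader for the layout of a "/SYM64/" member (an 8-byte big-endian symbol count, that many 8-byte big-endian member offsets, then a string table of NUL-terminated names filling the rest of the member) that checks the count against the member size without integer overflow, places its own sentinel NUL in a buffer it sized itself, and refuses a table that holds fewer names than the count claims instead of scanning or writing past it. The sample members are constructed for the example, not taken from the crash file.

```c
/* Added example (not binutils code): a bounds-checked reader for the layout
 * of a 64-bit archive symbol map, the "/SYM64/" member: an 8-byte big-endian
 * symbol count, that many 8-byte big-endian member offsets, then a string
 * table of NUL-terminated names filling the rest of the member.  Every field
 * comes from the file and is treated as untrusted. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct armap_sym { uint64_t file_offset; const char *name; };
struct armap64 { uint64_t nsyms; struct armap_sym *syms; char *strings; };

static uint64_t get_be64(const unsigned char *p)
{
    uint64_t v = 0;
    for (int i = 0; i < 8; i++) v = (v << 8) | p[i];
    return v;
}

void armap64_free(struct armap64 *m)
{
    free(m->syms); free(m->strings); memset(m, 0, sizeof *m);
}

/* 0 on success (*out owns heap memory, release with armap64_free), -1 if the
 * count does not fit the member or the table holds fewer names than symbols. */
int parse_armap64(const unsigned char *member, size_t member_size,
                  struct armap64 *out)
{
    memset(out, 0, sizeof *out);
    if (member_size < 8) return -1;
    uint64_t nsyms = get_be64(member);
    /* Overflow-free form of "8 + 8*nsyms <= member_size". */
    if (nsyms > (member_size - 8) / 8) return -1;
    size_t ptr_bytes = (size_t)nsyms * 8;
    size_t stringsize = member_size - 8 - ptr_bytes;

    /* Private copy of the string table, one byte longer than the table, with
     * the sentinel NUL in that extra byte: strlen() below can never run past
     * it, and nothing is written into the original member. */
    char *strings = malloc(stringsize + 1);
    if (!strings) return -1;
    memcpy(strings, member + 8 + ptr_bytes, stringsize);
    strings[stringsize] = '\0';

    struct armap_sym *syms = calloc(nsyms ? (size_t)nsyms : 1, sizeof *syms);
    if (!syms) { free(strings); return -1; }

    const char *p = strings, *end = strings + stringsize;  /* end = sentinel */
    for (uint64_t i = 0; i < nsyms; i++) {
        if (p >= end) {      /* more symbols than names: refuse, do not scan on */
            free(syms); free(strings); return -1;
        }
        syms[i].file_offset = get_be64(member + 8 + i * 8);
        syms[i].name = p;
        p += strlen(p) + 1;  /* stops at the sentinel at the latest */
    }
    out->nsyms = nsyms; out->syms = syms; out->strings = strings;
    return 0;
}

/* Constructed inputs for the example (not from the bug report). */
static const unsigned char sample_ok[] = {            /* 2 symbols, clean table */
    0,0,0,0,0,0,0,2, 0,0,0,0,0,0,0,0x60, 0,0,0,0,0,0,0x01,0x20,
    'f','o','o',0, 'b','a','r',0 };
static const unsigned char sample_unterminated[] = {  /* last name lacks its NUL */
    0,0,0,0,0,0,0,2, 0,0,0,0,0,0,0,0x60, 0,0,0,0,0,0,0x01,0x20,
    'f','o','o',0, 'b','a','r' };
static const unsigned char sample_short[] = {         /* claims 3 symbols, 2 names */
    0,0,0,0,0,0,0,3, 0,0,0,0,0,0,0,0x60, 0,0,0,0,0,0,0x01,0x20, 0,0,0,0,0,0,0x02,0,
    'f','o','o',0, 'b','a','r',0 };
static const unsigned char sample_huge[] = {          /* count 2^56 in a 16-byte member */
    0x01,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0 };

int parse_status(const unsigned char *m, size_t n)
{
    struct armap64 a; int r = parse_armap64(m, n, &a);
    if (r == 0) armap64_free(&a);
    return r;
}

/* 1 if symbol idx of the member parses to (want_name, want_off), else 0. */
int symbol_matches(const unsigned char *m, size_t n, uint64_t idx,
                   const char *want_name, uint64_t want_off)
{
    struct armap64 a; int ok = 0;
    if (parse_armap64(m, n, &a) == 0) {
        ok = idx < a.nsyms && a.syms[idx].file_offset == want_off
             && strcmp(a.syms[idx].name, want_name) == 0;
        armap64_free(&a);
    }
    return ok;
}

int main(void)
{
    /* prints: ok=0 unterminated=0 short=-1 huge=-1 */
    printf("ok=%d unterminated=%d short=%d huge=%d\n",
           parse_status(sample_ok, sizeof sample_ok),
           parse_status(sample_unterminated, sizeof sample_unterminated),
           parse_status(sample_short, sizeof sample_short),
           parse_status(sample_huge, sizeof sample_huge));
    return 0;
}
```

The two checks worth carrying over to any parser of this shape are the count check written as a division (so a 64-bit count cannot wrap the size arithmetic) and the explicit `p >= end` test inside the name loop: a string table that is merely unterminated is tolerated through the sentinel, but a count larger than the number of names is rejected rather than handled by writing a terminator at a position derived from the scan.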