Bug 26240

Summary: Heap overflow in libbfd.c
Product: binutils Reporter: Heqing HUANG <featherrain26>
Component: binutilsAssignee: Nick Clifton <nickc>
Status: RESOLVED FIXED    
Severity: normal CC: nickc
Priority: P2    
Version: 2.36   
Target Milestone: ---   
Host: Target:
Build: Last reconfirmed: 2020-07-15 00:00:00
Attachments: POC input

Description Heqing HUANG 2020-07-14 13:15:22 UTC
Created attachment 12699 [details]
POC input

Hi, there.

There is a heap overflow in the newest version of Binutils, libbfd.c

To reproduce,
run 
nm-new -C -a -l --synthetic poc 

Here is the trace reported by ASAN:
==15754==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61300000dfe8 at pc 0x00000045d9b3 bp 0x7ffe098a7ae0 sp 0x7ffe098a7ad0
READ of size 4 at 0x61300000dfe8 thread T0
    #0 0x45d9b2 in bfd_getl32 ../../bfd/libbfd.c:643
    #1 0x7c741a in _bfd_pex64i_swap_aux_in /mnt/data/playground/binutils-gdb/build/bfd/peXXigen.c:328
    #2 0x7857f2 in coff_get_normalized_symtab ../../bfd/coffgen.c:1830
    #3 0x7a4e04 in coff_slurp_symbol_table ../../bfd/coffcode.h:4494
    #4 0x770538 in coff_get_symtab_upper_bound ../../bfd/coffgen.c:411
    #5 0x47a425 in _bfd_generic_read_minisymbols ../../bfd/syms.c:802
    #6 0x40e9fd in display_rel_file ../../binutils/nm.c:1126
    #7 0x4123cb in display_file ../../binutils/nm.c:1393
    #8 0x407e93 in main ../../binutils/nm.c:1874
    #9 0x7f08d02fa82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #10 0x409e98 in _start (/mnt/data/playground/binutils-gdb/build/binutils/nm-new+0x409e98)

0x61300000dfe8 is located 0 bytes to the right of 360-byte region [0x61300000de80,0x61300000dfe8)
allocated by thread T0 here:
    #0 0x7f08d0940662 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98662)
    #1 0x45bff7 in bfd_malloc ../../bfd/libbfd.c:275

SUMMARY: AddressSanitizer: heap-buffer-overflow ../../bfd/libbfd.c:643 bfd_getl32
Shadow bytes around the buggy address:
  0x0c267fff9ba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff9bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff9bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff9bd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c267fff9be0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c267fff9bf0: 00 00 00 00 00 00 00 00 00 00 00 00 00[fa]fa fa
  0x0c267fff9c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff9c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff9c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff9c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff9c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==15754==ABORTING
Comment 1 Nick Clifton 2020-07-15 09:01:27 UTC
Investigating...
Comment 2 Nick Clifton 2020-07-15 10:16:46 UTC
Fixed - it was an off-by-one error in the check to make sure that the buffer containing the auxillary symbol data was not overrun.
Comment 3 Nick Clifton 2020-07-15 12:33:14 UTC
*** Bug 26241 has been marked as a duplicate of this bug. ***