| Field | Value |
|---|---|
| Summary | Out of bound read at `case DST__K_INCR_LINUM` handler in function `parse_module` |
| Product | binutils |
| Component | binutils |
| Reporter | 2019 <r3tr0spect2019> |
| Assignee | Alan Modra <amodra> |
| Status | RESOLVED FIXED |
| Severity | normal |
| Priority | P2 |
| Version | 2.40 |
| Target Milestone | 2.40 |
| Host | |
| Target | |
| Build | |
| Last reconfirmed | 2022-12-12 00:00:00 |
| Attachments | PoC |
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=77c225bdeb410cf60da804879ad41622f5f1aa44

```
commit 77c225bdeb410cf60da804879ad41622f5f1aa44
Author: Alan Modra <amodra@gmail.com>
Date:   Mon Dec 12 18:28:49 2022 +1030

    Lack of bounds checking in vms-alpha.c parse_module

            PR 29873
            PR 29874
            PR 29875
            PR 29876
            PR 29877
            PR 29878
            PR 29879
            PR 29880
            PR 29881
            PR 29882
            PR 29883
            PR 29884
            PR 29885
            PR 29886
            PR 29887
            PR 29888
            PR 29889
            PR 29890
            PR 29891
            * vms-alpha.c (parse_module): Make length param bfd_size_type.
            Delete length == -1 checks.  Sanity check record_length.
            Sanity check DST__K_MODBEG, DST__K_RTNBEG, DST__K_RTNEND lengths.
            Sanity check DST__K_SOURCE and DST__K_LINE_NUM elements before
            accessing.
            (build_module_list): Pass dst_section size to parse_module.
```
Created attachment 14495 [details]
PoC

# Reproduce

```bash
cd binutils-gdb
git reset --hard f2f58a399cf3f946983398cdfe52d0eaa72bf877
mkdir build && cd build
../configure --disable-gdb --disable-gdbserver --disable-gdbsupport --disable-libdecnumber --disable-readline --disable-sim --disable-libbacktrace --disable-gas --disable-ld --disable-werror --enable-targets=all CPPFLAGS=-DDEBUG CFLAGS="-g -O0 -fsanitize=address"
make all-binutils MAKEINFO=true && true
binutils/addr2line -e poc.bin 0
```

# Output

```
binutils/addr2line: DST__K_SET_PC not implemented
binutils/addr2line: DST__K_SET_LINUM_INCR not implemented
binutils/addr2line: DST__K_BEG_STMT_MODE not implemented
binutils/addr2line: DST__K_SET_LINUM_INCR not implemented
binutils/addr2line: unknown line command 30
binutils/addr2line: unknown line command 75
binutils/addr2line: unknown line command 69
binutils/addr2line: unknown line command 80
binutils/addr2line: unknown line command 36
binutils/addr2line: DST__K_END_STMT_MODE not implemented
binutils/addr2line: unknown line command 108
binutils/addr2line: unknown line command 80
binutils/addr2line: unknown line command 44
binutils/addr2line: DST__K_SET_LINUM_INCR not implemented
binutils/addr2line: unknown line command 24
binutils/addr2line: unknown line command 50
binutils/addr2line: DST__K_RESET_LINUM_INCR not implemented
binutils/addr2line: DST__K_SET_LINUM_INCR not implemented
binutils/addr2line: unknown line command 87
binutils/addr2line: unknown line command 99
binutils/addr2line: unknown line command 73
binutils/addr2line: DST__K_END_STMT_MODE not implemented
binutils/addr2line: unknown line command 72
binutils/addr2line: unknown line command 104
binutils/addr2line: unknown line command 76
binutils/addr2line: unknown line command 99
binutils/addr2line: unknown line command 102
binutils/addr2line: unknown line command 75
binutils/addr2line: unknown line command 120
binutils/addr2line: unknown line command 73
binutils/addr2line: unknown line command 28
binutils/addr2line: unknown line command 127
binutils/addr2line: DST__K_SET_LINUM_INCR_W not implemented
binutils/addr2line: DST__K_SET_LINUM_INCR_W not implemented
binutils/addr2line: unknown line command 100
binutils/addr2line: unknown line command 59
binutils/addr2line: unknown line command 115
binutils/addr2line: unknown line command 100
binutils/addr2line: unknown line command 40
binutils/addr2line: unknown line command 127
binutils/addr2line: unknown line command 67
binutils/addr2line: unknown line command 72
binutils/addr2line: unknown line command 67
binutils/addr2line: unknown line command 76
binutils/addr2line: unknown line command 99
binutils/addr2line: unknown line command 116
binutils/addr2line: unknown line command 76
binutils/addr2line: unknown line command 115
binutils/addr2line: unknown line command 73
binutils/addr2line: unknown line command 125
binutils/addr2line: DST__K_SET_LINUM_INCR not implemented
binutils/addr2line: DST__K_SET_PC_L not implemented
binutils/addr2line: unknown line command 72
binutils/addr2line: unknown line command 49
binutils/addr2line: unknown line command 68
binutils/addr2line: unknown line command 115
binutils/addr2line: unknown line command 68
binutils/addr2line: unknown line command 26
binutils/addr2line: unknown line command 82
binutils/addr2line: unknown line command 76
binutils/addr2line: unknown line command 83
binutils/addr2line: unknown line command 32
binutils/addr2line: unknown line command 99
binutils/addr2line: unknown line command 25
binutils/addr2line: DST__K_BEG_STMT_MODE not implemented
binutils/addr2line: unknown line command 116
binutils/addr2line: DST__K_END_STMT_MODE not implemented
binutils/addr2line: unknown line command 38
binutils/addr2line: unknown line command 112
binutils/addr2line: DST__K_BEG_STMT_MODE not implemented
binutils/addr2line: DST__K_SET_LINUM_INCR not implemented
binutils/addr2line: unknown line command 42
binutils/addr2line: unknown line command 80
binutils/addr2line: unknown line command 71
binutils/addr2line: DST__K_SET_LINUM_INCR not implemented
binutils/addr2line: DST__K_END_STMT_MODE not implemented
binutils/addr2line: unknown line command 118
binutils/addr2line: DST__K_END_STMT_MODE not implemented
binutils/addr2line: DST__K_SET_PC_W not implemented
binutils/addr2line: DST__K_SET_PC not implemented
binutils/addr2line: DST__K_RESET_LINUM_INCR not implemented
binutils/addr2line: unknown line command 90
binutils/addr2line: DST__K_RESET_LINUM_INCR not implemented
binutils/addr2line: DST__K_SET_LINUM_INCR not implemented
binutils/addr2line: unknown line command 42
binutils/addr2line: unknown line command 90
binutils/addr2line: unknown line command 64
binutils/addr2line: DST__K_BEG_STMT_MODE not implemented
binutils/addr2line: DST__K_END_STMT_MODE not implemented
binutils/addr2line: unknown line command 85
binutils/addr2line: unknown line command 32
binutils/addr2line: DST__K_END_STMT_MODE not implemented
binutils/addr2line: unknown line command 48
binutils/addr2line: DST__K_SET_PC not implemented
binutils/addr2line: unknown line command 32
binutils/addr2line: unknown line command 48
binutils/addr2line: DST__K_SET_PC_L not implemented
binutils/addr2line: DST__K_END_STMT_MODE not implemented
binutils/addr2line: unknown line command 82
binutils/addr2line: unknown line command 72
binutils/addr2line: unknown line command 95
binutils/addr2line: unknown line command 73
binutils/addr2line: unknown line command 49
binutils/addr2line: unknown line command 82
binutils/addr2line: unknown line command 28
binutils/addr2line: unknown line command 111
binutils/addr2line: unknown line command 84
binutils/addr2line: unknown line command 126
binutils/addr2line: unknown line command 26
binutils/addr2line: unknown line command 92
binutils/addr2line: DST__K_SET_PC_W not implemented
binutils/addr2line: unknown line command 33
binutils/addr2line: DST__K_SET_LINUM_INCR not implemented
binutils/addr2line: DST__K_END_STMT_MODE not implemented
binutils/addr2line: unknown line command 82
binutils/addr2line: unknown line command 26
binutils/addr2line: unknown line command 64
binutils/addr2line: unknown line command 83
binutils/addr2line: unknown line command 55
binutils/addr2line: unknown line command 26
binutils/addr2line: unknown line command 112
binutils/addr2line: unknown line command 36
binutils/addr2line: unknown line command 116
binutils/addr2line: DST__K_BEG_STMT_MODE not implemented
binutils/addr2line: DST__K_SET_PC not implemented
binutils/addr2line: unknown line command 69
binutils/addr2line: DST__K_BEG_STMT_MODE not implemented
binutils/addr2line: DST__K_SET_PC not implemented
binutils/addr2line: unknown line command 38
binutils/addr2line: DST__K_SET_PC_W not implemented
binutils/addr2line: unknown line command 112
binutils/addr2line: DST__K_RESET_LINUM_INCR not implemented
binutils/addr2line: DST__K_SET_LINUM_INCR not implemented
binutils/addr2line: unknown line command 42
binutils/addr2line: unknown line command 80
binutils/addr2line: unknown line command 71
binutils/addr2line: DST__K_SET_LINUM_INCR not implemented
binutils/addr2line: DST__K_SET_PC_W not implemented
binutils/addr2line: DST__K_SET_PC not implemented
binutils/addr2line: unknown line command 48
binutils/addr2line: DST__K_SET_PC_W not implemented
binutils/addr2line: unknown line command 118
binutils/addr2line: DST__K_SET_PC not implemented
binutils/addr2line: DST__K_SET_LINUM_INCR not implemented
binutils/addr2line: DST__K_SET_LINUM_INCR not implemented
binutils/addr2line: unknown line command 89
binutils/addr2line: DST__K_RESET_LINUM_INCR not implemented
binutils/addr2line: DST__K_SET_LINUM_INCR not implemented
binutils/addr2line: unknown line command 42
binutils/addr2line: unknown line command 89
binutils/addr2line: unknown line command 64
binutils/addr2line: DST__K_BEG_STMT_MODE not implemented
binutils/addr2line: DST__K_END_STMT_MODE not implemented
binutils/addr2line: DST__K_SET_LINUM_INCR_W not implemented
binutils/addr2line: unknown line command 32
binutils/addr2line: unknown line command 48
binutils/addr2line: unknown line command 107
binutils/addr2line: unknown line command 112
binutils/addr2line: unknown line command 101
binutils/addr2line: unknown line command 32
binutils/addr2line: unknown line command 36
binutils/addr2line: unknown line command 55
binutils/addr2line: unknown line command 54
binutils/addr2line: DST__K_END_STMT_MODE not implemented
binutils/addr2line: DST__K_SET_PC not implemented
binutils/addr2line: unknown line command 23
binutils/addr2line: unknown line command 22
binutils/addr2line: DST__K_SET_PC not implemented
binutils/addr2line: DST__K_END_STMT_MODE not implemented
binutils/addr2line: unknown line command 116
binutils/addr2line: DST__K_SET_PC not implemented
binutils/addr2line: unknown line command 39
binutils/addr2line: DST__K_SET_PC_W not implemented
binutils/addr2line: DST__K_RESET_LINUM_INCR not implemented
binutils/addr2line: DST__K_SET_LINUM_INCR not implemented
binutils/addr2line: unknown line command 117
binutils/addr2line: unknown line command 42
binutils/addr2line: unknown line command 80
binutils/addr2line: unknown line command 72
binutils/addr2line: DST__K_SET_LINUM_INCR not implemented
binutils/addr2line: unknown line command 113
binutils/addr2line: DST__K_SET_PC_W not implemented
binutils/addr2line: DST__K_SET_PC not implemented
binutils/addr2line: DST__K_SET_PC_W not implemented
binutils/addr2line: unknown line command 119
binutils/addr2line: DST__K_SET_PC not implemented
binutils/addr2line: unknown line command 32
binutils/addr2line: unknown line command 115
binutils/addr2line: unknown line command 32
binutils/addr2line: unknown line command 83
binutils/addr2line: DST__K_BEG_STMT_MODE not implemented
binutils/addr2line: DST__K_SET_LINUM_INCR not implemented
binutils/addr2line: unknown line command 42
binutils/addr2line: unknown line command 83
binutils/addr2line: unknown line command 64
binutils/addr2line: DST__K_SET_LINUM_INCR not implemented
binutils/addr2line: DST__K_END_STMT_MODE not implemented
binutils/addr2line: unknown line command 32
binutils/addr2line: unknown line command 100
binutils/addr2line: unknown line command 28
binutils/addr2line: unknown line command 49
binutils/addr2line: unknown line command 59
binutils/addr2line: unknown line command 41
binutils/addr2line: DST__K_END_STMT_MODE not implemented
binutils/addr2line: DST__K_SET_PC_W not implemented
binutils/addr2line: unknown line command 26
binutils/addr2line: DST__K_END_STMT_MODE not implemented
binutils/addr2line: DST__K_SET_PC_W not implemented
binutils/addr2line: DST__K_SET_LINUM_INCR not implemented
binutils/addr2line: unknown line command 83
binutils/addr2line: unknown line command 121
binutils/addr2line: DST__K_SET_LINUM_INCR not implemented
binutils/addr2line: unknown line command 42
binutils/addr2line: DST__K_RESET_LINUM_INCR not implemented
binutils/addr2line: unknown line command 58
binutils/addr2line: unknown line command 42
binutils/addr2line: unknown line command 80
binutils/addr2line: unknown line command 72
binutils/addr2line: unknown line command 80
binutils/addr2line: DST__K_SET_PC not implemented
binutils/addr2line: unknown line command 53
binutils/addr2line: unknown line command 50
binutils/addr2line: DST__K_SET_LINUM_INCR not implemented
binutils/addr2line: unknown line command 122
binutils/addr2line: DST__K_SET_PC_W not implemented
binutils/addr2line: DST__K_SET_LINUM_INCR not implemented
binutils/addr2line: unknown line command 56
binutils/addr2line: unknown line command 32
binutils/addr2line: DST__K_SET_LINUM_INCR not implemented
binutils/addr2line: DST__K_SET_PC_L not implemented
=================================================================
==178983==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61a000000b80 at pc 0x55832f8db039 bp 0x7ffd3eb22c50 sp 0x7ffd3eb22c40
READ of size 1 at 0x61a000000b80 thread T0
    #0 0x55832f8db038 in parse_module ../../bfd/vms-alpha.c:4601
    #1 0x55832f8dbfad in module_find_nearest_line ../../bfd/vms-alpha.c:4902
    #2 0x55832f8dc911 in _bfd_vms_find_nearest_line ../../bfd/vms-alpha.c:4982
    #3 0x55832f308b1e in find_address_in_section ../../binutils/addr2line.c:197
    #4 0x55832f323f43 in bfd_map_over_sections ../../bfd/section.c:1366
    #5 0x55832f3098eb in translate_addresses ../../binutils/addr2line.c:337
    #6 0x55832f309fbc in process_file ../../binutils/addr2line.c:470
    #7 0x55832f30a5b1 in main ../../binutils/addr2line.c:579
    #8 0x7f11a5e25d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #9 0x7f11a5e25e3f in __libc_start_main_impl ../csu/libc-start.c:392
    #10 0x55832f308244 in _start (/binutils-gdb/build/binutils/addr2line+0x343244)

0x61a000000b80 is located 0 bytes to the right of 1280-byte region [0x61a000000680,0x61a000000b80)
allocated by thread T0 here:
    #0 0x7f11a60d8867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x55832f31a8d5 in bfd_malloc ../../bfd/libbfd.c:289
    #2 0x55832f8c513a in _bfd_malloc_and_read ../../bfd/libbfd.h:970
    #3 0x55832f8dbf77 in module_find_nearest_line ../../bfd/vms-alpha.c:4896
    #4 0x55832f8dc911 in _bfd_vms_find_nearest_line ../../bfd/vms-alpha.c:4982
    #5 0x55832f308b1e in find_address_in_section ../../binutils/addr2line.c:197
    #6 0x55832f323f43 in bfd_map_over_sections ../../bfd/section.c:1366
    #7 0x55832f3098eb in translate_addresses ../../binutils/addr2line.c:337
    #8 0x55832f309fbc in process_file ../../binutils/addr2line.c:470
    #9 0x55832f30a5b1 in main ../../binutils/addr2line.c:579
    #10 0x7f11a5e25d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: heap-buffer-overflow ../../bfd/vms-alpha.c:4601 in parse_module
Shadow bytes around the buggy address:
  0x0c347fff8120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff8130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff8140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff8150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff8160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c347fff8170:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fff8180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fff8190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fff81a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fff81b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fff81c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==178983==ABORTING
Aborted (core dumped)
```

# Analysis

`pcl_ptr[DST_S_B_PCLINE_UNSBYTE]` is accessed without bound check.
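The defect the report and the fix describe is a line-number command interpreter that reads a command's operand byte (`pcl_ptr[DST_S_B_PCLINE_UNSBYTE]` in the `DST__K_INCR_LINUM` case) without first confirming that the operand lies inside the record it was given. The following is an added, self-contained C example, not code from binutils or from the reporter, showing the shape of the check that the commit message summarises as "Sanity check DST__K_LINE_NUM elements before accessing". The command codes, the record layout and the sample records are constructed for the example and are not the real `DST__K_*` values or the real DST encoding; the point is the `have_bytes()` guard in front of every operand fetch, and in particular the fact that a one-byte opcode sitting as the last byte of an allocation is exactly the input that an unguarded `p[1]` turns into a one-byte heap read past the end of the buffer, which is what the AddressSanitizer report above shows ("0 bytes to the right of 1280-byte region").

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Command codes for a toy line-number subrecord.  These values are
   constructed for this example and are NOT the real DST__K_* codes
   used by bfd/vms-alpha.c. */
enum {
    CMD_END        = 0x00,  /* end of subrecord, no operand           */
    CMD_DELTA_PC_1 = 0x01,  /* no operand: pc += 1, line += 1         */
    CMD_INCR_LINUM = 0x02,  /* one unsigned-byte operand: line += n   */
    CMD_SET_PC_W   = 0x03   /* two-byte little-endian operand: pc = n */
};

typedef struct {
    uint32_t pc;
    uint32_t line;
    size_t   consumed;  /* bytes of the record that were interpreted       */
    int      status;    /* 0 = ok, -1 = truncated record, -2 = unknown cmd */
} line_state;

/* True when n bytes starting at p lie inside [p, end).  Computed as a
   difference so that no pointer past the end of the buffer is formed. */
static bool have_bytes(const uint8_t *p, const uint8_t *end, size_t n)
{
    return (size_t)(end - p) >= n;
}

/* Walk a subrecord of `len` bytes at `rec`.  Each operand fetch is guarded
   by have_bytes(); the report's bug is the absence of that guard before the
   one-byte operand of the increment-line-number command. */
line_state parse_line_record(const uint8_t *rec, size_t len)
{
    line_state st = { 0, 1, 0, 0 };
    const uint8_t *p = rec;
    const uint8_t *end = rec + len;

    while (p < end) {
        uint8_t cmd = *p;  /* p < end: the opcode byte itself is in bounds */

        switch (cmd) {
        case CMD_END:
            st.consumed = (size_t)(p + 1 - rec);
            return st;

        case CMD_DELTA_PC_1:
            st.pc += 1;
            st.line += 1;
            p += 1;
            break;

        case CMD_INCR_LINUM:
            /* The unchecked form, `st.line += p[1]; p += 2;`, reads one byte
               past the allocation whenever the opcode is the last byte of
               the record: a one-byte heap-buffer-overflow read. */
            if (!have_bytes(p, end, 2)) {
                st.status = -1;
                st.consumed = (size_t)(p - rec);
                return st;
            }
            st.line += p[1];
            p += 2;
            break;

        case CMD_SET_PC_W:
            if (!have_bytes(p, end, 3)) {
                st.status = -1;
                st.consumed = (size_t)(p - rec);
                return st;
            }
            st.pc = (uint32_t)p[1] | ((uint32_t)p[2] << 8);
            p += 3;
            break;

        default:
            st.status = -2;  /* mirrors "unknown line command N" above */
            st.consumed = (size_t)(p - rec);
            return st;
        }
    }
    st.consumed = len;  /* no CMD_END, but every byte read was in bounds */
    return st;
}

/* Constructed sample: delta, incr 5, set pc 0x1234, delta, end. */
line_state demo_well_formed(void)
{
    static const uint8_t rec[] = { 0x01, 0x02, 0x05, 0x03, 0x34, 0x12, 0x01, 0x00 };
    return parse_line_record(rec, sizeof rec);
}

/* Constructed sample cut off right after a CMD_INCR_LINUM opcode. */
line_state demo_truncated(void)
{
    static const uint8_t rec[] = { 0x01, 0x02 };
    return parse_line_record(rec, sizeof rec);
}

int main(void)
{
    line_state a = demo_well_formed();
    line_state b = demo_truncated();
    printf("well-formed: status=%d pc=0x%x line=%u consumed=%zu\n",
           a.status, a.pc, a.line, a.consumed);
    printf("truncated:   status=%d pc=0x%x line=%u consumed=%zu\n",
           b.status, b.pc, b.line, b.consumed);
    return 0;
}
```

The truncated sample returns `status == -1` with `consumed == 1` instead of reading a byte that was never part of the record; the well-formed sample ends at `pc == 0x1235`, `line == 8`. Passing the record's real size into the parser (the fix's "Pass dst_section size to parse_module") is what makes `end` meaningful in the first place; a sentinel such as `length == -1` gives the guard nothing to compare against.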