Bug 29874

Summary: Out-of-bounds read at `case DST__K_INCR_LINUM` handler in function `parse_module`
Product: binutils
Reporter: 2019 <r3tr0spect2019>
Component: binutils
Assignee: Alan Modra <amodra>
Status: RESOLVED FIXED
Severity: normal
Priority: P2
Version: 2.40
Target Milestone: 2.40
Host:
Target:
Build:
Last reconfirmed: 2022-12-12 00:00:00
Attachments: PoC

Description 2019 2022-12-12 03:29:02 UTC
Created attachment 14495 [details]
PoC

# Reproduce

```bash
cd binutils-gdb
git reset --hard f2f58a399cf3f946983398cdfe52d0eaa72bf877
mkdir build && cd build
../configure --disable-gdb --disable-gdbserver --disable-gdbsupport --disable-libdecnumber --disable-readline --disable-sim --disable-libbacktrace --disable-gas --disable-ld --disable-werror --enable-targets=all CPPFLAGS=-DDEBUG CFLAGS="-g -O0 -fsanitize=address"
make all-binutils MAKEINFO=true && true
binutils/addr2line -e poc.bin 0
```

# Output

```
binutils/addr2line: DST__K_SET_PC not implemented
binutils/addr2line: DST__K_SET_LINUM_INCR not implemented
binutils/addr2line: DST__K_BEG_STMT_MODE not implemented
binutils/addr2line: DST__K_SET_LINUM_INCR not implemented
binutils/addr2line: unknown line command 30
binutils/addr2line: unknown line command 75
binutils/addr2line: unknown line command 69
binutils/addr2line: unknown line command 80
binutils/addr2line: unknown line command 36
binutils/addr2line: DST__K_END_STMT_MODE not implemented
binutils/addr2line: unknown line command 108
binutils/addr2line: unknown line command 80
binutils/addr2line: unknown line command 44
binutils/addr2line: DST__K_SET_LINUM_INCR not implemented
binutils/addr2line: unknown line command 24
binutils/addr2line: unknown line command 50
binutils/addr2line: DST__K_RESET_LINUM_INCR not implemented
binutils/addr2line: DST__K_SET_LINUM_INCR not implemented
binutils/addr2line: unknown line command 87
binutils/addr2line: unknown line command 99
binutils/addr2line: unknown line command 73
binutils/addr2line: DST__K_END_STMT_MODE not implemented
binutils/addr2line: unknown line command 72
binutils/addr2line: unknown line command 104
binutils/addr2line: unknown line command 76
binutils/addr2line: unknown line command 99
binutils/addr2line: unknown line command 102
binutils/addr2line: unknown line command 75
binutils/addr2line: unknown line command 120
binutils/addr2line: unknown line command 73
binutils/addr2line: unknown line command 28
binutils/addr2line: unknown line command 127
binutils/addr2line: DST__K_SET_LINUM_INCR_W not implemented
binutils/addr2line: DST__K_SET_LINUM_INCR_W not implemented
binutils/addr2line: unknown line command 100
binutils/addr2line: unknown line command 59
binutils/addr2line: unknown line command 115
binutils/addr2line: unknown line command 100
binutils/addr2line: unknown line command 40
binutils/addr2line: unknown line command 127
binutils/addr2line: unknown line command 67
binutils/addr2line: unknown line command 72
binutils/addr2line: unknown line command 67
binutils/addr2line: unknown line command 76
binutils/addr2line: unknown line command 99
binutils/addr2line: unknown line command 116
binutils/addr2line: unknown line command 76
binutils/addr2line: unknown line command 115
binutils/addr2line: unknown line command 73
binutils/addr2line: unknown line command 125
binutils/addr2line: DST__K_SET_LINUM_INCR not implemented
binutils/addr2line: DST__K_SET_PC_L not implemented
binutils/addr2line: unknown line command 72
binutils/addr2line: unknown line command 49
binutils/addr2line: unknown line command 68
binutils/addr2line: unknown line command 115
binutils/addr2line: unknown line command 68
binutils/addr2line: unknown line command 26
binutils/addr2line: unknown line command 82
binutils/addr2line: unknown line command 76
binutils/addr2line: unknown line command 83
binutils/addr2line: unknown line command 32
binutils/addr2line: unknown line command 99
binutils/addr2line: unknown line command 25
binutils/addr2line: DST__K_BEG_STMT_MODE not implemented
binutils/addr2line: unknown line command 116
binutils/addr2line: DST__K_END_STMT_MODE not implemented
binutils/addr2line: unknown line command 38
binutils/addr2line: unknown line command 112
binutils/addr2line: DST__K_BEG_STMT_MODE not implemented
binutils/addr2line: DST__K_SET_LINUM_INCR not implemented
binutils/addr2line: unknown line command 42
binutils/addr2line: unknown line command 80
binutils/addr2line: unknown line command 71
binutils/addr2line: DST__K_SET_LINUM_INCR not implemented
binutils/addr2line: DST__K_END_STMT_MODE not implemented
binutils/addr2line: unknown line command 118
binutils/addr2line: DST__K_END_STMT_MODE not implemented
binutils/addr2line: DST__K_SET_PC_W not implemented
binutils/addr2line: DST__K_SET_PC not implemented
binutils/addr2line: DST__K_RESET_LINUM_INCR not implemented
binutils/addr2line: unknown line command 90
binutils/addr2line: DST__K_RESET_LINUM_INCR not implemented
binutils/addr2line: DST__K_SET_LINUM_INCR not implemented
binutils/addr2line: unknown line command 42
binutils/addr2line: unknown line command 90
binutils/addr2line: unknown line command 64
binutils/addr2line: DST__K_BEG_STMT_MODE not implemented
binutils/addr2line: DST__K_END_STMT_MODE not implemented
binutils/addr2line: unknown line command 85
binutils/addr2line: unknown line command 32
binutils/addr2line: DST__K_END_STMT_MODE not implemented
binutils/addr2line: unknown line command 48
binutils/addr2line: DST__K_SET_PC not implemented
binutils/addr2line: unknown line command 32
binutils/addr2line: unknown line command 48
binutils/addr2line: DST__K_SET_PC_L not implemented
binutils/addr2line: DST__K_END_STMT_MODE not implemented
binutils/addr2line: unknown line command 82
binutils/addr2line: unknown line command 72
binutils/addr2line: unknown line command 95
binutils/addr2line: unknown line command 73
binutils/addr2line: unknown line command 49
binutils/addr2line: unknown line command 82
binutils/addr2line: unknown line command 28
binutils/addr2line: unknown line command 111
binutils/addr2line: unknown line command 84
binutils/addr2line: unknown line command 126
binutils/addr2line: unknown line command 26
binutils/addr2line: unknown line command 92
binutils/addr2line: DST__K_SET_PC_W not implemented
binutils/addr2line: unknown line command 33
binutils/addr2line: DST__K_SET_LINUM_INCR not implemented
binutils/addr2line: DST__K_END_STMT_MODE not implemented
binutils/addr2line: unknown line command 82
binutils/addr2line: unknown line command 26
binutils/addr2line: unknown line command 64
binutils/addr2line: unknown line command 83
binutils/addr2line: unknown line command 55
binutils/addr2line: unknown line command 26
binutils/addr2line: unknown line command 112
binutils/addr2line: unknown line command 36
binutils/addr2line: unknown line command 116
binutils/addr2line: DST__K_BEG_STMT_MODE not implemented
binutils/addr2line: DST__K_SET_PC not implemented
binutils/addr2line: unknown line command 69
binutils/addr2line: DST__K_BEG_STMT_MODE not implemented
binutils/addr2line: DST__K_SET_PC not implemented
binutils/addr2line: unknown line command 38
binutils/addr2line: DST__K_SET_PC_W not implemented
binutils/addr2line: unknown line command 112
binutils/addr2line: DST__K_RESET_LINUM_INCR not implemented
binutils/addr2line: DST__K_SET_LINUM_INCR not implemented
binutils/addr2line: unknown line command 42
binutils/addr2line: unknown line command 80
binutils/addr2line: unknown line command 71
binutils/addr2line: DST__K_SET_LINUM_INCR not implemented
binutils/addr2line: DST__K_SET_PC_W not implemented
binutils/addr2line: DST__K_SET_PC not implemented
binutils/addr2line: unknown line command 48
binutils/addr2line: DST__K_SET_PC_W not implemented
binutils/addr2line: unknown line command 118
binutils/addr2line: DST__K_SET_PC not implemented
binutils/addr2line: DST__K_SET_LINUM_INCR not implemented
binutils/addr2line: DST__K_SET_LINUM_INCR not implemented
binutils/addr2line: unknown line command 89
binutils/addr2line: DST__K_RESET_LINUM_INCR not implemented
binutils/addr2line: DST__K_SET_LINUM_INCR not implemented
binutils/addr2line: unknown line command 42
binutils/addr2line: unknown line command 89
binutils/addr2line: unknown line command 64
binutils/addr2line: DST__K_BEG_STMT_MODE not implemented
binutils/addr2line: DST__K_END_STMT_MODE not implemented
binutils/addr2line: DST__K_SET_LINUM_INCR_W not implemented
binutils/addr2line: unknown line command 32
binutils/addr2line: unknown line command 48
binutils/addr2line: unknown line command 107
binutils/addr2line: unknown line command 112
binutils/addr2line: unknown line command 101
binutils/addr2line: unknown line command 32
binutils/addr2line: unknown line command 36
binutils/addr2line: unknown line command 55
binutils/addr2line: unknown line command 54
binutils/addr2line: DST__K_END_STMT_MODE not implemented
binutils/addr2line: DST__K_SET_PC not implemented
binutils/addr2line: unknown line command 23
binutils/addr2line: unknown line command 22
binutils/addr2line: DST__K_SET_PC not implemented
binutils/addr2line: DST__K_END_STMT_MODE not implemented
binutils/addr2line: unknown line command 116
binutils/addr2line: DST__K_SET_PC not implemented
binutils/addr2line: unknown line command 39
binutils/addr2line: DST__K_SET_PC_W not implemented
binutils/addr2line: DST__K_RESET_LINUM_INCR not implemented
binutils/addr2line: DST__K_SET_LINUM_INCR not implemented
binutils/addr2line: unknown line command 117
binutils/addr2line: unknown line command 42
binutils/addr2line: unknown line command 80
binutils/addr2line: unknown line command 72
binutils/addr2line: DST__K_SET_LINUM_INCR not implemented
binutils/addr2line: unknown line command 113
binutils/addr2line: DST__K_SET_PC_W not implemented
binutils/addr2line: DST__K_SET_PC not implemented
binutils/addr2line: DST__K_SET_PC_W not implemented
binutils/addr2line: unknown line command 119
binutils/addr2line: DST__K_SET_PC not implemented
binutils/addr2line: unknown line command 32
binutils/addr2line: unknown line command 115
binutils/addr2line: unknown line command 32
binutils/addr2line: unknown line command 83
binutils/addr2line: DST__K_BEG_STMT_MODE not implemented
binutils/addr2line: DST__K_SET_LINUM_INCR not implemented
binutils/addr2line: unknown line command 42
binutils/addr2line: unknown line command 83
binutils/addr2line: unknown line command 64
binutils/addr2line: DST__K_SET_LINUM_INCR not implemented
binutils/addr2line: DST__K_END_STMT_MODE not implemented
binutils/addr2line: unknown line command 32
binutils/addr2line: unknown line command 100
binutils/addr2line: unknown line command 28
binutils/addr2line: unknown line command 49
binutils/addr2line: unknown line command 59
binutils/addr2line: unknown line command 41
binutils/addr2line: DST__K_END_STMT_MODE not implemented
binutils/addr2line: DST__K_SET_PC_W not implemented
binutils/addr2line: unknown line command 26
binutils/addr2line: DST__K_END_STMT_MODE not implemented
binutils/addr2line: DST__K_SET_PC_W not implemented
binutils/addr2line: DST__K_SET_LINUM_INCR not implemented
binutils/addr2line: unknown line command 83
binutils/addr2line: unknown line command 121
binutils/addr2line: DST__K_SET_LINUM_INCR not implemented
binutils/addr2line: unknown line command 42
binutils/addr2line: DST__K_RESET_LINUM_INCR not implemented
binutils/addr2line: unknown line command 58
binutils/addr2line: unknown line command 42
binutils/addr2line: unknown line command 80
binutils/addr2line: unknown line command 72
binutils/addr2line: unknown line command 80
binutils/addr2line: DST__K_SET_PC not implemented
binutils/addr2line: unknown line command 53
binutils/addr2line: unknown line command 50
binutils/addr2line: DST__K_SET_LINUM_INCR not implemented
binutils/addr2line: unknown line command 122
binutils/addr2line: DST__K_SET_PC_W not implemented
binutils/addr2line: DST__K_SET_LINUM_INCR not implemented
binutils/addr2line: unknown line command 56
binutils/addr2line: unknown line command 32
binutils/addr2line: DST__K_SET_LINUM_INCR not implemented
binutils/addr2line: DST__K_SET_PC_L not implemented
=================================================================
==178983==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61a000000b80 at pc 0x55832f8db039 bp 0x7ffd3eb22c50 sp 0x7ffd3eb22c40
READ of size 1 at 0x61a000000b80 thread T0
    #0 0x55832f8db038 in parse_module ../../bfd/vms-alpha.c:4601
    #1 0x55832f8dbfad in module_find_nearest_line ../../bfd/vms-alpha.c:4902
    #2 0x55832f8dc911 in _bfd_vms_find_nearest_line ../../bfd/vms-alpha.c:4982
    #3 0x55832f308b1e in find_address_in_section ../../binutils/addr2line.c:197
    #4 0x55832f323f43 in bfd_map_over_sections ../../bfd/section.c:1366
    #5 0x55832f3098eb in translate_addresses ../../binutils/addr2line.c:337
    #6 0x55832f309fbc in process_file ../../binutils/addr2line.c:470
    #7 0x55832f30a5b1 in main ../../binutils/addr2line.c:579
    #8 0x7f11a5e25d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #9 0x7f11a5e25e3f in __libc_start_main_impl ../csu/libc-start.c:392
    #10 0x55832f308244 in _start (/binutils-gdb/build/binutils/addr2line+0x343244)

0x61a000000b80 is located 0 bytes to the right of 1280-byte region [0x61a000000680,0x61a000000b80)
allocated by thread T0 here:
    #0 0x7f11a60d8867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x55832f31a8d5 in bfd_malloc ../../bfd/libbfd.c:289
    #2 0x55832f8c513a in _bfd_malloc_and_read ../../bfd/libbfd.h:970
    #3 0x55832f8dbf77 in module_find_nearest_line ../../bfd/vms-alpha.c:4896
    #4 0x55832f8dc911 in _bfd_vms_find_nearest_line ../../bfd/vms-alpha.c:4982
    #5 0x55832f308b1e in find_address_in_section ../../binutils/addr2line.c:197
    #6 0x55832f323f43 in bfd_map_over_sections ../../bfd/section.c:1366
    #7 0x55832f3098eb in translate_addresses ../../binutils/addr2line.c:337
    #8 0x55832f309fbc in process_file ../../binutils/addr2line.c:470
    #9 0x55832f30a5b1 in main ../../binutils/addr2line.c:579
    #10 0x7f11a5e25d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: heap-buffer-overflow ../../bfd/vms-alpha.c:4601 in parse_module
Shadow bytes around the buggy address:
  0x0c347fff8120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff8130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff8140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff8150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff8160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c347fff8170:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fff8180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fff8190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fff81a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fff81b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fff81c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==178983==ABORTING
Aborted (core dumped)
```

# Analysis

`pcl_ptr[DST_S_B_PCLINE_UNSBYTE]` is accessed without a bounds check.

Comment 1 Sourceware Commits 2022-12-12 08:59:40 UTC
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=77c225bdeb410cf60da804879ad41622f5f1aa44

commit 77c225bdeb410cf60da804879ad41622f5f1aa44
Author: Alan Modra <amodra@gmail.com>
Date:   Mon Dec 12 18:28:49 2022 +1030

    Lack of bounds checking in vms-alpha.c parse_module
    
            PR 29873
            PR 29874
            PR 29875
            PR 29876
            PR 29877
            PR 29878
            PR 29879
            PR 29880
            PR 29881
            PR 29882
            PR 29883
            PR 29884
            PR 29885
            PR 29886
            PR 29887
            PR 29888
            PR 29889
            PR 29890
            PR 29891
            * vms-alpha.c (parse_module): Make length param bfd_size_type.
            Delete length == -1 checks.  Sanity check record_length.
            Sanity check DST__K_MODBEG, DST__K_RTNBEG, DST__K_RTNEND lengths.
            Sanity check DST__K_SOURCE and DST__K_LINE_NUM elements
            before accessing.
        (build_module_list): Pass dst_section size to parse_module.

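The pattern behind the report above (an operand read after only the opcode byte was checked against the record length) and the kind of check the commit describes ("sanity check DST__K_LINE_NUM elements before accessing"), shown side by side as an added example. This is not code from binutils or from the commit; the command numbers, operand widths and record layout are invented for the example and are not the real DST__K_* values or the DST_S_B_PCLINE_UNSBYTE layout in bfd/vms-alpha.c. `parse_unchecked` has the shape of the bug, `parse_checked` refuses any command whose operand does not fit in the remaining bytes, and `length` plays the role of the section size that the fixed `build_module_list` now passes to `parse_module`. The sample stream is constructed so that its last command is missing an operand byte; the sentinel bytes after it keep the demo inside defined memory, whereas in the reported crash the byte after the 1280-byte malloc'ed region was in ASan's redzone.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Command numbers for this toy line-number stream. Chosen for the example,
 * NOT the real DST__K_* values from bfd/vms-alpha.c. */
enum {
    CMD_INCR_LINUM   = 1,  /* linum += 1-byte unsigned delta */
    CMD_INCR_LINUM_W = 2,  /* linum += 2-byte little-endian delta */
    CMD_SET_LINUM    = 3,  /* linum  = 4-byte little-endian value */
    CMD_DELTA_PC     = 4   /* pc    += 1-byte unsigned delta */
};

struct line_state {
    uint32_t linum;
    uint32_t pc;
    size_t   consumed;   /* bytes the parser advanced from the record start */
    bool     truncated;  /* checked parser refused an operand that did not fit */
    bool     unknown;    /* an unrecognised command ended parsing */
};

/* Operand bytes each command expects after its opcode; -1 for unknown. */
static int operand_size(uint8_t cmd)
{
    switch (cmd) {
    case CMD_INCR_LINUM:
    case CMD_DELTA_PC:     return 1;
    case CMD_INCR_LINUM_W: return 2;
    case CMD_SET_LINUM:    return 4;
    default:               return -1;
    }
}

static uint32_t rd16(const uint8_t *p) { return p[0] | (uint32_t)p[1] << 8; }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | rd16(p + 2) << 16; }

/* Apply one command whose operand bytes start at `op`; shared by both parsers. */
static void apply(struct line_state *st, uint8_t cmd, const uint8_t *op)
{
    switch (cmd) {
    case CMD_INCR_LINUM:   st->linum += op[0];    break;
    case CMD_INCR_LINUM_W: st->linum += rd16(op); break;
    case CMD_SET_LINUM:    st->linum  = rd32(op); break;
    case CMD_DELTA_PC:     st->pc    += op[0];    break;
    }
}

/* Vulnerable pattern: `p < end` only guarantees the opcode byte is inside the
 * record. The operand is read without any check, so a stream whose last
 * command lacks its operand reads past the end of the allocation. */
static struct line_state parse_unchecked(const uint8_t *buf, size_t length)
{
    struct line_state st = {0};
    const uint8_t *p = buf, *end = buf + length;

    while (p < end) {
        uint8_t cmd = *p++;
        int need = operand_size(cmd);
        if (need < 0) { st.unknown = true; break; }
        apply(&st, cmd, p);        /* BUG: p + need may lie beyond end */
        p += need;
    }
    st.consumed = (size_t)(p - buf);
    return st;
}

/* Hardened version: the whole operand must lie inside [p, end) before it is
 * touched. `end - p` is what remains after the opcode byte was consumed. */
static struct line_state parse_checked(const uint8_t *buf, size_t length)
{
    struct line_state st = {0};
    const uint8_t *p = buf, *end = buf + length;

    while (p < end) {
        uint8_t cmd = *p++;
        int need = operand_size(cmd);
        if (need < 0) { st.unknown = true; break; }
        if ((size_t)(end - p) < (size_t)need) { st.truncated = true; break; }
        apply(&st, cmd, p);
        p += need;
    }
    st.consumed = (size_t)(p - buf);
    return st;
}

/* Constructed input. The first STREAM_LEN bytes are the record; the trailing
 * 0xEE bytes stand in for whatever follows the allocation and keep this demo
 * inside defined memory (a sanitizer will not flag it). */
static const uint8_t backing[] = {
    CMD_INCR_LINUM,   5,     /* linum += 5 */
    CMD_DELTA_PC,     3,     /* pc += 3 */
    CMD_INCR_LINUM_W, 0x10,  /* needs 2 operand bytes, only 1 is in the record */
    0xEE, 0xEE               /* past the record's end */
};
#define STREAM_LEN 6

/* Bytes the unchecked parser advanced beyond the record on the sample input. */
static size_t unchecked_overrun(void)
{
    struct line_state st = parse_unchecked(backing, STREAM_LEN);
    return st.consumed > STREAM_LEN ? st.consumed - STREAM_LEN : 0;
}

int main(void)
{
    struct line_state u = parse_unchecked(backing, STREAM_LEN);
    struct line_state c = parse_checked(backing, STREAM_LEN);
    printf("unchecked: linum=%u pc=%u consumed=%zu of %d (overrun %zu)\n",
           u.linum, u.pc, u.consumed, STREAM_LEN, unchecked_overrun());
    printf("checked:   linum=%u pc=%u consumed=%zu truncated=%d\n",
           c.linum, c.pc, c.consumed, c.truncated);
    return 0;
}
```

On the sample record the unchecked parser consumes 7 of 6 bytes and folds the sentinel 0xEE into the line number, which is the same one-byte read past the end that ASan reported at vms-alpha.c:4601, just made visible through `consumed` rather than a redzone hit; the checked parser stops at the short command with `truncated` set and the state from the commands before it intact.
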
Comment 2 Alan Modra 2022-12-12 09:01:16 UTC
.