Created attachment 9818 [details]
Bug triggering input
This bug was found with AFLGo, a directed version of AFL/AFLFast. Thanks also to Marcel Böhme.
This bug was found on Ubuntu 14.04 64-bit & binutils was checkout from main repository at git://sourceware.org/git/binutils-gdb.git. Its commit is 53f7e8ea7fad1fcff1b58f4cbd74e192e0bcbc1d (Fri Feb 10 00:00:16 2017)
binutils was built with ASAN using gcc-6.2 and clang-3.4. The configure command was:
CC=clang CFLAGS="-DFORTIFY_SOURCE=2 -fstack-protector-all -fsanitize=undefined,address -fno-omit-frame-pointer -g -Wno-error" ../configure --disable-shared --disable-gdb --disable-libdecnumber --disable-readline --disable-sim
Download the attached file - bug_16
nm-new --si bug_16
==107219==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000017a69fe at pc 0x4a65c3 bp 0x7ffcfc8e0c70 sp 0x7ffcfc8e0c68
READ of size 1 at 0x0000017a69fe thread T0
#0 0x4a65c2 in size_forward1 /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/nm.c:693
#1 0x7fea99955418 (/lib/x86_64-linux-gnu/libc.so.6+0x3b418)
#2 0x7fea99955171 (/lib/x86_64-linux-gnu/libc.so.6+0x3b171)
#3 0x7fea999556cb (/lib/x86_64-linux-gnu/libc.so.6+0x3b6cb)
#4 0x495d94 in sort_symbols_by_size /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/nm.c:735
#5 0x4923dd in display_rel_file /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/nm.c:1196
#6 0x48da9c in display_file /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/nm.c:1319
#7 0x48bd36 in main /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/nm.c:1793
#8 0x7fea9993bf44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
#9 0x48a9cc in _start (/home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/nm-new+0x48a9cc)
The master branch has been updated by Nick Clifton <email@example.com>:
Author: Nick Clifton <firstname.lastname@example.org>
Date: Mon Feb 13 17:23:10 2017 +0000
Fix illegal memory access bug in nm when run on a corrupt binary.
* nm.c (file_symbol): Add test of string length before testing
Thanks for reporting this bug. I have applied a small patch to fix the problem.
The bug was in the symbol sorting code used by nm. It was testing for known file extensions (.o and .a) in symbol names without first checking to see if the symbol name was long enough to actually have one of these extensions.