Bug 21150 - global buffer overflow in nm.c
Summary: global buffer overflow in nm.c
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils
Version: 2.29
Importance: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
Depends on:
Reported: 2017-02-13 15:59 UTC by Thuan Pham
Modified: 2017-02-13 17:27 UTC

See Also:
Last reconfirmed:

Bug triggering input (262 bytes, application/x-object)
2017-02-13 15:59 UTC, Thuan Pham

Description Thuan Pham 2017-02-13 15:59:16 UTC
Created attachment 9818
Bug triggering input

Dear all,

This bug was found with AFLGo, a directed version of AFL/AFLFast. Thanks also to Marcel Böhme. 

This bug was found on Ubuntu 14.04 64-bit & binutils was checked out from the main repository at git://sourceware.org/git/binutils-gdb.git. Its commit is 53f7e8ea7fad1fcff1b58f4cbd74e192e0bcbc1d (Fri Feb 10 00:00:16 2017)

binutils was built with ASAN using gcc-6.2 and clang-3.4. The configure command was:

CC=clang CFLAGS="-DFORTIFY_SOURCE=2 -fstack-protector-all -fsanitize=undefined,address -fno-omit-frame-pointer -g -Wno-error" ../configure --disable-shared --disable-gdb --disable-libdecnumber --disable-readline --disable-sim

To reproduce:
Download the attached file - bug_16
nm-new --si bug_16

ASAN says:
==107219==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000017a69fe at pc 0x4a65c3 bp 0x7ffcfc8e0c70 sp 0x7ffcfc8e0c68
READ of size 1 at 0x0000017a69fe thread T0
    #0 0x4a65c2 in size_forward1 /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/nm.c:693
    #1 0x7fea99955418 (/lib/x86_64-linux-gnu/libc.so.6+0x3b418)
    #2 0x7fea99955171 (/lib/x86_64-linux-gnu/libc.so.6+0x3b171)
    #3 0x7fea999556cb (/lib/x86_64-linux-gnu/libc.so.6+0x3b6cb)
    #4 0x495d94 in sort_symbols_by_size /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/nm.c:735
    #5 0x4923dd in display_rel_file /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/nm.c:1196
    #6 0x48da9c in display_file /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/nm.c:1319
    #7 0x48bd36 in main /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/nm.c:1793
    #8 0x7fea9993bf44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #9 0x48a9cc in _start (/home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/nm-new+0x48a9cc)
Comment 1 cvs-commit@gcc.gnu.org 2017-02-13 17:24:34 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:


commit c12214021dedefcc2320827bcc1751f2d94ca2c6
Author: Nick Clifton <nickc@redhat.com>
Date:   Mon Feb 13 17:23:10 2017 +0000

    Fix illegal memory access bug in nm when run on a corrupt binary.
    	PR binutils/21150
    	* nm.c (file_symbol): Add test of string length before testing
    	string characters.
Comment 2 Nick Clifton 2017-02-13 17:27:26 UTC
Hi Thuan,

  Thanks for reporting this bug.  I have applied a small patch to fix the problem.

  The bug was in the symbol sorting code used by nm.  It was testing for known file extensions (.o and .a) in symbol names without first checking to see if the symbol name was long enough to actually have one of these extensions.
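As an added illustration of the defect described above (this is not binutils' own nm.c code; the function names, the explicit-length interface and the exact length threshold are assumptions for the example), the unchecked suffix test beside the length-guarded form:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Illustration of the bug class fixed in PR 21150: a ".o"/".a" suffix test
   that indexes backwards from the end of a symbol name without first checking
   that the name is long enough.  Not the binutils source; names and the
   threshold are assumptions for this example. */

/* Unsafe form: for length 0 or 1, p points BEFORE the start of the name, so
   p[0] / p[1] read bytes that do not belong to the string.  When the name is
   stored in a global table, ASan reports this as a global-buffer-overflow. */
static int file_symbol_unchecked(const char *name, size_t length)
{
    const char *p = name + length - 2;
    return p[0] == '.' && (p[1] == 'o' || p[1] == 'a');
}

/* Hardened form: reject short names before any character is touched, so every
   index used below is guaranteed to lie inside [name, name + length). */
static int file_symbol_checked(const char *name, size_t length)
{
    if (name == NULL || length < 2)
        return 0;
    const char *p = name + length - 2;
    return p[0] == '.' && (p[1] == 'o' || p[1] == 'a');
}

/* Wrapper for NUL-terminated names; names pulled from a corrupt object may
   instead arrive with an explicit length, which is why the core takes one. */
static int file_symbol_str(const char *name)
{
    return file_symbol_checked(name, name ? strlen(name) : 0);
}

int main(void)
{
    /* Constructed symbol names; "" and "x" are the short cases that the
       unchecked form cannot handle without reading out of bounds. */
    const char *names[] = { "", "x", ".o", "crt1.o", "libc.a", "main.c", "a.out" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-8s -> %s\n", names[i],
               file_symbol_str(names[i]) ? "file symbol" : "regular symbol");
    /* file_symbol_unchecked(names[0], 0) is the out-of-bounds read; build with
       -fsanitize=address to have it reported rather than silently mis-sorted. */
    return 0;
}
```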