Bug 22957 - Heap out of bounds read in pop_bincl()
Summary: Heap out of bounds read in pop_bincl()
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils (show other bugs)
Version: 2.30
: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-03-13 11:37 UTC by Kamil Frankowicz
Modified: 2018-03-31 12:30 UTC (History)
2 users (show)

See Also:
Host:
Target:
Build:
Last reconfirmed:

Attachments
Crashing test case (objdump) (193 bytes, application/octet-stream)
2018-03-13 11:37 UTC, Kamil Frankowicz 		Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Kamil Frankowicz 2018-03-13 11:37:07 UTC 
Created attachment 10891 [details]
Crashing test case (objdump)

After some fuzz testing I found a crashing test case.

Version: 2.30

Command: objdump -x -D -S -s -G -g -e -t -T -r -R objdump_hoobr_pop_bincl

ASAN Context:

==2062==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000db70 at pc 0x000000535b77 bp 0x7ffeaf342190 sp 0x7ffeaf342180
READ of size 8 at 0x60200000db70 thread T0
    #0 0x535b76 in pop_bincl XYZ/binutils-2.30.0/binutils/stabs.c:3213
    #1 0x535b76 in parse_stab XYZ/binutils-2.30.0/binutils/stabs.c:565
    #2 0x4ebd89 in read_section_stabs_debugging_info XYZ/binutils-2.30.0/binutils/rddbg.c:239
    #3 0x4ebd89 in read_debugging_info XYZ/binutils-2.30.0/binutils/rddbg.c:56
    #4 0x41f654 in dump_bfd objdump.c:3607
    #5 0x421a77 in display_object_bfd objdump.c:3658
    #6 0x421a77 in display_any_bfd objdump.c:3747
    #7 0x40ea81 in display_file objdump.c:3768
    #8 0x40ea81 in main objdump.c:4070
    #9 0x7f36620ed82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #10 0x411ca8 in _start (/usr/local/bin/objdump+0x411ca8)

0x60200000db71 is located 0 bytes to the right of 1-byte region [0x60200000db70,0x60200000db71)
allocated by thread T0 here:
    #0 0x7f3662733602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0xb57fec in xmalloc xmalloc.c:147

SUMMARY: AddressSanitizer: heap-buffer-overflow XYZ/binutils-2.30.0/binutils/stabs.c:3213 pop_bincl
Shadow bytes around the buggy address:
  0x0c047fff9b10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9b20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9b50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9b60: fa fa fa fa fa fa 00 fa fa fa 01 fa fa fa[01]fa
  0x0c047fff9b70: fa fa 00 00 fa fa 00 00 fa fa 07 fa fa fa 01 fa
  0x0c047fff9b80: fa fa 00 00 fa fa 00 fa fa fa 00 00 fa fa 00 00
  0x0c047fff9b90: fa fa 00 07 fa fa 01 fa fa fa 01 fa fa fa 00 00
  0x0c047fff9ba0: fa fa 00 00 fa fa 00 01 fa fa 05 fa fa fa 04 fa
  0x0c047fff9bb0: fa fa 00 01 fa fa 01 fa fa fa 01 fa fa fa 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==2062==ABORTING
Comment 1 Sourceware Commits 2018-03-13 17:04:13 UTC 
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e45ad1239d7d8591d5e80d8cbba7d404c6c3640f

commit e45ad1239d7d8591d5e80d8cbba7d404c6c3640f
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Mar 13 17:03:04 2018 +0000

    Prevent a buffer overrun when parsing corrupt STABS debug information.
    
    	PR 22957
    	* stabs.c (pop_binincl): Fail if the file index is off the end of
    	the stack.
Comment 2 Nick Clifton 2018-03-13 17:05:27 UTC 
Hi Kamil,

  Thanks for reporting this problem.  I have added a small patch to check
  for the STABS file stack being unwound incorrectly, so hopefully this
  bug should now be fixed.

Cheers
  Nick