Created attachment 10951
Bug-revealing sample input

Dear all,

This bug was found with AFLSmart, an extension of AFL. Thanks also to Marcel Böhme, Andrew Santosa and Alexandru Razvan Caciulescu.

This bug was found on Ubuntu 16.04 64-bit & binutils was checked out from the main repository at git://sourceware.org/git/binutils-gdb.git. Its commit is 68e91e42492551e165b103d819c021c4953da10b (April 14 2018).

To reproduce:

Compile binutils with ASAN enabled:

    CC=gcc-6 CXX=g++-6 CFLAGS="-DFORTIFY_SOURCE=2 -fstack-protector-all -fsanitize=undefined,address -fno-omit-frame-pointer -g -Wno-error" CXXFLAGS="$CFLAGS" ./configure --disable-shared --disable-gdb --disable-libdecnumber --disable-readline --disable-sim

Download the attached file - bug3

    readelf -w bug3

ASAN says:

    readelf: Warning: Section 0 has an out of range sh_link value of 4160749568
    readelf: Warning: Section 1 has an out of range sh_link value of 16769792
    readelf: Warning: Section 2 has an out of range sh_link value of 33554432
    readelf: Warning: Section 6 has an out of range sh_link value of 247
    readelf: Warning: Section 7 has an out of range sh_link value of 2130706432
    readelf: Warning: Section 11 has an out of range sh_link value of 774778414
    readelf: Warning: Section 12 has an out of range sh_link value of 774778414
    readelf: Warning: possibly corrupt ELF header - it has a non-zero program header offset, but no program headers
    readelf: Warning: could not find separate debug file ''
    readelf: Warning: tried: /lib/debug/
    readelf: Warning: tried: /usr/lib/debug/usr/
    readelf: Warning: tried: /usr/lib/debug/
    readelf: Warning: tried: /home/thuan/experiments/binutils-gdb-asan-newest/binutils/.debug/
    readelf: Warning: tried: /home/thuan/experiments/binutils-gdb-asan-newest/binutils/
    readelf: Warning: tried: .debug/
    readelf: Warning: tried:
    =================================================================
    ==24671==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60700000dd58 at pc 0x0000004c0942 bp 0x7ffe992edb10 sp 0x7ffe992edb00
    READ of size 8 at 0x60700000dd58 thread T0
        #0 0x4c0941 in process_cu_tu_index /home/thuan/experiments/binutils-gdb-asan-newest/binutils/dwarf.c:9290
        #1 0x4c189f in load_cu_tu_indexes /home/thuan/experiments/binutils-gdb-asan-newest/binutils/dwarf.c:9411
        #2 0x4c1926 in find_cu_tu_set /home/thuan/experiments/binutils-gdb-asan-newest/binutils/dwarf.c:9429
        #3 0x461fe2 in display_debug_section /home/thuan/experiments/binutils-gdb-asan-newest/binutils/readelf.c:13703
        #4 0x4628ab in process_section_contents /home/thuan/experiments/binutils-gdb-asan-newest/binutils/readelf.c:13796
        #5 0x47c7ba in process_object /home/thuan/experiments/binutils-gdb-asan-newest/binutils/readelf.c:18684
        #6 0x47e9d0 in process_file /home/thuan/experiments/binutils-gdb-asan-newest/binutils/readelf.c:19104
        #7 0x47ed55 in main /home/thuan/experiments/binutils-gdb-asan-newest/binutils/readelf.c:19163
        #8 0x7f863ba9c82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
        #9 0x4025d8 in _start (/home/thuan/experiments/binutils-gdb-asan-newest/binutils/readelf+0x4025d8)

    0x60700000dd5f is located 0 bytes to the right of 79-byte region [0x60700000dd10,0x60700000dd5f)
    allocated by thread T0 here:
        #0 0x7f863cc2bf70 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc6f70)
        #1 0x40b573 in get_data /home/thuan/experiments/binutils-gdb-asan-newest/binutils/readelf.c:421
        #2 0x4600d1 in load_specific_debug_section /home/thuan/experiments/binutils-gdb-asan-newest/binutils/readelf.c:13477
        #3 0x461605 in load_debug_section /home/thuan/experiments/binutils-gdb-asan-newest/binutils/readelf.c:13630
        #4 0x48e235 in load_debug_section_with_follow /home/thuan/experiments/binutils-gdb-asan-newest/binutils/dwarf.c:2705
        #5 0x4c188c in load_cu_tu_indexes /home/thuan/experiments/binutils-gdb-asan-newest/binutils/dwarf.c:9410
        #6 0x4c1926 in find_cu_tu_set /home/thuan/experiments/binutils-gdb-asan-newest/binutils/dwarf.c:9429
        #7 0x461fe2 in display_debug_section /home/thuan/experiments/binutils-gdb-asan-newest/binutils/readelf.c:13703
        #8 0x4628ab in process_section_contents /home/thuan/experiments/binutils-gdb-asan-newest/binutils/readelf.c:13796
        #9 0x47c7ba in process_object /home/thuan/experiments/binutils-gdb-asan-newest/binutils/readelf.c:18684
        #10 0x47e9d0 in process_file /home/thuan/experiments/binutils-gdb-asan-newest/binutils/readelf.c:19104
        #11 0x47ed55 in main /home/thuan/experiments/binutils-gdb-asan-newest/binutils/readelf.c:19163
        #12 0x7f863ba9c82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/thuan/experiments/binutils-gdb-asan-newest/binutils/dwarf.c:9290 in process_cu_tu_index
    Shadow bytes around the buggy address:
      0x0c0e7fff9b50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff9b60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff9b70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff9b80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff9b90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    =>0x0c0e7fff9ba0: fa fa 00 00 00 00 00 00 00 00 00[07]fa fa fa fa
      0x0c0e7fff9bb0: 00 00 00 00 00 00 00 00 05 fa fa fa fa fa 00 00
      0x0c0e7fff9bc0: 00 00 00 00 00 00 00 07 fa fa fa fa 00 00 00 00
      0x0c0e7fff9bd0: 00 00 00 00 00 fa fa fa fa fa 00 00 00 00 00 00
      0x0c0e7fff9be0: 00 00 00 fa fa fa fa fa fd fd fd fd fd fd fd fd
      0x0c0e7fff9bf0: fd fd fa fa fa fa 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Heap right redzone:      fb
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack partial redzone:   f4
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
Thanks, Thuan
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=6aea08d9f3e3d6475a65454da488a0c51f5dc97d

commit 6aea08d9f3e3d6475a65454da488a0c51f5dc97d
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Apr 17 12:35:55 2018 +0100

    Fix illegal memory access when parsing corrupt DWARF information.

    	PR 23064
    	* dwarf.c (process_cu_tu_index): Test for a potential buffer overrun before copying signature pointer.
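The report above shows an 8-byte signature read ending one byte past a 79-byte .debug_cu_index buffer, and the fix checks for the overrun before touching the signature. As an added illustration (not binutils code and not the committed patch), here is a stand-alone reader that validates the slot count from the section header against the section length before reading any signature. It assumes the GNU dwp index layout: four little-endian 32-bit header words (version, section count, unit count, slot count), then slot_count 64-bit signatures, then slot_count 32-bit indices; the sample sections, the function names and the 79-byte size are constructed to mirror the report.

```c
/* Added example (not binutils code): bounds-checked reader for the header
   and hash table of a GNU dwp .debug_cu_index section.  Assumed layout:
   four LE 32-bit words (version, section count, unit count, slot count),
   then slot_count 64-bit signatures, then slot_count 32-bit indices; the
   offset/size tables that follow are not parsed here. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
static uint32_t rd32(const unsigned char *p)
{ return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static uint64_t rd64(const unsigned char *p)
{ return (uint64_t)rd32(p) | (uint64_t)rd32(p + 4) << 32; }
static void wr32(unsigned char *p, uint32_t v)
{ for (int i = 0; i < 4; i++) p[i] = (unsigned char)(v >> (8 * i)); }

/* Returns the number of occupied slots (non-zero signature), or -1 when
   the section is too short for the tables its header announces. */
int cu_index_count_used(const unsigned char *sec, size_t len)
{
    if (len < 16)
        return -1;                        /* header itself does not fit */
    uint32_t nslots = rd32(sec + 12);
    /* Each slot needs 8 signature bytes plus 4 index bytes; divide rather
       than multiply so a huge nslots cannot overflow the arithmetic. */
    if (nslots > (len - 16) / 12)
        return -1;                        /* tables would run past the section */
    int used = 0;
    for (uint32_t i = 0; i < nslots; i++)
        if (rd64(sec + 16 + (size_t)i * 8) != 0)   /* in bounds by the check above */
            used++;
    return used;
}

/* Constructed sample mirroring the report: a 79-byte section whose header
   claims 8 slots, so the 8th signature would end at byte 80. */
int example_corrupt(void)
{
    unsigned char sec[79] = {0};
    wr32(sec, 2); wr32(sec + 4, 1); wr32(sec + 8, 1); wr32(sec + 12, 8);
    return cu_index_count_used(sec, sizeof sec);    /* -1: rejected, nothing read */
}
/* Constructed well-formed sample: 2 slots, one signature populated. */
int example_valid(void)
{
    unsigned char sec[16 + 2 * 8 + 2 * 4] = {0};
    wr32(sec, 2); wr32(sec + 4, 1); wr32(sec + 8, 1); wr32(sec + 12, 2);
    memset(sec + 24, 0xab, 8);           /* slot 1 holds a non-zero signature */
    wr32(sec + 32, 1);                   /* its parallel index entry */
    return cu_index_count_used(sec, sizeof sec);    /* 1 */
}
```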
Hi Thuan,

Thanks for reporting this bug. I have checked in a small patch to fix the problem, so I hope that the issue is now resolved.

Cheers
Nick