Created attachment 11423 [details]
malicious input that triggers the heap overflow

A heap overflow bug in the 32-bit version of nm-new.

=================================================================
==12375==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf3c038e3 at pc 0x083308a6 bp 0xffe81b48 sp 0xffe81b3c
WRITE of size 8 at 0xf3c038e3 thread T0
    #0 0x83308a5 in bfd_elf32_swap_phdr_in /home/dongdong/binutils_exp/binutils-2.30/bfd/./elfcode.h:367:20
    #1 0x83308a5 in bfd_elf32_object_p /home/dongdong/binutils_exp/binutils-2.30/bfd/./elfcode.h:792
    #2 0x81a4d64 in bfd_check_format_matches /home/dongdong/binutils_exp/binutils-2.30/bfd/format.c:311:14
    #3 0x8182def in display_file /home/dongdong/binutils_exp/binutils-2.30/binutils/nm.c:1321:12
    #4 0x8182140 in main /home/dongdong/binutils_exp/binutils-2.30/binutils/nm.c:1799:12
    #5 0xf758f636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #6 0x806d480 in _start (/home/dongdong/binutils_exp/binutils-2.30_32/binutils/nm-new+0x806d480)

0xf3c038e3 is located 3 bytes to the right of 4064-byte region [0xf3c02900,0xf3c038e0)
allocated by thread T0 here:
    #0 0x813dfbf in malloc /local/dongdong/llvm/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146
    #1 0x85246a9 in objalloc_create /home/dongdong/binutils_exp/binutils-2.30/libiberty/./objalloc.c:95:23
    #2 0x8182140 in main /home/dongdong/binutils_exp/binutils-2.30/binutils/nm.c:1799:12
    #3 0xf758f636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/dongdong/binutils_exp/binutils-2.30/bfd/./elfcode.h:367:20 in bfd_elf32_swap_phdr_in
==12375==ABORTING
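As an added example (not binutils code and not the attached patch), this shows the checks a loader for untrusted ELF32 input needs before it allocates and fills a program-header table: the count-times-entry-size computation is tested for wraparound before the multiplication, and the table is checked against the file length before any header is decoded. Whether this is the exact root cause behind the report above is not stated on this page; the example assumes little-endian input and uses hypothetical names (phdr_table_bytes, parse_phdrs, demo_sample).

```c
#include <stdint.h>
#include <stdlib.h>
#define PHDR32_SIZE 32u   /* on-disk size of an Elf32_Phdr */
struct phdr32 { uint32_t p_type, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags, p_align; };

static uint32_t rd32le(const uint8_t *p)   /* unaligned little-endian read */
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Bytes needed for the program-header table, or 0 when the geometry is unusable:
   count * entry size would wrap size_t (the 32-bit host case), the entry size
   cannot hold a header, or the table would run past end of file. */
size_t phdr_table_bytes(uint32_t e_phnum, uint32_t e_phentsize, uint32_t e_phoff, size_t file_len)
{
    if (e_phnum == 0 || e_phentsize < PHDR32_SIZE)
        return 0;
    if ((size_t)e_phnum > SIZE_MAX / e_phentsize)   /* test before multiplying */
        return 0;
    size_t bytes = (size_t)e_phnum * e_phentsize;
    if (e_phoff > file_len || bytes > file_len - e_phoff)
        return 0;
    return bytes;
}

/* Decodes e_phnum headers into out[]; returns the count, or -1 when the geometry
   is rejected or out[] is too small. Nothing is written until both checks pass. */
int parse_phdrs(const uint8_t *file, size_t file_len, uint32_t e_phoff, uint32_t e_phnum,
                uint32_t e_phentsize, struct phdr32 *out, size_t max_out)
{
    if (phdr_table_bytes(e_phnum, e_phentsize, e_phoff, file_len) == 0 || e_phnum > max_out)
        return -1;
    for (uint32_t i = 0; i < e_phnum; i++) {
        const uint8_t *p = file + e_phoff + (size_t)i * e_phentsize;
        out[i].p_type   = rd32le(p);      out[i].p_offset = rd32le(p + 4);
        out[i].p_vaddr  = rd32le(p + 8);  out[i].p_paddr  = rd32le(p + 12);
        out[i].p_filesz = rd32le(p + 16); out[i].p_memsz  = rd32le(p + 20);
        out[i].p_flags  = rd32le(p + 24); out[i].p_align  = rd32le(p + 28);
    }
    return (int)e_phnum;
}

/* Constructed sample: a 64-byte "file" holding two headers at offset 0. */
int demo_sample(void)
{
    uint8_t file[64] = {0};
    file[0] = 1; file[32] = 2;             /* p_type = PT_LOAD, then PT_DYNAMIC */
    struct phdr32 out[2];
    int n = parse_phdrs(file, sizeof file, 0, 2, PHDR32_SIZE, out, 2);
    return (n == 2 && out[0].p_type == 1 && out[1].p_type == 2) ? n : -1;
}
```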
Created attachment 11424 [details]
Proposed patch
I have checked in the attached patch (as commit 5f60af5d24d) to fix this bug.