Bug 24229 - nm: heap buffer overflow
Summary: nm: heap buffer overflow
Status: RESOLVED MOVED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils (show other bugs)
Version: 2.33 (HEAD)
: P2 critical
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-02-18 12:46 UTC by spinpx
Modified: 2019-02-19 09:08 UTC (History)
1 user (show)

See Also:
Host:
Target:
Build:
Last reconfirmed:


Attachments
inputs that trigger bugs (2.47 KB, application/zip)
2019-02-18 12:46 UTC, spinpx
Details

Note You need to log in before you can comment on or make changes to this bug.
Description spinpx 2019-02-18 12:46:24 UTC
Created attachment 11612 [details]
inputs that trigger bugs

- Intel Xeon Gold 5118 processors and 256 GB memory
- Linux n18-065-139 4.19.0-1-amd64 #1 SMP Debian 4.19.12-1 (2018-12-22) x86_64 GNU/Linux
- clang version 4.0.0 (tags/RELEASE_400/final)
- version: commit commit 388a192d73df7439bf375d8b8042bb53a6be9c60
- run: nm -C input_file   (We attached the inputs that trigger the bug)
- asan report:
==2003322==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60e0000000d8 at pc 0x0000008957c6 bp 0x7ffdf2e36340 sp 0x7ffdf2e36338
READ of size 1 at 0x60e0000000d8 thread T0
    #0 0x8957c5 in d_expression_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3356:12
    #1 0x896370 in d_expression_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3449:16
    #2 0x896210 in d_expression_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #3 0x896210 in d_expression_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #4 0x896210 in d_expression_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #5 0x896210 in d_expression_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #6 0x896210 in d_expression_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #7 0x896210 in d_expression_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #8 0x896210 in d_expression_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #9 0x896210 in d_expression_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #10 0x896210 in d_expression_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #11 0x896210 in d_expression_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #12 0x896210 in d_expression_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #13 0x896210 in d_expression_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #14 0x896210 in d_expression_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #15 0x896370 in d_expression_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3449:16
    #16 0x896210 in d_expression_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #17 0x896210 in d_expression_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #18 0x896210 in d_expression_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #19 0x896210 in d_expression_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #20 0x896370 in d_expression_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3449:16
    #21 0x896210 in d_expression_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #22 0x896210 in d_expression_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #23 0x896210 in d_expression_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #24 0x896210 in d_expression_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #25 0x89610c in d_expression_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3416:18
    #26 0x896210 in d_expression_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #27 0x896210 in d_expression_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #28 0x896210 in d_expression_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #29 0x896210 in d_expression_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #30 0x896210 in d_expression_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #31 0x896210 in d_expression_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #32 0x896210 in d_expression_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #33 0x896210 in d_expression_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #34 0x896210 in d_expression_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #35 0x896210 in d_expression_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #36 0x896210 in d_expression_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #37 0x896210 in d_expression_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #38 0x896210 in d_expression_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #39 0x896210 in d_expression_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #40 0x896210 in d_expression_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #41 0x896210 in d_expression_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #42 0x896210 in d_expression_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #43 0x896210 in d_expression_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #44 0x896210 in d_expression_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #45 0x896210 in d_expression_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #46 0x896210 in d_expression_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #47 0x896210 in d_expression_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #48 0x896210 in d_expression_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #49 0x896210 in d_expression_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #50 0x896370 in d_expression_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3449:16
    #51 0x889158 in d_expression /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3531:9
    #52 0x887a7d in d_array_type /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3011:13
    #53 0x883aa8 in cplus_demangle_type /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:2463:13
    #54 0x893cf5 in d_parmlist /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:2908:14
    #55 0x88e7a5 in d_bare_function_type /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:2962:8
    #56 0x8828eb in d_encoding /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:1343:16
    #57 0x88200d in cplus_demangle_mangled_name /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:1234:7
    #58 0x88c408 in d_demangle_callback /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:6292:7
    #59 0x88b8e6 in d_demangle /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:6343:12
    #60 0x88b753 in cplus_demangle_v3 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:6500:10
    #61 0x87f020 in cplus_demangle /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cplus-dem.c:165:13
    #62 0x517028 in bfd_demangle /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/bfd.c:2254:9
    #63 0x4f4214 in print_symname /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/nm.c:423:19
    #64 0x4f2e4e in print_symbol_info_bsd /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/nm.c:1565:3
    #65 0x4f9c36 in print_symbol /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/nm.c:903:3
    #66 0x4f7844 in print_symbols /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/nm.c:1102:7
    #67 0x4f5d3a in display_rel_file /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/nm.c:1215:5
    #68 0x4f2356 in display_file /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/nm.c:1335:7
    #69 0x4f1a97 in main /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/nm.c:1816:12
    #70 0x7f5777ae909a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    #71 0x41d5e9 in _start (/mnt/raid/user/chenpeng/FuzzingBench/build/asan/install/bin/nm+0x41d5e9)

0x60e0000000d8 is located 0 bytes to the right of 152-byte region [0x60e000000040,0x60e0000000d8)
allocated by thread T0 here:
    #0 0x4c42dc in malloc /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66:3
    #1 0x52e4c5 in bfd_malloc /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/libbfd.c:275:9
    #2 0x516f6d in bfd_demangle /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/bfd.c:2246:24
    #3 0x4f4214 in print_symname /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/nm.c:423:19
    #4 0x4f2e4e in print_symbol_info_bsd /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/nm.c:1565:3
    #5 0x4f9c36 in print_symbol /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/nm.c:903:3
    #6 0x4f7844 in print_symbols /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/nm.c:1102:7
    #7 0x4f5d3a in display_rel_file /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/nm.c:1215:5
    #8 0x4f2356 in display_file /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/nm.c:1335:7
    #9 0x4f1a97 in main /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/nm.c:1816:12
    #10 0x7f5777ae909a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)

SUMMARY: AddressSanitizer: heap-buffer-overflow /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3356:12 in d_expression_1
Shadow bytes around the buggy address:
  0x0c1c7fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1c7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1c7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1c7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1c7fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
=>0x0c1c7fff8010: 00 00 00 00 00 00 00 00 00 00 00[fa]fa fa fa fa
  0x0c1c7fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1c7fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1c7fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1c7fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1c7fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2003322==ABORTING
Comment 1 Nick Clifton 2019-02-18 16:53:26 UTC
Hi spinpx,

  Thanks for reporting this bug.  Unfortunately the problem is in the 
  libiberty library which is maintained by the gcc project, rather than
  the binutils project.  So please could you report this bug here:

https://gcc.gnu.org/bugzilla/enter_bug.cgi?product=gcc

Cheers
  Nick
Comment 2 spinpx 2019-02-19 08:25:41 UTC
report on gcc: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=89395
Comment 3 spinpx 2019-02-19 09:08:00 UTC
It can be reproduced in commit c72e75a64030b0f6535a80481f37968ad55c333a (Feb 19 2019).