Bug 26240 - Heap overflow in libbfd.c
Summary: Heap overflow in libbfd.c
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils (show other bugs)
Version: 2.36
: P2 normal
Target Milestone: ---
Assignee: Nick Clifton
URL:
Keywords:
: 26241 (view as bug list)
Depends on:
Blocks:
 
Reported: 2020-07-14 13:15 UTC by Heqing HUANG
Modified: 2020-07-15 12:33 UTC (History)
1 user (show)

See Also:
Host:
Target:
Build:
Last reconfirmed: 2020-07-15 00:00:00

Attachments
POC input (183 bytes, application/x-ms-dos-executable)
2020-07-14 13:15 UTC, Heqing HUANG 		Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Heqing HUANG 2020-07-14 13:15:22 UTC 
Created attachment 12699 [details]
POC input

Hi, there.

There is a heap overflow in the newest version of Binutils, libbfd.c

To reproduce,
run 
nm-new -C -a -l --synthetic poc 

Here is the trace reported by ASAN:
==15754==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61300000dfe8 at pc 0x00000045d9b3 bp 0x7ffe098a7ae0 sp 0x7ffe098a7ad0
READ of size 4 at 0x61300000dfe8 thread T0
    #0 0x45d9b2 in bfd_getl32 ../../bfd/libbfd.c:643
    #1 0x7c741a in _bfd_pex64i_swap_aux_in /mnt/data/playground/binutils-gdb/build/bfd/peXXigen.c:328
    #2 0x7857f2 in coff_get_normalized_symtab ../../bfd/coffgen.c:1830
    #3 0x7a4e04 in coff_slurp_symbol_table ../../bfd/coffcode.h:4494
    #4 0x770538 in coff_get_symtab_upper_bound ../../bfd/coffgen.c:411
    #5 0x47a425 in _bfd_generic_read_minisymbols ../../bfd/syms.c:802
    #6 0x40e9fd in display_rel_file ../../binutils/nm.c:1126
    #7 0x4123cb in display_file ../../binutils/nm.c:1393
    #8 0x407e93 in main ../../binutils/nm.c:1874
    #9 0x7f08d02fa82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #10 0x409e98 in _start (/mnt/data/playground/binutils-gdb/build/binutils/nm-new+0x409e98)

0x61300000dfe8 is located 0 bytes to the right of 360-byte region [0x61300000de80,0x61300000dfe8)
allocated by thread T0 here:
    #0 0x7f08d0940662 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98662)
    #1 0x45bff7 in bfd_malloc ../../bfd/libbfd.c:275

SUMMARY: AddressSanitizer: heap-buffer-overflow ../../bfd/libbfd.c:643 bfd_getl32
Shadow bytes around the buggy address:
  0x0c267fff9ba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff9bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff9bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff9bd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c267fff9be0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c267fff9bf0: 00 00 00 00 00 00 00 00 00 00 00 00 00[fa]fa fa
  0x0c267fff9c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff9c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff9c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff9c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff9c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==15754==ABORTING
Comment 1 Nick Clifton 2020-07-15 09:01:27 UTC 
Investigating...
Comment 2 Nick Clifton 2020-07-15 10:16:46 UTC 
Fixed - it was an off-by-one error in the check to make sure that the buffer containing the auxillary symbol data was not overrun.
Comment 3 Nick Clifton 2020-07-15 12:33:14 UTC 
*** Bug 26241 has been marked as a duplicate of this bug. ***