Created attachment 12700 [details]
POC input

Hi, there.

There is a heap overflow in the newest version of Binutils, libbfd.c

To reproduce, run

    nm-new -C -a -l --synthetic poc

Here is the trace reported by ASAN:

=================================================================
==8125==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62700001bfc8 at pc 0x7f800e15dc4c bp 0x7fffc72c76e0 sp 0x7fffc72c6e88
WRITE of size 40 at 0x62700001bfc8 thread T0
    #0 0x7f800e15dc4b in __asan_memset (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8cc4b)
    #1 0x7c7375 in memset /usr/include/x86_64-linux-gnu/bits/string3.h:90
    #2 0x7c7375 in _bfd_pex64i_swap_aux_in /mnt/data/playground/binutils-gdb/build/bfd/peXXigen.c:299
    #3 0x7857f2 in coff_get_normalized_symtab ../../bfd/coffgen.c:1830
    #4 0x7a4e04 in coff_slurp_symbol_table ../../bfd/coffcode.h:4494
    #5 0x770538 in coff_get_symtab_upper_bound ../../bfd/coffgen.c:411
    #6 0x47a425 in _bfd_generic_read_minisymbols ../../bfd/syms.c:802
    #7 0x40e9fd in display_rel_file ../../binutils/nm.c:1126
    #8 0x4123cb in display_file ../../binutils/nm.c:1393
    #9 0x407e93 in main ../../binutils/nm.c:1874
    #10 0x7f800db2382f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #11 0x409e98 in _start (/mnt/data/playground/binutils-gdb/build/binutils/nm-new+0x409e98)

0x62700001bfc8 is located 8 bytes to the right of 14016-byte region [0x627000018900,0x62700001bfc0)
allocated by thread T0 here:
    #0 0x7f800e169662 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98662)
    #1 0x9471cc in _objalloc_alloc ../../libiberty/objalloc.c:143

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memset
Shadow bytes around the buggy address:
  0x0c4e7fffb7a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4e7fffb7b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4e7fffb7c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4e7fffb7d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4e7fffb7e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4e7fffb7f0: 00 00 00 00 00 00 00 00 fa[fa]fa fa fa fa fa fa
  0x0c4e7fffb800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4e7fffb810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4e7fffb820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4e7fffb830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4e7fffb840: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==8125==ABORTING
I am not sure whether this case happens due to the system library or the code in binutils. I am also looking forward to your feedback.
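The trace above shows a 40-byte memset from the aux-entry swapper landing 8 bytes past the end of a 14016-byte objalloc region that holds the normalized symbol table. The example below is an added, stand-alone model of that class of bug and of the check a parser needs; it is not libbfd code, it does not claim to be the fix applied for the PR named in the next comment, and the `model_sym` struct, `parse_symtab`, `build_table` and `run_model` names are all hypothetical. Only the 18-byte COFF symbol/aux record size is taken from the real format. The point it demonstrates: when the number of auxiliary records (`n_numaux`) is read from the file, the slots the aux loop writes into (`out[i+1 .. i+numaux]`) must be checked against the declared symbol count before the loop runs, otherwise a symbol near the end of the table with an inflated aux count walks the writes off the end of the output buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* From the COFF layout: raw symbol and aux records are both 18 bytes,
   and n_numaux is the last byte of a symbol record.  Everything else in
   this file is a hypothetical model, not libbfd's own code. */
#define SYMESZ 18

struct model_sym {
    char     name[9];
    uint32_t value;
    int16_t  scnum;
    uint8_t  numaux;
    int      is_aux;          /* 1 if this slot holds a raw aux record */
    uint8_t  aux[SYMESZ];
};

/* Parse a raw table of `len` bytes whose header claims `nsyms` records into
   `out` (capacity `out_cap`).  Returns the number of slots consumed, or -1
   if the table is malformed.  The check that matters is the one on
   i + 1 + numaux: without it the aux loop below writes past out[nsyms-1],
   which under ASan looks like the heap-buffer-overflow in the report. */
int parse_symtab(const uint8_t *raw, size_t len, uint32_t nsyms,
                 struct model_sym *out, size_t out_cap)
{
    if ((uint64_t)nsyms * SYMESZ > len || nsyms > out_cap)
        return -1;                    /* header claims more than the file holds */

    uint32_t i = 0;
    while (i < nsyms) {
        const uint8_t *rec = raw + (size_t)i * SYMESZ;
        struct model_sym *s = &out[i];
        memset(s, 0, sizeof *s);
        memcpy(s->name, rec, 8);
        s->value  = (uint32_t)rec[8] | (uint32_t)rec[9] << 8 |
                    (uint32_t)rec[10] << 16 | (uint32_t)rec[11] << 24;
        s->scnum  = (int16_t)(rec[12] | rec[13] << 8);
        s->numaux = rec[17];

        /* Bounds check on the file-supplied aux count. */
        if ((uint64_t)i + 1 + s->numaux > nsyms)
            return -1;

        for (unsigned a = 0; a < s->numaux; a++) {
            struct model_sym *ax = &out[i + 1 + a];
            memset(ax, 0, sizeof *ax);   /* the kind of write ASan flagged */
            ax->is_aux = 1;
            memcpy(ax->aux, rec + (size_t)(a + 1) * SYMESZ, SYMESZ);
        }
        i += 1 + s->numaux;
    }
    return (int)i;
}

/* Constructed input: `nrec` well-formed records, with the last symbol's
   n_numaux set to `numaux_last` (an inflated value models the bad case). */
size_t build_table(uint8_t *buf, size_t cap, uint32_t nrec, uint8_t numaux_last)
{
    if (nrec == 0 || (size_t)nrec * SYMESZ > cap)
        return 0;
    memset(buf, 0, (size_t)nrec * SYMESZ);
    for (uint32_t i = 0; i < nrec; i++) {
        uint8_t *rec = buf + (size_t)i * SYMESZ;
        memcpy(rec, "sym", 3);
        rec[3]  = (uint8_t)('0' + i % 10);
        rec[8]  = (uint8_t)i;         /* n_value, little-endian low byte */
        rec[12] = 1;                  /* n_scnum = 1 */
    }
    buf[(size_t)(nrec - 1) * SYMESZ + 17] = numaux_last;
    return (size_t)nrec * SYMESZ;
}

/* Build a 4-record table whose last symbol claims `numaux_last` aux records
   and parse it with a header count of `claimed`. */
int run_model(uint8_t numaux_last, uint32_t claimed)
{
    uint8_t raw[SYMESZ * 4];
    struct model_sym out[4];
    size_t len = build_table(raw, sizeof raw, 4, numaux_last);
    return parse_symtab(raw, len, claimed, out, 4);
}

int main(void)
{
    printf("well-formed table      -> %d\n", run_model(0, 4));   /* 4 */
    printf("last symbol numaux=1   -> %d\n", run_model(1, 4));   /* -1 */
    printf("header count too large -> %d\n", run_model(0, 5));   /* -1 */
    return 0;
}
```

The second case is the shape of the reported crash: the final symbol record says it is followed by one aux record, there is none, and an unchecked loop would memset the slot just past the end of the allocation. Rejecting the table (or clamping the count) before the loop is what keeps the write inside the region.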
It turns out that this bug is due to the same problem that was reported in PR 26241 and it is fixed by the patch applied for that PR. *** This bug has been marked as a duplicate of bug 26240 ***