Bug 26946 - [nm] memory allocation failed
Summary: [nm] memory allocation failed
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils (show other bugs)
Version: 2.35
: P2 normal
Target Milestone: ---
Assignee: Nick Clifton
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-11-25 16:56 UTC by Hao Wang
Modified: 2022-11-11 07:36 UTC (History)
1 user (show)

See Also:
Host:
Target:
Build:
Last reconfirmed: 2020-11-26 00:00:00

Attachments
asan-memory-allocation-failed (15.82 KB, application/x-executable)
2020-11-25 16:56 UTC, Hao Wang 		Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Hao Wang 2020-11-25 16:56:43 UTC 
Created attachment 12997 [details]
asan-memory-allocation-failed

Hello,
I found a crash in nm-new when doing fuzzing experiments. And it can be reproduced in the master branch.

I downloaded source code from git, and I built it with Ubuntu 18.04 with gcc 7.5.0 with ASAN, and the following command to build nm-new from the source:
CFLAGS="-O1 -fsanitize=address -g" ./configure; make clean all;

You can reproduce the crash with the following command:
nm-new -l <attached file>

The AddressSanitizer message of the crash is:
==48823==ERROR: AddressSanitizer failed to allocate 0xff00003000 (1095216672768) bytes of LargeMmapAllocator (error code: 12)
==48823==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/sanitizer_common/sanitizer_common.cc:118 "((0 && "unable to mmap")) != (0)" (0x0, 0x0)
    #0 0x7f78c8f8abf2  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe9bf2)
    #1 0x7f78c8fa9575 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x108575)
    #2 0x7f78c8f94482  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xf3482)
    #3 0x7f78c8fa0895  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xff895)
    #4 0x7f78c8ec97fd  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x287fd)
    #5 0x7f78c8f7fb0a in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb0a)
    #6 0x55fe62a75ec7 in bfd_malloc /home/vul337/programs/psrc/binutils_bk/bfd/libbfd.c:275
    #7 0x55fe62cbddeb in read_section dwarf2.c:566
    #8 0x55fe62ccfae8 in decode_line_info dwarf2.c:2129
    #9 0x55fe62ceb516 in comp_unit_maybe_decode_line_info dwarf2.c:3938
    #10 0x55fe62ceb516 in comp_unit_find_line dwarf2.c:3972
    #11 0x55fe62cf19bf in _bfd_dwarf2_find_nearest_line dwarf2.c:5100
#12 0x55fe62bb81f2 in _bfd_elf_find_line /home/vul337/programs/psrc/binutils_bk/bfd/elf.c:9212
    #13 0x55fe62a1fcfe in print_symbol /home/vul337/programs/psrc/binutils_bk/binutils/nm.c:1031
    #14 0x55fe62a23640 in print_symbols /home/vul337/programs/psrc/binutils_bk/binutils/nm.c:1112
    #15 0x55fe62a23640 in display_rel_file /home/vul337/programs/psrc/binutils_bk/binutils/nm.c:1236
    #16 0x55fe62a261d3 in display_file /home/vul337/programs/psrc/binutils_bk/binutils/nm.c:1403
    #17 0x55fe62a1b237 in main /home/vul337/programs/psrc/binutils_bk/binutils/nm.c:1891
    #18 0x7f78c88cdbf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
    #19 0x55fe62a1d3c9 in _start (/home/vul337/programs/nm_master/nm-new+0xad3c9)
Comment 1 Sourceware Commits 2020-11-26 17:09:26 UTC 
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=647cebce12a6b0a26960220caff96ff38978cf24

commit 647cebce12a6b0a26960220caff96ff38978cf24
Author: Nick Clifton <nickc@redhat.com>
Date:   Thu Nov 26 17:08:33 2020 +0000

    Prevent a memory allocation failure when parsing corrupt DWARF debug sections.
    
            PR 26946
            * dwarf2.c (read_section): Check for debug sections with excessive
            sizes.
Comment 2 Nick Clifton 2020-11-26 17:19:03 UTC 
Hi Hao,

  Thanks for reporting this problem.  I have now checked in a patch to
  fix the BFD library, so that it will now issue this warning:

     nm: DWARF error: section .debug_abbrev is larger than its filesize! (0xff0000040b vs 0xaf58)

Cheers
  Nick
Comment 3 Sourceware Commits 2022-11-11 07:36:22 UTC 
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f7502dfe3f99d09fba2fc49f806ccc6b0a18c06d

commit f7502dfe3f99d09fba2fc49f806ccc6b0a18c06d
Author: Alan Modra <amodra@gmail.com>
Date:   Fri Nov 11 13:43:42 2022 +1030

    PR28834, PR26946 sanity checking section size
    
    This patch provides a new function to sanity check section sizes.
    It's mostly extracted from what we had in bfd_get_full_section_contents
    but also handles compressed debug sections.
    Improvements are:
    - section file offset is taken into account,
    - added checks that a compressed section can be read from file.
    
    The function is then used when handling multiple .debug_* sections
    that need to be read into a single buffer, to sanity check sizes
    before allocating the buffer.
    
            PR 26946, PR 28834
            * Makefile.am (LIBBFD_H_FILES): Add section.c.
            * compress.c (bfd_get_full_section_contents): Move section size
            sanity checks..
            * section.c (_bfd_section_size_insane): ..to here.  New function.
            * dwarf2.c (read_section): Use _bfd_section_size_insane.
            (_bfd_dwarf2_slurp_debug_info): Likewise.
            * Makefile.in: Regenerate.
            * libbfd.h: Regenerate.