Bug 26946 - [nm] memory allocation failed
Summary: [nm] memory allocation failed
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils
Version: 2.35
: P2 normal
Target Milestone: ---
Assignee: Nick Clifton
Depends on:
Reported: 2020-11-25 16:56 UTC by Hao Wang
Modified: 2022-11-11 07:36 UTC

See Also:
Last reconfirmed: 2020-11-26 00:00:00

asan-memory-allocation-failed (15.82 KB, application/x-executable)
2020-11-25 16:56 UTC, Hao Wang

Description Hao Wang 2020-11-25 16:56:43 UTC
Created attachment 12997

I found a crash in nm-new while doing fuzzing experiments; it can also be reproduced on the master branch.

I downloaded the source code from git and built it on Ubuntu 18.04 with gcc 7.5.0 and ASAN, using the following command to build nm-new from the source:
CFLAGS="-O1 -fsanitize=address -g" ./configure; make clean all;

You can reproduce the crash with the following command:
nm-new -l <attached file>

The AddressSanitizer message of the crash is:
==48823==ERROR: AddressSanitizer failed to allocate 0xff00003000 (1095216672768) bytes of LargeMmapAllocator (error code: 12)
==48823==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/sanitizer_common/sanitizer_common.cc:118 "((0 && "unable to mmap")) != (0)" (0x0, 0x0)
    #0 0x7f78c8f8abf2  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe9bf2)
    #1 0x7f78c8fa9575 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x108575)
    #2 0x7f78c8f94482  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xf3482)
    #3 0x7f78c8fa0895  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xff895)
    #4 0x7f78c8ec97fd  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x287fd)
    #5 0x7f78c8f7fb0a in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb0a)
    #6 0x55fe62a75ec7 in bfd_malloc /home/vul337/programs/psrc/binutils_bk/bfd/libbfd.c:275
    #7 0x55fe62cbddeb in read_section dwarf2.c:566
    #8 0x55fe62ccfae8 in decode_line_info dwarf2.c:2129
    #9 0x55fe62ceb516 in comp_unit_maybe_decode_line_info dwarf2.c:3938
    #10 0x55fe62ceb516 in comp_unit_find_line dwarf2.c:3972
    #11 0x55fe62cf19bf in _bfd_dwarf2_find_nearest_line dwarf2.c:5100
    #12 0x55fe62bb81f2 in _bfd_elf_find_line /home/vul337/programs/psrc/binutils_bk/bfd/elf.c:9212
    #13 0x55fe62a1fcfe in print_symbol /home/vul337/programs/psrc/binutils_bk/binutils/nm.c:1031
    #14 0x55fe62a23640 in print_symbols /home/vul337/programs/psrc/binutils_bk/binutils/nm.c:1112
    #15 0x55fe62a23640 in display_rel_file /home/vul337/programs/psrc/binutils_bk/binutils/nm.c:1236
    #16 0x55fe62a261d3 in display_file /home/vul337/programs/psrc/binutils_bk/binutils/nm.c:1403
    #17 0x55fe62a1b237 in main /home/vul337/programs/psrc/binutils_bk/binutils/nm.c:1891
    #18 0x7f78c88cdbf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
    #19 0x55fe62a1d3c9 in _start (/home/vul337/programs/nm_master/nm-new+0xad3c9)
Comment 1 Sourceware Commits 2020-11-26 17:09:26 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:


commit 647cebce12a6b0a26960220caff96ff38978cf24
Author: Nick Clifton <nickc@redhat.com>
Date:   Thu Nov 26 17:08:33 2020 +0000

    Prevent a memory allocation failure when parsing corrupt DWARF debug sections.
            PR 26946
            * dwarf2.c (read_section): Check for debug sections with excessive
Comment 2 Nick Clifton 2020-11-26 17:19:03 UTC
Hi Hao,

  Thanks for reporting this problem.  I have now checked in a patch to
  fix the BFD library, so that it will now issue this warning:

     nm: DWARF error: section .debug_abbrev is larger than its filesize! (0xff0000040b vs 0xaf58)

Comment 3 Sourceware Commits 2022-11-11 07:36:22 UTC
The master branch has been updated by Alan Modra <amodra@sourceware.org>:


commit f7502dfe3f99d09fba2fc49f806ccc6b0a18c06d
Author: Alan Modra <amodra@gmail.com>
Date:   Fri Nov 11 13:43:42 2022 +1030

    PR28834, PR26946 sanity checking section size
    This patch provides a new function to sanity check section sizes.
    It's mostly extracted from what we had in bfd_get_full_section_contents
    but also handles compressed debug sections.
    Improvements are:
    - section file offset is taken into account,
    - added checks that a compressed section can be read from file.
    The function is then used when handling multiple .debug_* sections
    that need to be read into a single buffer, to sanity check sizes
    before allocating the buffer.
            PR 26946, PR 28834
            * Makefile.am (LIBBFD_H_FILES): Add section.c.
            * compress.c (bfd_get_full_section_contents): Move section size
            sanity checks..
            * section.c (_bfd_section_size_insane): ..to here.  New function.
            * dwarf2.c (read_section): Use _bfd_section_size_insane.
            (_bfd_dwarf2_slurp_debug_info): Likewise.
            * Makefile.in: Regenerate.
            * libbfd.h: Regenerate.
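The check that both fixes describe (Nick Clifton's warning in comment 2 that a section is "larger than its filesize", and Alan Modra's commit in comment 3 that also accounts for the section's file offset and validates all sizes before a single buffer is allocated) can be illustrated with a small stand-alone model. This is an added example written for this page, not BFD's own _bfd_section_size_insane or read_section; the type section_hdr and the functions section_size_insane and total_debug_size are hypothetical names, the numbers 0xff0000040b and 0xaf58 are taken from the warning quoted in comment 2, and the rule that the summed sizes may not exceed the file is an extra restriction this example adds beyond what the commit message states.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, minimal view of a section header: only the fields the
   size sanity check needs.  Not BFD's asection.  */
typedef struct {
    const char *name;
    uint64_t filepos;   /* offset of the section contents within the file */
    uint64_t size;      /* size claimed by the section header */
} section_hdr;

/* Returns true when the section cannot possibly be read from a file of
   `filesize` bytes: its claimed size exceeds the file, or its offset plus
   size runs past the end of the file.  The second test is written so that
   filepos + size cannot wrap around in 64-bit arithmetic.  Refusing to
   allocate in this case is what stops a corrupt header from driving the
   huge malloc seen in the reporter's ASAN trace.  */
bool section_size_insane(const section_hdr *sec, uint64_t filesize)
{
    if (sec->size > filesize)
        return true;
    /* Overflow-safe form of: sec->filepos + sec->size > filesize.  */
    if (sec->filepos > filesize - sec->size)
        return true;
    return false;
}

/* Models reading several .debug_* sections into one buffer: every size is
   validated before anything is allocated.  Returns the buffer size to
   allocate, or 0 if any section is insane or the total cannot fit in the
   file (the latter is an extra rule chosen for this example).  */
uint64_t total_debug_size(const section_hdr *secs, size_t n, uint64_t filesize)
{
    uint64_t total = 0;
    for (size_t i = 0; i < n; i++) {
        if (section_size_insane(&secs[i], filesize)) {
            fprintf(stderr,
                    "DWARF error: section %s is larger than its filesize! "
                    "(0x%" PRIx64 " vs 0x%" PRIx64 ")\n",
                    secs[i].name, secs[i].size, filesize);
            return 0;
        }
        /* Each size is <= filesize, and total is kept <= filesize, so the
           addition below cannot overflow.  */
        total += secs[i].size;
        if (total > filesize)
            return 0;
    }
    return total;
}

int main(void)
{
    /* Constructed inputs: the file size and the corrupt .debug_abbrev size
       from comment 2, plus a small well-formed section for contrast.  */
    const uint64_t filesize = 0xaf58;
    section_hdr corrupt[] = {
        { ".debug_info",   0x1000, 0x200 },
        { ".debug_abbrev", 0x1200, 0xff0000040bULL },
    };
    section_hdr sane[] = {
        { ".debug_info",   0x1000, 0x200 },
        { ".debug_abbrev", 0x1200, 0x100 },
    };

    uint64_t n1 = total_debug_size(corrupt, 2, filesize);
    uint64_t n2 = total_debug_size(sane, 2, filesize);
    printf("corrupt file: allocate 0x%" PRIx64 " bytes (0 = refused)\n", n1);
    printf("sane file:    allocate 0x%" PRIx64 " bytes\n", n2);
    return 0;
}
```

The order of operations is the point: sizes are compared against what the file can physically contain, and the offset is included so that a section whose size alone looks plausible but which starts near the end of the file is also rejected, all before any buffer is requested from malloc.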