Bug 29482 - strip: heap-buffer-overflow in coff_set_section_contents
Summary: strip: heap-buffer-overflow in coff_set_section_contents
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils
Version: 2.40
Importance: P2 normal
Target Milestone: 2.40
Assignee: Alan Modra
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-08-13 05:15 UTC by tricker51449
Modified: 2022-08-13 06:54 UTC

See Also:
Host:
Target:
Build:
Last reconfirmed:


Attachments
Crash input (89 bytes, application/octet-stream)
2022-08-13 05:15 UTC, tricker51449

Description tricker51449 2022-08-13 05:15:22 UTC
Created attachment 14274
Crash input

Hi, binutils developers

Recently, I tested the binary strip instrumented with ASAN. Unfortunately, it incurred a crash with the following error information and I'm not sure of the cause.

The crash can be triggered in the latest binutils-gdb version:

https://github.com/bminor/binutils-gdb/commits/master
commit: 901dd67d0d68ac5e0be145d137533f03de495272

Any help would be greatly appreciated from you :D

Thanks & Best Regards


# ./binutils/strip -o out_file strip_crash_input

=================================================================
==130497==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000f1 at pc 0x556dbdbf5de5 bp 0x7ffee7a158c0 sp 0x7ffee7a158b8
READ of size 1 at 0x6020000000f1 thread T0
    #0 0x556dbdbf5de4 in bfd_getl32 (/workspace/test/binutils-gdb/binutils/strip-new+0x25fde4) (BuildId: 35a9c6af570fac13ead5254910cec2f0379f6e81)
    #1 0x556dbde98083 in coff_set_section_contents pe-x86_64.c
    #2 0x556dbdc01038 in bfd_set_section_contents (/workspace/test/binutils-gdb/binutils/strip-new+0x26b038) (BuildId: 35a9c6af570fac13ead5254910cec2f0379f6e81)
    #3 0x556dbdb7303c in copy_section objcopy.c
    #4 0x556dbdc00aaa in bfd_map_over_sections (/workspace/test/binutils-gdb/binutils/strip-new+0x26aaaa) (BuildId: 35a9c6af570fac13ead5254910cec2f0379f6e81)
    #5 0x556dbdb69abb in copy_object objcopy.c
    #6 0x556dbdb6400f in copy_file objcopy.c
    #7 0x556dbdb5e2d6 in strip_main objcopy.c
    #8 0x556dbdb5d661 in main (/workspace/test/binutils-gdb/binutils/strip-new+0x1c7661) (BuildId: 35a9c6af570fac13ead5254910cec2f0379f6e81)
    #9 0x7f515d81ed8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)
    #10 0x7f515d81ee3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)
    #11 0x556dbda9f5b4 in _start (/workspace/test/binutils-gdb/binutils/strip-new+0x1095b4) (BuildId: 35a9c6af570fac13ead5254910cec2f0379f6e81)

0x6020000000f1 is located 0 bytes to the right of 1-byte region [0x6020000000f0,0x6020000000f1)
allocated by thread T0 here:
    #0 0x556dbdb223fe in __interceptor_malloc (/workspace/test/binutils-gdb/binutils/strip-new+0x18c3fe) (BuildId: 35a9c6af570fac13ead5254910cec2f0379f6e81)
    #1 0x556dbdbf4e22 in bfd_malloc (/workspace/test/binutils-gdb/binutils/strip-new+0x25ee22) (BuildId: 35a9c6af570fac13ead5254910cec2f0379f6e81)
    #2 0x556dbdbe4d40 in bfd_get_full_section_contents (/workspace/test/binutils-gdb/binutils/strip-new+0x24ed40) (BuildId: 35a9c6af570fac13ead5254910cec2f0379f6e81)
    #3 0x556dbdb727db in copy_section objcopy.c
    #4 0x556dbdc00aaa in bfd_map_over_sections (/workspace/test/binutils-gdb/binutils/strip-new+0x26aaaa) (BuildId: 35a9c6af570fac13ead5254910cec2f0379f6e81)
    #5 0x556dbdb69abb in copy_object objcopy.c
    #6 0x556dbdb6400f in copy_file objcopy.c
    #7 0x556dbdb5e2d6 in strip_main objcopy.c
    #8 0x556dbdb5d661 in main (/workspace/test/binutils-gdb/binutils/strip-new+0x1c7661) (BuildId: 35a9c6af570fac13ead5254910cec2f0379f6e81)
    #9 0x7f515d81ed8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/workspace/test/binutils-gdb/binutils/strip-new+0x25fde4) (BuildId: 35a9c6af570fac13ead5254910cec2f0379f6e81) in bfd_getl32
==130497==ABORTING
Comment 1 Sourceware Commits 2022-08-13 06:53:06 UTC
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ef186fe54aa6d281a3ff8a9528417e5cc614c797

commit ef186fe54aa6d281a3ff8a9528417e5cc614c797
Author: Alan Modra <amodra@gmail.com>
Date:   Sat Aug 13 15:32:47 2022 +0930

    PR29482 - strip: heap-buffer-overflow
    
            PR 29482
            * coffcode.h (coff_set_section_contents): Sanity check _LIB.
Comment 2 Alan Modra 2022-08-13 06:54:47 UTC
Fixed for 2.40
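The ASan report above is a 4-byte read (bfd_getl32) from a 1-byte section buffer, and the fix commit describes itself as a sanity check on the _LIB section. As an added illustration, not the binutils code or the committed patch, here is a bounds-checked walker for the record layout this example assumes for _LIB: records run back to back, each starting with a 32-bit little-endian length counted in 4-byte words. The function names and the sample buffers are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Little-endian 32-bit read in the style of bfd_getl32.  The caller must
   guarantee that 4 bytes are readable at p; this helper does not check. */
static uint32_t getl32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Assumed layout (hypothetical model of a COFF _LIB section): each record
   begins with a 32-bit word count covering the whole record, including the
   count itself.  An unchecked walk of the form
       while (rec < recend) rec += getl32(rec) * 4;
   reads 4 bytes even when only 1 byte remains (the crash above), never
   advances on a zero length, and jumps far past recend on a large one.
   Returns the number of records, or -1 if the buffer is malformed. */
long count_lib_records(const unsigned char *buf, size_t count)
{
    const unsigned char *rec = buf, *recend = buf + count;
    long nrecs = 0;

    while (rec < recend)
    {
        /* A full length word must be present before it is read. */
        if ((size_t)(recend - rec) < 4)
            return -1;
        uint32_t words = getl32(rec);
        /* Zero would loop forever; more words than remain would overrun. */
        if (words == 0 || words > (size_t)(recend - rec) / 4)
            return -1;
        rec += (size_t)words * 4;
        nrecs++;
    }
    return nrecs;
}

int main(void)
{
    /* Constructed inputs: two well-formed records (2 words, then 1 word),
       and a 1-byte buffer like the one in the ASan report. */
    static const unsigned char good[] = { 2,0,0,0, 0xAA,0xBB,0xCC,0xDD, 1,0,0,0 };
    static const unsigned char one_byte[] = { 0x07 };
    printf("good: %ld records\n", count_lib_records(good, sizeof good));
    printf("one byte: %ld\n", count_lib_records(one_byte, sizeof one_byte));
    return 0;
}
```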