Created attachment 14502 [details]
PoC

# Reproduce

```bash
cd binutils-gdb
git reset --hard f2f58a399cf3f946983398cdfe52d0eaa72bf877
mkdir build && cd build
../configure --disable-gdb --disable-gdbserver --disable-gdbsupport --disable-libdecnumber --disable-readline --disable-sim --disable-libbacktrace --disable-gas --disable-ld --disable-werror --enable-targets=all CPPFLAGS=-DDEBUG CFLAGS="-g -O0 -fsanitize=address"
make all-binutils MAKEINFO=true
binutils/addr2line -e poc.bin 0
```

# Output

```
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 255
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 128
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 240
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 240
binutils/addr2line: unknown source command 120
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 104
binutils/addr2line: unknown source command 240
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 9
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 26
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 34
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 25
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
binutils/addr2line: unknown source command 0
=================================================================
==174046==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61a000000b81 at pc 0x55e9176f5340 bp 0x7ffc0efeec00 sp 0x7ffc0efeebf0
READ of size 1 at 0x61a000000b81 thread T0
    #0 0x55e9176f533f in parse_module ../../bfd/vms-alpha.c:4449
    #1 0x55e9176f6fad in module_find_nearest_line ../../bfd/vms-alpha.c:4902
    #2 0x55e9176f7911 in _bfd_vms_find_nearest_line ../../bfd/vms-alpha.c:4982
    #3 0x55e917123b1e in find_address_in_section ../../binutils/addr2line.c:197
    #4 0x55e91713ef43 in bfd_map_over_sections ../../bfd/section.c:1366
    #5 0x55e9171248eb in translate_addresses ../../binutils/addr2line.c:337
    #6 0x55e917124fbc in process_file ../../binutils/addr2line.c:470
    #7 0x55e9171255b1 in main ../../binutils/addr2line.c:579
    #8 0x7fa2acad1d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #9 0x7fa2acad1e3f in __libc_start_main_impl ../csu/libc-start.c:392
    #10 0x55e917123244 in _start (/binutils-gdb/build/binutils/addr2line+0x343244)

0x61a000000b81 is located 1 bytes to the right of 1280-byte region [0x61a000000680,0x61a000000b80)
allocated by thread T0 here:
    #0 0x7fa2acd84867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x55e9171358d5 in bfd_malloc ../../bfd/libbfd.c:289
    #2 0x55e9176e013a in _bfd_malloc_and_read ../../bfd/libbfd.h:970
    #3 0x55e9176f6f77 in module_find_nearest_line ../../bfd/vms-alpha.c:4896
    #4 0x55e9176f7911 in _bfd_vms_find_nearest_line ../../bfd/vms-alpha.c:4982
    #5 0x55e917123b1e in find_address_in_section ../../binutils/addr2line.c:197
    #6 0x55e91713ef43 in bfd_map_over_sections ../../bfd/section.c:1366
    #7 0x55e9171248eb in translate_addresses ../../binutils/addr2line.c:337
    #8 0x55e917124fbc in process_file ../../binutils/addr2line.c:470
    #9 0x55e9171255b1 in main ../../binutils/addr2line.c:579
    #10 0x7fa2acad1d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: heap-buffer-overflow ../../bfd/vms-alpha.c:4449 in parse_module
Shadow bytes around the buggy address:
  0x0c347fff8120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff8130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff8140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff8150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff8160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c347fff8170:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fff8180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fff8190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fff81a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fff81b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fff81c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==174046==ABORTING
Aborted (core dumped)
```

# Analysis

`src_ptr[0]` is accessed[1], but `src_ptr` is only ensured to be smaller than `ptr + rec_length`. However, `rec_length` can be controlled by file content[2] and can be larger than the actual buffer size. Therefore, an out-of-bounds read can occur.

[1] https://github.com/bminor/binutils-gdb/blob/85f9067d3a47d51a46ba369c60fdec752da0f885/bfd/vms-alpha.c#L4449
[2] https://github.com/bminor/binutils-gdb/blob/85f9067d3a47d51a46ba369c60fdec752da0f885/bfd/vms-alpha.c#L4372
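Added example, not part of the report and not binutils code: a small C walker over a constructed length-prefixed record format that reproduces the pattern the analysis describes (the payload loop is bounded only by `ptr + rec_length`, and `rec_length` is taken from the file) next to a hardened form that checks `rec_length` against the bytes actually remaining before deriving any pointer from it. The record layout, the function names (`walk_unchecked`, `walk_checked`) and the sample bytes are all constructed for illustration and are not the OpenVMS DST format or anything from vms-alpha.c. The unchecked walker is handed a backing array larger than the declared length so that its overread can be counted instead of crashing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record layout for this example, NOT the real DST format:
 * 2-byte little-endian length counting the whole record, 1-byte type,
 * then payload. */
#define REC_HDR_LEN 3

enum parse_status {
    PARSE_OK = 0,
    PARSE_TRUNCATED,   /* fewer bytes left than a header needs */
    PARSE_BAD_LENGTH,  /* length field smaller than the header itself */
    PARSE_OVERRUN      /* length field reaches past the end of the buffer */
};

struct parse_stats {
    size_t records;         /* records whose payload was walked */
    size_t bytes_past_end;  /* payload reads beyond `len`; must be 0 */
};

static uint16_t rd_le16(const unsigned char *p)
{
    return (uint16_t)(p[0] | ((unsigned)p[1] << 8));
}

/* The pattern from the report: src_ptr is checked only against
 * ptr + rec_length, and rec_length comes straight from the file. */
static enum parse_status
walk_unchecked(const unsigned char *buf, size_t len, struct parse_stats *st)
{
    const unsigned char *ptr = buf, *end = buf + len;

    memset(st, 0, sizeof *st);
    while (ptr + REC_HDR_LEN <= end) {
        uint16_t rec_length = rd_le16(ptr);
        const unsigned char *src_ptr, *rec_end;

        if (rec_length < REC_HDR_LEN)
            return PARSE_BAD_LENGTH;
        src_ptr = ptr + REC_HDR_LEN;
        rec_end = ptr + rec_length;       /* file-controlled, never validated */
        while (src_ptr < rec_end) {       /* the only bound on src_ptr */
            if (src_ptr >= end)
                st->bytes_past_end++;     /* the read ASan flags in the PoC */
            (void)src_ptr[0];
            src_ptr++;
        }
        st->records++;
        ptr = rec_end;
    }
    return PARSE_OK;
}

/* Hardened form: reject rec_length before any pointer is derived from it. */
static enum parse_status
walk_checked(const unsigned char *buf, size_t len, struct parse_stats *st)
{
    const unsigned char *ptr = buf, *end = buf + len;

    memset(st, 0, sizeof *st);
    while (ptr < end) {
        uint16_t rec_length;
        const unsigned char *src_ptr, *rec_end;

        if ((size_t)(end - ptr) < REC_HDR_LEN)
            return PARSE_TRUNCATED;
        rec_length = rd_le16(ptr);
        if (rec_length < REC_HDR_LEN)
            return PARSE_BAD_LENGTH;
        if (rec_length > (size_t)(end - ptr))
            return PARSE_OVERRUN;         /* claims bytes the buffer lacks */
        src_ptr = ptr + REC_HDR_LEN;
        rec_end = ptr + rec_length;       /* now known to be <= end */
        while (src_ptr < rec_end) {
            (void)src_ptr[0];
            src_ptr++;
        }
        st->records++;
        ptr = rec_end;
    }
    return PARSE_OK;
}

/* Constructed input: a 16-byte "file" holding one sane 5-byte record and a
 * second record whose length field claims 48 bytes.  The 64-byte backing
 * array gives the unchecked walker real memory to overrun. */
static const unsigned char g_backing[64] = {
    0x05, 0x00, 0x01, 0xAA, 0xBB,                 /* rec 1: len 5, type 1 */
    0x30, 0x00, 0x02, 0xCC, 0xDD, 0xEE, 0xFF,     /* rec 2: len 48, type 2 */
    0x11, 0x22, 0x33, 0x44,
};
#define FILE_LEN 16

/* Bytes the unchecked walker reads beyond the declared 16-byte length. */
size_t demo_unchecked_overread(void)
{
    struct parse_stats st;
    walk_unchecked(g_backing, FILE_LEN, &st);
    return st.bytes_past_end;
}

/* Status the hardened walker returns on the same input. */
enum parse_status demo_checked_status(void)
{
    struct parse_stats st;
    return walk_checked(g_backing, FILE_LEN, &st);
}

int main(void)
{
    printf("unchecked: %zu bytes read past the buffer\n", demo_unchecked_overread());
    printf("checked:   status %d (3 = PARSE_OVERRUN)\n", (int)demo_checked_status());
    return 0;
}
```

The second record claims 48 bytes starting at offset 5, so the unchecked loop reads offsets 8 through 52 and 37 of those lie past the declared length; on a heap allocation of exactly 16 bytes that is the heap-buffer-overflow ASan reports. The checked walker compares the same length field against `end - ptr` first and refuses the record without touching its payload. Note that the check has to run against the size actually read from the file, which is why the fix also passes the section size down to `parse_module` rather than relying on a sentinel length.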
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=77c225bdeb410cf60da804879ad41622f5f1aa44

commit 77c225bdeb410cf60da804879ad41622f5f1aa44
Author: Alan Modra <amodra@gmail.com>
Date:   Mon Dec 12 18:28:49 2022 +1030

    Lack of bounds checking in vms-alpha.c parse_module

        PR 29873
        PR 29874
        PR 29875
        PR 29876
        PR 29877
        PR 29878
        PR 29879
        PR 29880
        PR 29881
        PR 29882
        PR 29883
        PR 29884
        PR 29885
        PR 29886
        PR 29887
        PR 29888
        PR 29889
        PR 29890
        PR 29891
        * vms-alpha.c (parse_module): Make length param bfd_size_type.
        Delete length == -1 checks.  Sanity check record_length.
        Sanity check DST__K_MODBEG, DST__K_RTNBEG, DST__K_RTNEND lengths.
        Sanity check DST__K_SOURCE and DST__K_LINE_NUM elements before
        accessing.
        (build_module_list): Pass dst_section size to parse_module.