Bug 29922 - Huge memoy allocation in nm
Summary: Huge memoy allocation in nm
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils (show other bugs)
Version: 2.39
: P2 normal
Target Milestone: 2.40
Assignee: Alan Modra
Depends on:
Reported: 2022-12-20 12:05 UTC by 邓朋
Modified: 2022-12-21 07:33 UTC (History)
0 users

See Also:
Last reconfirmed: 2022-12-20 00:00:00

POC (7.93 KB, application/x-object)
2022-12-20 12:05 UTC, 邓朋
proposed fix (632 bytes, patch)
2022-12-20 13:21 UTC, Alan Modra
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description 邓朋 2022-12-20 12:05:43 UTC
Created attachment 14528 [details]

There is a huge memory allocation vulnerability in nm-new, which can be triggered by a craft elf file.

git clone git://sourceware.org/git/binutils-gdb.git
CC="clang -fsanitize=address" CXX="clang++ -fsanitize=address" ./configure --disable-shared && make -j$(nproc)
./binutils/nm-new -A -a -l -S -s --special-syms --synthetic --with-symbol-versions -D poc

./binutils/nm-new: poc: invalid string offset 2147483648 >= 472 for section `.ung.ab'
./binutils/nm-new: poc: invalid string offset 32768 >= 472 for section `.ung.ab'
./binutils/nm-new: poc: invalid string offset 65280 >= 472 for section `.ung.ab'
./binutils/nm-new: poc: invalid string offset 4076863487 >= 472 for section `.ung.ab'
./binutils/nm-new: poc: invalid string offset 65408 >= 472 for section `.ung.ab'
poc:0000000000050000 a 
poc:                 U 
poc:                 U 
poc:                 U 
poc:                 U 
poc:                 U 
poc:                 U 
poc:                 U 
poc:                 U 
poc:                 U 
poc:0000000000130003 a 
poc:                 U 
poc:                 U 
poc:                 U 
poc:                 U 
poc:                 U 
poc:                 U 
poc:                 U 
poc:                 U 
poc:                 U 
poc:                 U 
poc:                 U 
poc:                 U 
poc:                 U 
poc:                 U 
poc:                 U 
poc:                 U 
poc:0000000000000008 0000000000000008 C __afl_global_area_ptr
poc:0000000000000650 00000000e8ff00c9 T CatPath./binutils/nm-new: BFD (GNU Binutils) assertion fail ./dwarf2.c:5038
./binutils/nm-new: BFD (GNU Binutils) assertion fail ./dwarf2.c:5038
==7488==ERROR: AddressSanitizer: allocator is out of memory trying to allocate 0x5100001e69 bytes
    #0 0x493fed in malloc (/binutils-gdb/binutils/nm-new+0x493fed)
    #1 0x4e3683 in bfd_malloc /binutils-gdb/bfd/libbfd.c:289:9
    #2 0x5f4d44 in _bfd_dwarf2_find_nearest_line_with_alt /binutils-gdb/bfd/./dwarf2.c:5777:9
    #3 0x5f4b7b in _bfd_dwarf2_find_nearest_line /binutils-gdb/bfd/./dwarf2.c:5717:10
    #4 0x4c8224 in print_symbols /binutils-gdb/binutils/nm.c:1403:7
    #5 0x4c8224 in display_rel_file /binutils-gdb/binutils/nm.c:1530:5
    #6 0x4c4b42 in display_file /binutils-gdb/binutils/nm.c:1680:7
    #7 0x4c3f0d in main /binutils-gdb/binutils/nm.c:2197:12
    #8 0x7f36e8907c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310

==7488==HINT: if you don't care about these errors you may set allocator_may_return_null=1
SUMMARY: AddressSanitizer: out-of-memory (/binutils-gdb/binutils/nm-new+0x493fed) in malloc

Ubuntu 18.04
clang 10.0.0
Comment 1 Alan Modra 2022-12-20 13:21:33 UTC
Created attachment 14529 [details]
proposed fix
Comment 2 Sourceware Commits 2022-12-21 07:30:17 UTC
The master branch has been updated by Alan Modra <amodra@sourceware.org>:


commit 8f2c64de86bc3d7556121fe296dd679000283931
Author: Alan Modra <amodra@gmail.com>
Date:   Tue Dec 20 23:47:03 2022 +1030

    PR29922, SHT_NOBITS section avoids section size sanity check
            PR 29922
            * dwarf2.c (find_debug_info): Ignore sections without
Comment 3 Alan Modra 2022-12-21 07:33:16 UTC