Bug 29925 - Memory leak in find_abstract_instance
Summary: Memory leak in find_abstract_instance
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils
Version: 2.39
: P2 normal
Target Milestone: 2.40
Assignee: Alan Modra
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-12-21 08:10 UTC by 邓朋
Modified: 2022-12-21 21:53 UTC
0 users

See Also:
Host:
Target:
Build:
Last reconfirmed: 2022-12-21 00:00:00


Attachments
PoC to replay the vulnerability (7.80 KB, application/x-object)
2022-12-21 08:10 UTC, 邓朋

Description 邓朋 2022-12-21 08:10:12 UTC
Created attachment 14534 [details]
PoC to replay the vulnerability

#Summary
There is a memory leak vulnerability in nm-new, which can be triggered by a crafted ELF file.

#Verification
git clone git://sourceware.org/git/binutils-gdb.git
CC="clang -fsanitize=address" CXX="clang++ -fsanitize=address" ./configure --disable-shared && make -j$(nproc)
./binutils/nm-new -A -a -l -S -s --special-syms --synthetic --with-symbol-versions -D poc

#ASAN
poc:0000000000001948 t ./binutils/nm-new: BFD (GNU Binutils) 2.39.50.20221221 assertion fail ./dwarf2.c:5044

poc:0000000000000000 0000000000000064 d __afl_area_ptr./binutils/nm-new: DWARF error: offset (4278190080) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (25115) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (1612316672) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (472973653) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (8192596) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (72417564) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (4278190080) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (16973824) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (355469056) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: could not find abbrev number 126975
./binutils/nm-new: DWARF error: could not find variable specification at offset 0x113
./binutils/nm-new: DWARF error: could not find abbrev number 991
./binutils/nm-new: DWARF error: could not find variable specification at offset 0x114
./binutils/nm-new: DWARF error: offset (25115) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (1612316672) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (472973653) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (8192596) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (72417564) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (4278190080) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (25115) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (1612316672) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (472973653) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (8192596) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (72417564) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (4278190080) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (16973824) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (355469056) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: could not find abbrev number 126975
./binutils/nm-new: DWARF error: could not find variable specification at offset 0x113
./binutils/nm-new: DWARF error: could not find abbrev number 991
./binutils/nm-new: DWARF error: could not find variable specification at offset 0x114
./binutils/nm-new: DWARF error: offset (25115) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (1612316672) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (472973653) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (8192596) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (72417564) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (4278190080) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (25115) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (1612316672) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (472973653) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (8192596) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (72417564) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (4278190080) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (16973824) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (355469056) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: could not find abbrev number 126975
./binutils/nm-new: DWARF error: could not find variable specification at offset 0x113
./binutils/nm-new: DWARF error: could not find abbrev number 991
./binutils/nm-new: DWARF error: could not find variable specification at offset 0x114
./binutils/nm-new: DWARF error: offset (25115) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (1612316672) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (472973653) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (8192596) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (72417564) greater than or equal to .debug_str size (1224)

poc:0000000000001c2e t __afl_die
poc:0000000000000010 0000000000000004 d __afl_fork_pid
poc:0000000000001b49 t __afl_fork_resume
poc:0000000000001a8b t __afl_forkserver
poc:0000000000001ab1 0000000000000064 t __afl_fork_wait_loop
poc:0000000000000008 0000000000000008 C __afl_global_area_ptr
poc:0000000000001920 t __afl_maybe_log
poc:e900000000000008 0000000000000007 d __afl_prev_loc
poc:0000000000001950 t __afl_setup
poc:0000000000000018 0000000000000001 d __afl_setup_failure
poc:0000000000001971 t __afl_setup_first
poc:0000000000001d07 t .AFL_SHM_ENV
poc:0000000000001930 t __afl_store
poc:0000000000000014 0000000000000004 d __afl_temp
poc:0000000000001d07 t .AFL_VARS
poc:                 U atoi
poc:0000000000001750 00000000000001c9 T CatPath
poc:                 U close
poc:0000000000000000 d .data
poc:0000000000000000 N .debug_abbrev    st_rdev/paths.c:25
poc:0000000000000000 N .debug_aranges   st_rdev/paths.c:25
poc:0000000000000000 N .debug_info      st_rdev/paths.c:25
poc:0000000000000000 N .debug_info
poc:0000000000000000 N .debug_info
poc:0000000000000000 N .debug_line      st_rdev/paths.c:25
poc:0000000000000000 N .debug_str       st_rdev/paths.c:25
poc:0000000000000000 0000000000001741 T EnsurePathExists        st_rdev/paths.c:25
poc:                 U etenv
poc:                 U _exit
poc:                 U __fprintf_chk
poc:                 U getenv
poc:                 U _GLOBAL_OFFSET_TABLE_
poc:0000000000000000 b .gnu.linkonce.wi..8      st_rdev/paths.c:36
poc:0000000000001c36 t I~afl_setup_abort
poc:                 U intf_chk
poc:0000000000000000 r linkonce.wi..8
poc:0000000000000080 t linkonce.wi..8
poc:                 U mkdi�
poc:0000000000000000 n .note.GNU-stack  st_rdev/paths.c:25
poc:0000000000000000 a paths.c
poc:0000000000000000 A read
poc:0000000000000000 N .rela.debug_aranges      st_rdev/paths.c:25
poc:0000000000000000 a .rela.debug_line
poc:                 U __stack_chk_fail
poc:                 U stderr
poc:                 U __stpcpy_chk
poc:                 U strcat
poc:                 U strcpy
poc:                 U strlen
poc:0000000000000000 t .text    st_rdev/paths.c:25
poc:                 U waitpid
poc:                 U write
poc:                 U __xstat

=================================================================
==40988==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 63 byte(s) in 3 object(s) allocated from:
    #0 0x493fed in malloc (/binutils-gdb/binutils/nm-new+0x493fed)
    #1 0x4e3683 in bfd_malloc /binutils-gdb/bfd/libbfd.c:289:9
    #2 0x5f7141 in comp_unit_find_line /binutils-gdb/bfd/./dwarf2.c:4733:8

SUMMARY: AddressSanitizer: 63 byte(s) leaked in 3 allocation(s).

#Environment
Ubuntu 18.04
clang 10.0.0
Comment 1 Sourceware Commits 2022-12-21 21:28:40 UTC
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d28fbc7197ba0e021a43f873eff90b05dcdcff6a

commit d28fbc7197ba0e021a43f873eff90b05dcdcff6a
Author: Alan Modra <amodra@gmail.com>
Date:   Wed Dec 21 21:40:12 2022 +1030

    PR29925, Memory leak in find_abstract_instance
    
    The testcase in the PR had a variable with both DW_AT_decl_file and
    DW_AT_specification, where the DW_AT_specification also specified
    DW_AT_decl_file.  This leads to a memory leak as the file name is
    malloced and duplicates are not expected.
    
    I've also changed find_abstract_instance to not use a temp for "name",
    because that can result in a change in behaviour from the usual last
    of duplicate attributes wins.
    
            PR 29925
            * dwarf2.c (find_abstract_instance): Delete "name" variable.
            Free *filename_ptr before assigning new file name.
            (scan_unit_for_symbols): Similarly free func->file and
            var->file before assigning.
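The duplicate-attribute situation the commit message describes, shown as an added illustration that is not BFD's own code: a constructed attribute walk in which DW_AT_decl_file appears on a variable DIE and again on the DIE that its DW_AT_specification references. The walk before the fix overwrites the malloced file-name pointer on the second occurrence; the fixed walk frees the previous name before assigning, which keeps the usual "last duplicate attribute wins" result without leaking. The attr struct, the enum values, scan_leaky, scan_fixed, run_scan and the live-allocation counter are all assumptions of this example, not BFD identifiers.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed attribute kinds: a stand-in for the DWARF attribute codes
   named in the commit message, not BFD's real encoding. */
enum attr_kind { ATTR_DECL_FILE, ATTR_SPECIFICATION, ATTR_END };

struct attr {
  enum attr_kind kind;
  const char *file;        /* ATTR_DECL_FILE: the file name */
  const struct attr *ref;  /* ATTR_SPECIFICATION: attributes of the referenced DIE */
};

/* Number of file-name allocations still live; lets a caller observe a leak. */
static int live_allocs = 0;

static char *dup_name(const char *s) {
  char *p = malloc(strlen(s) + 1);
  if (p) { strcpy(p, s); live_allocs++; }
  return p;
}

static void free_name(char *p) {
  if (p) { free(p); live_allocs--; }
}

/* Pattern before the fix: every DW_AT_decl_file stores a freshly malloced
   name into *filename_ptr, so a second occurrence (reached here through
   DW_AT_specification) drops the first pointer without freeing it. */
static void scan_leaky(const struct attr *attrs, char **filename_ptr) {
  for (; attrs->kind != ATTR_END; attrs++) {
    switch (attrs->kind) {
    case ATTR_DECL_FILE:
      *filename_ptr = dup_name(attrs->file);
      break;
    case ATTR_SPECIFICATION:
      scan_leaky(attrs->ref, filename_ptr);
      break;
    default:
      break;
    }
  }
}

/* Same walk with the fix the commit describes: release the previous name
   before assigning, so the last duplicate still wins but nothing leaks. */
static void scan_fixed(const struct attr *attrs, char **filename_ptr) {
  for (; attrs->kind != ATTR_END; attrs++) {
    switch (attrs->kind) {
    case ATTR_DECL_FILE:
      free_name(*filename_ptr);
      *filename_ptr = dup_name(attrs->file);
      break;
    case ATTR_SPECIFICATION:
      scan_fixed(attrs->ref, filename_ptr);
      break;
    default:
      break;
    }
  }
}

/* Constructed input: a variable DIE carrying DW_AT_decl_file plus a
   DW_AT_specification whose target also carries DW_AT_decl_file. */
static const struct attr spec_die[] = {
  { ATTR_DECL_FILE, "spec.c", NULL },
  { ATTR_END, NULL, NULL },
};
static const struct attr var_die[] = {
  { ATTR_DECL_FILE, "var.c", NULL },
  { ATTR_SPECIFICATION, NULL, spec_die },
  { ATTR_END, NULL, NULL },
};

static char last_file[64];

/* Run the leaky (use_fix == 0) or fixed walk over var_die, record the final
   file name in last_file, release it, and return how many allocations are
   still live: 0 means nothing leaked. */
int run_scan(int use_fix) {
  char *name = NULL;
  live_allocs = 0;
  if (use_fix) scan_fixed(var_die, &name); else scan_leaky(var_die, &name);
  snprintf(last_file, sizeof last_file, "%s", name ? name : "");
  free_name(name);
  return live_allocs;
}

const char *last_scanned_file(void) { return last_file; }

int main(void) {
  printf("leaky: %d leaked, final file %s\n", run_scan(0), last_scanned_file());
  printf("fixed: %d leaked, final file %s\n", run_scan(1), last_scanned_file());
  return 0;
}
```

Both walks end with the same file name, which is the point of the fix: correcting the leak does not change which duplicate wins, only that the earlier allocation is released before the pointer is overwritten.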
Comment 2 Alan Modra 2022-12-21 21:53:34 UTC
Fixed