Created attachment 14534
PoC to replay the vulnerability

#Summary
There is a memory leak vulnerability in nm-new, which can be triggered by a crafted ELF file.

#Verification
git clone git://sourceware.org/git/binutils-gdb.git
CC="clang -fsanitize=address" CXX="clang++ -fsanitize=address" ./configure --disable-shared && make -j$(nproc)
./binutils/nm-new -A -a -l -S -s --special-syms --synthetic --with-symbol-versions -D poc

#ASAN
poc:0000000000001948 t
./binutils/nm-new: BFD (GNU Binutils) 2.39.50.20221221 assertion fail ./dwarf2.c:5044
poc:0000000000000000 0000000000000064 d __afl_area_ptr
./binutils/nm-new: DWARF error: offset (4278190080) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (25115) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (1612316672) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (472973653) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (8192596) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (72417564) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (4278190080) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (16973824) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (355469056) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: could not find abbrev number 126975
./binutils/nm-new: DWARF error: could not find variable specification at offset 0x113
./binutils/nm-new: DWARF error: could not find abbrev number 991
./binutils/nm-new: DWARF error: could not find variable specification at offset 0x114
./binutils/nm-new: DWARF error: offset (25115) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (1612316672) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (472973653) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (8192596) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (72417564) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (4278190080) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (25115) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (1612316672) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (472973653) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (8192596) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (72417564) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (4278190080) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (16973824) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (355469056) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: could not find abbrev number 126975
./binutils/nm-new: DWARF error: could not find variable specification at offset 0x113
./binutils/nm-new: DWARF error: could not find abbrev number 991
./binutils/nm-new: DWARF error: could not find variable specification at offset 0x114
./binutils/nm-new: DWARF error: offset (25115) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (1612316672) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (472973653) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (8192596) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (72417564) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (4278190080) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (25115) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (1612316672) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (472973653) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (8192596) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (72417564) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (4278190080) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (16973824) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (355469056) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: could not find abbrev number 126975
./binutils/nm-new: DWARF error: could not find variable specification at offset 0x113
./binutils/nm-new: DWARF error: could not find abbrev number 991
./binutils/nm-new: DWARF error: could not find variable specification at offset 0x114
./binutils/nm-new: DWARF error: offset (25115) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (1612316672) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (472973653) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (8192596) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (72417564) greater than or equal to .debug_str size (1224)
poc:0000000000001c2e t __afl_die
poc:0000000000000010 0000000000000004 d __afl_fork_pid
poc:0000000000001b49 t __afl_fork_resume
poc:0000000000001a8b t __afl_forkserver
poc:0000000000001ab1 0000000000000064 t __afl_fork_wait_loop
poc:0000000000000008 0000000000000008 C __afl_global_area_ptr
poc:0000000000001920 t __afl_maybe_log
poc:e900000000000008 0000000000000007 d __afl_prev_loc
poc:0000000000001950 t __afl_setup
poc:0000000000000018 0000000000000001 d __afl_setup_failure
poc:0000000000001971 t __afl_setup_first
poc:0000000000001d07 t .AFL_SHM_ENV
poc:0000000000001930 t __afl_store
poc:0000000000000014 0000000000000004 d __afl_temp
poc:0000000000001d07 t .AFL_VARS
poc: U atoi
poc:0000000000001750 00000000000001c9 T CatPath
poc: U close
poc:0000000000000000 d .data
poc:0000000000000000 N .debug_abbrev st_rdev/paths.c:25
poc:0000000000000000 N .debug_aranges st_rdev/paths.c:25
poc:0000000000000000 N .debug_info st_rdev/paths.c:25
poc:0000000000000000 N .debug_info
poc:0000000000000000 N .debug_info
poc:0000000000000000 N .debug_line st_rdev/paths.c:25
poc:0000000000000000 N .debug_str st_rdev/paths.c:25
poc:0000000000000000 0000000000001741 T EnsurePathExists st_rdev/paths.c:25
poc: U etenv
poc: U _exit
poc: U __fprintf_chk
poc: U getenv
poc: U _GLOBAL_OFFSET_TABLE_
poc:0000000000000000 b .gnu.linkonce.wi..8 st_rdev/paths.c:36
poc:0000000000001c36 t I~afl_setup_abort
poc: U intf_chk
poc:0000000000000000 r linkonce.wi..8
poc:0000000000000080 t linkonce.wi..8
poc: U mkdi�
poc:0000000000000000 n .note.GNU-stack st_rdev/paths.c:25
poc:0000000000000000 a paths.c
poc:0000000000000000 A read
poc:0000000000000000 N .rela.debug_aranges st_rdev/paths.c:25
poc:0000000000000000 a .rela.debug_line
poc: U __stack_chk_fail
poc: U stderr
poc: U __stpcpy_chk
poc: U strcat
poc: U strcpy
poc: U strlen
poc:0000000000000000 t .text st_rdev/paths.c:25
poc: U waitpid
poc: U write
poc: U __xstat

=================================================================
==40988==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 63 byte(s) in 3 object(s) allocated from:
    #0 0x493fed in malloc (/binutils-gdb/binutils/nm-new+0x493fed)
    #1 0x4e3683 in bfd_malloc /binutils-gdb/bfd/libbfd.c:289:9
    #2 0x5f7141 in comp_unit_find_line /binutils-gdb/bfd/./dwarf2.c:4733:8

SUMMARY: AddressSanitizer: 63 byte(s) leaked in 3 allocation(s).

#Environment
Ubuntu 18.04
clang 10.0.0
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d28fbc7197ba0e021a43f873eff90b05dcdcff6a

commit d28fbc7197ba0e021a43f873eff90b05dcdcff6a
Author: Alan Modra <amodra@gmail.com>
Date:   Wed Dec 21 21:40:12 2022 +1030

    PR29925, Memory leak in find_abstract_instance

    The testcase in the PR had a variable with both DW_AT_decl_file and
    DW_AT_specification, where the DW_AT_specification also specified
    DW_AT_decl_file.  This leads to a memory leak as the file name is
    malloced and duplicates are not expected.  I've also changed
    find_abstract_instance to not use a temp for "name", because that can
    result in a change in behaviour from the usual last of duplicate
    attributes wins.

        PR 29925
        * dwarf2.c (find_abstract_instance): Delete "name" variable.
        Free *filename_ptr before assigning new file name.
        (scan_unit_for_symbols): Similarly free func->file and var->file
        before assigning.
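The commit above describes the leak in terms of DWARF attributes: a DIE carries DW_AT_decl_file and also DW_AT_specification, and the specification DIE carries its own DW_AT_decl_file, so the malloced file name is assigned twice and the first copy is never freed. The C program below is an added example written for this page, not code from the bug report or from binutils. It models that situation with a constructed two-DIE testcase and hypothetical names (attr_kind, struct die, resolve_decl_file, run_case); the AT_DECL_FILE and AT_SPECIFICATION enumerators stand in for the real DW_AT_* codes. A live-allocation counter makes the leak visible without a sanitizer, and the fixed variant applies the commit's remedy of freeing *filename_ptr before assigning the new name, which keeps the "last duplicate wins" behaviour.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for DW_AT_decl_file / DW_AT_specification. */
enum attr_kind { AT_DECL_FILE, AT_SPECIFICATION };

struct attr {
  enum attr_kind kind;
  const char *file;            /* file name for AT_DECL_FILE, else NULL */
};

/* Minimal DIE model: an attribute list plus the DIE that an
   AT_SPECIFICATION attribute refers to. */
struct die {
  const struct attr *attrs;
  size_t nattrs;
  const struct die *spec;
};

/* Allocation bookkeeping so the leak is observable in a plain test. */
static int live_allocs;

static char *dup_file_name(const char *s) {
  size_t n = strlen(s) + 1;
  char *p = malloc(n);
  if (p == NULL) { perror("malloc"); exit(1); }
  memcpy(p, s, n);
  live_allocs++;
  return p;
}

static void free_file_name(char *p) {
  if (p != NULL) { free(p); live_allocs--; }
}

/* Walk a DIE's attributes, following AT_SPECIFICATION into the referenced
   DIE, and leave the last AT_DECL_FILE seen in *filename_ptr (last wins).
   fixed == 0 overwrites the previous name without freeing it (the leak the
   commit describes); fixed != 0 frees it first, as the fix does. */
static void resolve_decl_file(const struct die *d, char **filename_ptr, int fixed) {
  for (size_t i = 0; i < d->nattrs; i++) {
    const struct attr *a = &d->attrs[i];
    switch (a->kind) {
    case AT_SPECIFICATION:
      if (d->spec != NULL)
        resolve_decl_file(d->spec, filename_ptr, fixed);
      break;
    case AT_DECL_FILE:
      if (fixed)
        free_file_name(*filename_ptr);
      *filename_ptr = dup_file_name(a->file);
      break;
    default:
      break;
    }
  }
}

/* Constructed testcase: a variable DIE with both AT_DECL_FILE and
   AT_SPECIFICATION, whose specification DIE also has AT_DECL_FILE.
   Copies the resolved name into out and returns how many allocations are
   still live after the result has been released (0 means no leak). */
int run_case(int fixed, char *out, size_t outsz) {
  static const struct attr spec_attrs[] = { { AT_DECL_FILE, "spec.c" } };
  static const struct die spec_die = { spec_attrs, 1, NULL };
  static const struct attr var_attrs[] = {
    { AT_DECL_FILE, "var.c" },           /* constructed sample value */
    { AT_SPECIFICATION, NULL },
  };
  static const struct die var_die = { var_attrs, 2, &spec_die };

  live_allocs = 0;
  char *name = NULL;
  resolve_decl_file(&var_die, &name, fixed);
  snprintf(out, outsz, "%s", name != NULL ? name : "");
  free_file_name(name);
  return live_allocs;
}

/* Small wrappers so each result can be checked as a single return value. */
int leaked_allocs(int fixed) {
  char buf[64];
  return run_case(fixed, buf, sizeof buf);
}

int resolved_file_is(int fixed, const char *expected) {
  char buf[64];
  run_case(fixed, buf, sizeof buf);
  return strcmp(buf, expected) == 0;
}

int main(void) {
  char buf[64];
  int leaked = run_case(0, buf, sizeof buf);
  printf("leaky: file=%s leaked=%d\n", buf, leaked);   /* spec.c, 1 */
  leaked = run_case(1, buf, sizeof buf);
  printf("fixed: file=%s leaked=%d\n", buf, leaked);   /* spec.c, 0 */
  return 0;
}
```

Both variants resolve the same file name, so the fix changes nothing about what nm reports; only the leaked copy of the earlier name disappears. The same discipline applies to the func->file and var->file assignments the ChangeLog entry mentions: any field that owns a malloced string must release the old value before taking a new one, because a crafted input can repeat an attribute as many times as it likes.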
Fixed