Bug 29988 - AddressSanitizer: heap-buffer-overflow /binutils-gdb/bfd/libbfd.c:784 in bfd_getl64
Summary: AddressSanitizer: heap-buffer-overflow /binutils-gdb/bfd/libbfd.c:784 in bfd_...
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils (show other bugs)
Version: 2.40
: P2 normal
Target Milestone: ---
Assignee: Nick Clifton
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-01-11 10:00 UTC by 曾思維
Modified: 2023-03-23 16:20 UTC (History)
1 user (show)

See Also:
Host:
Target:
Build:
Last reconfirmed: 2023-01-11 00:00:00


Attachments
Generated by my fuzzer and afl-tmin (598 bytes, application/octet-stream)
2023-01-11 10:00 UTC, 曾思維
Details

Note You need to log in before you can comment on or make changes to this bug.
Description 曾思維 2023-01-11 10:00:01 UTC
Created attachment 14574 [details]
Generated by my fuzzer and afl-tmin

# version

$ ./binutils-gdb_asan/binutils/objdump --version
GNU objdump (GNU Binutils) 2.40.50.20230110
Copyright (C) 2023 Free Software Foundation, Inc.
This program is free software; you may redistribute it under the terms of
the GNU General Public License version 3 or (at your option) any later version.
This program has absolutely no warranty.

---------------------------------------------------------------------
# git log

$ git log --oneline -1
aefebe82dc8 (HEAD -> master, origin/master, origin/HEAD) IBM zSystems: Fix offset relative to static TLS

---------------------------------------------------------------------
# make

$ git clone git://sourceware.org/git/binutils-gdb.git
$ mv binutils-gdb binutils-gdb_asan
$ cd binutils-gdb_asan
$ ./configure CFLAGS='-fsanitize=address -g3' CXXFALGS='-fsanitize=address -g3'
$ make

---------------------------------------------------------------------
# ASAN report

$ ./binutils-gdb_asan/binutils/objdump -S poc
BFD: warning: poc has a section extending past end of file

poc:     file format elf64-x86-64


Disassembly of section abbrev:

3030303030303030 <abbrev>:
BFD: DWARF error: can't find .debug_str section.
BFD: DWARF error: can't find .debug_str section.
BFD: DWARF error: can't find .debug_str section.
BFD: DWARF error: can't find .debug_line_str section.
BFD: DWARF error: can't find .debug_line_str section.
BFD: DWARF error: can't find .debug_line_str section.
BFD: DWARF error: can't find .debug_line_str section.
BFD: DWARF error: can't find .debug_line_str section.
BFD: DWARF error: can't find .debug_line_str section.
BFD: DWARF error: can't find .debug_line_str section.
BFD: DWARF error: can't find .debug_line_str section.
BFD: DWARF error: can't find .debug_line_str section.
BFD: DWARF error: can't find .debug_line_str section.
BFD: DWARF error: mangled line number section (bad file number)
BFD: DWARF error: mangled line number section (bad file number)
=================================================================
==3970096==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000017f at pc 0x5573ee01c8cc bp 0x7fff9bcf2f50 sp 0x7fff9bcf2f40
READ of size 1 at 0x60300000017f thread T0
    #0 0x5573ee01c8cb in bfd_getl64 /home/a13579/fuzz_binutils-gdb/binutils-gdbnew/binutils-gdb_asan/bfd/libbfd.c:784
    #1 0x5573ee16bef2 in read_indexed_address dwarf2.c:1431
    #2 0x5573ee16dc6a in read_attribute_value dwarf2.c:1669
    #3 0x5573ee16e004 in read_attribute dwarf2.c:1711
    #4 0x5573ee1783c7 in scan_unit_for_symbols dwarf2.c:3973
    #5 0x5573ee17c2c4 in comp_unit_maybe_decode_line_info dwarf2.c:4721
    #6 0x5573ee17bf03 in comp_unit_find_nearest_line dwarf2.c:4679
    #7 0x5573ee182273 in _bfd_dwarf2_find_nearest_line_with_alt dwarf2.c:5991
    #8 0x5573ee0d4de3 in _bfd_elf_find_nearest_line_with_alt /home/a13579/fuzz_binutils-gdb/binutils-gdbnew/binutils-gdb_asan/bfd/elf.c:9338
    #9 0x5573ee0d4c72 in _bfd_elf_find_nearest_line /home/a13579/fuzz_binutils-gdb/binutils-gdbnew/binutils-gdb_asan/bfd/elf.c:9315
    #10 0x5573edec9d8b in show_line objdump.c:2180
    #11 0x5573edecf759 in disassemble_bytes objdump.c:3339
    #12 0x5573eded37f3 in disassemble_section objdump.c:4050
    #13 0x5573ee024bbc in bfd_map_over_sections /home/a13579/fuzz_binutils-gdb/binutils-gdbnew/binutils-gdb_asan/bfd/section.c:1366
    #14 0x5573eded4767 in disassemble_data objdump.c:4194
    #15 0x5573ededc530 in dump_bfd objdump.c:5676
    #16 0x5573ededc807 in display_object_bfd objdump.c:5739
    #17 0x5573ededcb38 in display_any_bfd objdump.c:5825
    #18 0x5573ededcbb2 in display_file objdump.c:5846
    #19 0x5573edede4db in main objdump.c:6254
    #20 0x7f755d389082 in __libc_start_main ../csu/libc-start.c:308
    #21 0x5573edec23bd in _start (/home/a13579/fuzz_binutils-gdb/binutils-gdbnew/binutils-gdb_asan/binutils/objdump+0x13b3bd)

0x60300000017f is located 2 bytes to the right of 29-byte region [0x603000000160,0x60300000017d)
allocated by thread T0 here:
    #0 0x7f755d66a808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x5573ee01b6aa in bfd_malloc /home/a13579/fuzz_binutils-gdb/binutils-gdbnew/binutils-gdb_asan/bfd/libbfd.c:289
    #2 0x5573ee168ad5 in read_section dwarf2.c:734
    #3 0x5573ee16bae7 in read_indexed_address dwarf2.c:1412
    #4 0x5573ee16dc6a in read_attribute_value dwarf2.c:1669
    #5 0x5573ee16e004 in read_attribute dwarf2.c:1711
    #6 0x5573ee1783c7 in scan_unit_for_symbols dwarf2.c:3973
    #7 0x5573ee17c2c4 in comp_unit_maybe_decode_line_info dwarf2.c:4721
    #8 0x5573ee17bf03 in comp_unit_find_nearest_line dwarf2.c:4679
    #9 0x5573ee182273 in _bfd_dwarf2_find_nearest_line_with_alt dwarf2.c:5991
    #10 0x5573ee0d4de3 in _bfd_elf_find_nearest_line_with_alt /home/a13579/fuzz_binutils-gdb/binutils-gdbnew/binutils-gdb_asan/bfd/elf.c:9338
    #11 0x5573ee0d4c72 in _bfd_elf_find_nearest_line /home/a13579/fuzz_binutils-gdb/binutils-gdbnew/binutils-gdb_asan/bfd/elf.c:9315
    #12 0x5573edec9d8b in show_line objdump.c:2180
    #13 0x5573edecf759 in disassemble_bytes objdump.c:3339
    #14 0x5573eded37f3 in disassemble_section objdump.c:4050
    #15 0x5573ee024bbc in bfd_map_over_sections /home/a13579/fuzz_binutils-gdb/binutils-gdbnew/binutils-gdb_asan/bfd/section.c:1366
    #16 0x5573eded4767 in disassemble_data objdump.c:4194
    #17 0x5573ededc530 in dump_bfd objdump.c:5676
    #18 0x5573ededc807 in display_object_bfd objdump.c:5739
    #19 0x5573ededcb38 in display_any_bfd objdump.c:5825
    #20 0x5573ededcbb2 in display_file objdump.c:5846
    #21 0x5573edede4db in main objdump.c:6254
    #22 0x7f755d389082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/a13579/fuzz_binutils-gdb/binutils-gdbnew/binutils-gdb_asan/bfd/libbfd.c:784 in bfd_getl64
Shadow bytes around the buggy address:
  0x0c067fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff8000: fa fa 00 00 00 fa fa fa 00 00 00 00 fa fa 00 00
  0x0c067fff8010: 00 fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa
=>0x0c067fff8020: 00 00 00 fa fa fa 00 00 00 00 fa fa 00 00 00[05]
  0x0c067fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==3970096==ABORTING
Comment 1 Sourceware Commits 2023-01-11 12:13:03 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=11d171f1910b508a81d21faa087ad1af573407d8

commit 11d171f1910b508a81d21faa087ad1af573407d8
Author: Nick Clifton <nickc@redhat.com>
Date:   Wed Jan 11 12:12:25 2023 +0000

    Fix a potential illegal memory access in the BFD library when parsing a corrupt DWARF file.
    
            PR 29988
            * dwarf2.c (read_indexed_address): Fix check for an out of range
            offset.
Comment 2 Sourceware Commits 2023-01-11 12:14:19 UTC
The binutils-2_40-branch branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=3e307d538c351aa9327cbad672c884059ecc20dd

commit 3e307d538c351aa9327cbad672c884059ecc20dd
Author: Nick Clifton <nickc@redhat.com>
Date:   Wed Jan 11 12:13:46 2023 +0000

    Fix a potential illegal memory access in the BFD library when parsing a corrupt DWARF file.
    
            PR 29988
            * dwarf2.c (read_indexed_address): Fix check for an out of range
            offset.
Comment 3 Nick Clifton 2023-01-11 12:16:03 UTC
Hi,

  Thanks for reporting this bug.  There was a check in the read_indexed_address() function for a buffer overflow, but it was testing against the wrong size field.  I have checked in a small patch to fix this.

Cheers
  Nick
Comment 4 曾思維 2023-03-23 16:20:27 UTC
use CVE-2023-1579