[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Bug binutils/22416] New: heap-buffer-overflow in bfd_getl16
From: |
jgj212 at gmail dot com |
Subject: |
[Bug binutils/22416] New: heap-buffer-overflow in bfd_getl16 |
Date: |
Fri, 10 Nov 2017 09:24:48 +0000 |
https://sourceware.org/bugzilla/show_bug.cgi?id=22416
Bug ID: 22416
Summary: heap-buffer-overflow in bfd_getl16
Product: binutils
Version: 2.29
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: jgj212 at gmail dot com
Target Milestone: ---
Created attachment 10578
--> https://sourceware.org/bugzilla/attachment.cgi?id=10578&action=edit
heap-buffer-overflow-in-bfd_getl16
Hi:
I found a heap-buffer-overflow in bfd_getl16 about objdump 2.29.1.
Here is the asan-output:
==5178==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x617000000371
at pc 0x00000064bc77 bp 0x7ffcbd59cd00 sp 0x7ffcbd59ccf8
READ of size 1 at 0x617000000371 thread T0
#0 0x64bc76 in bfd_getl16 binutils-2.29.1/bfd/libbfd.c:505:11
#1 0x8b7cbf in _bfd_pei_swap_debugdir_in
binutils-2.29.1/bfd/peigen.c:1121:22
#2 0x894164 in pe_bfd_read_buildid binutils-2.29.1/bfd/./peicode.h:1353:7
#3 0x88cc2f in pe_bfd_object_p binutils-2.29.1/bfd/./peicode.h:1497:7
#4 0x64538c in bfd_check_format_matches binutils-2.29.1/bfd/format.c:311:14
#5 0x51785f in display_object_bfd
binutils-2.29.1/binutils/./objdump.c:3601:7
#6 0x517769 in display_any_bfd binutils-2.29.1/binutils/./objdump.c:3692:5
#7 0x5172aa in display_file binutils-2.29.1/binutils/./objdump.c:3713:3
#8 0x516b04 in main binutils-2.29.1/binutils/./objdump.c:4015:6
#9 0x7f5074958f44 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
#10 0x41b74b in _start (binutils-2.29.1/binutils/objdump+0x41b74b)
0x617000000371 is located 1 bytes to the right of 752-byte region
[0x617000000080,0x617000000370)
allocated by thread T0 here:
#0 0x4df116 in malloc asan_malloc_linux.cc:66
#1 0x64b51e in bfd_malloc binutils-2.29.1/bfd/libbfd.c:193:9
#2 0x6415cb in bfd_get_full_section_contents
binutils-2.29.1/bfd/compress.c:248:21
#3 0x658d04 in bfd_malloc_and_get_section
binutils-2.29.1/bfd/section.c:1640:10
#4 0x89403a in pe_bfd_read_buildid binutils-2.29.1/bfd/./peicode.h:1339:8
#5 0x88cc2f in pe_bfd_object_p binutils-2.29.1/bfd/./peicode.h:1497:7
#6 0x64538c in bfd_check_format_matches binutils-2.29.1/bfd/format.c:311:14
#7 0x51785f in display_object_bfd
binutils-2.29.1/binutils/./objdump.c:3601:7
#8 0x517769 in display_any_bfd binutils-2.29.1/binutils/./objdump.c:3692:5
#9 0x5172aa in display_file binutils-2.29.1/binutils/./objdump.c:3713:3
#10 0x516b04 in main binutils-2.29.1/binutils/./objdump.c:4015:6
#11 0x7f5074958f44 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
SUMMARY: AddressSanitizer: heap-buffer-overflow
binutils-2.29.1/bfd/libbfd.c:505:11 in bfd_getl16
Shadow bytes around the buggy address:
0x0c2e7fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2e7fff8020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2e7fff8030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2e7fff8040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2e7fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2e7fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[fa]fa
0x0c2e7fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2e7fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2e7fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2e7fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2e7fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==5178==ABORTING
Credit: ADLab of VenusTech
--
You are receiving this mail because:
You are on the CC list for the bug.
- [Bug binutils/22416] New: heap-buffer-overflow in bfd_getl16,
jgj212 at gmail dot com <=