bug-binutils
[Bug binutils/26805] New: objcopy : global-buffer-overflow in objcopy.c:


From: zodf0055980 at gmail dot com
Subject: [Bug binutils/26805] New: objcopy : global-buffer-overflow in objcopy.c:1274
Date: Thu, 29 Oct 2020 07:32:16 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=26805

            Bug ID: 26805
           Summary: objcopy : global-buffer-overflow in objcopy.c:1274
           Product: binutils
           Version: 2.36 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: zodf0055980 at gmail dot com
  Target Milestone: ---

Created attachment 12926
  --> https://sourceware.org/bugzilla/attachment.cgi?id=12926&action=edit
file that reproduces this problem

OS : ubuntu 18.04.3
kernel : gnu/linux 5.4.0-52-generic
CPU : Intel(R) Core(TM) i7-10700 CPU @ 2.90GHz
compiler : gcc version 7.5.0

Steps to Reproduce :
download the sample from attachment

~/binutils-ASAN/binutils/objcopy -I elf32-i386 --extract-dwo ./sample /dev/null

ASan trace:
=================================================================
==13087==ERROR: AddressSanitizer: global-buffer-overflow on address
0x5606d020369c at pc 0x7f30d2c91a69 bp 0x7ffc6df9eba0 sp 0x7ffc6df9e348
READ of size 1 at 0x5606d020369c thread T0
    #0 0x7f30d2c91a68  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5aa68)
    #1 0x5606cfb81813 in is_dwo_section
/home/yuan/binutils-ASAN/binutils/objcopy.c:1274
    #2 0x5606cfb81813 in is_strip_section_1
/home/yuan/binutils-ASAN/binutils/objcopy.c:1371
    #3 0x5606cfb81813 in is_strip_section
/home/yuan/binutils-ASAN/binutils/objcopy.c:1381
    #4 0x5606cfb86b5c in setup_section
/home/yuan/binutils-ASAN/binutils/objcopy.c:3985
    #5 0x5606cfc8d1cb in bfd_map_over_sections
/home/yuan/binutils-ASAN/bfd/section.c:1379
    #6 0x5606cfb8ae5d in copy_object
/home/yuan/binutils-ASAN/binutils/objcopy.c:2826
    #7 0x5606cfb9b51b in copy_file
/home/yuan/binutils-ASAN/binutils/objcopy.c:3838
    #8 0x5606cfb6fd84 in copy_main
/home/yuan/binutils-ASAN/binutils/objcopy.c:5899
    #9 0x5606cfb6fd84 in main /home/yuan/binutils-ASAN/binutils/objcopy.c:6025
    #10 0x7f30d2663b96 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #11 0x5606cfb7b4d9 in _start
(/home/yuan/binutils-ASAN/binutils/objcopy+0xc14d9)

0x5606d020369c is located 54 bytes to the right of global variable '*.LC24'
defined in 'elf.c' (0x5606d0203660) of size 6
  '*.LC24' is ascii string '.rela'
0x5606d020369c is located 4 bytes to the left of global variable '*.LC26'
defined in 'elf.c' (0x5606d02036a0) of size 1
  '*.LC26' is ascii string ''
SUMMARY: AddressSanitizer: global-buffer-overflow
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5aa68) 
Shadow bytes around the buggy address:
  0x0ac15a038680: 06 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
  0x0ac15a038690: 06 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 05 f9
  0x0ac15a0386a0: f9 f9 f9 f9 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9
  0x0ac15a0386b0: 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 07 f9 f9 f9
  0x0ac15a0386c0: f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9 06 f9 f9 f9
=>0x0ac15a0386d0: f9 f9 f9[f9]01 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x0ac15a0386e0: f9 f9 f9 f9 00 04 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x0ac15a0386f0: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 05 f9 f9 f9
  0x0ac15a038700: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x0ac15a038710: f9 f9 f9 f9 00 00 00 00 00 00 00 03 f9 f9 f9 f9
  0x0ac15a038720: 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 00 02 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==13087==ABORTING

len in is_dwo_section() is 0, so name + len - 4 overflows.


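Added illustration of the defect pattern described in this report; this is not code from the bug report or from binutils. It reconstructs the unchecked suffix test as the reporter describes it (strlen(name) - 4 computed before checking that the name is at least four bytes long) beside a length-checked form, and uses a constructed struct layout (the 'before' bytes and the section names are made up here) to show where the unchecked pointer lands for an empty name without actually reading outside a valid object. The exact binutils fix is not reproduced; the hardened function below is an assumption about what a correct check looks like.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical reconstruction of the unchecked pattern: the offset of
   the would-be ".dwo" suffix is computed from strlen(name) before anyone
   asks whether the name is long enough.  For name == "" this is -4, so a
   strncmp() starting there reads the four bytes immediately before the
   string, which matches the ASan report above ("4 bytes to the left of
   global variable ... ascii string '').  Returns that offset. */
static ptrdiff_t unchecked_suffix_offset(const char *name)
{
    int len = (int) strlen(name);
    return (ptrdiff_t) (len - 4);   /* negative for any name shorter than ".dwo" */
}

/* Hardened form (assumed, not the project's own fix): validate the
   pointer and the length before doing any pointer arithmetic. */
static bool is_dwo_section_name(const char *name)
{
    size_t len;
    if (name == NULL)
        return false;
    len = strlen(name);
    if (len < 4)                    /* cannot end in ".dwo", so never look backwards */
        return false;
    return memcmp(name + len - 4, ".dwo", 4) == 0;
}

/* Constructed memory layout standing in for the adjacent globals in the
   ASan report: some unrelated bytes followed by the section-name string. */
struct layout {
    char before[8];                 /* filled with 'X' so an out-of-bounds hit is visible */
    char name[16];
};

/* Returns the byte the unchecked version would read first for
   SECTION_NAME.  The access is computed relative to the whole struct, so
   it stays inside a valid object and is well defined here; in the real
   binary the same arithmetic walks into whatever precedes the string. */
static char byte_unchecked_read_would_hit(const char *section_name)
{
    struct layout l;
    memset(l.before, 'X', sizeof l.before);
    snprintf(l.name, sizeof l.name, "%s", section_name);
    ptrdiff_t off = unchecked_suffix_offset(l.name);
    const char *p = (const char *) &l + offsetof(struct layout, name) + off;
    return *p;
}

int main(void)
{
    /* Constructed section names, including the degenerate empty name from
       the report and other names shorter than the suffix being tested. */
    const char *names[] = { "", "a", "dwo", ".dwo", ".debug_info.dwo", ".debug_info", ".text" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        ptrdiff_t off = unchecked_suffix_offset(names[i]);
        printf("\"%s\": len=%zu unchecked offset=%+td (%s), hardened says %s\n",
               names[i], strlen(names[i]), off,
               off < 0 ? "reads BEFORE the string" : "in bounds",
               is_dwo_section_name(names[i]) ? "dwo" : "not dwo");
    }
    return 0;
}
```

The empty name yields an offset of -4 and a read of the 'X' padding, i.e. the byte four positions before the string, while every name of at least four bytes stays in bounds; the hardened check returns false for the short names without ever forming the bad pointer.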