https://sourceware.org/bugzilla/show_bug.cgi?id=17453
Bug ID: 17453
Summary: Two issues found by AddressSanitizer
Product: binutils
Version: 2.25 (HEAD)
Status: NEW
Severity: normal
Priority: P2
Component: ld
Assignee: unassigned at sourceware dot org
Reporter: markus at trippelsdorf dot de

1)

markus@x4 ld % /var/tmp/binutils-gdb/ld/ld-new -o tmpdir/tlsie4 -L/var/tmp/binutils-gdb/ld/testsuite/ld-x86-64 -melf32_x86_64 tmpdir/tlsie4.o
=================================================================
==20993==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000b48f at pc 0x4da32d bp 0x7fffcd882d00 sp 0x7fffcd882cf8
READ of size 1 at 0x60400000b48f thread T0
    #0 0x4da32c in elf_x86_64_relocate_section /var/tmp/binutils-gdb/bfd/elf64-x86-64.c:4294
    #1 0x5411d2 in elf_link_input_bfd /var/tmp/binutils-gdb/bfd/elflink.c:9721
    #2 0x54585c in bfd_elf_final_link /var/tmp/binutils-gdb/bfd/elflink.c:10908
    #3 0x43d377 in ldwrite /var/tmp/binutils-gdb/ld/ldwrite.c:581
    #4 0x406150 in main ldmain.c:427
    #5 0x7fddf2b84fcf in __libc_start_main (/lib/libc.so.6+0x1ffcf)
    #6 0x407484 (/var/tmp/binutils-gdb/ld/ld-new+0x407484)

0x60400000b48f is located 1 bytes to the left of 40-byte region [0x60400000b490,0x60400000b4b8)
allocated by thread T0 here:
    #0 0x7fddf3132bcf in malloc (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.2/libasan.so.1+0x5ebcf)
    #1 0x490c8d in bfd_malloc /var/tmp/binutils-gdb/bfd/libbfd.c:181

SUMMARY: AddressSanitizer: heap-buffer-overflow /var/tmp/binutils-gdb/bfd/elf64-x86-64.c:4294 elf_x86_64_relocate_section
==20993==ABORTING

2)

markus@x4 ld % /var/tmp/binutils-gdb/ld/../binutils/readelf -d tmpdir/audit.out
=================================================================
==21468==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000005448c0 at pc 0x7f5d99269322 bp 0x7fffa0f91250 sp 0x7fffa0f91208
WRITE of size 4097 at 0x0000005448c0 thread T0
    #0 0x7f5d99269321 in scanf_common(void*, int, bool, char const*, __va_list_tag*) [clone .constprop.55] (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.2/libasan.so.1+0x2b321)
    #1 0x7f5d99269c28 in vfscanf (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.2/libasan.so.1+0x2bc28)
    #2 0x7f5d99269d22 in __interceptor_fscanf (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.2/libasan.so.1+0x2bd22)
    #3 0x418337 in process_program_headers /var/tmp/binutils-gdb/binutils/readelf.c:4403
    #4 0x43c7b7 in process_object /var/tmp/binutils-gdb/binutils/readelf.c:14465
    #5 0x402d05 in process_file /var/tmp/binutils-gdb/binutils/readelf.c:14849
    #6 0x402d05 in main /var/tmp/binutils-gdb/binutils/readelf.c:14914
    #7 0x7f5d98ceefcf in __libc_start_main (/lib/libc.so.6+0x1ffcf)
    #8 0x40338d (/var/tmp/binutils-gdb/binutils/readelf+0x40338d)

0x0000005448c0 is located 32 bytes to the left of global variable 'dynamic_syminfo_nent' from 'readelf.c' (0x5448e0) of size 4
0x0000005448c0 is located 0 bytes to the right of global variable 'program_interpreter' from 'readelf.c' (0x5438c0) of size 4096
SUMMARY: AddressSanitizer: global-buffer-overflow ??:0 scanf_common(void*, int, bool, char const*, __va_list_tag*) [clone .constprop.55]
==21468==ABORTING